Wireless Security Implementation Facts


Security for wireless networking is provided by the following standards (each method is named, then described):
Wired Equivalent Privacy (WEP)

WEP is an optional component of the 802.11 specifications and was deployed in 1997. WEP was designed to provide wireless connections with the same security as wired connections. WEP has the following weaknesses:

  • Static pre-shared keys (PSK) were given to the access point and client and could not be dynamically changed or exchanged without administrator intervention. As a result, every host on a large network usually uses the same key.
  • Because the key does not change, it can be captured and easily broken. Key values were also short, making them easy to predict.

Cisco interim solution

Cisco's interim solution was deployed in 2001 to address the problems of WEP. The solution included the following:

  • A Cisco proprietary version of Temporal Key Integrity Protocol (TKIP) encryption.
  • User authentication using 802.1x. 802.1x requires a centralized server (called a RADIUS server) to authenticate users through user account names and passwords.
  • The use of dynamic keys.

Wi-Fi Protected Access (WPA)

WPA is the implementation name for wireless security based on initial 802.11i drafts and was deployed in 2003. It was intended as an intermediate measure to take the place of WEP while a fully secured system (802.11i) was prepared. WPA:

  • Uses TKIP for encryption.
  • Supports both Pre-shared Key (referred to as WPA-PSK or WPA Personal) and 802.1x (referred to as WPA Enterprise) authentication.
  • Can use dynamic keys or pre-shared keys.
  • Can typically be implemented in WEP-capable devices through a software/firmware update.

Note: The Cisco interim solution is not compatible with WPA.

Wi-Fi Protected Access 2 (WPA2) or 802.11i

WPA2 is the implementation name for wireless security that adheres to the 802.11i specifications and was deployed in 2005. It is built upon the idea of Robust Secure Networks (RSN). Like WPA, it resolves the weaknesses inherent in WEP, and is intended to eventually replace both WEP and WPA. WPA2:

  • Uses the Advanced Encryption Standard (AES) as the encryption method. It fills the same role as TKIP but is more secure, and it requires special hardware to perform the encryption.
  • Supports both Pre-shared Key (referred to as WPA2-PSK or WPA2 Personal) and 802.1x (referred to as WPA2 Enterprise) authentication.
  • Can use dynamic keys or pre-shared keys.

Note: WPA2 has the same advantages over WEP as WPA. While more secure than WPA, its main disadvantage is that it requires new hardware for implementation.

In addition to using the security measures outlined above, you can provide a further level of security using the following practices (each method is named, then described). These methods by themselves do not provide much security; rather, they discourage curious people from trying to access the wireless network.
Change the administrator account name and password

The access point typically comes configured with a default username and password that is used to configure the access point settings. If possible, it is important to change the administrator account name and password from the defaults. This helps prevent outsiders from breaking into your system by guessing the default username and password.

Update the firmware

Update the firmware on the access point from the manufacturer's Web site frequently to prevent your system from being exposed to known bugs and security holes.

Enable the firewall on the access point

Most wireless access points come with a built-in firewall that sits between the wireless network and the wired network it connects to.

Change SSID from defaults

Many manufacturers use a default SSID, so it is important to change your SSID from the default. You can also disable the SSID broadcast for further protection; this is known as SSID suppression or cloaking.

Note: Even with SSID broadcast turned off, a determined hacker can still identify the SSID by analyzing wireless broadcasts.

Disable DHCP

DHCP servers dynamically assign IP addresses, gateway addresses, subnet masks, and DNS addresses whenever a computer on the wireless network starts up. Disabling DHCP on the wireless access points allows only users with a valid, static IP address in the range to connect.

Enable MAC address filtering

Every network board has a unique code assigned to it called a MAC address. By specifying which MAC addresses are allowed to connect to your network, you can prevent unauthorized MAC addresses from connecting to the access point. Configuring a MAC address filtering system is very time consuming and demands upkeep.

Note: Attackers can still use tools to capture packets and then retrieve valid MAC addresses. An attacker could then spoof their wireless adapter's MAC address and circumvent the filter.
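As an added example (not part of the Testout notes, which target Cisco equipment), the two hostapd access point configurations below put the weak settings beside the hardened ones the notes recommend: WEP with a short static shared key versus WPA2 (802.11i) with AES-CCMP, a non-default SSID, SSID suppression and a MAC address allow list. The interface name, SSIDs, keys and file path are placeholders, and the two configurations must live in separate files.

```ini
# hostapd-weak.conf (shown for contrast only; this is the 1997 WEP design the notes describe)
interface=wlan0
# default-style SSID left unchanged
ssid=linksys
hw_mode=g
channel=6
# 40-bit static key, shared by every client and never rotated
wep_default_key=0
wep_key0=123456789a

# hostapd-hardened.conf (WPA2 / RSN with AES-CCMP, per the notes)
interface=wlan0
# non-default SSID
ssid=corp-wlan-7f3a
hw_mode=g
channel=6
# SSID suppression: beacons carry an empty SSID (the name still appears in probe and association frames)
ignore_broadcast_ssid=1
# WPA2 only, no WPA/TKIP fallback
wpa=2
# WPA2 Personal; use WPA-EAP plus a RADIUS server for WPA2 Enterprise (802.1x)
wpa_key_mgmt=WPA-PSK
# AES-CCMP, not TKIP
rsn_pairwise=CCMP
wpa_passphrase=CHANGE-ME-to-a-long-random-passphrase
# allow only the MAC addresses listed in the file, one per line (spoofable, so a deterrent rather than a control)
macaddr_acl=1
accept_mac_file=/etc/hostapd/hostapd.accept
```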


Credit: Testout 640-802 CCNA Notes

Tags: #network #wireless security implementation
Record number: 318264. Written on 5 December 2009, 09:24; edited on 27 March 2012, 16:17. License: Creative Commons Attribution-NonCommercial-NoDerivatives.
