Securing a wireless network requires authentication and encryption technologies. Authentication is the process of ensuring that a user is authorized to access the wireless network. For personal networks, authentication is usually handled with a username and password. In the corporate environment, authentication technologies include digital certificates, smart cards, and biometric information, such as a fingerprint.

Encryption makes information traveling over the wireless network unreadable to anyone who is eavesdropping on the transmission. Encryption algorithms (formulas) convert plain text into cipher text. Different encryption algorithms provide different levels of security.

Wireless authentication and encryption technologies. The original 802.11 Wi-Fi specification included WEP (Wired Equivalent Privacy) technology to address authentication and encryption requirements. However, the security provided by WEP proved insufficient. For example, the WEP encryption key, which defines the translation of plain text into cipher text, is static and does not change. By collecting a network’s transmissions and using WEP-cracking tools, hackers can determine the encryption key and decode the information.

As a result of the security problems in WEP, the Wi-Fi industry began developing the more secure IEEE 802.11i standard. Until the new standard was finalized, however, the industry adopted WPA (Wi-Fi Protected Access) as an interim solution. WPA contains many improvements and addresses most of the security issues found in WEP.

The 802.11i standard, also known as WPA2 (Wi-Fi Protected Access 2), was released in 2004 and is available on newer wireless devices. WPA2 differs from WPA in that it includes the AES (Advanced Encryption Standard), a strong cryptographic technology required by the U.S. government and some corporations. For authentication, WPA2 uses the same methods as WPA.

How to choose. To protect network transmissions and sensitive information, your wireless network should operate with the strongest encryption method supported by your wireless AP and devices. Of the three options for securing wireless transmissions, WPA2 is the newest and most secure technology.

Some wireless APs can accommodate a mixture of wireless technologies, and others require you to select only one. For example, if your wireless AP supports WPA2 mixed mode, it can handle WPA and WPA2 on the same SSID. An alternative, if the wireless AP supports it, is to create multiple SSIDs, each with a different wireless security standard.

If your wireless AP limits the network to a single security standard, all of your devices must support it. To use WPA2, for example, the wireless AP and your wireless devices (notebooks, PDAs, barcode scanners) must also support WPA2. (The Wi-Fi Alliance maintains a list of WPA and WPA2 certified devices at certifications.wi-fi.org/wbcs_certi
fied_products.php.) The following information discusses each technology in more detail.

WEP. WEP is considered unsecure, primarily because the encryption key is static and does not change. However, if WEP is your only alternative, it is more secure than no encryption at all. And unlike WPA and WPA2, WEP operates on Win98/Me/XP systems. WPA and WPA2 work with WinXP only.

To use WEP, first configure your wireless AP (as we mentioned earlier, you’ll use your browser and admin software). If possible, select 128-bit encryption, which is stronger than 64-bit encryption. For the passphrase, use a combination of hard-to-guess letters and numbers appropriate for a strong password. After saving this information on the wireless AP, configure the same settings on your wireless devices and test device connectivity.

WPA. WPA was an interim solution to WEP security issues, and it implements many of the security improvements of WPA2. If your wireless devices currently support only WEP, you may be able to upgrade them to WPA. Check the device vendor’s Web site to determine whether there is an update available.

For encryption, WPA uses the TKIP (Temporal Key Integrity Protocol). Rather than relying on a single, fixed key, TKIP makes the encryption key more difficult to guess because it changes regularly. In addition, the WPA encryption process uses multiple keys derived from a master key, rather than simply a single master key as with WEP.

To use WPA, your network needs:

• A wireless access point that supports WPA
• Client devices with an OS and a network adapter that support WPA


Computers running WinXP SP2 support WPA. You also need a wireless network adapter and driver enabled with WPA in order to select WPA encryption and authentication options in the wireless network properties. Finally, your wireless AP must also be configured for WPA.

WPA offers two options for authentication. For personal and SOHO use, WPA comes with a PSK (preshared key) option. This is a simple method of authentication to implement because it only requires you to enter a secret set of characters on the wireless AP and each device that accesses the network. To activate WPA-PSK, select it on your wireless AP and enter a set of characters for the shared key, choosing characters similar to a strong password. Enter the same information in your device’s wireless connection configuration and test connectivity.

For corporations, WPA provides the 802.11x port-based network access control with EAP (Extensible Authentication Protocol) authentication method. It supports stronger security than PSK because it requires an authentication server, such as a RADIUS (Remote Authentication Dial In User Service) server, to control access to the network. However, small businesses or employees working from home can use WPA-EAP with additional software.

WPA2. Similar to WPA, WPA2 uses the PSK and 802.1x with EAP methods for authentication. However, the encryption standard for WPA2 is AES, whereas WPA uses TKIP. AES provides strong encryption, and it is the standard adopted by the U.S. government to protect sensitive data.

To use WPA2, your network needs:

• A wireless access point that supports WPA2
• Client devices with an OS and a network adapter that support WPA2

If you already own a wireless AP, you can check with the manufacturer to determine whether it’s upgradeable to WPA2. Wireless APs released in 2003 or after that support 802.11g devices probably support WPA2 with a firmware update. If your wireless AP does not support WPA2, you can use WPA or WEP.

Whether you can use WPA2 also depends on whether your wireless devices’ operating systems support it. Similar to the wireless access point, some wireless network adapters are upgradeable to WPA2 with a firmware update from the manufacturer. You must also update the adapter driver.

WinXP is the only Windows OS with WPA2 capabilities. Windows-based wireless notebooks must run WinXP with SP2. In addition, Microsoft released a WPA2 update for WinXP SP2 that you must install. For details about the WPA2 update, see the Microsoft Help And Support article at support.microsoft.com/?id=893357.

After you install the WPA2 update, WinXP’s Choose A Wireless Network dialog box designates any WPA2-enabled networks with “security-enabled wireless network (WPA2).” The wireless connection Properties dialog box adds WPA2 (corporate/enterprise networks) and WPA2-PSK (personal networks) options to the Network Authentication drop-down box on the Association tab. Note that the WPA2 options are available only if your wireless network adapter and its driver support WPA2.

To activate WPA2 on your SOHO wireless network, select WPA2-PSK on the wireless AP and type a set of characters for the shared key, choosing characters as you would a strong password. Enter the same information in your device’s wireless connection configuration and test connectivity.

Wireless Network

Following a few easy steps can ensure that no one intercepts your Wi-Fi traffic.

Becky Waring

Wi-Fi piggybacking widespread, Sophos research reveals Over 50% of people polled admit they have stolen Wi-Fi internet access

Over 50% of people polled admitted they had stolen Wi-Fi internet access from others.

IT security and control firm Sophos has revealed new research into the use of other people's Wi-Fi networks to piggyback onto the internet without payment. The research, carried out by Sophos on behalf of The Times, shows that 54 percent of computer users have admitted breaking the law, by using someone else's wireless internet access without permission.

According to Sophos, many internet-enabled homes fail to properly secure their wireless connection with passwords and encryption, allowing freeloading passers-by and neighbours to steal internet access rather than paying an Internet Service Provider (ISP) for their own. In addition, while businesses often have security measures in place to protect the Wi-Fi networks within their offices from attack, Sophos experts note that remote users working from home could prove to be a weak link in corporate defenses.

Summary: Hubs, switches and routers are all computer networking devices with varying capabilities. Unfortunately the terms are also often misused.

In a word: intelligence.

Hubs, switches, and routers are all devices which let you connect one or more computers to other computers, networked devices, or to other networks. Each has two or more connectors called ports into which you plug in the cables to make the connection. Varying degrees of magic happen inside the device, and therein lies the difference. I often see the terms misused so let's clarify what each one really means.

Summary: NAT routers are a fundamental way to share an internet connection while protecting you at the same time. You may already have one. It's easy to check.

The answer's not as obvious as a lot of people are thinking. Yes, much of the time a NAT router is an additional box ... a device that you plug your computer into that, in turn, plugs into your internet connection. And that box will typically say "router" on it.

But that's not the only way you can end up behind a router.

Summary: Zone Alarm is a popular firewall you install on your machine. If you also have a NAT router you may - or may not - need a firewall such as Zone Alarm.

As you've seen, there differing opinions on this. In reality it does, indeed, depend on how you use your system and how "safe" your safe computing really is.

Wireless LAN Technologies and Microsoft Windows

IEEE 802.11 wireless LAN technology is a popular option for network connectivity on organization intranets, home networks, and for accessing the Internet. This article describes the benefits of wireless LANs, the support for 802.11 wireless LAN and wireless LAN security standards in Microsoft® Windows®, and general guidelines for wireless LANs in medium to large organizations and small office/home office networks.

On This Page

	Benefits of Wireless LANs
	Support for IEEE 802.11 Standards
	Support for IEEE 802.11 Security Standards
	Checklists and Resources

Wireless Router Guide

After getting started and comparative reviews, this page has links to articles on wireless security, networking utility and security software, and wireless vendors and product reviews.

Security -- Wireless routers are not as secure as hard wired. If you want wireless and security, read the security articles on this page and be prepared to spend some time setting up the security features of your wireless network.

Testing -- We recommend that you test the firewall features of a wireless router after installation. See our Firewall Testing page for more information.

Firmware -- Router vendors offer updates for their firmware to add new features and to resolve problems found by their customers.

Prices -- See our custom Wireless Firewall Router Price List powered by Amazon.com

Getting Started

• How to Buy Home Networking Products [guide], PC World, June 4, 2007
• Home Networking Made Simple(r), Joseph Moran, Wi-Fi Planet, January 26, 2007
• Getting rid of wires is easy & Lots of options for novices, Patrick Marshall, Seattle Times, May 27, 2006
• CNet Editors' Wireless Network Buying Guide
• PC Magazine Networking: The Essential Buying Guide

Comparative Reviews

• Review: 6 New 802.11n Wi-Fi Routers -- Is It Time To Switch From 802.11g? Don Reisinger, Information Week, October 2, 2007
• It's now safe to splurge on faster Wi-Fi equipment, Dwight Silverman, Houston Chronicle, May 15, 2007 -- Netgear RangeMax Nex Wireless-N Router & Apple AirPort Extreme Wireless Base Station
• Draft N (802.11n) Routers Redux, Robert Lipschutz, PC Magazine, April 23, 2007
• Review: 4 Routers Take Wi-Fi To Nth Level, Marc Spiwak, CRN, January 29, 2007 -- D-Link, Linksys, Netgear & Trendnet.
• Wireless Router Reviews, Consumer Search, updated January 2007, a summary of 25 reviews of 37 products.

Wireless Security

• Beyond WEP: Beef Up Your Wi-Fi Security, John Brandon, PC Magazine, September 12, 2007
• The Woes of WiFi, Part 1: Insecure by Default, Jack Germain, TechNewsWorld, August 11, 2007
• 35 easy fixes for network problems, Becky Waring, PC World NZ, July 2, 2007
• Flying under the radar, Dwight Silverman, Houston Chronicle, May 21, 2007
• Say No to WEP, And Yes to WPA, Joseph Moran, Wi-FiPlanet, April 18, 2007
• How to Secure Your Wireless Network, Becky Waring, PC World, April 9, 2007
• Seven Steps to Safer WiFi, Kelly Higgins, Dark Reading, March 14, 2007
• Don't Fall Victim to the 'Free Wi-Fi' Scam, Preston Gralla, ComputerWorld, PC World, February 16, 2007
• How To Secure Your Home Wireless Network: Part 1, Part 2, Part 3, Part 4 & Part 5, Jim Doherty & Neil Anderson, CMP & Information Week, February 7, 9, 12, 14 & 21, 2007
• How I survived configuring and securing a wireless LAN - Part 1, Part 2 & Part 3, Robert Mitchell, ComputerWorld, February 1, 9 & 20  2007
• I hacked my secure wireless network: here's how it's done, George Gardner, Tech.Blorge, February 6, 2007
• Wireless hot spot protection, Preston Gralla, Computer World, January 8, 2007

Networking Utility and Security Software

• AirDefense Personal Lite 2.1
• AnchorFree Hot Spot Shield
  • AnchorFree Helps with Hotspot Security, Eric Griffith, Wi-Fi Planet, June 7, 2006
• HomeNet Manager 2.0, Joseph Moran, Practically Networked, July 14, 2005
• JiWire Hotspot Helper
  • Practically Networked review, Joseph Moran, November 14, 2006
• JumpStart, Atheros Communications
• McAfee Wireless Security, (formerly WSC Guard from the Wireless Security Corporation), $50/year
• NetTrooper, Sereniti
  • Practically Networked review, Joseph Moran, March 14, 2007
• Network Magic $40, one license key for one network with up to five computers
  • Network Magic 4.1, Robert Lipschutz, PC Magazine, February 21, 2007
  • Network Magic 4 [review], Joseph Moran, Wi-Fi Planet, February 16, 2007
• Packet Protector
• WiTopia.net SecureMyWiFi, Joe Moran, Practically Networked, June 28, 2005

Wireless Routers

D-Link Xtreme N Gigabit Router DIR-655: Supports WEP™, WPA™, and WPA2™ encryption security standards and utilizes dual SPI and NAT firewalls.

• D-Link Xtreme N Gigabit Router:Draft 2.0 arrives [recommended], Tim Higgins, SmallNetBuilder, July 09, 2007
• CNet review, Matthew Wood, April 30, 2007
• PC Magazine review [editor's choice], Robert Lipschutz, April 10, 2007
• Practically Networked review [recommended], Craig Ellison, March 26, 2007

Linksys WRT150N Wireless-N Home Router: Supports WEP™, WPA™, and WPA2™ encryption security standards and utilizes dual SPI and NAT firewalls.

• LaptopMag review, John Brandon, May 10, 2007
• PC Magazine review, Robert Lipschutz, April 10, 2007
• CNet review, Felisa Yang, March 5, 2007

Netgear Super-G Wireless Router WGT624: SPI and NAT firewalls, WEP and WPA, DoS Attack Detection/Logging, Dropped Packet Log, Security Event Log, E-mail Log, multiple VPN Tunnels (Pass-Through, 2 IPSec, and multiple L2TP & PPT.

• PC Magazine review, Oliver Kaven, May 18, 2005
• Jiwire review, Becky Waring, September 8, 2004
• CNet review, Allen Fear, December 9, 2003
• About.com review, Bradley Mitchell (no date)

D-Link DSL-2640B ADSL2/2+ Modem/Wireless Router 4-Port Switch includes SPI and NAT firewalls plus WEP, WPA, and WPA2 encryption.

Linksys Wireless-G Cable Gateway Cable Modem with Built-In Wireless-G Router WCG200: SPI and NAT firewalls, WPA encryption includes parental control features like Internet access time limits and key word blocking.

NetGear DG834G Wireless ADSL Firewall Router (54 Mbps) includes SPI and NAT firewalls, WEP, WPA, WPA2, VPN, intrusion logging and reporting, denial-service (DoS) protection.

• Thinkbroadband review, Andrew Ferguson, August 3, 2004
• ZDNet UK review, Roger Gann, May 20, 2004

No doubt you've got a home wireless network or you've connected to hotspots at the local coffee shop or airport—but are you getting the most out of your Wi-Fi? Whether you want to strengthen, extend, bridge, secure, sniff, detect, or obscure your signal, today we've got our top 10 best Wi-Fi utilities and tweaks for the power wireless user. Photo by thms.nl.

WEP was originally demonstrated to be broken back in 2001 and it was broken even worse by a factor of 20 in early 2005 and then broken again by another factor of 20 last month by German researchers.  WEP 104-bit encryption can now be cracked in under a minute on an 802.11g network using active ARP-replay packet-injection techniques.  Since the TJX breach started around mid 2005, the attackers could have easily cracked the network within half an hour using second-generation of WEP cracking tools.

What's most alarming about this is that most of the major retailers during that time were running WEP and many are STILL running some form of WEP.  There's no reason to believe the same attackers didn't try this sort of attack on many other retailers and are still actively attacking networks today.  Many businesses and organizations including hospitals are STILL running WEP or some other useless form of security.  Some are running a slightly better enterprise version of WEP which uses per-session per-user dynamic keys that supposedly rotates every hour but even that's worthless since the third generation of WEP cracking tools can break WEP in under a minute.

When I worked as a security consultant for major retailers and organizations during 2004 to 2005, I knew this was a time bomb waiting to go off because the vast majority of businesses and retailers were running bad Wireless LAN security with blatantly weak security.  Many businesses refused to fix their security and refuse to this day through a combination of ignorance and denial.  Some businesses and retailers listened and upgraded their security to WPA, others flat out refused.  I actually had one client to go the extra mile to buy all-new WPA-capable equipment only to be told in the end that they will only implement WEP because that was the "standard" their corporate head quarters used.

Getting people to upgrade their security and educate them was hard enough as it was, but the fact that many security professionals and security training courses are still recommending the worst kinds of wireless LAN security exacerbated the situation.  I've done my best to spread the word about wireless LAN security and even published a 10-article Guide on enterprise wireless LAN security which is essentially a free eBook.  It is essential that businesses and organizations implement the kind of security I mentioned in my enterprise guide.

For homes and small home offices, wireless LAN security summed up in a single paragraph. All you need to do is use WPA-PSK security with a RANDOM alpha-numeric pass-phrase that has a MINIMUM of 10 characters. I estimated that a truly random alpha-numeric 10-character WPA-PSK pass-phrase using modern single-core computers will take one thousand PCs working in parallel 500 years to crack.  If your hardware doesn't support WPA mode, you can almost always get a free software/firmware upgrade to support it.  If the hardware can't be upgraded, businesses can't afford a breach in their data security and they must buy WPA-compliant gear regardless of the cost.  Cost shouldn't ever be used as an excuse to have poor security and it won't help you in court when you're getting sued.  WPA-compliant access points and wireless cards can be acquired for less than $50 per device.

Having trouble with networking Windows Vista? Here are some solutions. By Nick Peers.
Published on Wednesday, June 13, 2007

Article Contents

Article Contents

1. Turn off UPnP
2. Change your admin password
3. Deactivate SSID broadcast
4. Turn on the DMZ
5. Filter MAC addresses
6. Customize the SSID
7. Update your firmware
8. Reset the factory default
9. Engage WEP
10. Activate WPA
11. Conclusion

Page 1 of 11Next >

• Print
• E-mail
• Discuss

Andy Walker

Learn more…

• Articles
• Store
• Blogs

Optimizing a Sluggish Windows Vista System

Sep 28, 2007

Home Network Router Security Secrets

Apr 7, 2006

How and Why Hackers Want to Get Inside Your Machine

Dec 9, 2005

Windows Lockdown!: Your XP and Vista Guide Against Hacks, Attacks, and Other Internet Mayhem (Rough Cuts)

Dec 5, 2007

Microsoft Windows Vista Help Desk

Aug 27, 2007

Microsoft Windows Vista Help Desk, Adobe Reader

Aug 6, 2007

Absolute Beginner's Guide to Security, Spam, Spyware & Viruses

Nov 9, 2005

Sorry, this author hasn't posted any blogs.

Absolute Beginner's Guide to Security, Spam, Spyware & Viruses

Ever delve inside your home network routers and use the hidden security settings that can lock down a network nice and tight? Most people never do. Andy Walker reveals 10 secrets on how to easily access your router's security settings.

Most people who install a home network never delve inside the netherworld of security settings on their router. Who can blame them—it’s about as frightening as putting your hand in a shoebox full of rabid gerbils. Nevertheless, it’s worth the effort if you know what you’re doing.

That said, here are 10 router settings you can use to make your network more secure. For the purposes of this article, I used a popular router, the DLink DI-524, to show you how to engage the features, because this router doesn’t bite—usually.

To use these features, you need to get inside your router and access its control panel. To do this, type the router’s internal IP address into your web browser on a computer on your network like this address for DLink routers: http://192.168.0.1. For Linksys routers, it’s http://192.168.1.1, and http://192.168.2.1 for several other brands. Check your router’s manual if none of these work for you, or look for the Default Gateway IP address when you use the ipconfig /all command (mentioned in tip #5).

1. Turn off UPnP.

UPnP, or universal plug and play, is a handy feature that lets devices on your network self-configure on a network, but it’s also a security hazard. A Trojan horse or virus on a computer inside your network could use UPnP to open a hole in your router’s firewall to let outsiders in. So it’s a good idea to turn off UPnP when not in use. To do that, click the Tools tab then the Misc button, and click Disabled next to the UPNP listing. Be sure to click Apply to update the router with this new setting. See Figure 1.

Figure 1 Turn off UPnP in your router to stop malware on an infected computer from opening holes in the router’s firewall.

 Dated, with errors like WEP, SSID beacon, MAC address filtering, but useful.

 Windows XP

 Windows Vista

1. Open a terminal window and type the following.

2. Change to the DNS tab and enter the following two addresses in the top of the first field labeled DNS Servers.

Instructions courtesy of Daniel Aleksandersen

 Ubuntu

One of the many Microsoft security blogs makes the point today that disabling SSID broadcast as a security measure is futile and will only defeat the unsophisticated trespasser.

It turns out that SSIDs are easily detected even if broadcast is off, if you have the right tools. It's true that if you have an "attacker" who isn't clever enough to use these tools, like some teenager who just wants to use your network, then perhaps they won't notice it and will attack somewhere else. But a well-secured network using WPA or, even better, WPA2, and a non-trivial password, will take care of those people, as well as more capable hackers.

I won't embarrass myself by looking them up and linking to them, but I'm sure I've written tips in the past to disable SSID broadcast. Then a few years ago I realized that there were easily-available tools to detect SSIDs even if they weren't broadcasting, and I gave it up. All it does is make life harder for honest people.

While he's at it, the author (Steve Riley, a senior security strategist in Microsoft's Trustworthy Computing Group). points out that MAC address filtering is also easily defeated. The only wireless security worth doing is the stuff that's easy - use WPA or WPA2.

ARLINGTON, Va.--Simply booting up a Wi-Fi-enabled laptop can tell people sniffing wireless network traffic a lot about your computer--and about you.

Soon after a computer powers up, it starts looking for wireless networks and network services. Even if the wireless hardware is then shut-off, a snoop may already have caught interesting data. Much more information can be plucked out of the air if the computer is connected to an access point, in particular an access point without security.

Updated 4/2/2007 - follow-up article here] For the last three years, I've been meaning to put to rest once and for all the urban legends and myths on wireless LAN security. Every time I write an article or blog on wireless LAN security, someone has to come along and regurgitate one of these myths. If that weren't bad enough, many "so called" security experts propagated these myths through speaking engagements and publications and many continue to this day. Many wireless LAN equipment makers continue to recommend many of these schemes to this day. One would think that the fact that none of these schemes made it in to the official IEEE 802.11i security standard would give a clue to their effectiveness, but time and time again that theory is proven wrong. To help you avoid the these schemes, I've created the following list of the six dumbest ways to secure your wireless LAN.

Wireless LAN security hall of shame

MAC filtering: This is like handing a security guard a pad of paper with a list of names. Then when someone comes up to the door and wants entry, the security guard looks at the person's name tag and compares it to his list of names and determines whether to open the door or not. Do you see a problem here? All someone needs to do is watch an authorized person go in and forge a name tag with that person's name. The comparison to a wireless LAN here is that the name tag is the MAC address. The MAC address is just a 12 digit long HEX number that can be viewed in clear text with a sniffer. A sniffer to a hacker is like a hammer to a carpenter except the sniffer is free. Once the MAC address is seen in the clear, it takes about 10 seconds to cut-paste a legitimate MAC address in to the wireless Ethernet adapter settings and the whole scheme is defeated. MAC filtering is absolutely worthless since it is one of the easiest schemes to attack. The shocking thing is that so many large organizations still waste the time to implement these things. The bottom line is, MAC filtering takes the most effort to manage with zero ROI (return on investment) in terms of security gain.

SSID hiding: There is no such thing as "SSID hiding". You're only hiding SSID beaconing on the Access Point. There are 4 other mechanisms that also broadcast the SSID over the 2.4 or 5 GHz spectrum. The 4 mechanisms are; probe requests, probe responses, association requests, and re-association requests. Essentially, youre talking about hiding 1 of 5 SSID broadcast mechanisms. Nothing is hidden and all youve achieved is cause problems for Wi-Fi roaming when a client jumps from AP to AP. Hidden SSIDs also makes wireless LANs less user friendly. You dont need to take my word for it. Just ask Robert Moskowitz who is the Senior Technical Director of ICSA Labs in his white paper Debunking the myth of SSID hiding.

LEAP authentication: The use of Cisco LEAP authentication continues to be the single biggest mistake that corporations make with their wireless LAN because they leave themselves wide open to attack. Cisco still tells their customers that LEAP is fine so long as strong passwords are used. The problem is that strong passwords are an impossibility for humans to deal with. If you doubt this, try a password audit of all the users in your organization and see how long it takes to crack 99% of all passwords. 99% of organizations will flunk any password audit for most of their users within hours. Any attempt to enforce strong passwords will result in passwords written on sticky notes. Since Joshua Wright released a toolthat can crackLEAP with lighting speed, Cisco was forced to come out with a better alternative to LEAP and they came up with an upgradeto LEAP calledEAP-FAST. Unfortunately, EAP-FAST still falls short in security with its default installation. Although Cisco makes LEAP and EAP-FAST freely available to partners for the client end, the same is not true for Access Points.LEAP and EAP-FAST are essentially two proprietary protocolsthat Cisco employs as a strategy to monopolize the Access Point market. There are open standards based EAP mechanisms like EAP-TLS, EAP-TTLS, and PEAP which are all much more secure than either LEAP or EAP-FAST and they work on all Access Points and client adapters, not just Cisco. Cisco does support open standard EAPs just like everyone else so you should always use open EAP standards to get better security and avoid the hardware lock-in.

Disable DHCP: This is much more of waste of time than it is a security break. DHCP allows the automatic assignment of IP addresses and other configurations. Disabling DHCP has zero security value and just wastes time. It would take a hacker about 10 seconds to figure out the IP scheme of any network and simply assign their own IP address. Anyone who tells you that this is a way to secure your wireless LAN doesn't know what they're talking about.

Antenna placement: I've heard the craziest thing from so called security experts that actually tell people to only put their Access Points in the center of their building and put them at minimal power. Antenna placement does nothing to deter hackers. Remember, the hacker will always have a bigger antenna than you which can home in on you from a mile away. Making a wireless LAN so weak only serves to make the wireless LAN useless. Antenna placement and power output should be designed for maximum coverage and minimum interference. It should never be used as a security mechanism.

Just use 802.11a or Bluetooth: Fortunately, I haven't heard this one for a while. There were so called security experts that went around telling people that they simply needed to switch to 802.11a or Bluetooth to secure their wireless LAN. 802.11a refers to a physical transport mechanism of wireless LAN signals over the air, it does not refer to a security mechanism in any way.

Dishonorable mention:  Some of you might be wondering why I didn't put WEP in as one of the six dumbest ways to secure a wireless LAN. In light of recent developments within the last 6 months, it takes only a few minutes to break a WEP based network which makes WEPcompletely ineffective and a good potential future candidate for the wireless LAN security hall of shame.  Where it currently fails to be in the hall of shame is that it still holds up for a few minutes, requires a little skill to launch the packet injection attacks, and isn't propagated as an urban legend for a secure wireless LAN.  The top six require no skills, takes less than a minute to crack, and are propagated asurban legend.  However, that doesn't mean you should use WEP in any form or shape.

This blog wasn't just meant to be funny, it's serious business that so many organizations waste their time and money on worthless security schemes that give them a dangerous false sense of security.  If you fall in to any of these six categories, it's time to wake up and implement some real wireless LAN security.  For those interestested in some simple advice for their homes and small offices, check out my last blog.

Myth vs. reality: Wireless SSIDs

Do you ever wonder sometimes how it is that some ideas just won't die? Like the thought that not broadcasting your wireless network's SSID will somehow make you more secure? This is a myth that needs to be forcibly dragged out behind the woodshed, strangled until it wheezes its last labored breath, then shot several times for good measure.

Folks, there are fundamental differences between names, which are public claims of identities, and authenticators, which are secrets used to prove identities, and I've written extensively about this before. An SSID is a network name, not -- I repeat, not -- a password. A wireless network has an SSID to distinguish it from other wireless networks in the vicinity. The SSID was never designed to be hidden, and therefore won't provide your network with any kind of protection if you try to hide it. It's a violation of the 802.11 specification to keep your SSID hidden; the 802.11i specification amendment (which defines WPA2, discussed later) even states that a computer can refuse to communicate with an access point that doesn't broadcast its SSID. And, even if you think your SSID is hidden, it really isn't. Let me explain.

All 802.11 wireless networks, regardless of the kind of operating system or encryption you might use, also emit unencrypted frames at times. One kind of unencrypted frame is an association frame. This is what a client computer, or "supplicant" in the 802.11 protocol vernacular, emits when it wants to join a wireless network. Contained within the frame, in clear text of course (since the frame is unencrypted), is the SSID of the network the supplicant wants to join.

Both Windows XP and Vista work best when your access points broadcast their SSIDs. XP really doesn't behave well at all with nonbroadcasting SSIDs. Vista has some added smarts to improve this a bit. Normally, Vista continually sends probe requests for nonbroadcasting networks. These probes are similar to unencrypted 802.11 association frames, and will generate clear-text responses from the access points if a nonbroadcasting network is present. You can reduce, but not entirely eliminate, these probes by configuring the wireless client to probe only for automatically-connected nonbroadcasting networks.

Both these behaviors make it very easy for an attacker to discover your SSID. The bad guy, perhaps a contractor or a guest in your facility, could run one of many wireless sniffer programs and simply capture the hundreds of association frames or probes that litter your air. No amount of "hiding" configured in your access points can prevent this kind of traffic interception.

So there you have it, simple SSID discovery. The old axiom remains true: security by obscurity is no security at all. Hiding an SSID will not hide a wireless network, so ignore any such advice -- and it's amazing how often I continue to see this. By the way, also ignore any advice that says to use MAC address filtering. It's amazingly trivial to spoof the MAC address of an allowed supplicant -- simply sniff the traffic, look at the MAC addresses, and use the neat little SMAC utility to change your MAC to one that's permitted.

Nonbroadcasting networks are not secure networks. The right way to secure a wireless network is to use protocols that are designed specifically to address wireless network threats. If you're still using WEP, either static or dynamic, I encourage you to move to WPA2 as soon as possible. For those of you at home running XP and have kept it updated, or if you're running Vista, then, you simply need to enable WPA2. We've got some additional guidance for home/small offices and for enterprise networks with certificate services or without. If you have hardware that's more than two years old and you can't upgrade it, check to see whether it supports WPA (an interim specification released before WPA2 was ratified). Both WPA and WPA2 are built on sound cryptographic principles, they're proven in the field, and they'll keep the bad guys out -- even when you're broadcasting your SSID to the world.

This article gives a good implicit understanding of administering WiFi networks. By implication you should set up WPA first, then change your admin password, but only using a wired port.

Wireless LAN security myths that won’t die

+53

141 votes Worthwhile?

Summary: More and more hotels are offering both wired and wireless internet, but along with those connections comes a security risk most folks don't consider.

Yes.

Hotel network security is one of the most overlooked risks travelers face. And I'm not just talking wireless, I'm talking any internet connection provided by your hotel.

In fact, I'm actually writing this in a hotel room, and yes, I have taken a few precautions.

•

It's a topic c|net blogger Michael Horowitz has also written about: Ethernet connections in a hotel room are not secure and the title says it all.

I'll put it another way: hotel internet connections are just as unsafe as an unsecured wireless hotspot.

 Good stuff on what to do about it follows online...

Be careful of using public wireless hotspots, even if they claim to be secure. There's a good chance they are still vulnerable to hacking and your personal data could be stolen, according to wireless security manufacturer AirDefense. The company monitored wireless access points at stores and other retail outlets in Atlanta, Boston, Chicago, Los Angeles, New York City, San Francisco, London, and Paris as part of an annual wireless security survey and found that a quarter of the 4,748 access points surveyed had no encryption whatsoever.

Another 25 percent of the access points used Wired Equivalent Privacy (WEP) to protect against outsiders. AirDefense was not impressed, however, describing it as "one of the weakest protocols for wireless data encryption." Indeed, the largest incident of consumer data theft to date is being blamed on WEP, which has been notoriously easy to hack since as far back as 2001. Just under half (49 percent) of the surveyed hotspots used WiFi Protected Access (WPA) or WPA 2, which AirDefense was much happier about because the protocols offer much stronger encryption than WEP.

How Windows Firewall affects network locations

The “Public place” location blocks certain programs and services from running, to help protect your computer from unauthorized access while you are connected to a network in a public place. If you are connected to a "Public place" network and Windows Firewall is turned on, some programs or services might ask you to unblock them (allow them to communicate through the firewall) so that they work properly.

When you unblock a program, Windows Firewall unblocks it for every network with the same location type as the network you are currently connected to. For example, if you connect to a network in a coffee shop and choose "Public place" as the location type and then you unblock an instant messaging program, that program will be unblocked for all networks in the "Public place" location.

If you unblock multiple programs while you're connected to a public network, consider changing the network location to "Home" or "Work." It might be safer to change this one network than affect every public network you connect to. But remember that if you make that change, your computer will be visible to others on the network.

 From Vista Help & Support

In Windows Vista, you connect to a wireless network by first clicking the network icon in the System Tray, then selecting "Connect or disconnect." The "Connect to a Network" screen shows up, with a list of nearby wireless networks. You see the name of each and whether the network is encrypted or not; to get more details about any, hover your mouse over it, as shown in the nearby figure. But those details don't include whether the network is a true hot spot or an ad hoc network.

Before you connect to a new wireless network, the only way to tell the difference between an ad hoc network and one in infrastructure mode is to look at the network icon next to it on the "Connect to a Network" screen. As you can see in the nearby figure, the icon for a normal Wi-Fi network is one computer, while the icon for an ad hoc network instead is several computers. That's it; there's no other way to distinguish between the two.

Here's another oddity: If you right-click the list of available networks, on the menu that appears, some of them have a Properties menu item and others don't. Only those networks that you've previously visited and saved to your network list will have the Properties menu item. If you choose Properties, select the Connection tab and look next to Network Type, you'll see whether it's an ad hoc network or an access point (a normal hot spot).

But if you haven't yet connected to the network (or if you have connected previously but haven't saved it), it won't have the Properties menu item. So you can't use that method of distinguishing between ad hoc and normal Wi-Fi networks when you're looking for a hot spot on the road.

Other Steps You can Take

There are other steps you can take to keep yourself safe, including turning off file sharing and running your company's VPN when at a hot spot. You can also pay to use a VPN such as HotSpotVPN. For details and many other tips for keeping yourself safe, see "How to protect yourself at wireless hot spots".

In addition, Authentium is working with financial institutions to create a product called VirtualATM, which will help protect you when you connect to a financial institution. It's expected to be released later this year.

Preston Gralla is a contributing editor for Computerworld.com and PC World.com, and the author of more than 35 books, including How the Internet Works.

Wireless Networking in Windows Vista

Brief Description

June 12, 2007

One of the numerous changes and enhancements in Windows Vista is the range of networking features. Microsoft tried to increase networking performance and security, though users will have to get used to a new look and interface. Therefore, this series of tutorials will introduce you to some of the enhancements and changes in Windows Vista involving networking, compared to its predecessor, Windows XP, and will show you how to perform common networking configuration tasks.

Network and Sharing Center

The new Network and Sharing Center (below) provides a one-stop shop for all your networking and Internet configuration needs.

You can access the Network and Sharing Center via many methods:

• Right-click on the network status icon in the system tray.
• Double-click on the network status icon in the system tray.
• Double-click on the Network and Sharing Center icon in the Control Panel.
• Click on the Network and Sharing Center button on the tool bar when viewing your Network.

As you can see, this center provides visual maps of your home or office network. The full map that’s accessible from this center provides an easy way to access any shared resources of other PCs and devices on the network.

Just below the network map on the Network and Sharing Center, you can view and access your connection information. The Customize link allows you to change the name of the network connection, the type (private or public), and the icon given to the network connection, such as the briefcase you see in figure 1.

Next, you’re provided with the status of all the main sharing and discovery settings and the ability to make quick changes, which is a big enhancement from XP.

Another exceptional improvement is the set of links on the bottom of the window, showing you all the files and folders your account and computer are sharing on the network.

The integrated task pane on the left side of the window provides access to familiar connectivity settings and tasks, as well as a shortcut to the Internet Options and Wireless Firewall settings.

New Network Classification Scheme

In Windows Vista, the first time you connect to a network, you must classify its location/type: Home, Work, or Public.

Here’s the window that pops up after you connect to a new network:

This new feature is extremely useful as it automatically modifies the appropriate network settings based upon the location type you choose. For example, say you connect to the Wi-Fi hotspot at your local café; you would choose Public location. Then Vista will automatically disable all network discovery and sharing to protect your documents and privacy while on the unsecured network. Then, say you went back home and connected to your home network, naturally classified as a Home location. Windows Vista then would allow network discovery and sharing, because you trust the other users on the network.

Support for Non-Broadcasting Wireless Networks

Windows Vista makes it easier to use wireless networks that do not broadcast their SSID (define) (also known as the network name). In Windows XP, these types of networks didn’t appear on the list of available wireless networks; however, they now appear as unnamed networks in Windows Vista.

Instead of having to manually add a non-broadcasting wireless network to the preferred network list in order to connect, all you have to do in Vista is select the Unnamed Network, click Connect, and when prompted, enter the SSID.

You may think that this degrades the security that hidden networks offer; however, the SSID is still needed in order to connect to the network. Additionally, not broadcasting your SSID doesn’t offer a whole lot of security anyway, a fact that I’ve discussed before.

Where’s My Network Places?

The My Network Places feature that has been in previous versions of Windows has simply been renamed to Network in Vista. You can access the Network on Vista’s start menu or when viewing your computer contents in Windows Explorer. Furthermore, for even quicker access, you can add the Network icon to your desktop:

1. Right-click on your desktop and select Personalize.
2. Click the Change desktop icons link, on the left in the integrated task pane.
3. Check the icons you wish to appear on the desktop, then click OK to exit.

Stay Tuned for more on networking using Windows Vista.

Eric Geier is the founder and president of Sky-Nets, Ltd., which operates a Wi-Fi hotspot network serving the general aviation community. He has also been a computing and wireless networking author and consultant for several years. Eric’s latest book is Wi-Fi Hotspots: Setting up Public Wireless Internet Access, published by Cisco Press.

July 10, 2007

As mentioned in Intro to Wi-Fi Networking Using Windows Vista, there have been many changes to the networking features in Windows Vista. Now I’ll cover exactly how to connect to wireless networks and perform other connection configuration tasks using Vista.

Although the new networking interfaces in Vista may be better organized and enhanced for the majority of consumers, most IT professionals and advanced PC users won’t care for the redesign. As you’ll see, accessing some networking configuration and connection detail windows now requires more clicks than before.

Connecting to a Wireless Network

One of the most similar networking tasks in Vista compared to XP is the process of connecting to wireless networks. The only major change is that the connecting window in Vista doesn’t provide direct access to the wireless network preferences and advanced settings. To access these items in Vista, you have to go to the Network and Sharing Center.

Here’s how to connect to a Wi-Fi network in Vista:

1. Right-click on the network status icon in the system tray, and select Connect to a network.

The connection window pops up:

2. Select the network you would like to connect to, and click Connect.

You may be informed that the network is unsecured (not using WEP or WPA), in response to which you would click Connect Anyway to proceed, or you may be prompted that the network is secured and that you need to enter a key to continue.

3. Once the connection is complete, Vista will let you know that it has successfully connected to the network, and you can click Close to exit the connection window.

Creating an Ad-hoc (Computer-to-Computer) Network

Creating an ad-hoc network in Windows XP was a bit crude. You would add a network to the preferred list and check the ad-hoc option, then you would have to do some tinkering to start getting it broadcasting as ad-hoc. However, Windows Vista includes a wizard dedicated to creating peer-to-peer ad-hoc networks.

Here’s how to access the ad-hoc setup wizard:

1. Right-click on the network status icon in the system tray, and select Connect to a network.

The connection window pops up.

2. Click the Set up a connection or network link.

The Connect to a Network window pops up.

3. Choose the Set up a wireless ad hoc (computer-to-computer) network option, and click Next. Then follow the on-screen directions.

Modifying Your Preferred Wireless Network List

Just like the majority of the other networking tasks and preferences, to prioritize your wireless networks and to configure other individual settings (such as auto connecting), you need to go to the Network and Sharing Center.

Here’s how to access the individual settings and preferences of wireless networks in Vista:

1. Right-click on the network status icon in the system tray, and select Network and Sharing Center.

2. In the Network and Sharing Center, click the Manage wireless networks link on the integrated task pane to the left.

The Manage Wireless Networks window pops up:

3. To change the priority of the wireless networks, use the move up/down arrows, which are visible after clicking on an entry. You can also double-click on an entry to configure its connectivity preferences (such as auto connecting) and security settings.

Checking Network Connection Details

In Windows XP, it was very easy to access the details of your network connections. Just hovering over the status icon in the system tray would give you the SSID or network name, data rate, signal and connectivity status; a quick double-click would give you the activity, duration and IP address information. This is not the case with Vista, however.

Hovering over the network status icon in Vista only gives you the SSID, signal and connectivity status; double-clicking only gives you links to access the Connect to a Network window and the Network and Sharing Center. Accessing the other information (IP address and data rate) takes a few more clicks.

Here’s how to access your network connection details in Vista:

1. Right-click on the network status icon in the system tray, and select Network and Sharing Center.

2. In the Network and Sharing Center, click the View status link next to the Network Name and SSID info.

The Network Connection Status window pops up:

3. You now have access to most of the network connection details; however, for the IP address information, you have to click the Details… button.

September 18, 2007

Although the new Network and Sharing Center in Windows Vista may be great for the average consumer, it can be quite a nuisance for advanced users because of the added steps to access many of the networking configuration settings. While Windows XP didn’t offer an exceptionally user-friendly networking interface, it was quick and easy to access certain network settings if you knew what you were looking for.

This tutorial will wrap up our series on networking with Windows Vista by showing some tips and tricks to help with your transition from Windows XP.

Add the Network Icon to the Desktop

The Network icon (replacement for My Network Places), like the other main system icons, isn’t placed on the desktop by default in Windows Vista. The Recycle Bin is the only desktop icon that automatically appears.

You can access the Network on Vista’s Start Menu or when viewing your computer contents in Windows Explorer. Furthermore, for even quicker access you can add the Network icon to your desktop. Here's how:

1. Right-click on your desktop and select Personalize.

2. Click the Change desktop icons link, on the left in the integrated task pane.

3. Check the icons you wish to appear on the desktop, then click OK to exit.

Quick Access to Network Connections

Disabling or enabling a connection in Windows XP only took a right-click on the network status icon in the system tray; however in Vista you have to open the Network and Sharing Center, click on a link to open the Network Connections window; then you can disable/enable a connection.

To save a few clicks each time you need to manage your network connections, you can create a desktop shortcut directly to the Network Connections window; here’s how:

1. Right-click on the desktop, select New, and select Shortcut.
2. In the location field enter the following:

explorer.exe ::{7007ACC7-3202-11D1-AAD2-00805FC1270E}

1. Enter a name for the shortcut and click Finish.
2. If you wish, you can even apply the official Network Connections icon to the shortcut you just created:
1. Right-click on the icon and select Properties.
2. Click the Change Icon… button.
3. Enter the following into the text field:

%SystemRoot%system32netshell.dll

1. Click OK to select the icon and click OK on the shortcut properties window to exit and apply the changes.

For even quicker access to the Network Connections window, you can add the icon to the Quick Launch toolbar. Just drag the new desktop icon and drop it into the Quick Launch area.

Rename Network to My Network Places

The My Network Places from Windows XP has been renamed simply to Network in Vista. If you’re particular about the naming of your icons or you find it hard to get used to the Network icon after years of seeing My Network Places, you can change it.

Unfortunately, you can’t simply click on the icon and rename it as you can with other icons. You’ll have to do this through a more complex method—by editing the Windows Registry. Here's how:

1. Open the Start menu.
2. In the search field, type “regedit”(for Registry Editor) and hit enter.
3. If using the Classic Start menu, click on Run, type “regedit”, and click OK.
4. Navigate to the following folder:

HKEY_CURRENT_USERSoftwareClassesLocal SettingsSoftwareMicrosoftWindowsShellMuiCache

1. In the righthand pane, double-click the following key:

@C:Windowssystem32NetworkExplorer.dll,-1

1. Enter your desired name in the Value data field and click OK.
2. Close the Registry Editor.
3. To activate the new icon name, right-click anywhere on the desktop and select Refresh.

The new icon name should now appear.

Add the Internet Explorer (IE) Icon to the Desktop

Along with the other main icons, the Internet Explorer icon isn’t automatically placed on the Vista desktop. In addition, the Internet Explorer icon can’t even be enabled via the desktop icon settings via the Personalization window. This can be rather bothersome when you’re used to clicking on the IE icon to surf the web. Nevertheless, there are ways to get the icon on your desktop:

Here’s the simplest way to add the Internet Explorer icon to the desktop:

1. Open the Start menu.
2. Click and drag the Internet Explorer icon (from the top of the Start menu) to the desktop.
3. To change the icon’s shortcut label, right-click on the icon, select Rename, enter the desired name, and hit Enter.

Although that was simple, you’ll have the ugly arrow on the Internet Explorer icon, unlike the other main icons like Computer, Network, and Recycle Bin. You can however go through the more advanced method of adding the Internet Explorer icon without the arrow, but this requires editing the Windows Registry:

1. Open the Start menu.
2. In the search field, type “regedit” and hit enter.

If using the Classic Start menu, click on Run, type “regedit”, and click OK.

1. Navigate to the following folder: HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorerHideDesktopIconsNewStartPanel
2. In the right hand pane, double-click the following key:

{871C5380-42A0-1069-A2EA-08002B30309D}

            If the key doesn’t exist, you need to create it:

a)      Right-click in the right hand pane, select New, and click on DWORD (32-bit) Value.

b)      Type the above key (including the brackets) into the entry and hit Enter.

c)      Then double-click on the new key and proceed to the next step.

3.      In the Value data field, type “0”, and press OK.

1. Close the Registry Editor.
2. To activate the Internet Explorer icon, right-click anywhere on the desktop and select Refresh.

The Internet Explorer icon should now appear on your desktop.

If you haven’t already, check out all the earlier tutorials on networking using Windows Vista:

• Sharing on a Wi-Fi Network Using Windows Vista
• Connecting to Wi-Fi Networks Using Windows Vista
• Intro to Wi-Fi Networking Using Windows Vista

August 16, 2007

Now that we've covered network connectivity tasks using the new Windows Vista, we'll discuss the differences of sharing from Windows XP. Although setting up shared resources in Vista is similar to what you may be used to in Windows XP, it can be a bit confusing at first. Therefore, I'll show you step-by-step how to perform common network sharing tasks and configurations.

Share Files Using the Public Folder

Windows Vista doesn't have the Shared Documents folder (which Windows XP offered), however the Public folder is included which offers a very easy way to share files and documents with others on the same network in addition to other user accounts on the PC.

As Figure 1 shows, you can access the Public folder from Windows Explorer or Computer.

Figure 1

You can simply drag and drop (or copy and paste) files and folders into the Public folder (or one of its subfolders) to share them with users on the same PC and others on the same network.

Although Vista automatically shares the Public folder with other network users, there is a security measure in place to help prevent unintended sharing of your Public folder when on public and other un-trusted networks, such as Wi-Fi Hotspots. As mentioned in Intro to Wi-Fi Networking Using Windows Vista, there's a new network classification scheme where you're prompted to classify the networks you connect to, as Home, Work, or Public.

For example, if you choose Public location, Vista will automatically disable all network discovery and sharing (the Public folder and any manually shared folders) to protect your documents and privacy while on the unsecured network. Then if you go back home and connect to your network (that you classified as Home), sharing will be re-enabled.

You can also easily disable the sharing of the Public folder at anytime via the Network and Sharing Center which can be accessed by right-clicking on network status icon in the system tray. Then just scroll down to the green and/or gray status lights, click the arrow to the right of the Public folder sharing light, select your desired setting, and click Apply.

Share a Specific Folder

In addition to dragging over files to the Public folder, you can also enable the sharing of just about any folder on your PC, just like you could in Windows XP. Setting up sharing for folders in Vista isn't much more difficult than in XP, though it's a bit more confusing at first. Here's how to do it:

1. Right-click on the folder you want to share and select the Share… option. The File Share window pops-up. Figure 2 shows an example.

Figure 2

The list box with the Name and Permission Level fields are those who can access the shared folder (we'll call it the Access List). The Windows account you're currently logged on is automatically added to the Access List.
2. Using the drop down list (just above the Access List), select who you want to add to the Access List and click Add. To share the folder among network users (and consequently all other user accounts on the PC), select and add the Everyone entry from the drop down list.
3. After adding an entry to the Access List, you can modify the Permission Level by clicking its arrow.
Here's the attributes of the levels:

• Reader: Can view shared files, but not add, alter, or delete them.
• Contributor: Can view or add shared files, but can only alter or delete files he or she has contributed.
• Co-owner: Can view, add, alter or delete any shared file.

4. Once you're done click the Share button to apply the changes. Then you'll see a window letting you know the folder is now shared and its path. 5. Click Done to exit.

Share a Printer

Just like in Windows XP, you can easily set up a printer that's connected to a PC to be shared among users on the network; here's how:

1. Open the Printers folder from the Control Panel.
2. Right-click on the printer you want to share and select the Share… option. The printer properties window pops up with the Sharing tab selected.
3. Click Change Sharing Options. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
4. Check the Share this printer option.
5. Enter the name in the Share name field that you would like to show in the network resources.
6. Click OK.

Use a Shared Printer

Once you have enabled the sharing of a printer, you can add that printer to other PCs on the network so you can print from it. Here's how to do it in Windows Vista:

1. Open the Printers folder from the Control Panel.
2. Click the Add a printer button on the toolbar.
3. Select the Add a network, wireless, or Bluetooth printer button. It will begin searching for any shared printers on the network.
4. Select the printer and click Next. If you don't see the printer you want, click the appropriate button to manually find it.
5. Enter your desired name for the new printer.
6. If you don't want the printer to be the default one selected/used when printing from the PC, uncheck the appropriate option.
7. Click Next.
A window should appear indicating the printer was successfully added.
8. To ensure its setup correctly click Print a test page.
9. Click Finish.

If you're unable to find the shared printer during the setup, you may want to ensure that printer sharing isn't disabled on the PC hosting the printer. You can check this by opening the Network and Sharing Center and scrolling to the appropriate entry on the status light area

Enable Password Protection

In Windows Vista you can enable password protection for your shared folders. When enabled, however, your shared resources aren't shared with others on the network. The shared resources will only be available to other user accounts on the same PC; and of course access is only given by entering the password.

1. Right-click on the network status icon in the system tray and select Network and Sharing Center. The Network and Sharing Center pops up.
2. Scroll down to the green and/or gray status lights and click the arrow on the right of Password protected sharing. The settings will appear, as seen in Figure 3.

Figure 3

3. Select Turn on password protected sharing and click Apply.

View All Your Shared Folders

Unlike Windows XP, Vista allows you to easily and quickly see all the folders you're sharing. It's very easy to forget which folders you've shared over time, though this feature enables you to always know exactly what is being shared and to whom. Therefore you can better protect your data and privacy which is particularly important for those who often use un-trusted networks such as Wi-Fi hotspots.

Here's how to view the lists of shared files and folders:

1. Right-click on the network status icon in the system tray and select Network and Sharing Center.

2. Scroll all the way to the bottom of the Network and Sharing Center.

3. Click on the links, as pointed out by the red arrow in figure 4, to view the files and folders you are sharing.

Figure 4

It's a good idea to periodically check your shared folders, their permission settings, and their contents to make sure you don't unintentionally share something that's private or sensitive.

Stay Tuned for more on networking using Windows Vista.

Where to rent

Two companies that rent VPNs are Witopia and HotSpotVPN. Both offer two types of VPNs, PPTP and SSL. The pros and cons of each type of VPN are not something I'm ready to get into. Suffice it to say that a PPTP VPN is usually cheaper, probably won't require software to be installed, and is not as secure when compared to an SSL-based VPN.

The HotSpotVPN-1 service is based on PPTP, while the HotSpotVPN-2 is based on SSL. HotSpotVPN-1 is roughly $9 per month, and HotSpotVPN2 ranges from roughly $11 to $14 per month depending on the strength of the encryption. According to Steve Gibson, the cheapest encryption strength is sufficient. In both cases, yearly charges are 10 times the monthly charge. HotSpotVPN-1 is also available by the day or week.

WiTopia offers PersonalVPN (PPTP) and PersonalVPN (SSL). Their SSL-based VPN is only $40 a year (the equivalent service from HotSpot is $110 to $140 per year).

Both companies throw in a PPTP-based VPN when you order an SSL-based VPN and they both point out that Apple's iPhone supports PPTP-based VPNs.

Using a VPN is a small annoyance, but security and convenience will forever be at odds.

May 10, 2007

Configuring or reconfiguring a wireless network — or just adding a new device to an existing one — can often be a hassle. In fact, keeping configuration effort to a minimum is one of the main reasons many people choose (unwisely) to do things like use default SSIDs (define), simplistic and easily guessed encryption keys, or altogether forgo the use of encryption on their WLANs (define). This is especially true when there are lots of wireless systems that need to be set up, because few people relish the task of typing in long and cumbersome text strings over and over again.

But if you have several systems running Windows XP SP2, there is a way to avoid some of the repetitive, time-consuming and error-prone data entry. Using a built-in technology called Windows Connect Now (WCN), you can automate the wireless configuration process for many PCs and possibly for other types of wireless devices, too.

Save a Step (or Several)

Here's how WCN works in a nutshell — instead of typing your SSID and encryption key individually into multiple systems, you can enter your WLAN configuration information once into a WCN wizard. It's then automatically stored in an XML (define) file and copied to a USB (define) flash memory drive, which you can use to set up additional wireless systems and devices without having to renter the information again.

Like most technologies, WCN isn't without its limitations. It was originally intended to be built into a host of wireless-enabled devices including routers and printers, and when the feature first debuted there were a handful of such devices that supported it. These days, however, relatively few non-PC devices support WCN (there's a list of compatible devices on Microsoft's WCN web site, but most are dead links indicating a product that's been discontinued). If you have a wireless device with a USB port, check your documentation to see if it's WCN-compatible — one currently available product that supports WCN is D-Link's DNS G-120 storage adapter, as does Microsoft's own Xbox 360 game console.

In spite of the drawbacks, WCN can, at the very least, be a useful and time-saving way to configure wireless settings on multiple PCs running Windows XP SP2 — which represents a significant percentage of what people are still running. (Unfortunately, it doesn't work with previous Windows versions, nor unsurprisingly, with non-Windows systems.)

Getting Started

The first step to using Windows Connect Now is to run the Wireless Network Setup Wizard, which you'll find in the Windows Control Panel. When you launch the wizard for the first time you'll be prompted to enter an SSID for your wireless network and choose whether you want to have Windows automatically create an encryption key or manually assign one yourself. Before clicking Next, be sure to check the box labeled Use WPA (define) encryption instead of WEP (define).

If you allow the wizard to generate your encryption key, it will create one using the maximum allowed length. But if you decide to use your own, make it as long and the characters as random as possible, because when it comes to WPA keys, longer means stronger.

As you proceed through the wizard you'll be given the option to save the data to a USB flash drive (the default choice) and you'll have to specify the drive letter that corresponds to your USB device. Once you've done that and clicked Next, leave the wizard open, remove the USB device, and plug it into the another XP SP2 system you want to configure. When the pop-up menu appears select the first option — to run the Wireless Network Setup Wizard — and then confirm that you want to add the system to your WLAN. Then remove the USB drive and repeat the process on any additional systems or devices.

Note that if you use plug your USB key into a WCN-compatible device other than a PC, it will generally flash a staus LED (define) three times to indicate that it's been successfully configured. (Some additional steps are required with the Xbox 360 — for details consult xbox.

Once you've finished configuring all your systems and/or devices, plug the USB drive back into the original XP system you started at. (You'll see the same pop-up menu, which you can dismiss or use to configure that system if you haven't already done so.) Return to the Wireless Network Setup Wizard and click Next, and you'll see a list of the systems and/or devices you've configured. You'll also see a button labeled Print Network Settings, and it's not a bad idea to use it to make yourself a hard copy. The printed record (kept appropriately secured, of course) can come in handy as a reference to manually configure a device that doesn't support Windows Connect Now.

By default, there should be a check in the box next to "For security reasons, remove network settings from my flash drive." It's best to leave this option selected and delete the data than to leave your wireless security information on a device that can easily be misplaced and fall into the wrong hands. (Remember — as long as the network settings are present, the flash drive will offer to use them to configure any WCN-compatible device it's plugged into.)

However, the good news is that even if you delete the settings, you won't need to re-enter the information if you ever decide you need to use the Wireless Network Setup Wizard again. The next time you run the wizard (from the original system, of course) you'll have the choice to either set up a new network or to add additional devices to your existing one. Your original SSID and encryption key information is retained by the wizard, so if you choose the latter, the information can automatically be recopied to your USB device.

Wi-Fi Protected Access 2 (WPA2) Overview

By The Cable Guy

For a list and additional information on all The Cable Guy columns, click here

Introduction

The original IEEE 802.11 standard provided the following set of security features to secure wireless LAN communication:

• Two different authentication methods: Open system and shared key

• The Wired Equivalent Privacy (WEP) encryption algorithm

• An Integrity Check Value (ICV), encrypted with WEP, which provided data integrity

Over time, these security features proved to be insufficient to protect wireless LAN communication in common scenarios. To address the security issues of the original IEEE 802.11 standard, the following additional technologies are used:

• The IEEE 802.1X Port-Based Network Access Control standard is an optional method for authenticating 802.11 wireless clients. IEEE 802.1X provides per-user identification and authentication, extended authentication methods, and, depending on the authentication method, encryption key management dynamic, per-station or per-session key management and rekeying.

• Wi-Fi Protected Access (WPA) is an interim standard adopted by the Wi-Fi Alliance to provide more secure encryption and data integrity while the IEEE 802.11i standard was being ratified. WPA supports authentication through 802.1X (known as WPA Enterprise) or with a preshared key (known as WPA Personal), a new encryption algorithm known as the Temporal Key Integrity Protocol (TKIP), and a new integrity algorithm known as Michael. WPA is a subset of the 802.11i specification.

Weakness in Passphrase Choice in WPA Interface

By Glenn Fleishman

By Robert Moskowitz
Senior Technical Director
ICSA Labs, a division of TruSecure Corp

Use of PSK as the key establishment method

WPA and 802.11i provide for a Pre-Shared Key (PSK) as an alternative to 802.1X based key establishment. A PSK is a 256 bit number or a passphrase 8 to 63 bytes long. Each station MAY have its own PSK, tied to its MAC address. To date, vendors are only providing for one PSK for an ESS, just as they do for WEP keying.

When a PSK is used instead of 802.1X, the PSK is the Pairwise Master Key (PMK) that is used to drive the 4-way handshake and the whole Pairwise Transient Key (PTK) keying hierarchy. There is a straightforward formula for converting a passphrase PSK to the 256-bit value needed for the PMK.

This paper will look into the risks of using a PSK and particularly the risk associated with a passphrase-based PSK.

Learn The Basics Of WPA2 Wi-Fi Security

AES Encryption And AirPort Extreme

Eric Hildum
David Cain [Oct. 19] is apparently confused by the various settings. The WPA Personal setting is actually the AES encryption that he is looking for, but it is 256 bit, not 128 bits. Specifically, the WPA Personal is what is referred to more formally as WPA-PSK.

One issue that Mr. Cain may be encountering is the differences that various manufacturers have in implementing some of the details of the WPA-PSK standard, particularly with regards to the number of keys and the method by which a text string is converted to a hexadecimal key. Apple's products use only one key - if his base station has more than one, the keys will be rotated and he will have problems - symptoms of which would be intermittent no access and dropped connections.

For best compatibility, configure the wireless access point with one and only one 64 digit hexadecimal key, and enter the same key on the PowerBook. Do NOT use the optional text password/key entry in either system as they may not be converted to a hexadecimal key the same way, which would result in mismatched keys and no access.

September 30, 2005

Security is all the talk in wireless networks today, whether at home or in the office -- and for good reason. Which security is best for you? WEP (Wired Equivalent Privacy) used to be the standard, but newer and arguably better security standards have been implemented for wireless. Wi-Fi Protected Access (WPA), so named by the Wi-Fi Alliance, is taking the lead alongside an even newer version, WPA2. Both are based on the Institute of Electrical and Electronics Engineers (IEEE) 802.11i ratified amendment.

WEP was never a strong protection mechanism, and was easily broken. WPA builds upon WEP, making it more secure by adding extra security algorithms and mechanisms to fight intrusion. With WPA’s more advanced features come more options for configuring security on your network, but the added complexity can turn securing a network into a giant headache. Still, with the right approach, it needn’t be painful.

WPA allows for two kinds of security authentication types, WPA-802.1x (AKA WPA-Enterprise) and WPA-PSK (or WPA-Home). WPA-802.1x (RADIUS) signifies that there is a RADIUS (Remote Authentication Dial-in User Service) server on the network. A RADIUS server isn't just for dial-up connections — it is a certificate authenticator that only allows client stations to connect with the Access Point (AP) if it sees a valid certificate on the client, which the server provided earlier. This use of WPA is generally for medium to large businesses, and is generally not used in SOHO (small office/home office) setups.

Many APs now come with integrated Authentication Servers (AS) which act as RADIUS servers, giving SOHO users the ability to use WPA-802.1x authentication schemes if they want, even for small groups. But WPA-PSK is the better choice for SOHO users, because of its simple setup and deployment across a multi-vendor environment. WPA-PSK (Wi-Fi Protected Access with Pre-Shared Key) enables users to easily set up and manage a secured WLAN.

WPA-PSK uses a pass-phrase, which is between 8 and 63 characters long. This pass-phrase is created and entered by the user into any client station’s configuration utility, as well as into the AP. (A recommendation: do not pick a password already in use within the network, and do not use a variation of your office address.) Generally, when creating or setting up a wireless LAN, the first thing to be configured is the AP, which is then followed by the configuration of client stations. Configuring an AP depends largely upon the manufacturer’s instructions; client station configuration is where the real choices about security come into play. First, we’ll turn to setting up the AP.

Access Point Configuration

It is my solemn duty to recommend, if you are buying a new access point, that you read through the manual on how it is to be configured as you take it out of the box. Methods for configuring client stations and APs vary widely depending on the manufacturer and configuration utilities; some have their own configuration programs, others are configured by using a Web browser, and still others use a command line interface (CLI), so reading the manual is important. For ease of explanation, I will refer to APs that are configured using Web browsers, and will not go into all the features APs offer.

Most APs have a separate page for setting the Network Name, otherwise known as the SSID (Service Set Identifier). On this page, you must specify the same Network Name as on the client stations. For example, if you set the name "My Network SSID" on the client stations, you should therefore use it on the AP as well (or vice versa — most people set up the AP first).

After setting the SSID on the AP, navigate to the Security or Encryption page. This page, as shown to the left (click for larger view), holds a host of security settings. As with the client stations, we configure the AP to use WPA-PSK, and enter the exact WPA-PSK pass-phrase entered on the client station. Again, they must be exactly the same phrase.

Some APs automatically assume the use of TKIP (temporal key integrity protocol)  when WPA-PSK is selected. It is a data encryption method used for WPA-PSK which adds extra security ciphers and algorithms to the preexisting WEP encryption. If it's not automatic, specify TKIP as the encryption type. TKIP isn’t the only data encryption method that can be used, but it's best for our purposes.

On some APs, when you select WPA-PSK, a note will pop up suggesting that RADIUS be enabled. Even though WPA-PSK doesn’t require a RADIUS server, you can enable RADIUS (if needed). In these cases, leaving the RADIUS configuration blank, or leaving it as originally configured when you enabled it, should not cause any issues.

If the AP you’re configuring doesn’t show any settings for WPA (PSK or other), try upgrading the firmware on the AP. Do this by navigating to the correct location on the AP or on the manufacturer’s Web site. In any event, the user manual should include directions on how to upgrade the AP.

Client Station Configuration

Configuring the client stations and access points isn’t as daunting a task as it might seem. The ease of configuring client stations depends principally on the configuration utility you are using. Windows XP comes with its own configuration utility built in, Windows Zero Configuration Utility (WZC). However, there are other configuration utilities that offer better efficiency, easier configuration, and better wireless network monitoring. Most client cards come with their own wireless configuration utility, though others depend on Windows. Here we'll describe the configuration of client stations using WZC, which is the lowest common denominator for most users.

Despite the charms of its rivals, Windows does make the task of configuring a client station fairly painless. When configuring a station, one first needs to add a preferred network; in this case, as shown in figure 2 (right), the preferred network is called “My Network SSID.”

The next step is configuring the client station to the same settings as those on the AP; to do so, go to the ‘Properties’ button, as indicated by the yellow arrow in figure 2. This will bring up the network security properties setting screen for your preferred network (figure 3, left), with a handful of settings to choose from and empty fields to fill. The first text box shows the network name (SSID). This will already be filled in with the name you specified for your preferred network.

The next step is specifying the type of security that will be used to connect to the network. In the Network Authentication field, scroll until WPA-PSK is selected. With WZC, there are two WPA authentications listed: to use WPA with a RADIUS server (802.1x), you would pick the first option of just WPA.

The second WPA listed is WPA-PSK; for our setup, we select this to continue configuring a WPA-PSK network. The Data Encryption field below the Network Authentication field specifies the protocol that WPA-PSK will use; choose TKIP. The last step needed to configure the client station is very important, in that the Network Key entered into the client station must be the same as the network key (pass-phrase) that is entered on the AP. Network keys are case-sensitive; capitals, lower-case, numbers, non-alphanumeric symbols ($#!+, etc.) must all be exactly the same. This might sound like a walk in the park, but when setting up a wireless network, many neglect this minute but crucial detail.

In some cases, after configuring the client station, issues with connecting to the AP may still arise. In these cases, there are three things to check:

1. Whether Windows Firewall is turned on.  Even if Windows Firewall is disabled, the wireless card might still be under control of Windows Firewall. To check this, go to Windows Firewall in the Control Panel: under the Advanced tab, make sure the Wireless Connection check box is unchecked.
2. Whether multiple configuration utilities are enabled at once. This could cause configuration conflicts.
3. Whether you are trying to use the wrong type of security to connect to the WLAN. Double-check to ensure that the network you’re attempting to connect to uses the same method of authentication as the one you have selected.

In today’s age of ubiquitous SOHO networks and ever more Wi-Fi in laptops, security is a paramount concern. Unsecured or improperly set up wireless networks can leave you vulnerable to intrusion, viruses, hijacking of bandwidth, and more problems than one can list, which is why properly setting up your secured network using an authentication mechanism such as WPA-PSK is a crucial step in creating a wireless network.

Message Edited by toomanydonuts on 06-13-2007 11:12 PM