Tuesday, September 2, 2008

Five things you should know before hooking up your wireless network

Let's face it, wireless networking is everywhere and, in most cases, it is insecure and out of control. To the average household user, they assume that it should always "just work" and just "be secure". To IT Pros like you and I, we know that while wireless networking has become a fact of life, it will always be a source of concern. So, the next time your boss asks you to put up a new wireless network, I hope that you will take pause and consider the 5 things you will learn about wireless in this article.

Why I wrote this article

Even in business today, it is tough to not use wireless. Every laptop come with it. PDA's have it. People use it at home. The CEO thinks its cool. To the users it just seem obvious to have wireless everywhere, just like it does to hook up their ipod on their work PC. I mean, if you have all these things at home, why not have them at work, right?

However, after using wireless at my office and all the research I did while creating the Train Signal Wireless Networking video series, part of me just wants to "turn it all off". As part of the TS Wireless administration video series, one of the things I did was demonstrate how to hack wireless security protocols. I demonstrated how easy it is to hack WEP with brute force. I demonstrated how easy it is to hack WPA1 with a dictionary attack. I demonstrated how easy it is to see a wireless access point even if the SSID broadcast is disabled. I showed you where you can find a list of all the default username and passwords for wireless access points and routers.

At my office, we have pulled out hair out dealing with periodic wireless disconnects, show performance, and interference.

I wrote this article for every admin out there who is about to install a new wireless network or even for the home wireless user who just wants to know more about the "gotchas" of wireless networking.

#1 Don't do it unless you have to

For all the reasons above, my approach to wireless has become "don't do it unless you have to". If you can, for a reasonable price, run a cable to the location you want to use a computer, by all means, do it. Wireless should only be installed if you have to, if there is business need, if you are willing to invest in quality hardware & troubleshooting tools, and if you have an IT Pro secure it properly. Wireless may be easier up front but it will be much more difficult to troubleshoot and maintain in the long run than that cable run would have been.

#2 Default configurations are not secure

You cannot leave wireless gear set a the default configuration. This includes- SSID name, admin username & password, wireless security method, wireless encryption key, etc. All of those need to be changed.

Lately, I have noticed that, more and more, the wireless gear manufacturers have gotten smarter and have made the default configurations with a higher level of security. While that is good, keep in mind that wireless gear doesn't work like a toaster where you can just plug it in and use it. Like any operating system or piece of network gear, it must be properly setup. Make sure you do some research on how to properly set it up and secure it. Alternatively, you might find a fellow IT Pro or consultant that has experience in doing this and contract them to do it for you the first wireless AP....

#3 Secure your wireless network with WPA2 & AES256

In the Wireless Networking video series I created, I went into al the different methods of securing your wireless network. Still, the only one that I can recommend is WPA2 with AES. If you are just using a local key this is called "WPA2 Personal". If the authentication goes back to a RADIUS server, it is called "WPA Enterprise". Also, note that there is WPA and WPA2. On many wireless APs they have WPA listed but that is not the same as WPA2.

Here is my home Linsys wireless AP:



As you can see, it doesn't offer WPA2. While it would be nice to get a new AP that supports this, an alternative and equally safe security method is to us WPA (WPA1) Personal (also called pre-shared) as long as you use a non-dictionary and lengthy key. For example, you could use "IwishIhad2dogsnamedrover!" as your key and be confident that you are secure.

WEP has proven that it can be cracked with brute force so I wouldn't recommend it at all. Still, many wireless equipment manufactures act like they are saving the day and securing your network because they enable WEP with some kind of default key.

#4 Perform a site survey

I don't care if you are about to install a new wireless network or if yours has been up for a year. If you haven't performed a wireless site survey, you need to. There are a limited number of channels and wireless interference can cause a lot of headaches, performing a site survey isn't expensive or difficult.

Ideally, you spend some money and use tool like Airmagnet Survey. It will generate a site survey that looks like this:



You could collect your data with a tool like Yellowjacket that runs on a laptop or PDA or something like a Fluke Wireless Etherscope (both shown below):



While these solutions may be ideal, they also cost a lot. There are plenty of alternative ways to perform a site survey that won't cost you anything.

You could use the wireless site survey tool that is already built into your laptop's wireless adaptor. Some wireless adaptors have descent site survey tools built in, like these that came with my laptop's built in Broadcom wireless adaptor:



#5 Buy quality gear and troubleshooting tools

Believe me, I have used price as my primary wireless gear selection factor and have regretted it later. I know there are a lot of brands of wireless gear out there. I have used all the inexpensive gear before I finally broke down and bought some Cisco gear. It was strange how, after using Cisco's gear, the interference and periodic disconnects all went away. Now, that is all I buy for business purposes.

I know it is tempting to spend $150 on a Dlink business-grade wireless AP over a $600 Cisco AP but, believe me, the more quality gear will pay off in the long run.

If you want to save some money on wireless gear, why not check some used Cisco gear on Ebay?

Summary

In summary, make sure you are very careful with how and where you user wireless networking. There are plenty of companies in the news who lost millions because they didn't have a secure wireless network. None of us want our name associated with one of those stories. Unlike a network cable, wireless networks can extend your network to the parking lot and, in some cases to the building next door. You don't want to do that unless you have to. If you have a valid business reason, then make sure you are willing to spend adequate time and money to ensure that your wireless network is almost as secure as the wired network. I hope that these tips go a long way towards ensuring that your wireless network is secure.

Open in Regedit in IE

One of the coolest tricks I saw lately came from one of my Students - Shay Levy (visit his blog at http://scriptolog.blogspot.com).

Many tips published on various websites, including articles found on the Petri.co.il site, heavily use registry modifications and additions. These articles and tips usually tell you that in order to perform this or that, you need to open Regedit.exe (the registry editing tool), navigate to this or that registry path, and create, delete or modify registry keys and values.

In order to make your life easier, Shay has created this cool Internet Explorer add-in, that allows you to easily open Regedit and point it to the exact registry path, without the need to manually open Regedit.exe and begin to look for the relevant entry.

For example:

Instead of performing these steps (this is just an example) -

1.Start Registry Editor (Regedit.exe).
2.Locate the following key in the registry:

HKEY_CURRENT_USER\Control Panel\Desktop

Do this:

1.Download and install Open In Regedit-1.4.zip (290kb)

Note: Tool has been modified due to some issues with the previous setup program that has caused Norton Anti-Virus to flag it as a Trojan.

Version Update Note: Tool has been updated to version 1.4 that now fully supports Windows Vista and Windows Server 2008.

2.Close and re-open a new Internet Explorer window.


3.Highlight the same registry path found above, then right-click it and select Open in Regedit.

Bingo!