Windows IT Pro is the authoritative and independent resource for Windows NT, Windows 2000, Windows 2003, and Windows XP. Features a collection of resources and magazines for Windows IT professionals.
  
  


October 2002

Configuring Basic 802.11b Security

You have little choice but to lock down these ubiquitous devices

The WEP Key
The WEP static network key is similar to IP Security's (IPSec's) preshared key—it's a shared secret between two wireless devices that want to communicate with each other (e.g., wireless client to AP). WEP uses a network key, 40 or 104 bits in length, for authentication and data encryption. Confusingly, vendors might describe a 40-bit key as 64 bits long or a 104-bit key as 128 bits long. Within each pair, the systems are the same; the actual key lengths are 40 bits and 104 bits, respectively. The remaining 24 bits are for an initialization parameter that isn't user configurable.

Most systems support a hexadecimal network key, but some support an ASCII key—important to remember if you're mixing vendor products. You can store four keys in an 802.11b wireless device and set the key index to specify the active key. The key index also varies according to vendor: Some vendors prefer to number the key index 0-3, whereas others use 1-4.

The 802.11b standard specifies that the network key be installed on each network device independent of the wireless medium. Most vendors require the user to install the keys manually (or store them on the wireless device). Therefore, most users must type a key into their AP and type the same key into their wireless client. An example of a 128-bit WEP hex key is AB 02 1F 1A 93 2C DF FF 71 AB 29 F5 D9. (Encryption and decryption use the same key.) Inexpensive 802.11b systems don't offer a slick means of managing these keys. Imagine running around to your wireless users and typing in this key—and imagine changing it frequently! (Remember that regular and frequent key rotation is important to maintaining security in your basic 802.11b WLAN.)

I recommend using 128-bit encryption. If both your AP and wireless adapter support ASCII keys, consider them an alternative to the more difficult-to-remember hex keys. Also, consider devices that support automatic key management, although such devices are typically more expensive and often proprietary in nature.
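The key-length, hex-versus-ASCII, and key-index differences described in this section are easy to get wrong when mixing vendors. The following is an added example, not code from the article or from any vendor: the function names are hypothetical, and the ASCII key in the demo is constructed.

```python
import string

# bytes of secret -> (actual secret bits, size vendors advertise once the
# 24-bit initialization parameter is counted)
SIZES = {5: (40, 64), 13: (104, 128)}


def parse_wep_key(text, fmt="hex"):
    """Return (key_bytes, secret_bits, advertised_bits) for a hex or ASCII key."""
    if fmt == "hex":
        digits = "".join(c for c in text if c not in " :-")
        if not digits or len(digits) % 2 or any(c not in string.hexdigits for c in digits):
            raise ValueError("hex key must be pairs of hex digits")
        key = bytes.fromhex(digits)
    elif fmt == "ascii":
        key = text.encode("ascii")  # non-ASCII input raises a ValueError subclass
    else:
        raise ValueError("fmt must be 'hex' or 'ascii'")
    if len(key) not in SIZES:
        raise ValueError(f"{len(key)} bytes is neither a 40-bit nor a 104-bit key")
    return (key, *SIZES[len(key)])


def as_hex(key):
    """Render key bytes the way a hex-only device expects them typed."""
    return " ".join(f"{b:02X}" for b in key)


def vendor_index(slot, one_based):
    """Map key slot 0-3 to the number shown by a vendor's UI (0-3 or 1-4)."""
    if slot not in range(4):
        raise ValueError("802.11b devices hold four keys (slots 0-3)")
    return slot + 1 if one_based else slot


def same_active_key(ap_index, ap_one_based, client_index, client_one_based):
    """True when the AP's and the client's UI point at the same key slot."""
    return ap_index - int(ap_one_based) == client_index - int(client_one_based)


if __name__ == "__main__":
    # The article's example "128-bit" hex key: 13 bytes, so 104 secret bits.
    key, secret, advertised = parse_wep_key("AB 02 1F 1A 93 2C DF FF 71 AB 29 F5 D9")
    print(len(key), secret, advertised)
    # Constructed ASCII key, converted for a client that accepts only hex.
    print(as_hex(parse_wep_key("guard", fmt="ascii")[0]))
    # An AP numbering keys 1-4 and a client numbering them 0-3.
    print(same_active_key(1, True, 0, False))
```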

Open System or Shared Key
Authentication is the process of validating a user or system before communication can occur; 802.11b connections support Open System and Shared Key authentication. Open System authentication, as its name implies, permits any wireless device to communicate with another wireless device.

Shared Key authentication uses the WEP network key to authenticate the client. The process is simple: The AP sends the wireless client a clear-text challenge; the client uses the network key to encrypt the challenge, then sends it back to the AP. If the client uses the wrong key, or no key, the AP denies access to the user. Although Shared Key authentication keeps unauthorized devices from associating with your AP, both the encrypted and unencrypted challenges are vulnerable to eavesdropping, which makes deciphering the WEP key easier. However, Shared Key authentication prevents random unauthorized users from connecting to your AP. So unless your AP supports a stronger (probably proprietary) authentication mechanism, and until we're all using 802.1x (or its future superior), I recommend that you use 802.11b's Shared Key authentication. However, you need to understand this weakness and remember to rotate your WEP keys frequently.
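The challenge-response exchange described above, as an added example that is not from the article: it is a simplified model (no 802.11 framing, hypothetical function names, constructed challenge and IV) that uses the article's example key and shows why exposing both forms of the challenge is a weakness.

```python
import zlib


def rc4(key, n):
    """Return n bytes of RC4 keystream for `key`."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def client_response(network_key, challenge, iv):
    """Client: encrypt challenge plus CRC-32 check value under IV || key."""
    body = challenge + zlib.crc32(challenge).to_bytes(4, "little")
    return xor(body, rc4(iv + network_key, len(body)))


def ap_accepts(network_key, challenge, iv, ciphertext):
    """AP: decrypt with its own key copy and compare to the challenge it sent."""
    body = xor(ciphertext, rc4(iv + network_key, len(ciphertext)))
    text, icv = body[:-4], body[-4:]
    return text == challenge and icv == zlib.crc32(text).to_bytes(4, "little")


def keystream_on_air(challenge, ciphertext):
    """What a listener without the key learns from the two frames:
    the RC4 keystream for this IV, over the length of the challenge."""
    return xor(challenge, ciphertext)


KEY = bytes.fromhex("AB021F1A932CDFFF71AB29F5D9")  # the article's example key
CHALLENGE = bytes(range(128))                      # constructed 128-byte challenge
IV = b"\x01\x02\x03"                               # constructed 24-bit IV

if __name__ == "__main__":
    reply = client_response(KEY, CHALLENGE, IV)
    print("right key accepted:", ap_accepts(KEY, CHALLENGE, IV, reply))
    print("keystream exposed:", keystream_on_air(CHALLENGE, reply) == rc4(IV + KEY, 128))
```

Because the clear-text challenge and its encryption both cross the air, the handshake itself hands observers known plaintext, which is the reason the article pairs Shared Key authentication with frequent key rotation.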

Set Up a Secure AP
Inexpensive APs that strictly adhere to the 802.11b feature set might offer 64-bit or 128-bit WEP and Shared Key or Open System authentication. (Some vendors might extend security features, for example by limiting access to the media access control (MAC) addresses of specific authorized wireless NICs.)

AP configuration varies according to vendor, but you can count on following these basic steps:

  1. Physically connect the AP to the LAN, and—if the AP supports direct cable management—connect the USB or serial cable to the management computer. Otherwise, you might use HTTP/HTTPS, Telnet, SNMP, or a vendor-specific network client to manage your AP. For maximum security, consider using a direct connection or a secure protocol (e.g., HTTPS, if your AP supports it) for managing your AP.
  2. Load the AP management software onto the management computer. Run your management software and scan for the AP. If you have other APs on the network from the same vendor, you might also see them. (These APs are often denoted by their configured name, SSID, or MAC address.) Some vendors configure the AP's IP address to a default static address (e.g., 192.168.1.1), whereas others default to DHCP. So, to connect to it, you might need to change your management computer's IP address so that it's on the same subnet (e.g., 192.168.1.2) or be sure it can communicate with a DHCP server. After you successfully connect to the AP, follow the AP management software's documentation to change the AP's IP address to be on your LAN.
  3. Because the AP is likely set with a common set of users and passwords, you need to change the default Administrator password and review any other default users who can manage the AP. (For example, some APs allow guest access for remote management.)
  4. Select a descriptive word for your wireless network and set your SSID (or Extended SSID—ESSID—depending on the model of your AP) to this word. Every wireless client that wants to be a part of this logical network must use the same SSID. Figure 2 shows an AP setup screen in which the ESSID is set to Blackstatic.
  5. Enable Shared Key authentication. Figure 3 shows the setup of an AP with Shared Key authentication enabled.
  6. Enable WEP. Specify the hex network key. (Some AP models support ASCII keys in addition to hex keys.) Write down the network key; for static basic WEP implementations, you'll need to enter this key manually on every machine. The 802.11b standard supports four network keys, which are indexed. Some devices require you to enter the three other network keys (thereby defining all four). To specify the default (active) key, refer to your AP management software documentation for instructions about how to set the index to that key.


Reader Comments
One of the good choices to restrict access to a WLAN is to use allowed MAC address lists, which are available in some APs.

heikki kivistö March 27, 2003

