Wireless Security FAQ

Profile: enthusiast

<a name="top"></a>
<p><b>Wireless Security FAQ</b></p>
<p><b>Questions</b></p>  
<p><b>•</b>  <a href="#32">What's the difference between Open System and Shared Key authentication?</a></p>
<p><b>•</b>  <a href="#33">What's the difference between 40 and 64 bit WEP?</a></p>
<p><b>•</b>  <a href="#46">How do I prevent unknown users from using my wireless LAN?</a></p>
<p><b>•</b>  <a href="#47">Is 802.11a more secure than 802.11b?</a></p>
<p><b>•</b>  <a href="#68">How should I set up 2 routers to provide untrusted wireless users access to WAN but not expose my internal LAN?</a></p>
<p><b>•</b>  <a href="#120">How do I keep wireless clients from using my wireless router?</a></p>
<p><b>•</b>  <a href="#198">Does WEP impact the ability to hold a wireless connection?</a></p>
<p><b>•</b>  <a href="#235"> If I disable SSID (or ESSID) Broadcast on my Access Point or wireless router, is it true that only users who I've given my SSID to will be able to connect?</a></p>
<p><b>•</b>  <a href="#242">How do I let someone access my wireless network, but only when I want them to?</a></p>
<p><b>•</b>  <a href="#435">What is WPA?</a></p>
<p><b>•</b>  <a href="#440">Which is more secure, 64 or 128 bit WEP?</a></p>
<p><b>•</b>  <a href="#459">If a product is 802.11g spec-compliant or 11g Wi-Fi certified does it include Wi-Fi Protected Access (WPA) support?</a></p>
<p><b>•</b>  <a href="#460">Is Wi-Fi Protected Access (WPA) supported in wireless bridges and wireless-to-Ethernet adapters?</a></p>
<p><b>•</b>  <a href="#477">Is there a way to improve security above WEP in IBSS (Ad Hoc) mode, since WPA is not supported in that mode?</a></p>
<p><b>•</b>  <a href="#480">Does WEP have a negative impact on an 802.11b wireless network throughput?</a></p>
<p><b>•</b>  <a href="#525">Is traffic on a Wireless Distribution System (WDS) bridge more secure than other wireless data?</a></p>
<p><b>•</b>  <a href="#569">Do any products support Wi-Fi Protected Access (WPA) over a WDS bridged connection?</a></p>
<p><b>•</b>  <a href="#583">What security precautions should I take when using wireless hotspots?</a></p>
<p><b>•</b>  <a href="#594">Should I consider buying a wireless device that doesn't support WPA?</a></p>
<p><b>•</b>  <a href="#628">Can WPA be used with Windows versions other than Windows XP?</a></p>
<p><b>•</b>  <a href="#640">How do I keep wireless users connected to my wireless router from accessing my wired network?</a></p>
<p><b>•</b>  <a href="#674">Does software exist that will allow someone to monitor my Wi-Fi Lan to display the same screens I am seeing on my computer in real time?</a></p>
 
<p><b>Answers</b></p>
<a  name="32"></a><p><b>•  What's the difference between Open System and Shared Key authentication?</b></p>
<p>Wireless authentication is the process of performing a security check on clients that request access to a wireless network. The 802.11b standard presently supports these two methods of authentication, although many vendor proprietary (and non-interoperable) methods are also in use.</p>
<p><b>Open System Authentication</b> might better be called <b>No</b> authentication, since it allows any device to join a network without performing any security check.</p>
<p><b>Shared Key Authentication</b> requires that the Station and the Access Point use the same WEP Key to authenticate. This basically means that WEP must be enabled and configured the same on the AP and client. <a href="http://www.wirelessdevnet.com/articles/80211security/" target="_offsite"><b>This article</b></a> has a good explanation of each method, along with a description of the general weaknesses of 802.11b authentication.</p>
<a  href="#top"><b>Top</b></a>
<hr><br><a  name="33"></a><p><b>•  What's the difference between 40 and 64 bit WEP?</b></p>
<p>They are the same. The confusion comes from the way different manufacturers interpret the WEP specification. WEP actually has two parts, a "secret key" (user settable), and a 24 bit "Initialization Vector" which is not under user control. </p>
<p>Some manufacturers specify the length of the "secret key", i.e. user programmable, part of the WEP key, and others use the "secret key" plus "initialization vector" length. Curiously, this confusion is only seen on the lowest level, i.e. 40/64 bit, of WEP... probably for historical reasons.</p>
<p>Since all 802.11 products support 128bit (and sometimes higher) levels of WEP, this problem is moot. If you enable WEP, you should always use the highest bit length available, since there's no performance penalty from using the higher number of bits.</p>
<a  href="#top"><b>Top</b></a>
<hr>
<a  name="46"></a>
<p><b>•  How do I prevent unknown users from using my wireless LAN?</b></p>
<p>In spite of all the negative things you may have heard, the fastest, easiest, and most effective first step to take is to <b>enable WEP encryption</b>. Although WEP <b>can</b> be broken, it takes time and tools that most folks don't have. Think of it as pushing in the knob-type lock on a door. Yes, someone can break down the door or jimmy the lock, but most 'doorknob rattler' type would-be wireless freeloaders will just move on to the next WLAN that isn't encrypted. </p>
<a  href="#top"><b>Top</b></a>
<hr><br><a  name="47"></a><p><b>•  Is 802.11a more secure than 802.11b?</b></p>
<p>Not really. Although it can be set to use a non-standard 152 bit WEP encryption (vs. 802.11b's 64 and 128 bit WEP), it's still WEP, and can be broken, given enough time.</p>
<a  href="#top"><b>Top</b></a>
<hr><br><a  name="68"></a><p><b>•  How should I set up 2 routers to provide untrusted wireless users access to WAN but not expose my internal LAN?</b></p>
<p>The easiest way is to connect your wireless router (#1) to the WAN, then connect the WAN port of Router #2 to one of Router #1's LAN ports. Make sure the two routers are set to different subnets (base addresses). </p>
<p><b>Setup Tips:</b></p>
<p>- Router #2 can be either a wired or wireless router.</p>
<p>- If Router #2 is wireless <b>take the following precautions on Router #2:</b></p>
<p>* Use a different clear channel (1, 6, or 11)<br>
  * Use a different, non-obvious, non-descriptive ESSID<br>
  * Enable the highest level WEP you have and don't use an easy-to-guess key like all 1's or 0's<br>
  * Enable MAC address association control<br>
* Disable ESSID broadcast or use a "closed network" option if you have it</p>
<p>- Set Router #2 to be a DHCP client (obtain IP address automatically) on its WAN port.</p>
<p>- Your wired LAN clients should all connect to the second router, and you can set them to obtain their IP address information automatically, or use static IP addressing if you wish.</p>
<p>- If you forward any ports on the second router, remember that this will <b>allow any computers on the Router #1 LAN to potentially access the computer that the ports are forwarded to</b>.</p>
<p>If you need to run Internet accessible servers, you should connect them to Router #1, <b>but lock them down tightly</b>, i.e. don't keep anything else on them, use strong passwords for admin accounts, don't enable any more services than necessary, etc.</p>
<a  href="#top"><b>Top</b></a>
    <hr>
<a  name="120"></a><p><b>•  How do I keep wireless clients from using my wireless router?</b></p>
<p>It depends on what you mean by "using". Most routers have the ability to prevent groups of users from accessing Internet-based programs and services. This feature goes by different names, including <b>Port Filtering</b>, Access Control, Outbound Firewall Access rules, and others. But they all allow you to <b>block Internet access</b> to things like Web browsing, file transfers, mail, newsgroups, etc. by blocking the <b>port</b> used by the application for particular IP addresses that you program. The Port Filtering feature, however, does not prevent users from connecting to each other through the router's switch for File and Print sharing services. All it does is block access to the Internet-based services that you specify. </p>
<p>Many Wireless Access Points, which are technically <a href="http://www.tomsnetworking.com/Sections-article15-page2.php"><b>bridges</b></a> and not routers, have a feature called <b>MAC Address Filtering</b> or <b>Association Control</b>. The basic form of this feature allows you to enter a list of MAC addresses for clients that will be <b>blocked from accessing the wired LAN</b> that the AP is connected to. Sometimes you get two lists, one for blocked users and one for allowed users. Note that this feature controls <b>LAN access</b>, leaving decisions about Internet access up to whatever is providing your LAN's connection to the Internet, i.e. your router.</p>
<p>So what happens on a Wireless Router, which is conceptually the combination of a router and wireless Access Point? Well, it all depends on how the router's designed. As we described above, the <b>router's Port Filtering feature</b> is primarily focused on Internet access control and <b>probably doesn't prevent wireless clients from accessing your wired LAN</b>. </p>
<p>So what's a wireless router buyer to do? The best advice we have is to look for a feature in the <b>wireless</b> section of the router's administration screens that lets you enter <b>MAC addresses</b> of wanted or unwanted clients. Chances are, you'll have found the ability to control wireless client AP association. If your wireless router only provides <b>IP address-based</b> Port Filters or Access controls located in the router's firewall or other non-wireless admin sections, your <b>product probably does not have wireless Association controls</b>, and will let wireless clients access wired LAN clients unless you <b>enable WEP encryption</b> to block wireless client access.</p>
<p>Note that MAC Address filtering doesn't guarantee that blocked clients won't connect. Knowledgeable users can watch wireless traffic, grab the MAC address of an authorized user and change the MAC address on their own wireless card to match it. This is known as MAC address "spoofing".</p>
<a  href="#top"><b>Top</b></a>
<hr><br><a  name="198"></a><p><b>•  Does WEP impact the ability to hold a wireless connection?</b></p>
<p>It shouldn't. It may, however, slow down the connection, sometimes as much as <b>40 to 50%</b>. This effect has been virtually eliminated in most, but not all current wireless product designs.</p>
<a  href="#top"><b>Top</b></a>
<hr><br><a  name="235"></a><p><b> • If I disable SSID (or ESSID) Broadcast on my Access Point or wireless router, is it true that only users who I've given my SSID to will be able to connect?</b></p>
<p>No. Disabling an AP's SSID Broadcast function just prevents it from transmitting the SSID. The AP will still respond to any client that wants to associate with it <b>and</b> that sends a matching SSID.</p>
<p>For example, WinXP's built-in "Zero Config" wireless utility automatically stores every SSID that it receives. If your AP is using the same SSID as one that the client previously stored, the client will be able to connect to your AP, even if you have SSID Broadcast disabled.</p>
<p>Since the SSID is <b>always</b> sent "in the clear", i.e. unencrypted, it's also possible for anyone using freely available "sniffing" tools to monitor traffic near an AP and grab the SSID from clients that already know it.</p>
<p>In spite of all this, it's still good security practice to change the default SSID for your wireless LAN and use the same techniques used for choosing a <b>strong password</b> to keep your WLAN secure from casual snoopers.</p>
<a  href="#top"><b>Top</b></a>
<hr><br><a  name="242"></a><p><b>•  How do I let someone access my wireless network, but only when I want them to?</b></p>
<p>Once someone is given (or finds) your wireless LAN's ESSID, and if you are not running WEP encryption, that person can use your WLAN whenever they want. You can block them, however, by enabling WEP, using a non-obvious WEP key, and not giving out the WEP key information. You can also use your AP or wireless router's <b>MAC Address filtering</b> controls and allow access only to desired clients. </p>
<p>Unfortunately, these capabilities have no time-of-day controls in presently available equipment. So you'll have to manually enable and disable them when you want to control access.</p>
<p>However, a very low-tech solution is to <b>shut off your router and Access Point when you're not around</b>, or simply put it on a timer (yup, just like the ones you buy to turn lamps on and off).</p>
<a  href="#top"><b>Top</b></a>
<hr><br><a  name="435"></a><p><b>•  What are WPA and WPA2?</b></p>
<p>WPA stands for <b>Wi-Fi Protected Access</b> and is a subset of the <b>IEEE 802.11i</b> draft standard intended to replace WEP (Wired Equivalent Privacy) as the primary means of securing 802.11-based wireless networks.</p>
<p>WPA consists of methods to <b>strengthen data encryption</b> (Temporal Key Integrity Protocol [TKIP], message integrity check [MIC], extended initialization vector [IV] with sequencing rules, and a re-keying mechanism) and to <b>provide user authentication</b>. There are actually two authentication mechanisms, one for "enterprise" users using 802.1x and Extensible Authentication Protocol (EAP), and another for home users using a Pre-Shared Key (PSK) method.</p>
<p>WPA2 is the implementation of the full 802.11i standard and adds stronger AES (Advanced Encryption Standard) encryption and a few other improvements to WPA. Both WPA and WPA2 are much more secure than WEP.</p>
<p>To use WPA or WPA2, you may need a firmware update for your older Access Point or wireless router, and a new driver (and maybe firmware) for each wireless adapter on your network. Note that manufacturers may not offer WPA upgrades for all their existing products, especially older 802.11b-only products. You also won't be able to get upgrades for 802.11a-only products. You may also experience a loss of throughput when WPA is enabled on some older products.</p>
<p>See the <a href="http://www.tomsnetworking.com/Sections-article35.php"><b>TomsNetworking Wireless Security for the Rest of Us</b></a> article and the <a href="http://www.wi-fi.org/OpenSection/protected_access.asp" target="_offsite"><b>Wi-Fi Alliance's WPA website</b></a> for more information.</p>
<a  href="#top"><b>Top</b></a>
<hr><br><a  name="440"></a><p><b>•  Which is more secure, 64 or 128 bit WEP?</b></p>
<p>Neither should be considered secure for business use since both can be cracked within a matter of minutes. See the <b><a href="http://www.tomsnetworking.com/Sections-article118.php">TomsNetworking How to Crack WEP series</a></b>.</p>
<a  href="#top"><b>Top</b></a>
<hr><br><a  name="459"></a><p><b>•  If a product is 802.11g spec-compliant or 11g Wi-Fi certified does it include Wi-Fi Protected Access (WPA) support?</b></p>
<p>Generally, yes. But you'll need to check the Wi-Fi certification details printed on the product box, or look up the product in the <a href="http://certifications.wi-fi.org/wbcs_certified_products.php?TID=2" target="_offsite"><b>WiFi Alliance's Certification database</b></a> to be sure.</p>
<p><a  href="#top"><b>Top</b></a></p>
<hr><br><a  name="460"></a><p><b>•  Is Wi-Fi Protected Access (WPA) supported in wireless bridges and wireless-to-Ethernet adapters?</b></p>
<p>Generally not, due to the way these products work.</p>
<a  href="#top"><b>Top</b></a>
<hr><br><a  name="477"></a><p><b>•  Is there a way to improve security above WEP in IBSS (Ad Hoc) mode, since WPA is not supported in that mode?</b></p>
<p>You could try setting up a VPN tunnel, which would require running a VPN client on one station and VPN gateway/server on the other.</p>  
<p>For larger networks, however, this would get impractical since each station would need to run both VPN client and server so that it could initiate or terminate a tunnel to each other station.</p>
<a  href="#top"><b>Top</b></a>
<hr><br><a  name="480"></a><p><b>•  Does WEP have a negative impact on an 802.11b wireless network throughput?</b></p>
<p>Older 802.11b products can show a throughput reduction of up to <b>40 - 50%</b> with either 64 or 128 bit WEP enabled. However, this problem has been pretty much eliminated in current generation 11b products and those using the 802.11a or 11g standards.</p>
<a  href="#top"><b>Top</b></a>
<hr><br><a  name="525"></a><p><b>•  Is traffic on a Wireless Distribution System (WDS) bridge more secure than other wireless data?</b></p>
<p>No. Although data in a WDS connection can be WEP encrypted, WDS requires the MAC addresses in each packet's header to be unencrypted. </p>
<p>Also, the current version of Wi-Fi Protected Access (WPA) does not handle WDS.</p>
<a  href="#top"><b>Top</b></a>
<hr><br><a  name="569"></a><p><b>•  Do any products support Wi-Fi Protected Access (WPA) over a WDS bridged connection?</b></p>
<p>No. In general, you won't find products that support WPA through a WDS-bridged connection. The reason is that WDS uses MAC addresses to communicate, and WPA is designed to encrypt the MAC addresses. [Thanks to Buffalo Technology for their help on this question.]</p><a  href="#top"><b>Top</b></a>
<hr><br><a  name="583"></a><p><b>•  What security precautions should I take when using wireless hotspots?</b></p>
<p>First, be aware that any data you send or receive can be monitored by any other wireless user unless you are using a VPN, secure web browser (HTTPS) or other secured connection. This includes login information, account numbers, etc., so be sure that you use the secured option for webmail, on-line ordering, etc.</p>
<p>The other important precaution to take is to <b>disable File and Printer sharing and Client for Microsoft Networks</b> on your wireless adapter if you have them enabled. Not all public wireless hotspots use technology that prevents wireless client-to-client communication. This writer recently used the free wireless in the food court of Pittsburgh's airport and found via a quick browse of My Network Places that the entire drives of numerous fellow wireless users were totally accessible. Both settings can be found in the wireless adapter's Network Properties.</p>
<a  href="#top"><b>Top</b></a>
<hr><br><a  name="594"></a><p><b>•  Should I consider buying a wireless device that doesn't support WPA?</b></p>
<p>In our opinion, no. Manufacturers have had enough time to incorporate this greatly improved wireless security capability into their products. Any new wireless product that you purchase should support at least WPA-PSK (Pre-Shared Key) / TKIP capability.</p><a  href="#top"><b>Top</b></a>
<hr><br><a  name="628"></a><p><b>•  Can WPA be used with Windows versions other than Windows XP?</b></p>
<p>Yes, but only WinXP has a built-in WPA "supplicant" (a small application that performs the client-side duties for WPA authentication).</p>
<p>For other OSes, you will need to use the supplicant that should be in the client utility that came with your wireless adapter. You may need to go to your adapter manufacturer's website to download an updated client that includes the supplicant.</p>
<p>If your adapter doesn't have a WPA-capable client utility, you can purchase a third-party application such as <a href="http://www.funk.com/radius/wlan/wlan_c_radius.asp" target="_offsite"><b>Funk's Odyssey client</b></a>.</p>
<a  href="#top"><b>Top</b></a>
<hr><br><a  name="640"></a><p><b>•  How do I keep wireless users connected to my wireless router from accessing my wired network?</b></p>
<p>There are a couple of ways to do this. The simplest would be to use a switch or router with <b>VLAN</b> (Virtual LAN) capability. This would allow you to assign wireless and wired clients to different VLANs which would prevent any communication between them. Unfortunately, consumer-priced products with VLAN capability still are not available.</p>
<p>If all you need is protection in one direction, i.e. keeping wireless users off the wired LAN, you can use the router-cascading technique described in the <a href="http://www.tomsnetworking.com/Sections-article51.php"><b>TomsNetworking Setting up File and Printer sharing between two routers How To</b></a>. Just make the wireless router the one connected to the Internet and the wired router WAN port connected to one of the wireless router's LAN ports.</p>
<p>If you want to keep both wireless and wired users from reaching one another you can use <b>three routers</b>, as described in the <a href="http://www.tomsnetworking.com/Sections-article55.php"><b>TomsNetworking One Internet connection—Two Private LANs How To</b></a>. Only one of the routers needs to be wireless, the others can be Ethernet-only.</p>
<a  href="#top"><b>Top</b></a>
<hr><br><a  name="674"></a><p><b>•  Does software exist that will allow someone to monitor my Wi-Fi Lan to display the same screens I am seeing on my computer in real time?</b></p>
<p>There is software (both open-source and commercial) that will display information flowing through a wireless network. eEye Digital Security sells their <b><a href="http://www.eeye.com/html/products/iris/index.html" target="_offsite">Iris</a></b> vulnerability scanner that will reconstruct web pages in real-time, by following conversations from computers.</p>
<p> The <b><a href="http://www.monkey.org/%7Edugsong/dsniff/" target="_offsite">dsniff</a></b> suite written by Dug Song is a collection of open source utilities that can capture URLs, Emails, Instant Messaging and other interesting bits of information. Webspy, one of the programs in the suite, will capture URLs and then input them into a browser. This will let an attacker "follow" users surfing the web.</p>
<p><b><a href="http://www.ex-parrot.com/%7Echris/driftnet/" target="_offsite">Driftnet</a></b> is an open-source program that will rip pictures from wireless networks. As users surf the web, each picture will be captured and displayed on the attacking computer.</p>
<p> All of this assumes that the wireless traffic is <b>not</b> encrypted using WEP or preferably WPA or WPA2.</p>
<a  href="#top"><b>Top</b></a> <hr>
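
Added example (not part of the original post or of the FAQ it reproduces): a small Python model of the WEP frame body, illustrating the "40 vs 64 bit WEP" answer above. The RC4 key for each frame is the 24-bit IV followed by the user-set secret, and the IV is sent unencrypted ahead of the ciphertext. The secrets, IV and payload are constructed sample values, and the function names are this example's own.

```python
import struct
import zlib

IV_LEN = 3  # 24-bit Initialization Vector, chosen by the sender, not by the user

def rc4(key, data):
    """Plain RC4: key scheduling, then XOR the data with the keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def key_labels(secret):
    """Return (secret bits, secret + IV bits): the two ways vendors label one key."""
    bits = len(secret) * 8
    return bits, bits + IV_LEN * 8

def icv(payload):
    """WEP integrity check value: CRC-32 of the payload, little-endian."""
    return struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)

def wep_encapsulate(secret, iv, payload, key_id=0):
    """Build a frame body: IV (clear) | key-id byte (clear) | RC4(payload + ICV)."""
    if len(iv) != IV_LEN:
        raise ValueError("IV must be 3 bytes")
    if len(secret) not in (5, 13):
        raise ValueError("secret must be 5 bytes (40-bit) or 13 bytes (104-bit)")
    seed = iv + secret  # per-frame RC4 key: IV first, then the user-set secret
    return iv + bytes([key_id << 6]) + rc4(seed, payload + icv(payload))

def wep_decapsulate(secret, body):
    """Read the IV from the clear header, decrypt, and verify the ICV."""
    iv, ciphertext = body[:IV_LEN], body[IV_LEN + 1:]
    clear = rc4(iv + secret, ciphertext)
    payload, received_icv = clear[:-4], clear[-4:]
    if icv(payload) != received_icv:
        raise ValueError("ICV mismatch: wrong key or damaged frame")
    return payload

# Constructed sample values, for illustration only
SECRET_40 = bytes.fromhex("0102030405")
SECRET_104 = bytes.fromhex("0102030405060708090a0b0c0d")
SAMPLE_IV = bytes.fromhex("a1b2c3")
SAMPLE_PAYLOAD = b"constructed sample payload"

if __name__ == "__main__":
    for secret in (SECRET_40, SECRET_104):
        body = wep_encapsulate(secret, SAMPLE_IV, SAMPLE_PAYLOAD)
        print(key_labels(secret), "clear IV on the wire:", body[:3].hex(),
              "round trip ok:", wep_decapsulate(secret, body) == SAMPLE_PAYLOAD)
```

The same arithmetic explains the "128 bit" label: the user-set part is 104 bits, and the 24-bit IV makes up the rest.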


Profile: addict

Can someone please reformat this so it's readable? Thanks

