While WPA and WPA2 eliminate many of the problems associated with WEP, they are still vulnerable to attack, particularly in their PSK form. Many people have already cracked WEP and Parts 1 and 2 of this series provided a step-by-step procedure.

Breaking the pre-shared key of WPA and WPA2 "Personal" is much harder and time consuming - especially if you are using AES encryption - but it is possible.

Countermeasure 8: Add Authentication

To address this emerging threat, users should implement authentication. Authentication adds another layer of security by requiring a client computer to "sign-in" to the network. Traditionally this has been done with a mix of certificates, tokens, or hand-typed passwords (also called Pre-Shared-Keys) that are negotiated with an authentication server.

802.1X provides the access control framework used by WEP, WPA and WPA2 and supports several EAP (Extensible Authentication Protocol) types that do the actual authentication. George Ou's excellent article on Authentication Protocols contains probably more than you'd ever want to know about EAP, WPA and WPA2!

Configuring authentication can be a daunting and expensive task for networking professionals, let alone home networkers. At this year's RSA conference in San Francisco, for example, many attendees didn't bother to set up their wireless connection because of the full page of instructions they had to follow to do it!

Thankfully, things are getting better, and you don't need to buy a full-blown RADIUS server, as there are a number of easier-to-implement alternatives. LucidLink offers a free fully-functional version of its namesake product through the end of 2005, which supports wireless security and authentication setup for up to three users.

A similar product is Wireless Security Corporation's (recently purchased by McAfee) WSC Guard. It's a subscription-based product starting at $4.95 per user per month with discounts for volume purchases. A free 30 day trial download is available here.

Another free option worth investigating for more experienced networkers is TinyPEAP, which adds a small RADIUS server supporting PEAP-based authentication into Linksys WRT54G and GS wireless routers. Note that since this firmware isn't officially supported by Linksys, you're on your own if you mess up your router while installing TinyPEAP.