Getting Serious
As mentioned earlier, the wireless standards specify authentication
and encryption methods to secure the link. While these are no
barrier to somebody wishing to obtain access, they will stop the
accidental neighbour connecting up. In fact, the steps applied
in the previous page (not broadcasting ESSID and limiting MAC
addresses allowed access) will stop the accidental user.
For the sake of completeness, however, using WEP and authentication
will be covered next.
Enabling WEP
Wired Equivalent Privacy requires setting a key at both the access
point and the client. The LinkSys access point will generate a
key from a string. However, there are many ways to generate the
key, for example the command
md5sum /var/log/messages
will generate a 32 hex digit number, likely not guessable from
some other machine and/or the same machine at a different time.
The highest common key length supported among the hardware used
here is 128 bits, which means that 104 bits, or 26 hex digits,
are required, since 24 of the 128 bits are taken by the
initialisation vector. Thus, the md5sum program provides more
than needed.
NetGear ME-102
Start the configuration program and select Configure/Privacy to set
the WEP mode and keys. Set the Standard encryption mechanism to
WEP128 then set the Default WEP Key to 1. Fill in the first key
with the value determined above. Finally, type W to send the values
to the access point, and then go to Commands/Upload to apply the
changes to the access point operation.
LinkSys WAP-11 v2.2
Point your browser to the access point, and the default first page
is the Setup tab. About mid page is the WEP line. Select Mandatory
then click on the WEP Key Setting which creates a pop-up window for
setting the WEP keys. Set the 128Bit value, and Hex for the Mode
field. Then enter the 26 hex digits of the key into the Key 1
field. There is no need to fill in the other keys, but make sure
that the Default TX Key is set to 1. Finally, click Apply to set
the values into the access point and make it active.
Laptop
Changing the client is quite simple. Edit the file
/etc/pcmcia/wireless.opts and add the following line to the section
which defines the card in use:
KEY="xxxxxxxxxxxxxxxxxxxxxxxxxx"
Add this before the line containing the two semi-colons.
The string of "x" above should be replaced by the 26 hex digits
set into the access point as its key. By default, these will be
key 1 on the wireless card.
Remove the wireless card and re-insert. The link should come
back to life, but now with encrypted traffic. Success can be
determined using the ping program. The output from iwconfig may
also be useful. If you are root, the output will now also show
the key in use.
If the link does not start, the most likely cause is mistyping of keys.
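An added example, not part of the original page: shell functions that
cut a 26 hex digit key from md5sum output, check a typed key before it
goes into wireless.opts, and strip separators and case so the key
entered on the access point can be compared with the one on the laptop.
The function names and the /dev/urandom key source are assumptions
introduced here.

```shell
#!/bin/sh
# Added example; all function names are hypothetical, not from the page.

# First 26 hex digits (104 bits) of the md5sum of file $1.
wep128_from_md5() {
    md5sum "$1" | cut -c1-26
}

# Assumed alternative key source: 13 bytes from the kernel RNG.
wep128_random() {
    od -An -N13 -tx1 /dev/urandom | tr -d ' \n'
}

# Strip separators and fold case so two copies of a key compare equal
# (iwconfig accepts and shows keys in XXXX-XXXX-... groups).
wep_normalise() {
    printf '%s' "$1" | tr -d ' :-' | tr 'A-F' 'a-f'
}

# Succeed only if $1 is exactly 26 hex digits.
wep128_valid() {
    case "$1" in
        *[!0-9A-Fa-f]*) return 1 ;;
    esac
    [ "${#1}" -eq 26 ]
}

# Print the KEY line for /etc/pcmcia/wireless.opts, or fail on a bad key.
wireless_opts_line() {
    key=$(wep_normalise "$1")
    if ! wep128_valid "$key"; then
        echo "bad key: ${#key} characters, need 26 hex digits" >&2
        return 1
    fi
    printf 'KEY="%s"\n' "$key"
}

# Demo on a constructed key, typed the way iwconfig groups it.
wireless_opts_line "0123-4567-89AB-CDEF-0123-4567-89"
```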
Current Status
The link is now more secure from the nosy neighbour, but not a
determined attacker. It is also possible to set authentication,
but I could not make this work with the Orinoco card.
Using Authentication explains how to do this.
Version: $Revision: 1.6 $;
Updated at 15:47 EST on Tue Apr 11, 2006
Copyright (C) 2002 - 2006, Lindsay Harris