Getting Serious

As mentioned earlier, the wireless standards specify authentication and encryption methods to secure the link. While these are no barrier to somebody wishing to obtain access, they will stop the accidental neighbour connecting up. In fact, the steps applied in the previous page (not broadcasting ESSID and limiting MAC addresses allowed access) will stop the accidental user.

For the sake of completeness, however, using WEP and authentication will be covered next.

Enabling WEP

Wired Equivalent Privacy requires setting a key at both the access point and the client. The LinkSys access point will generate a key from a string. However, there are many ways to generate the key, for example the command md5sum /var/log/messages will generate a 32 hex digit number, likely not guessable from some other machine and/or the same machine at a different time.

The highest common key length supported among the hardware used here is 128 bits. Which means that 104 bits, or 26 hex digits, are required. Thus, the md5sum program provides more than needed.

NetGear ME-102

Start the configuration program and select Configure/Privacy to set the WEP mode and keys. Set the Standard encryption mechanism to WEP128 then set the Default WEP Key to 1 Fill in the first key with the value determined above. Finally, type W to send the values to the access point, and then go to Commands/Upload to apply the changes to the access point operation.

LinkSys WAP-11 v2.2

Point your browser to the access point, and the default first page is the Setup tab. About mid page is the WEP line. Select Mandatory then click on the WEP Key Setting which creates a pop-up window for setting the WEP keys. Set the 128Bit value, and Hex for the Mode field.

Then enter the 26 hex digits of the key into the Key 1 field. There is no need to fill in the other keys, but make sure that the Default TX Key is set to 1. Finally, click Apply to set the values into the access point and make it active.

Laptop

Changing the client is quite simple. Edit the file /etc/pcmcia/wireless.opts and add the following line to the section which defines the card in use:-
    KEY="xxxxxxxxxxxxxxxxxxxxxxxxxx"
Add this before the line containing the two semi-colons. The stirng of "x" above should be replaced by the 26 hex digits set into the access point as its key. By default, these will be key 1 on the wireless card.

Remove the wireless card and re-insert. The link should come back to life, but now with encrypted traffic. Success can be determined using the ping program. The output from iwconfig may also be useful. If you are root, the output will now also show the key in use. If the link does not start, the most likely cause is mistyping of keys.

Current Status

The link is now more secure from the nosy neighbour, but not a determined attacker. It is also possible to set authentication, but I could not make this work with the Orinoco card. Using Authentication explains how to do this.


Tightening Up
Real Security


Version: $Revision: 1.6 $; Updated at 15:47 EST on Tue Apr 11, 2006
Copyright (C) 2002 - 2006, Lindsay Harris