Turn on your wireless-equipped laptop in almost any urban area,
and chances are you'll find a wireless network just waiting to
serve you. These "unsecured" networks are a tremendous boon when
out and about, but who hosts these things? Why are they free? What
are the dangers? And, the most important question of all, am I one
of them?
Welcome to Wireless Networking 101, where you will learn enough
about WiFi to talk about WPA2 encryption on your 802.11g access
point and sound fairly intelligent doing it. Of far greater
importance than sounding intelligent, however, is keeping your
network and your data safe. So let's look at the various flavors of
WiFi (wireless fidelity), the security options, and what it means
to you, both at home on your own network and in the wild on someone
else's.
First off, all forms of WiFi are variants of the 802.11
networking protocol, a system by which radio transceivers are used
to connect computers and other devices to one another. 802.11 has
been around for well over a decade, although it was Apple's
original AirPort base station and card, introduced in 1999 for
the original iBook, that made it
popular with the general public.
A, B, G, and N
Before AirPort, which uses the "B" version (meaning
802.11b), there was the faster 802.11a, which has longer
range and higher speed but requires more expensive hardware. On
paper, 802.11b is as fast as old-fashioned 10Base-T ethernet, but
in actual use it's slower, with speed dropping quickly as distance
increases. Still, while hardly fast by modern standards, an 802.11b
connection is faster than many DSL lines, giving few performance
reasons for 802.11b users to upgrade for Internet use.
The reasons to upgrade come in when you use your wireless
connection for non-Internet functions, like file exchange. 802.11g
(also known as "G" and AirPort Extreme) is about five times faster
than 802.11b, has longer range, and tends to hold its speed better
over more of its range. The real benefits to G over B come when
copying files to and from network shares.
802.11n (or "N") wireless is the emerging standard, promising up
to five times greater speed and better range than G - that's up to
25 times faster than B. Again, B is fast enough to take full
advantage of most Internet connections, so N will benefit local
networks more than anything else.
Mixing Standards
Here's where it gets interesting: mixing standards. Most newer
access points and wireless routers support current as well as older
standards. My AirPort Express (Extreme - G) network at home runs on
802.11g, and in its configuration program I have the option to
allow 802.11b connections as well.
Why would I enable or disable support for the older standard?
Simple - a pure G network will run at full speed, but the second an
802.11b device logs on, the network will slow down for
everyone.
I like to play with older PCs and Macs, many of which have
built-in 802.11b network cards, so I leave my home network open to
802.11b clients. In the office, I disabled that option on the
Linksys wireless access point (WAP) on my network.
At home, we mostly use the wireless network for Internet access,
so a slight slowdown when I connect with an older computer doesn't
interfere with that, while at work we have all computers connected
wirelessly not only to the Internet, but to the server and its
resources, so we need all of the speed we can get.
Open Access Points
Now that you know all about B, G, and N networking, let's talk
about those open access points that we find so convenient when
traveling.
Most of the open networks you find will have names like
"Linksys", "Netgear", or perhaps "Smith Family". The first two are
defaults on routers sold by, you guessed it, Linksys and Netgear,
while the third and similar names will typically be Apple AirPort
networks set up in the early days of WiFi when nobody thought much
about security.
The easiest way to know if a network is open or not is to try to
connect to it. On a Mac, you'll be asked for a password if the
network is secured, and Windows XP makes it even easier by showing
a lock symbol for protected networks (and none for open networks)
with the words "Security Enabled" or "Open" provided for good
measure.
Simply put, you need a password or other means of authentication
to log onto a secured network, and you don't need anything but a
WiFi card to connect to an open network.
Before I get into the various types of security, I'd like to
talk a bit about open networks. There are the truly open networks
and the paid type, both of which lack password authentication of
the access point itself and will allow your computer to connect and
obtain an IP address freely. A truly open network will give you
immediate access to whatever the access point is connected to,
while a paid access point will give you free access only to a
preselected IP range - usually the corporate website of the
provider and their pay facility - allowing you to pay for an
account or day pass. This is what companies like Starbucks
(T-Mobile Hotspot) use, and it's a great way to get online when
away from home.
A true open network usually belongs to an individual, family, or
a very small business that lacks the networking savvy to lock
things down.
Security and Privacy
My DSL connection at home is quite fast, and the office
connection is even faster, so why shouldn't I share with those in
need? Simple: Giving the masses Internet access also gives the
masses access to everything else connected to my access point,
including my computers and the data stored on them.
Sure, I've got firewalls and run protection software, but there
are some very smart people out there with very devious plans, so in
my opinion it's best to just lock down your network.
It's even more important in the office. My server is exposed to
the Internet through both hardware and software firewalls, and the
wireless router is connected behind the server, meaning it's
firewall protected through the server and the hardware firewall but
lacks a firewall of its own. If that access point wasn't secured, a
"guest" would have unfettered access not only to the Internet as
filtered by my server but also to the server itself and all of the
sensitive information it contains. Not good.
One last word about unsecured networks: They are not
secure.
Well duh, but this really does matter. If you're connected to
the Internet through somebody's unsecured network, it means that
everything you do is out in the open, unencrypted. A clever hacker
can sit back and intercept the packets leaving your computer and
reconstruct them, thereby recreating your emails, online forms, the
credit card information you entered to buy that book, or the words
from your instant messages.
I'm not saying not to use an unsecured network, just don't have
an expectation of privacy when you're using that unsecured
network.
WEP and WPA
Okay, so you want to secure your network. What level of security
do you really need?
I'll leave out high-end enterprise level security, most of which
requires an authentication server (either your own or a remote
service) and concentrate on the simple ones that most routers and
access points include right from the box.
WEP and WPA are the two main choices, with subchoices within
those two systems. WEP, short for Wireless Encryption Protocol, is
a simple password protection system. Put the right password into
the system, and you're connected. WPA, or Wireless Personal
Authentication, is also a password system, but the password itself
is encrypted as it goes between the client (computer) and server
(access point).
What that means is that a clever hacker with the right tools can
sit near a WEP-protected network and "sniff" the password the first
time someone logs on. While WPA isn't perfect, it's a lot harder to
break (and even harder on the newer WPA2).
WEP comes in 40-, 64-, and 128-bit encryption levels, but the
only difference is the length of the password. WPA gives more
choices, with two types of passwords and two levels of encryption,
WPA and WPA2. Whether you use the TKIP or AES password is a matter
of choice or the limitations of your wireless hardware; there are
no real differences in security for non-server systems.
The Problem
You might wonder why everyone doesn't just use WPA2 with a long
and complex password, and the answer is simple - not every network
component supports it. Generally speaking, any access point,
wireless router, and wireless network card made in the last three
years supports WPA, but only so-called "enterprise" cards of the
last two years and the very latest consumer cards support WPA2.
Most access points also don't support WPA2. I have an old Apple
AirPort base station that only supports WEP, while my AirPort
Extreme home setup supports WPA and the Linksys Access Point
(business model) in the office supports full WPA2.
Likewise, the Intel 3495 WiFi card in my Toshiba Portégé
Tablet PC (a business model) supports WPA2, but the wireless card
(an Intel 2200) in a friend's consumer model Toshiba Satellite
Tablet PC only supports the weaker WPA.
The problem comes when you have a mixed environment of different
brands and ages of wireless networking components. Apple tends to
stay fairly current, with most AirPort Extreme cards in recent Macs
supporting WPA2, but older AirPort-equipped Macs only support
WPA.
It's even more confusing when using non-Apple hardware, which
includes not only PCs but wireless print servers, range extenders,
and also PDAs and video game consoles. PCMCIA "PC Card" wireless
adapters are the worst, with many supporting WPA, but only a
handful supporting WPA2. Worse still are some of the cheap cards
that only support WEP - and in the case of some older cards, only
the very weak 40-bit WEP or no wireless security at all.
When setting up wireless security you must choose a protocol
supported by the least secure device that you will attach to your
network. If you have an older AirPort Mac for example, WPA2 is out
of the question, as you are limited to WPA at best - and possibly
even WEP, depending on the age of the computer and your
software.
As a general rule, 128-bit WEP is adequate for home use in a
detached house, but probably not in an apartment complex. If your
hardware all supports it, go with WPA, and if everything you have
is very modern, go ahead and use WPA2.
I'm still using regular WPA both at home and in the office
because of a few computers that don't support WPA2, but as those
are phased out, I plan to upgrade my wireless security.
Most importantly, whether you are using WEP or WPA, pick a long
and complex password that includes both upper and lower case
letters, as well as numbers and, if your password protocol supports
it, symbols. Make your password a long, unintelligible jumbled
mess, and be sure to change it once in a while. My old WEP password
was "kl4hs9H32vB4r", which really rolls off the tongue (and which I
will never use again).
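The two rules above (use the protocol your least capable device supports, then pick a long random password for it) can be combined in a short script. This is an added example, not part of the original article: the device inventory is constructed, and it assumes that a device supporting one mode also supports every weaker mode.

```python
import secrets
import string

# Security modes from weakest to strongest, as ranked in the article.
# Assumption: a device that supports one mode supports every weaker one.
MODES = ["none", "WEP-40", "WEP-128", "WPA", "WPA2"]

# ASCII key lengths. WEP keys are fixed length: 5 characters for 40-bit and
# 13 for 128-bit. WPA/WPA2 passphrases may be 8 to 63 characters; use 63.
KEY_LENGTH = {"WEP-40": 5, "WEP-128": 13, "WPA": 63, "WPA2": 63}

# Constructed inventory: device name -> strongest mode it supports.
HOME = {
    "AirPort Extreme base station": "WPA",
    "newer laptop": "WPA2",
    "older AirPort Mac": "WPA",
}


def strongest_common_mode(devices):
    """Return the strongest mode that every device in the inventory supports."""
    return min(devices.values(), key=MODES.index)


def blockers(devices, target):
    """List the devices that must be replaced before `target` can be used."""
    return sorted(name for name, mode in devices.items()
                  if MODES.index(mode) < MODES.index(target))


def generate_key(mode, symbols=True):
    """Generate a random key of the right length for `mode`."""
    if mode not in KEY_LENGTH:
        raise ValueError(f"{mode!r} has no key to generate")
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits]
    if symbols:  # leave out if a device rejects symbols in its key field
        classes.append("!#$%&*+-=?@_")
    alphabet = "".join(classes)
    while True:
        key = "".join(secrets.choice(alphabet) for _ in range(KEY_LENGTH[mode]))
        # Retry until every character class appears at least once.
        if all(any(c in cls for c in key) for cls in classes):
            return key


if __name__ == "__main__":
    mode = strongest_common_mode(HOME)
    print("use:", mode, "key:", generate_key(mode))
    print("replace before WPA2:", blockers(HOME, "WPA2"))
```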
Cheap vs. Low Cost
The last thing I can suggest is to avoid cheap networking
components. Cheap does not mean inexpensive; it means cheap, as in
poor quality garbage.
I purchased a number of PCI wireless cards for my desktop PCs
that only cost $17 at Fry's, but they are excellent cards that use
the same Atheros chipset as Apple used in many of its AirPort
Extreme cards. So close is it that my 7-year-old Power Mac G4 thinks it's a
built-in AirPort Extreme and uses the native OS X drivers with
it. These wonderful cards were sold under the Gigabyte name and had
the Atheros logo on the box, which told me that, despite the price,
these were premium cards. The model is GN-WP01GT and usually sells
for about $50; the ones I bought were brown-box "OEM" models at
$16.99.
What I would avoid are cards from names you've never heard of,
unless it's clearly labeled as having an Atheros (fast and good
range) or Intel chip. For Macs, you can find generic Atheros cards
that will work natively with OS X, but there are no
guarantees. Of course, you could always get an $80 Sonnet Aria
Extreme, which is just a standard Atheros card, but guaranteed
to work natively with OS X (what I bought for my Power Mac
before I found the cheap Gigabyte cards).
There you have it. Be sure to set up your wireless network with
the fastest protocol you can use and block out slower "B" wireless
unless you want to use an older machine. Set up WPA2 (if you can)
or WPA security and use a complex password if you can. Finally,
connect with quality network adapters with either chipsets from
known brands (Atheros, Intel) or sold by companies you trust and
that support your system.
Follow that simple advice, and your wireless network will be
both fast and secure.
Andrew J Fishkin, Esq, is a laptop-using attorney in Los Angeles, CA.