markwilson.it

Securing my wireless network

Written by

Mark Wilson

in

Last week I wrote about upgrading my wireless network. It’s been running well since then, so this afternoon I decided to go ahead with stage 3 – configuring wifi protected access (WPA). As I haven’t set up a RADIUS server here, and to be honest, it would be overkill for a small network like mine, I decided to implement WPA-PSK (pre-shared key), as detailed in Steve Lamb’s post (and blogcast) on the subject.

Initially, it all went well, simply setting the access point to use WPA-PSK and defining a passphrase. Within a few minutes, I had entered the passphrase on two of my notebook PCs and all was working well (one using a Compaq WLAN MultiPort W200 and one using an Intel PRO/Wireless 2200BG network connection) but then I hit some real problems. My wife’s PC (the whole reason for us having a wireless network) and my server were refusing to play with the access point displaying the following message when I selected the wireless network and entered the network key:

Wireless configuration

The network password needs to be 40 bits or 104 bits depending on your network configuration.

This can be entered as 5 or 13 ASCII characters or 10 or 26 hexadecimal characters.

This seemed strange to me – there was no mention of any no such restrictions when I set up the WPA-PSK passphrase (the network key). With one machine running Windows XP SP2 and the other running Windows Server 2003 SP1, WPA support shouldn’t have been a problem (I double-checked the server with the D-Link AirPlus DWL-520+ wireless PCI adapter and once I’d manually switched the properties to WPA-PSK using TKIP, I was able to enter the network key and connect as normal).

It seems that for some reason, the D-Link card had defaulted to using WEP, and sure enough, once I set it to use WPA-PSK, the network description changed from security-enabled wireless network to security-enabled wireless network (WPA).

So, three machines working, one to go.

I read in Kathryn Tewson and Steve Riley’s security watch: a guide to wireless security article that WPA is “both more secure and easier to configure than WEP, but most network cards made before mid-2003 won’t support it unless the manufacturer has produced a firmware update”. The problem machine was using a Compaq WL110 Wireless PC Card, which I was given around 2002/3 (when we first put in the 802.11b network) so it sounded plausible that I might need a firmware update. A little more googling turned up the does/can the WL110 support WPA? thread on the HP IT Resource Center which gave me the answer. No, there is no firmware upgrade (card support was dropped before the WPA specification was finalised), but if you download the Agere version of the drivers, and tell Windows XP that the WL110 is a 2Wire Wireless PC Card, WPA is available and it works (even inside the WL210 PCI adapter)!

So, that’s all done – a working, (hopefully) secure, wireless network, all for the price of a new access point.

Comments

19 responses to “Securing my wireless network”

  1. Anonymous avatar
    Anonymous

    Dear Mark,

    thanks a lot. It worked really good!

    Best Reagards Andreas

  2. Don Thompson avatar
    Don Thompson

    I’ll be interested to see how your WPA-PSK secured network holds up over time. I’ve had problems with Intel “Centrino” wifi chipsets (the 2100 and 2200) in both FSC Lifebooks and Sony Vaio laptops where they finally refuse to connect on the WLAN after about 2 weeks. I gave up on the Lifebook (the 2100 card was only 802.11b), opting for a Netgear PCbus card, but the Vaio did return to operation with a driver update from intel.com. In both instances the AP was a Netgear DG834G (different units with different fw loads) & the Airport Express on the same WLAN kept working fine. I googled many similar experiences suggesting the cause to be some power mgmnt feature that only Intel implements so my instinct is to keep away from Intel wifi chips.

  3. Mark avatar
    Mark

    Hi Don,

    Initial experiences are that it’s all a bit flaky – I’m trying to get some help via the Microsoft community newsgroups right now as my clients seem to be losing communications with the server that gives them DNS (hence Internet name resolution) and DHCP (hence an IP address) – pretty important stuff on a TCP/IP network!

    At the moment it looks like the clients (mixture of 802.11b and g) are okay accessing the network (until their DHCP leases expire of course!) but periodically lose contact with the server (802.11b D-Link enhanced to 22Mbps but now throttled back to 11Mbps). The server thinks it’s online, but doesn’t receive any traffic from the clients. Resetting the access point usually solves the problem, but sometimes I also have to disconnect/reconnect the clients to force things back into life.

    It’s probably a key synchronisation issue so I might have to get a D-Link 54G card for the server (to match it up with the access point – more expense), or perhaps going for a RADIUS solution will help me with the key exchange (need to do some more reading on that first).

    Mark

  4. Mark avatar
    Mark

    It was interesting to read Don Thompson’s comment above on using WPA-PSK with Intel wireless cards. I’ve had some problems over the last few weeks, but think (hope) I’ve got somewhere now…

    Strangely, my wired, and wireless clients were losing contact with the server at the other end of the wireless link. The clients couldn’t ping the server but if I pinged the clients from the server, things jumped back into life.

    That wasn’t sustainable, and it’s a bit disappointing (given that one of the reasons for using a D-Link access point was that I already had a D-Link card in my server) but I finally swapped out the server’s D-Link DWL-520+ for a DWL-G122. After initial problems the next time the clients needed to renew their IP addresses (fixed by a restart of the DHCP server service) and one access point reboot, things have been pretty stable all week.

    I’ve had no noticeable issues with the Intel PRO/Wireless 2200BG adapter in the Fujitsu Siemens Lifebook S7010D that I use for work, but I have removed the Compaq WLAN MultiPort W200 adapter from my notebook so the only 802.11b equipment on the network now is one Compaq WL110 Wireless PC Card (which disconnects occasionally but seems to reconnect again without too much effort and doesn’t seem to bother the rest of the network).

    If I’d known that I would need to replace most of my wireless hardware and fully upgrade to 802.11g, I’d have gone for the Linksys WAP54G and bought a few new Linksys PC cards. Ho hum. At least I seem to have a working, secure, almost single-brand wireless network now.

    Just to add insult to injury, I read in this week’s IT Week that the IEEE has approved the first draft of the 802.11n standard (so my 802.11g kit will soon be as worthless as my old access point and pile of 802.11b cards).

  5. Seth avatar
    Seth

    Hi, we’re in a small office trying to get our wireless network to work on PCs. We are all Mac users except one of us. Our airport password is 7 letters, but when typed in from a PC it gives an error “The network password needs to be 40 bits or 104 bits depending on your network configuration. This can be entered as 5 or 13 ASCII characters or 10 or 26 hexadecimal characters.” Our Mac tech guy has thrown his arms up on this one as it is a PC issue apparently. I don’t know what a WPA is, nor do I understand the error. Somebody please help.

    I can be reached at “seth@deepmix.com”

    Thank you!
    – Seth

  6. Mark Wilson avatar
    Mark Wilson

    Seth, I imagine that the Macs pad out the 7-character password to 104 bits without telling you; however the message is pretty descriptive – the password needs to be a particular length and yours isn’t. Suggest you change your WiFi password to 13 characters (and make it hard to guess). Probably worth checking that your security is up to scratch too… i.e. not WEP.

    Mark

  7. Seth avatar
    Seth

    Thank you Mark, I did what you recommended – changed the 7-character password to a 13-character one.
    This eliminated the error, but we are still not able to connect. Or that’s what it looks like anyway, but it gives conflicting messages about whether it’s really connected or not and no web pages can be viewed, so obviously it’s not really connected even if it thinks it is.

    It is set to WEP, whatever that means. I’m not too concerned with changing the security settings as we’ve never had any problems with security. But whatever it takes to get this thing functional, I will do.

    Thanks,
    Seth

    seth@deepmix.com

  8. Seth avatar
    Seth

    Let me be more specific. Maybe this will give you a better idea about where I’m stumped:

    In the network’s properties, there is a pulldown menu for network authentification. The options are: Open, Shared, WPA, WPA-PSK. The default is “Open”. I have no idea what any of these mean.

    In the adaptor properties there is a value of 802.11b/g. I think this is OK…Again, not sure what G is. Not sure what B is. But that seems like plenty. :)

    I guess I don’t know whether something is wrong with the adaptor hardware configuration, the network configuration, or the computer’s wireless configuration. But I think it’s a problem with the computer’s wireless configuration, because the Macs have always been able to connect just fine. But then I never would have guessed that Mac and Win machines have different preferences about the number of letters in their network passwords either. If reading this is frustrating, believe me, experiencing it is much more so.

    Any help whatsoever is appreciated.
    Thanks,
    Seth

  9. Seth avatar
    Seth

    One more point of clarification: when I said “it gives conflicting messages about whether it’s really connected or not”, what I meant is, in the list of detected wireless networks it shows up with “Not Connected” next to the star and yet the description reads “This network requires a network key. (duh, and I entered it!) You are currently connected to this network. (I am?) To disconnect from this network, click Disconnect below.”
    wow…if I’m so connected why can’t I browse the web and why is this network described as “Not Connected” next to the star?! Excuse me while I lose my mind…

  10. Mark Wilson avatar
    Mark Wilson

    Hi Seth,
    I’m going to avoid the whole Mac vs. PC thing here as it’s actually nothing to do with that. The issue here is WiFi security.

    Your access point (Airport) appears to be running an old WiFi security protocol called WEP. This is no longer considered secure (it can be cracked in under a minute) and if you are not bothered by security it would be easier to have an open access point (i.e. no password).

    If you do want your wireless network secured (I suggest that would be a good thing), then your Mac administrator, or whoever looks after the Airport, needs to change the configuration to WPA-PSK (WiFi Protected Access – Preshared Key). This is intended for home and small business use and is far more secure than WEP but still uses a password/passphrase as a key.

    Once this has been done (and it will also involve changing the configuration on the Macs and the PC), you should find that everything can communicate – you have already written that your PC offers WPA-PSK as a connection option. Also, whereas I had problems with key length on WEP (the 7 or 13 character password message), I have no such issues with WPA – I guess that’s all down to how the WiFi security is implemented within the operating system’s network stack, although even Windows seems to be confused about whether it is connected or not – try using the ping command to see if you can contact any other devices on the network (e.g. the router).

    Final point is re: 802.11b or g. IEEE 802.11b is the old (11Mbps) WiFi standard, largely superceded by IEEE 802.11g (54Mbps). Your Airport administrator should know which of these you use (and 802.11g is backwards-compatible with 802.11b) but if you have even a single 802.11b device on the network, all of the connected devices will drop to the lower speed – so it’s worth having everything operating at the same level.

    That’s about all the support I can offer! Hopefully that’s been useful. Your Mac administrator should understand all of this in any case. The only thing that’s different is that you have one PC running Windows. It still uses the same wireless networking protocols as the Mac.

    HTH, Mark

  11. Seth avatar
    Seth

    Mark, thank you for sharing your expertise on this. We’re giving it a shot.

    – Seth

  12. Mark Wilson avatar
    Mark Wilson

    Good luck Seth – hope you get everything working :-)

  13. Janet avatar
    Janet

    This isn’t helpful when it comes to using wireless at cafes, schools, libraries, towns etc. And it *is* a windows/mac issue, because I open up my mac laptop and it connects, whereas my daughter’s pc laptop just keeps saying “you are currently connected” and “not connected” at the same time.

    The only solution you have, and the only solution I can find on the web, is to go to the cafe/school/etc. owner, and demand that they get an IT person to change their password; which is absurd if their own machines work fine and they are only offering access as a courtesy.

    Please someone, anyone, any kind of work-around?

  14. Mark Wilson avatar
    Mark Wilson

    @Janet – Sorry to hear that you are having problems but I’m not sure what your issue is here. For Internet cafes, libraries, etc., there will be open access – it’s a public network. For schools, colleges, etc. (just as for workplaces), there is probably a mix of secure and unsecure networks. This (old) blog post (3 years is a long time in IT) is about securing the network – and the technology it describes is equally applicable to Macs and PCs (I’m writing this on a Mac, but the PC next to me is working fine too) – the only reason the Mac vs. PC issue came up was because a previous commenter was having problems when colleagues could connect. When one person has a problem and the rest don’t, rule number 1 of troubleshooting is to work out what’s different about the problem machine(s). The only reason I suggested changing the network key was because the problem appeared to be configuration of the access point itself. That’s unlikely to be an issue with a school, library, Internet cafe, etc.

    Incidentally, my MacBook connects fine to my Wi-Fi network but drops the connection frequently whereas Windows PCs on the network have worked flawlessly for years… in the end I changed the wireless access point (because the old one died) and the MacBook was much happier with the new one!

    Forget the Mac vs. PC part and think about what’s not working here. Your device – be it a Windows PC, Mac OS PC, Linux PC, phone, etc. – is trying to connect to a Wi-Fi service which will either be open or secure. If it can’t connect, think about whether a network key is required, whether the OS is patched up-to-date, whether the device drivers are up-to-date, and whether there is a known problem with a particular technology in use.

  15. Mark Wilson avatar
    Mark Wilson

    Re: the 5 or 13 character issues, I found a Linksys forum post and an Apple support article that might help explain why it occurs – if not how to get around it. It seems that the real answer is to get the administrator of the Wi-Fi hotspot to use something more modern than WEP for security (and WEP is not really secure these days) or at the very least to change the password length.

  16. Mark Wilson avatar
    Mark Wilson

    For anyone struggling to get WPA to work on a Mac, I found a possible solution in a comment on this blog post which may be worth investigating (I have not confirmed it):

    […] with some 11g access points/routers OS X requires that you enter the WAP personal password as a 64 hex string. Not only that, it requires it as the pre-shared key that is generated by combining the SSID of the access point WITH the passphrase. The following site can help you to generate the proper 64 hex string which you then need to enter into the passphrase field.

    http://www.badtech.org/tools/wpa/

    The string must also be preceded by a $ symbol.”

  17. Zli Mare avatar
    Zli Mare

    I have similar problem. I put a password on my wireless, and I have problems when I try to connect on it, whit other computer. My laptop(Vista) has no problems connecting on it, I just typed password once and it is cool, but when my other PC asks me for Network key, I type it and it doesn’t work, I get this message from above:

    Wireless configuration

    The network password needs to be 40 bits or 104 bits depending on your network configuration.

    This can be entered as 5 or 13 ASCII characters or 10 or 26 hexadecimal characters.

  18. George The Web Developer avatar
    George The Web Developer

    In my experience, the longer the pre-shared key, the better. I believe it goes up to 48 characters, and if a user includes numbers and letters and makes it as random as possible, it would be virtually impossible to break the security on the network. May I also suggest setting up MAC Address Filtering to allow only known devices to connect to the network.

    A couple more points if I may.

    WEP is considered not as secure as WPA-PSK. Nobody should use WEP now.

    Setting up Radius server is very easy and doesn’t require any particular knowledge.

  19. Mark Wilson avatar
    Mark Wilson

    @George – Setting up a RADIUS server may be easy… but not for people who don’t run an entire IT infrastructure at home (as I do, and I imagine you do too).

    You’re perfectly correct that WEP is now considered insecure – indeed WPA is too. WPA2 should be used where available, along with other security mechanisms.

    The benefit of MAC address filtering is debatable – it’s security by obscurity and MAC addresses are easily spoofed. It’s also a management nightmare for all but the smallest of networks (although I do use it on mine).

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

More posts