Key Points in Configuring Wireless Network Security

 

Procedures for setting up WEP (“Wired Equivalent Privacy”) security on Senao 802.11b wireless network equipment.

 

Quick start

1.       Initial connection

Install the NIC (Network Interface Card) in a computer as documented, power up the Access Point (AP), use a web browser to connect from the PC to the AP at 192.168.1.1, and proceed to configure the AP and NIC as described below.  Forget about trying to use the serial cable to configure the AP before connecting to it via the wireless NIC; the serial console connection configuration isn't documented, and nothing obvious works.

 

·         As a troubleshooting tip, when installing the NIC, select the option to have connection status displayed in the toolbar.  It helps monitor the NIC's offline intervals following configuration changes.  An alternative would be any other view (e.g., “Network and Dial-up Connections” in Details display mode) that shows connection status.

2.       Initial configuration

If you're planning to use WEP security, you should configure that BEFORE trying to configure anything else.  If you screw it up and can't set your NIC to match the AP, you will lose all access to the AP.  In order to recover, you'll have to wipe the AP back to factory defaults and start over.

 

 

o        Using the Advanced -> Wireless section, configure all four keys on the AP.  Settings are in hexadecimal, five two-digit hex fields per key.  If you don't manually set them all, at least write them all down or save a screen shot.  Note that single-digit entries are zero-filled on the left.  These keys do not become active until you enable WEP, save, and reboot the AP – at which point you're committed.

 

o        Configure the same keys to the same values on the NIC.  Unlike the AP, the NIC has a single entry field per key, which accepts up to 26 hex digits.  You will enter only 10 digits per key: the same 10 digits you entered for each corresponding key number on the AP.  Enter them in the same sequence shown in the AP's five fields per key, disregarding the separation between them.

 

o        You may, if you choose, work with only key #1 on both NIC and AP, in which case it is essential that the "default key" or "key to use" field be left at "1" for both.

 

o        On the AP, click the "WEP" radio button.  Leave the NIC's WEP security at "optional" for now.

3.       Save your settings

In the AP interface, click on "Finish" to have the AP check the key values, zero fill, etc.  On the NIC, click OK, and then go back and check those fields.  Double-check they are identical, and that all NIC key fields are exactly 10 digits long.

 

o        In the AP Utilities section, select "save", then go back and select "restart". 

 

o        While the AP is rebooting, set the NIC encryption level to 64-bit. 

4.       Test your changes

The NIC should re-establish wireless connection with the AP in under 30 seconds.  At that point, try pinging 192.168.1.1 (the AP's default IP address).  If that fails, see the “troubleshooting tip” below; perhaps you couldn’t resist making other changes during the above process.  You may need to use the serial interface to wipe the AP back to factory defaults and start over.

The following instructions assume all is well, which they should be unless you've messed with other stuff.

5.       Lock the NIC

Set the NIC's WEP mode to mandatory, and test as above.  No AP reboot required; the NIC should re-establish connection within 10 seconds.

6.       Tune your WEP settings

At this point, you have established basic WEP security.  If you want to tweak or enhance it, do it now and return to step 2; otherwise, continue onward and set other parameters.

7.       Set the SSID

Set the SSID/ESSID on both NIC and AP.  Save and restart the AP, testing as before.  If these are mismatched, the connection will fail.  Fortunately, you can copy and paste this value between interfaces, so typos are unlikely, and in any case, Senao NICs support the use of  “ANY” to allow them to connect to the AP regardless of how it is configured.  Note that SSID values are transmitted unencrypted regardless of WEP configuration; don’t rely on them for security.

8.       Other settings

Most other wireless settings aren't so likely to cause you to lose connection with the AP.  Now you can go ahead and do them.  Don't forget to change the administration ID and password, and to disable any service that you aren't using.

 

Details

 

If certain settings are not configured compatibly between the Access Point (AP) and the host network interface card (NIC), connectivity between them will be lost.  If a compensating change cannot be made on the host NIC, or a non-network connection made to the AP to change its configuration, the AP will have to be reset.  Unless the AP supports "temporary" settings, that means erasing all configuration back to factory defaults.

 

Note that a NIC may actually be an external device connected via USB port, and that this document refers only to Senao products.

 

The following are settings that are susceptible to this problem:

 

1.       SSID (also called ESSID)

Must be the same on both AP and NIC, unless the NIC is set to "ANY".  To improve security, should not be left at either "ANY" or the factory AP default.  Not encrypted.

2.       WEP/Encryption on/off/mandatory/optional.

APs allow WEP encryption to be set either on or off.  NICs (at least USB NICs) allow it to be either mandatory or optional.  If WEP is enabled on the AP, it is effectively mandatory for all NICs; if any of the WEP settings on the AP are such that the NICs cannot connect, the AP will have to be erased and reconfigured.

 

It follows that WEP needs to be carefully configured and documented.  If the AP is set to "off", the NIC must be set to "optional"; if "on", the NIC may be set to either mandatory or optional.

 

You might think that encryption should be left optional on the NICs until after it has been enabled and tested on the AP.  However, NIC settings are easy to change and test; AP settings are one-way: you get it wrong, you wipe and start over from scratch.   Make sure all the related settings below are set correctly on the AP, and well documented, before enabling its WEP.

 

CAUTION:  The default key configurations on USB NICs and APs are NOT compatible.  If WEP security is enabled on the AP without setting these keys, you're hooped.  Back to square one.

3.       Encryption level   

AP encryption length is configured in key length (40 bits), and offers only one choice; NIC encryption is configured in bits, and offers a choice of 0, 64, or 128 bits.  It turns out that a 40-bit key provides 64-bit encryption, and a 104-bit key (configurable on the NIC only) provides 128-bit encryption.  Apparently there is a 24-bit overhead in both cases.  If WEP is enabled on the AP, the NIC must be set to 64-bit encryption, or communication cannot be established.

4.       WEP keys and key length

Both NICs and the AP currently support only the direct entry of WEP keys in hexadecimal format.  Both support the entry of four keys.  The AP requires each WEP key to be entered in 5 groups of one or two hexadecimal digits each (producing a single 8-bit byte value per two-digit group), and requires a valid hex/byte value in each of the five fields.  The USB NIC requires each key to be entered in a single hexadecimal string of one to 26 digits, and places no restriction, guideline or suggestion on its length versus encryption level.

 

It is unclear what happens when one enters other than exactly 10 or 26 hex digits in a USB NIC's key field, or how this interacts with the chosen encryption level.  Since only 40/64 bit encryption is supported by both devices, the safe policy would be to always use exactly 10 digits in the USB NIC's key field, exactly matching the 10 digits entered across the AP's five fields, zero filling where necessary.  From observation it appears that both the AP and NIC key fields are assembled into a key in the sequence in which they are displayed, despite the AP's form being split into five segments.

5.       Default WEP key/key to use

The AP has a field called "default key", which selects one of the four WEP keys.  The USB NIC has a field called "key to use" which is similar, and may be the same. 

 

There is no requirement for both NIC and AP to use the same default key.

 

Some documentation states that only those keys configured as default by either NIC or AP need to be configured identically on both.  Testing, however, indicates that both the NIC-specified default key and all lower-numbered keys must match on both the NIC and AP.  E.g., if the default key is three, keys one and two must also match on both systems.  This implies that maximum security might be obtained using key four as the default; however, there is no other evidence that is true.
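
The key rules in items 4 and 5 can be checked before WEP is enabled on the AP.  The following Python script is an added example, not part of the original document or of any Senao software; the function names and the key values are hypothetical and constructed for illustration.  It joins the AP's five fields per key with left zero fill, insists on exactly 10 hex digits on the NIC side, and compares keys 1 through the NIC's default key, which is the set the testing above found must match.

```python
import re

KEY_BYTES = 5  # AP "40 bit" key = five bytes; the NIC labels this 64-bit

def ap_key_to_hex(fields):
    """Join the AP's five per-key fields into one 10-digit hex string."""
    if len(fields) != KEY_BYTES:
        raise ValueError("AP key needs exactly five fields")
    digits = []
    for field in fields:
        if not re.fullmatch(r"[0-9A-Fa-f]{1,2}", field):
            raise ValueError(f"invalid AP field {field!r}")
        digits.append(field.upper().zfill(2))  # single digits are zero-filled on the left
    return "".join(digits)

def nic_key_to_hex(text):
    """Accept a NIC key only if it is exactly 10 hex digits."""
    if not re.fullmatch(r"[0-9A-Fa-f]{10}", text):
        raise ValueError(f"NIC key is not exactly 10 hex digits: {text!r}")
    return text.upper()

def preflight(ap_keys, nic_keys, nic_default):
    """Return problems in keys 1..nic_default, the ones the page found must match."""
    if nic_default not in (1, 2, 3, 4):
        raise ValueError("default key must be 1-4")
    problems = []
    for number in range(1, nic_default + 1):
        try:
            ap_hex = ap_key_to_hex(ap_keys[number - 1])
            nic_hex = nic_key_to_hex(nic_keys[number - 1])
        except ValueError as exc:
            problems.append(f"key {number}: {exc}")
            continue
        if ap_hex != nic_hex:
            problems.append(f"key {number}: AP {ap_hex} != NIC {nic_hex}")
    return problems

# Constructed sample values, not real keys.
AP_KEYS = [["1a", "2", "3c", "4d", "5e"], ["0", "11", "22", "33", "44"],
           ["a", "b", "c", "d", "e"], ["ff", "ee", "dd", "cc", "bb"]]
NIC_KEYS = ["1A023C4D5E", "0011223344", "ABCDE", "FFEEDDCCBB"]  # key 3 typed without zero fill

if __name__ == "__main__":
    for default in (2, 3):
        print(default, preflight(AP_KEYS, NIC_KEYS, default) or "OK to enable WEP")
```

An empty result means the keys that matter for the chosen default agree; any entry in the list should be fixed on the NIC before the AP is saved and restarted.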

 

Troubleshooting Tip

 

If WEP or other security-related settings are such that communication fails, the NIC status may still report that it is connected to the AP.  It can be difficult to distinguish between layer 2 (802.11b/WEP) and layer 3 (e.g., IP) configuration issues.  In both cases, pings fail.  However, an "arp" address display (e.g., "arp -a") may list MAC addresses even if IP connectivity fails.  In that case, the problem is probably not specific to wireless networking or WEP, so one should check such items as DHCP, IP addressing, gateway addresses, etc.

 

Some Wireless Non-encryption related fields

·        Regulatory Domain

The default is US.  Can be set only on the AP.  Other options have not been tested.

Unclear whether this is significant and/or should be set. 

·        Channel

Appears to have no effect.

·        Shared Key vs. Open System

Only the latter currently works.

·        Station name

Can be set only on the AP.  Appears to have no effect.  Unclear whether this is significant and/or should be set. 

 

A note on WEP security

 

WEP is not currently industrial-grade encryption.  Improvements are being developed; in the meantime, motivated crackers with suitable software can decrypt WEP-encrypted network transmissions.  Depending on your level of paranoia (and assuming your physical and other security is already in good shape), you may want to look into using VPN connections over your wireless network.  Configuration of such connections is beyond the scope of this document.