Router Security
Anyone connecting to the Internet needs a Router. The Router can provide direct connection by an Ethernet cable (RJ-45) or through Wi-Fi. Wi-Fi is, of course, wireless and does not require any cables. Because the connection is made without cables anyone with nearly any device can see your network. All data can be ‘sniffed’ with a program like Wireshark. Encrypted data is not as easily read but can still be seen. The main trick for anyone with a Router is to make your network as secure as possible. For initial security each device should be authenticated before connecting.
Authentication
When a device needs to attach to the Internet the device must first connect to the Router. When connecting to the Router the connecting device can be authenticated to continue the connection. To start, you can set up a Router with no security which will not require any type of security authentication. Of course, with no security the wireless network is open for anyone to connect to your network. With no security set up the authentication type is an ‘Open System Authentication’. In an ‘Open System Authentication’ network, the client will perform the following:
Another authentication method is the Extensible Authentication Protocol (EAP). With EAP the Router will interact with an EAP-compatible RADIUS server. The RADIUS server is used to perform authentication.
The client will send a request to the Router for connection. The Router then sends an ‘Identity Request’ to the client. The client responds with a user name and password. The Router sends the response to the RADIUS Server which responds with a request for an Authentication Challenge. The Authentication Challenge is sent to the client which produces a Response and sends it to the Router. The Response is encrypted with a one-way encryption method using the supplied password. The Router sends the response on to the RADIUS Server which uses its password in the database for the user and compares the encrypted message. If the messages match then the password is correct. The RADIUS Server responds with an Authentication Success to the Router which forwards it to the client. The client then sends an Authentication Challenge to the Router to authenticate the Server. The Router passes on the Challenge to the Router which gives an Authentication Response. The Response is sent on to the client which gives an Authentication Success message to the Router. This client authentication of the Server is the exact reverse of the Server authenticating the client. The Router sends on the Authentication Success frame to the RADIUS Server and a connection is established. Once established, the RADIUS Server sends a Session Key to the client. The key is encrypted by the RADIUS Server and is sent to the Router. The Router will encrypt the broadcast key with the session key. The client will receive and decrypt the broadcast key with the session key and communication can continue with the client and Router in an encrypted format.
Another authentication type is ‘MAC Address Authentication’. When a system sends a message to the Router (gateway) for the first time the Router checks the MAC Address of the device. If the MAC Address is included in a ‘white list’ then the device is allowed access to the Internet.
It is possible to include the MAC Address white list on a RADIUS Server. When the Router is notified of a new device the MAC Address is checked against the list on RADIUS Server.
Protocols
There are three basic protocols used to provide connections between a device and the Router. The three are:
Each protocol provides different security features. Keep in mind that various devices may not support all the protocols. Check your devices to see what will be required for you to use.
WEP
WEP is a protocol that has been cracked. It is fairly easy with the right equipment to determine a WEP passphrase (password).
There are four settings for WEP when setting it up:
If you set WEP to ‘off’ then there is no security at all and any device can connect to your Wi-Fi.
Setting the encryption to 64-bit, 128-bit or 256-bit does not gain much in security since either can be cracked with tools available on the Internet. Performance may degrade when using 256-bit or 128-bit encryption so it may be best to use 64-bit if you must use WEP.
A ‘passphrase’ is used to allow authentication of devices on the wireless network. The ‘passphrase’ is a hexadecimal string made up of numbers (0-9) and letters (a-f). The length requirements are as follows:
WPA
WPA is an improvement of WEP because it was created to ‘fix’ the security issues with WEP.
WPA uses a 128-bit encryption key and has dynamic sessions to provide better authentication security. A password can be used and should preferably be eight or more characters in length. WPA password can be found easily if they are short or the password is a regular dictionary word. Random letters tend to work best.
There are two types of WPA, WPA-Personal and WPA-Enterprise. The WPA-Personal uses a password and users are authenticated with a Shared Key. WPA-Personal Shared Key is sometimes referred to as WPA-PSK.
The second type of WPA is WPA-Enterprise. WPA-Enterprise uses a Shared Key but a RADIUS Server is required to provide authentication.
The WPA Protocol can use one of two types of encryption:
WPA2
As with WPA being improved over WEP, WPA2 is an improvement over WPA. WPA2 is version 2 of WPA.
Similar to WPA, WPA2 allows for both WPA2-Personal and WPA-Enterprise. The requirements are the same since the Enterprise needs a RADIUS Server to provide authentication. WPA2 can use a Shared Key when using the WPA2-PSK.
WPA2 allows for the use of TKIP, AES and TKIP+AES.
For extra security, the AES encryption standard uses Counter Mode CBC-MAC Protocol (CCMP) to improve on data security.
As you may have noticed, the use of WPA2 is preferred over the other two types. The issue as stated before is that older devices may not support WPA or WPA2. Some devices may support WPA or WPA2, but not AES or TKIP. For example, some Play Station 4 consoles will only use TKIP when connecting to a wireless network. If you have a PS4 not connecting to the Wi-Fi then simply change the router to use TKIP and it should work.
Anyone connecting to the Internet needs a Router. The Router can provide direct connection by an Ethernet cable (RJ-45) or through Wi-Fi. Wi-Fi is, of course, wireless and does not require any cables. Because the connection is made without cables anyone with nearly any device can see your network. All data can be ‘sniffed’ with a program like Wireshark. Encrypted data is not as easily read but can still be seen. The main trick for anyone with a Router is to make your network as secure as possible. For initial security each device should be authenticated before connecting.
Authentication
When a device needs to attach to the Internet the device must first connect to the Router. When connecting to the Router the connecting device can be authenticated to continue the connection. To start, you can set up a Router with no security which will not require any type of security authentication. Of course, with no security the wireless network is open for anyone to connect to your network. With no security set up the authentication type is an ‘Open System Authentication’. In an ‘Open System Authentication’ network, the client will perform the following:
- The wireless client sends an authentication management frame that contains its MAC Address
- The Router checks the MAC Address and sends back an authentication verification frame
- The client sends an authentication request to the Router
- The Router replies with a clear-text challenge
- The client encrypts the challenge-text using the configured password and sends it back in another authentication request
- The Router decrypts the response and compares the password. If they are a match then the Router allows the connection
Another authentication method is the Extensible Authentication Protocol (EAP). With EAP the Router will interact with an EAP-compatible RADIUS server. The RADIUS server is used to perform authentication.
The client will send a request to the Router for connection. The Router then sends an ‘Identity Request’ to the client. The client responds with a user name and password. The Router sends the response to the RADIUS Server which responds with a request for an Authentication Challenge. The Authentication Challenge is sent to the client which produces a Response and sends it to the Router. The Response is encrypted with a one-way encryption method using the supplied password. The Router sends the response on to the RADIUS Server which uses its password in the database for the user and compares the encrypted message. If the messages match then the password is correct. The RADIUS Server responds with an Authentication Success to the Router which forwards it to the client. The client then sends an Authentication Challenge to the Router to authenticate the Server. The Router passes on the Challenge to the Router which gives an Authentication Response. The Response is sent on to the client which gives an Authentication Success message to the Router. This client authentication of the Server is the exact reverse of the Server authenticating the client. The Router sends on the Authentication Success frame to the RADIUS Server and a connection is established. Once established, the RADIUS Server sends a Session Key to the client. The key is encrypted by the RADIUS Server and is sent to the Router. The Router will encrypt the broadcast key with the session key. The client will receive and decrypt the broadcast key with the session key and communication can continue with the client and Router in an encrypted format.
Another authentication type is ‘MAC Address Authentication’. When a system sends a message to the Router (gateway) for the first time the Router checks the MAC Address of the device. If the MAC Address is included in a ‘white list’ then the device is allowed access to the Internet.
It is possible to include the MAC Address white list on a RADIUS Server. When the Router is notified of a new device the MAC Address is checked against the list on RADIUS Server.
Protocols
There are three basic protocols used to provide connections between a device and the Router. The three are:
- Wired Equivalent Privacy (WEP)
- Wi-Fi Protected Access (WPA)
- Wi-Fi Protected Access 2 (WPA2)
Each protocol provides different security features. Keep in mind that various devices may not support all the protocols. Check your devices to see what will be required for you to use.
WEP
WEP is a protocol that has been cracked. It is fairly easy with the right equipment to determine a WEP passphrase (password).
There are four settings for WEP when setting it up:
- Off
- 64-bit
- 128-bit
- 256-bit
If you set WEP to ‘off’ then there is no security at all and any device can connect to your Wi-Fi.
Setting the encryption to 64-bit, 128-bit or 256-bit does not gain much in security since either can be cracked with tools available on the Internet. Performance may degrade when using 256-bit or 128-bit encryption so it may be best to use 64-bit if you must use WEP.
A ‘passphrase’ is used to allow authentication of devices on the wireless network. The ‘passphrase’ is a hexadecimal string made up of numbers (0-9) and letters (a-f). The length requirements are as follows:
- 64-bit – 10 hex characters
- 128-bit – 26 hex characters
- 256-bit – 58 hex characters
WPA
WPA is an improvement of WEP because it was created to ‘fix’ the security issues with WEP.
WPA uses a 128-bit encryption key and has dynamic sessions to provide better authentication security. A password can be used and should preferably be eight or more characters in length. WPA password can be found easily if they are short or the password is a regular dictionary word. Random letters tend to work best.
There are two types of WPA, WPA-Personal and WPA-Enterprise. The WPA-Personal uses a password and users are authenticated with a Shared Key. WPA-Personal Shared Key is sometimes referred to as WPA-PSK.
The second type of WPA is WPA-Enterprise. WPA-Enterprise uses a Shared Key but a RADIUS Server is required to provide authentication.
The WPA Protocol can use one of two types of encryption:
- Temporal Key Integrity Protocol (TKIP)
- Advanced Encryption Standard (AES) [not supported by all hardware]
WPA2
As with WPA being improved over WEP, WPA2 is an improvement over WPA. WPA2 is version 2 of WPA.
Similar to WPA, WPA2 allows for both WPA2-Personal and WPA-Enterprise. The requirements are the same since the Enterprise needs a RADIUS Server to provide authentication. WPA2 can use a Shared Key when using the WPA2-PSK.
WPA2 allows for the use of TKIP, AES and TKIP+AES.
For extra security, the AES encryption standard uses Counter Mode CBC-MAC Protocol (CCMP) to improve on data security.
As you may have noticed, the use of WPA2 is preferred over the other two types. The issue as stated before is that older devices may not support WPA or WPA2. Some devices may support WPA or WPA2, but not AES or TKIP. For example, some Play Station 4 consoles will only use TKIP when connecting to a wireless network. If you have a PS4 not connecting to the Wi-Fi then simply change the router to use TKIP and it should work.
