Wireless network security

 

 

More security-conscious network operators may choose from a variety of security measures to limit access to their wireless network, including:

 

• MAC address authentication, in combination with discretionary DHCP server settings, allows a user to set up an "allowed MAC address" list. Under this type of security, the access point will only give an IP address to computers whose MAC address is on the list. The network administrator would therefore need to obtain the valid MAC addresses from each of the potential clients in their network. Disadvantages of this method include the additional setup. Methods to defeat this type of security include MAC address spoofing, detailed on the MAC address page, whereby network traffic is observed, valid MACs are collected, and then used to obtain DHCP leases.

• IP security (IPsec) can be used to encrypt traffic between network nodes, reducing or eliminating the amount of plain text information transmitted over the air. This security method addresses privacy concerns of wireless users, as it becomes much more difficult to observe their wireless activity. The difficulty of setting up IPsec depends on the brand of access point being used. Some access points may not offer IPsec at all, while others may require firmware updates before IPsec options are available. Methods to defeat this type of security are computationally intensive to the extent that they are infeasible using readily available hardware, or they rely on social engineering to obtain information (keys, etc.) about the IPsec installation.

• Wired Equivalent Privacy (WEP) can be used on many access points without cumbersome setup, but offers little in the way of practical security. It is cryptographically very weak, so an access key can easily be stolen. Its use is often discouraged in favor of other more robust security measures, but many users feel that any security is better than none. In practice, this may simply mean your neighbors' non-WEP networks are more accessible targets. WEP is sometimes known to slow down network traffic, in the sense that the WEP implementation causes extra packets to be transmitted across the network. Some claim that "Wired Equivalent Privacy" is a misnomer, but this is untrue in most cases because wired networks are not particularly secure either.

• Wi-Fi Protected Access (WPA) is more secure than WEP but is not yet very widespread. Many Access Points will support WPA after a firmware update.

• VPN options such as tunnel-mode IPsec or OpenVPN can be difficult to set up, but often provide the most flexible, extensible security, and as such are recommended for larger networks with many users.

• Wireless intrusion detection systems can be used to detect the presence of rogue access points which expose a network to security breaches. Such systems are particularly of interest to large organizations with many employees.  
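The rogue access point check that a wireless intrusion detection system performs, sketched as an added example (not code from the original page): observed beacons are compared against an inventory of authorized access points. The inventory, the scan records and the finding names are all constructed for illustration.

```python
# Constructed inventory of authorized access points (assumption, not from the page).
AUTHORIZED = {
    "00:11:22:33:44:01": {"ssid": "corp-wlan", "channel": 1, "security": "WPA"},
    "00:11:22:33:44:02": {"ssid": "corp-wlan", "channel": 6, "security": "WPA"},
}
# Weakest to strongest, limited to the schemes the page names.
STRENGTH = {"OPEN": 0, "WEP": 1, "WPA": 2}

# Constructed scan results as a sensor might report them: (bssid, ssid, channel, security).
SCAN = [
    ("00:11:22:33:44:01", "corp-wlan", 1, "WPA"),    # matches inventory
    ("00:11:22:33:44:02", "corp-wlan", 6, "WEP"),    # known AP, weaker security
    ("02:AA:BB:CC:DD:10", "corp-wlan", 11, "OPEN"),  # unknown AP using our SSID
    ("00:11:22:33:44:01", "corp-wlan", 9, "WPA"),    # known BSSID, unexpected channel
    ("02:AA:BB:CC:DD:20", "CoffeeShop", 3, "OPEN"),  # neighbour network, unrelated SSID
]

def classify(bssid, ssid, channel, security, inventory=AUTHORIZED):
    """Return a list of finding names for one observed beacon."""
    bssid = bssid.lower()
    known = inventory.get(bssid)
    our_ssids = {ap["ssid"] for ap in inventory.values()}
    if known is None:
        # An unlisted radio advertising our SSID is the rogue-AP case.
        return ["rogue-ssid"] if ssid in our_ssids else []
    findings = []
    if ssid != known["ssid"]:
        findings.append("ssid-changed")
    if STRENGTH.get(security.upper(), 0) < STRENGTH[known["security"]]:
        findings.append("security-downgrade")
    if channel != known["channel"]:
        # Same BSSID on another channel: reconfiguration or a cloned BSSID.
        findings.append("channel-mismatch")
    return findings

def audit(scan, inventory=AUTHORIZED):
    """Map each flagged (bssid, channel) to its findings; clean entries are omitted."""
    report = {}
    for bssid, ssid, channel, security in scan:
        findings = classify(bssid, ssid, channel, security, inventory)
        if findings:
            report[(bssid.lower(), channel)] = findings
    return report

if __name__ == "__main__":
    for (bssid, channel), findings in audit(SCAN).items():
        print(bssid, "ch", channel, ", ".join(findings))
```

This covers only what can be seen over the air; an unauthorized access point plugged into the wired network under an unrelated SSID would need wired-side correlation to find.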
