If you are like most people, your home or small office wireless router probably is running without any encryption whatsoever, and you are a sitting duck for someone to easily view your network traffic.
Some of you have put encryption on your wireless networks but aren't using the best wireless security methods. This means that you are running your networks with inferior protocols that offer a false sense of protection because these protocols are very easily broken into. It is the difference between using a deadbolt and a simple lock on your front door. For instance, Tom's Networking has a three-part series that shows you how easy it is to crack Wired Equivalent Privacy.
If you want to keep your neighbors out of your business, then you need to use Wi-Fi Protected Access version 2 (WPA2) encryption. This is now showing up on a number of routers and is worth the extra few steps involved to make sure your communications are secure. It is currently the best encryption method but getting it going isn't so simple. This recipe will show you how to make it work.
How does WPA2 differ from earlier versions? First, it supports the 802.11i encryption standards that have been ratified by the IEEE. These are the commercial-grade encryption products that are available on enterprise-class products.
Second, there are two encryption methods that WPA2 adds: one called Advanced Encryption Standard (AES) and one called Temporal Key Integrity Protocol (TKIP). Both of these allow for stronger encryption, and while the differences between the two aren't that important for our purposes, you should pick one method when you set up your network as you'll see in a moment.
Finally, the protocol creates a new encryption key for each session, while the older encryption standards used the same key for everybody -- which is why they were a lot easier to crack.
Also part of the new standard is Pairwise Master Key caching, where faster connections occur when a client goes back to a wireless access point to which the client already is authenticated. There is one more acronym I'll mention, and that is Pre-Shared Key or PSK. The WPA2 standard supports two different authentication mechanisms: one using standard RADIUS servers and the other with a shared key, similar to how WEP works. We'll get back to this in a moment, but let's show you how to get this train going.
Step 1: Windows OS: First make sure your operating system is up to date. If you are running Windows XP, you'll need service pack 2 and you'll need to download the WPA2 patch that's located here.
If you're using a Mac, you need to be running OS X 10.4.2 or better. Apple calls its version WPA2 Personal. While Linux is outside the scope of this article, you can get more information here.
Step 2: Wireless Adapter: While you are updating your Windows OS, you might want to make sure that the wireless adapter in your laptop is also up to the task of supporting WPA2. The Wi-Fi Alliance maintains an online database of products that is somewhat difficult to use. Go to their Web site, check the WPA2 box and then select which vendor you are interested in.
If you have a built-in Intel wireless adapter, it needs to be running Intel's ProSet version 7.1.4 or better, excluding versions 8.x. You can get more information on this page on Intel's Web site.
Step 3: Wireless access point/router: Next, make sure your router/gateway can support WPA2. If you have purchased it in the last year, chances are good that it does, but you might need to update your firmware as well. For the Belkin Pre-N router model 2000, I needed to update the firmware to version 2.01. An older model 1000 didn't support WPA2 and couldn't be upgraded. How can you tell the difference when you are buying one? You can't, other than opening the box and looking at the label on the bottom of the unit.
Here is how you set up the wireless security section of your router to support WPA2. In our examples here, we chose WPA2-AES. Here's a screenshot for the Belkin router:
You'll notice that you can obscure the key from being shown on the screen, which is a nice feature. That is the PSK that we mentioned earlier. Keep track of this; you'll need it later.
With this recipe, I also tried a Netgear WNR854T router, which didn't need any firmware update to support WPA2. Here is the screenshot from the Netgear router, where you can see the shared passphrase on the screen in the clear:
If you are using Apple's Airport router, you need to download the patch for Airport 4.2 here.
Step 4. Finishing the configuration: Now comes the fun part. Once you have your routers set up, you need to get the clients working properly. I'll show you the screens for Windows, but the Mac is similar.
The biggest issue is that you have to remember the PSK that you used to set up the router and enter it when prompted by the OS. You can enter any phrase from 8 to 63 characters, and obviously the longer the better. Don't forget to match the right combination of acronyms that you chose when you set up your router to match what is required in Windows' Wireless Properties Association dialog box, as shown in this screenshot:
Do this for all of the client computers on your network. Once you get everything working, if you take a look at your wireless connections screen, you should see something like this, where the wireless3 access point is showing that it has WPA2 security enabled:
OK, now you should be done. If you aren't getting a connection, chances are there is a mismatch between your router and your client. Check all the steps and make sure that the WPA2 choices are showing up in the right places and that you have chosen the appropriate encryption method (AES or TKIP) for both router and client pairs. You might also have to use the wireless management software from your adapter vendor, rather than Microsoft's, to set up your connection. Once you have a working connection, you don't have to go through all these steps and should be connected securely automatically.
David Strom is a writer, editor, public speaker, blogging coach and consultant. He is a former editor in chief of Network Computing and Tom's Hardware and has his own blog at http://strominator.com. He can be reached at firstname.lastname@example.org.