Linux All-in-One For Dummies, 5th Edition (2014)
Book III. Networking
Chapter 3. Going Wireless
In This Chapter
Understanding the wireless Ethernet network
Setting up your wireless hardware
Finding out how to configure a wireless access point
Configuring a wireless network
If you have laptop computers on your LAN — or if you don’t want to run a rat’s nest of wires to connect a PC to the LAN — you have the option of using a wireless Ethernet network. In a typical scenario, you have a cable modem or DSL connection to the Internet, and you want to connect one or more laptops with wireless network cards to access the Internet through the cable or DSL modem. This chapter shows you how to set up wireless networking for connecting to an Ethernet LAN and accessing the Internet.
Understanding Wireless Ethernet Networks
You’ve probably heard about Wi-Fi. Wi-Fi stands for Wireless Fidelity — a short-range wireless network similar to wired Ethernet networks. A number of standards from an organization known as IEEE (the Institute of Electrical and Electronics Engineers) define the technical details of how Wi-Fi networks work. Manufacturers use these standards to build the components that you can buy to set up a wireless local area network (WLAN for short).
The standard governing Wi-Fi networks has evolved swiftly. What started as 802.11a gave birth to 802.11b — and the two combined to make up 802.11g, which was superseded by 802.11n — but the purpose of every one of these standards was the same: to specify how the wireless Ethernet network works at the physical layer. You don’t have to fret the details of all those standards to set up a wireless network, but knowing some pertinent details is good so that you can buy the right kind of equipment for your wireless network.
The three wireless Ethernet standards you’ll commonly encounter today have the following key characteristics:
· 802.11b: Operates in the 2.4 GHz radio band (2.4 GHz to 2.4835 GHz) in up to three nonoverlapping frequency bands or channels. Supports a maximum bit rate of 11 Mbps per channel. One disadvantage of 802.11b is that the 2.4 GHz frequency band is crowded — many devices (such as microwave ovens, cordless phones, medical and scientific equipment, as well as Bluetooth devices), all work within the 2.4 GHz frequency band. Nevertheless, 802.11b is popular in corporate and home networks.
· 802.11a: Operates in the 5 GHz radio band (5.725 GHz to 5.850 GHz) in up to eight nonoverlapping channels. Supports a maximum bit rate of 54 Mbps per channel. The 5 GHz band isn’t as crowded as the 2.4 GHz band, but the 5 GHz band isn’t approved for use in Europe. Products conforming to 802.11a standard are on the market, and some wireless access points are designed to handle both 802.11a and 802.11b connections.
· 802.11g: Supports up to 54 Mbps data rate in the 2.4 GHz band (the same band that 802.11b uses). 802.11g achieves the higher bit rate by using a technology called OFDM (orthogonal frequency-division multiplexing), which is also used by 802.11a. Equipment that complies with 802.11g is on the market. 802.11g has generated excitement by working in the same band as 802.11b but promising much higher data rates — and by being backward-compatible with 802.11b devices. Vendors currently offer access points that can support both the 802.11b and 802.11g connection standards.
In all cases, the maximum data throughput that a user sees is much less than the channel’s total capacity because all users of that radio channel share this capacity. Also, the data-transfer rate decreases as the distance increases between the user’s PC and the wireless access point.
To play it safe, though, go with 802.11n with its supported data rates five times the existing throughput and double the range of previous standards.
An 802.11g access point can also communicate with older (and slower) 802.11b devices. You can also consider a MIMO (multiple-input-multiple-output) access point, which supports multiple 802.11 standards and implements techniques for getting higher throughputs and better range.
To find out more about wireless Ethernet, visit www.wi-fi.org, the home page of the Wi-Fi Alliance, which is the nonprofit international association formed in 1999 to certify interoperability of wireless LAN products based on IEEE 802.11 standards.
Understanding infrastructure and ad hoc modes
The 802.11 standard defines two modes of operation for wireless Ethernet networks: ad hoc and infrastructure. Ad hoc mode is simply two or more wireless Ethernet cards communicating with each other without an access point.
Infrastructure mode refers to the approach in which all the wireless Ethernet cards communicate with each other and with the wired LAN through an access point. For the discussions in this chapter, I assume that you set your wireless Ethernet card to infrastructure mode. In the configuration files, this mode is referred to as managed mode.
Understanding Wired Equivalent Privacy (WEP)
The 802.11 standard includes Wired Equivalent Privacy (WEP) for protecting wireless communications from eavesdropping. WEP relies on a 40-bit or 104-bit secret key that’s shared between a mobile station (such as a laptop with a wireless Ethernet card) and an access point (also called a base station). The secret key is used to encrypt data packets before they’re transmitted, and an integrity check is performed to ensure that packets aren’t modified in transit. The 802.11 standard doesn’t explain how the shared key is established. In practice, most wireless LANs use a single key that’s shared by all of its mobile stations and access points. Such an approach, however, doesn’t scale up very well to an environment such as a college campus because the keys are shared with all users — and you know how it is if you share a secret with hundreds of people. That’s why WEP typically isn’t used on large wireless networks, such as the ones at universities. In such wireless networks, you have to use other security approaches, such as SSH (Secure Shell), to log in to remote systems. WEP, however, is good to use on a home wireless network.
WEP has its weaknesses, but it’s better than nothing. You can use it in smaller wireless LANs where sharing the same key among all wireless stations isn’t an onerous task.
Is the WEP stream cipher good enough?
WEP uses the RC4 encryption algorithm, which is known as a stream cipher. Such an algorithm works by taking a short secret key and generating an infinite stream of pseudorandom bits. Before sending the data, the sending station performs an exclusive-OR operation between the pseudorandom bits and the bits representing the data packet, which results in a 1 when two bits are different and 0 if they are the same. The receiver has a copy of the same secret key and generates an identical stream of pseudorandom bits — and performs an identical exclusive-OR operation between this pseudorandom stream and the received bits. Doing so regenerates the original, unencrypted data packet.
This stream-cipher method has a few problems. If a bit is flipped (from a 0 to 1 or vice versa) in the encrypted data stream, the corresponding bit is flipped in the decrypted output, which can help an attacker derive the encryption key. Also, an eavesdropper who intercepts two encoded messages that were encoded with the same stream can generate the exclusive-OR of the original messages. That knowledge is enough to mount attacks that can eventually break the encryption.
To counter these weaknesses, WEP uses some defenses:
· Integrity check (IC) field: To make sure that data packets aren’t modified in transit, WEP uses an integrity-check field in each packet.
· Initialization vector (IV): To avoid encrypting two messages with the same key stream, WEP uses a 24-bit IV that augments the shared secret key to produce a different RC4 key for each packet. The IV itself is also included in the packet.
Experts say that both these defenses are poorly implemented, making WEP ineffective. IC and IV have two main problems:
· The integrity-check field is implemented by using a checksum algorithm called 32-bit cyclic redundancy check (CRC-32); that checksum is then included as part of the data packet. Unfortunately, an attacker can flip arbitrary bits in an encrypted message and correctly adjust the checksum so that the resulting message appears valid.
· The 24-bit IV is sent in the clear (unencrypted). There are only 224 possible initialization vectors (no big challenge for a fast machine), and they have to be reused after running through them all. In other words, the IV is repeated after sending 224, or 16,777,216, packets. The number may sound like a lot, but consider the case of a busy access point that sends 1,500-byte packets at a rate of 11 Mbps. Each packet has 12,000 bits (8 x 1,500). That means the access point sends 916 packets (11,000,000/12,000) each second. At that rate, the access point sends 16,777,216 packets in 5 hours (16,777,216/916 = 18,315 seconds = 5 hours). That means the IV is reused after 5 hours or less because many messages are smaller than 1,500 bytes. Thus an attacker has ample opportunities to collect two messages encrypted with the same key stream — and perform statistical attacks (which amount to trying the possible combinations really fast) to decrypt the message.
Over a decade ago, the Wi-Fi Alliance published a specification called Wi-Fi Protected Access (WPA) that replaced the existing WEP standard and improved security by making some changes. For example, unlike WEP, which uses fixed keys, the WPA standard uses Temporal Key Integrity Protocol (TKIP), which generates new keys for every 10K of data transmitted over the network. This makes WPA more difficult to break. In 2004, the Wi-Fi Alliance introduced a follow-on to WPA called Wi-Fi Protected Access 2 (WPA2 — the second generation of WPA security). WPA2 is based on the final IEEE 802.11i standard, which uses public key encryption with digital certificates and an authentication, authorization, and accounting RADIUS (Remote Authentication Dial-In User Service) server to provide better security for wireless Ethernet networks. WPA2 uses the Advanced Encryption Standard (AES) for data encryption.
Setting Up Wireless Hardware
To set up the wireless connection, you need a wireless access point and a wireless network card in each PC. You can also set up an ad hoc wireless network among two or more PCs with wireless network cards, but that is a standalone wireless LAN among those PCs only. In this section, I focus on the scenario in which you want to set up a wireless connection to an established LAN that has a wired Internet connection through a cable modem or DSL.
In addition to the wireless access point, you also need a cable modem or DSL connection to the Internet, along with a NAT router and hub, as described in Chapters 1 and 2 of this minibook. Figure 3-1 shows a typical setup for wireless Internet access through an existing cable modem or DSL connection.
Figure 3-1: Typical connection of a mixed wired and wireless Ethernet LAN to the Internet.
As Figure 3-1 shows, the LAN has both wired and wireless PCs. In this example, either a cable or DSL modem connects the LAN to the Internet through a NAT router and hub. Laptops with wireless network cards connect to the LAN through a wireless access point attached to one of the RJ-45 ports on the hub. To connect desktop PCs to this wireless network, you can use a USB wireless network card (which connects to a USB port).
If you haven’t yet purchased a NAT router and hub for your cable or DSL connection, consider buying a router and hub that has a built-in wireless access point.
Configuring the Wireless Access Point
Configuring the wireless access point (commonly referenced as either an AP or WAP) involves the following tasks:
· Setting a name for the wireless network. (The technical term for this name is the ESSID.)
· Setting the frequency or channel on which the wireless access point communicates with the wireless network cards. The access point and the cards must use the same channel.
· Deciding whether to use encryption.
· If encryption is to be used, setting the number of bits in the encryption key and the value of the encryption key. For the encryption key, 24 bits are internal to the access point; you specify only the remaining bits. Thus, for 64-bit encryption, you have to specify a 40-bit key, which comes to 10 hexadecimal digits. (A hexadecimal digit is an integer from 0–9 or a letter from A–F.) For a 128-bit encryption key, you specify 104 bits, or 26 hexadecimal digits.
· Setting the access method that wireless network cards must use when connecting to the access point. You can opt for either open access or shared key. The open-access method is typical (even when using encryption).
· Setting the wireless access point to operate in infrastructure (managed) mode. You use this mode to connect wireless network cards to an existing Ethernet LAN.
The exact method of configuring a wireless access point depends on the device’s make and model; the vendor provides instructions to configure the wireless access point. Typically you work through a graphical client application on a Windows PC to do the configuration. If you enable encryption, make note of the encryption key; you have to specify that same key for each wireless network card on your laptops or desktops.
Configuring Wireless Networking
On your Linux laptop, the PCMCIA or PC Card manager recognizes the wireless network card and loads the appropriate driver for the card. Linux treats the wireless network card like another Ethernet device and assigns it a device name such as eth0 or eth1. If you already have an Ethernet card in the laptop, that card gets the eth0 device name and the wireless PC Card becomes the eth1 device.
You do have to configure certain parameters to enable the wireless network card to communicate with the wireless access point. For example, you have to specify the wireless network name assigned to the access point, and the encryption settings must match those on the access point. You can usually configure everything using a graphical network-configuration tool that’s available for your Linux distribution — just select the Wireless Network option and fill in the requested information, such as that shown in Figure 3-2.
Figure 3-2: Configuring a new wireless connection.
The Network Configuration tool saves your wireless network settings in a text file. The name of the text file depends on the wireless network device name. If the wireless network device name is eth0, the configuration is stored in the text file /etc/sysconfig/network-scripts/ifcfg-eth0. If the wireless device name is eth1, the file is /etc/sysconfig/network-scripts/ifcfg-eth1. This configuration file contains various settings for the wireless network card. Table 3-1 explains the meaning of the settings. Here is a slightly edited version of the /etc/sysconfig/network-scripts/ifcfg-eth1 file from my laptop PC:
IPV6INIT=no
USERCTL=no
PEERDNS=yes
TYPE=Wireless
DEVICE=eth1
HWADDR=00:02:2d:8c:f9:c4
BOOTPROTO=dhcp
ONBOOT=no
DHCP_HOSTNAME=
NAME=
ESSID='HOME'
CHANNEL=6
MODE=Managed
RATE=auto
Table 3-1 Settings in Configuration File for a Wireless Ethernet Network Interface
|
This Parameter |
Means the Following |
|
BOOTPROTO |
The name of the protocol to use to get the IP address for the interface. The protocol used is either dhcp or bootp for an Ethernet interface. |
|
CHANNEL |
Channel number (between 1 and 14 in United States and Canada). Must be the same as that set for the wireless access point. In managed mode, you don’t need to specify the channel. |
|
DEVICE |
The device name for the wireless Ethernet network interface (eth0 for the first interface, eth1 for the second, and so on). |
|
ESSID |
Extended Service Set (ESS) Identifier (ID), also known as the wireless network name. It is case-sensitive and must be the same as the name specified for the wireless access point. Provide the name within single quotes (for example, ‘HOME’). |
|
HWADDR |
The hardware address (also called the MAC address) of the wireless network card (six pairs of colon-separated hexadecimal numbers; for example, 00:02:2d:8c:f9:c4). The wireless card’s device driver automatically detects this address. |
|
IPV6INIT |
When set to yes, this parameter initializes IPv6 configuration for the wireless interface. Set it to no if you’re not using IPv6. |
|
MODE |
The mode of operation of the wireless network card. Set to Managed for a typical network that connects through a wireless access point. |
|
NAME |
A nickname for your wireless network. If you don’t specify it, the host name is used as the nickname. |
|
ONBOOT |
Set to yes to activate the wireless interface at boot time; otherwise set to no. |
|
PEERDNS |
Set to yes to enable the interface to modify your system’s /etc/resolv.conf file to use the DNS servers obtained from the DHCP server (the same server that provides the IP address for the interface). If you set this parameter to no, the /etc/resolv.conf file is left unchanged. |
|
RATE |
Bit rate for the wireless connection (set to one of the following options: 1M, 2M, 5.5M, 11M, or auto). The M means Mbps, or a million bits per second. Set to auto to use the maximum possible transmission rate. |
|
TYPE |
Set to Wireless for wireless network interface. |
|
USERCTL |
When set to yes, a user who isn’t logged in as root can control the device. Set it to no so that only root can control the device. |
In some Linux distributions, the encryption key is stored separately. For a wireless Ethernet card whose device name is eth1, the encryption key is stored in the /etc/sysconfig/network-scripts/keys-eth1 file. Here is what this file contains for my example:
KEY=1fdf3fdefe
The key has 10 hexadecimal digits for a 40-bit key (for example, 1fdf-3fde-fe) or 26 hexadecimal digits for a 104-bit key. The keys are 64-bit and 128-bit, respectively, but the encryption algorithm automatically generates 24 bits of the key, so you need to specify only the remaining bits. The longer the key, the more secure the encryption.
If you ever manually edit the parameters in the wireless Ethernet configuration file, type the following command to reactivate the wireless network interface after editing the configuration file:
/etc/init.d/network restart
In SUSE Linux, use YaST to configure the wireless network. SUSE stores the wireless configuration parameters in a file whose name begins with ifcfg-wlan, followed by a number such as 0 or 1, depending on the sequence number of the wireless network interface.
The configuration file is stored in the /etc/sysconfig/network directory. Here’s a typical list of wireless configuration parameters from a configuration file in SUSE Linux:
WIRELESS_MODE='Managed'
WIRELESS_ESSID='HOME'
WIRELESS_NICK=''
WIRELESS_RATE='auto'
WIRELESS_AUTH_MODE='open'
WIRELESS_KEY_0='0123-4567-89'
To check the status of the wireless network interface, type the following command:
iwconfig
Here’s a typical output from a laptop with a wireless Ethernet PC card. (The output should be similar in other Linux distributions.)
lo no wireless extensions.
eth0 no wireless extensions.
sit0 no wireless extensions.
eth1 IEEE 802.11b ESSID:"HOME" Nickname:"localhost.localdomain"
Mode:Managed Frequency:2.437 GHz Access Point: 00:30:AB:06:E2:5D
Bit Rate=11 Mb/s Sensitivity:1/3
Retry limit:4 RTS thr:off Fragment thr:off
Encryption key:1FDF-3FDE-FE Security mode:open
Power Management:off
Link Quality=51/92 Signal level=-40 dBm Noise level=-91 dBm
Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:27
Tx excessive retries:0 Invalid misc:0 Missed beacon:0
Here the eth1 interface refers to the wireless network card. I edited the encryption key and some other parameters to hide those details, but the sample output shows you what you’d typically see when the wireless link is working.