McAfee Wireless Home Network Security
 
Author: Richard Poelling
Editor: Kurtis
Sponsor: McAfee
Published: Nov. 2, 2005
Testing

For testing purposes, I will be using a wireless router supplied by McAfee which is the Linksys WRT54G running BIOS version 4.20.7. The router was shipped unopened and still shrink wrapped so I got a true "out-of-the-box" experience. The wireless client will be an older machine running an Athlon 1400 with 512MB RAM and running Windows 2000. It contains the D-Link DWL-540 PCI wireless network interface card. A secondary machine running Windows XP with an Actiontec wireless USB adapter was also used.

The WRT54G router shipped with a BIOS version which was not supported by McAfee as listed in their hardware compatibility list. Therefore, I had to upgrade it. I ran into a slight problem when I discovered that the current Linksys firmware was 4.20.7 and the latest SUPPORTED firmware was 4.20.6. Since Linksys did not have older firmware available, I took a chance and upgraded the device. I got lucky and it appeared to work. Previously I had attempted to use a D-Link DI-624 rev C as well as a Belkin dual A+G, but without luck. I will get back to why those failed later.


Normally I would not install a router on my network which had not been thoroughly hardened and locked down, but this time was different. I plugged the WRT54G in the wall and essentially disregarded every single installation tip provided by Linksys. The router was going to be Plug-N-Play whether it wanted to be or not. After successfully broadcasting my internet connection to everyone within range, I was ready to begin setting up the software. Upon booting my computer I was notified that an unsecured wireless connection was present. Clicking this connection, I next chose to protect it. After a minute I was informed that the connection was successfully protected. I was unable to connect any other devices to the router without the supplied WEP key or the permission of this machine.


I now had a secure wireless connection, although I can see a problem if you have any non-computer wireless devices. These might include a wireless printer, PDA, or possibly a wireless gaming adaptor for a gaming console. Since the software changes the key every three hours, you will also need to change the key on your device. This feature can be disabled such that the keys are not rotated, but you will be reducing your overall security level by doing so. Disabling key rotation can also be handy if you want to host a LAN party and don't want to re-key everyone's computer every 3 hours. Once the connection was established, I had no problems maintaining it through numerous reboots.


An item to note is that the software, by default, secures the connection using the less secure WEP protocol. This is done for backward compatibility since some older devices may not support the newer WPA security protocol. This can be changed after the connection has been set up. Navigating to the advanced settings you are able to change not only the security protocol in use, but also the username and password of the router as well as the SSID of the router. The fact that the username and password are seen in clear text does make me nervous. I would have liked to see this obfuscated. Basically if you let someone else on your network, you are not only giving them access to the key, but also to your entire setup.


To add another computer to the network, you first install the software on the machine you wish to add. The software is licensed for 5 machines so there is no need to worry about licensing issues for most people. In the network list, the newly protected network now shows up. Choosing to join the network, I then began to wait. The machine which was initially set up on the network will get a popup window asking permission for the new machine to join the network. Granting access lets the procedure continue. Upon successful negotiation of the protocol, two playing cards are shown on each computer screen. This is a further step to ensure that each machine is who it says it is. Checking both machines, I determined that the two cards were identical and continued the process, which finished, thus allowing my second machine onto the network.
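The card comparison described above works like a short authentication string: each machine derives the cards from its own view of the handshake, so the screens agree only if both machines saw the same exchange. The sketch below is an added illustration, not McAfee's code; the review does not say how the cards are derived, so the hash input, the field names and the two-cards-with-repetition mapping are all assumptions.

```python
import hashlib

RANKS = ["A", "2", "3", "4", "5", "6", "7", "8", "9", "10", "J", "Q", "K"]
SUITS = ["clubs", "diamonds", "hearts", "spades"]
DECK = [f"{rank} of {suit}" for suit in SUITS for rank in RANKS]  # 52 cards


def cards_for(key_existing: bytes, key_joining: bytes, nonce: bytes) -> tuple:
    """Map one machine's view of the handshake to two cards (assumed scheme)."""
    h = hashlib.sha256(b"card-check-example")
    for part in (key_existing, key_joining, nonce):
        # Length-prefix each field so different splits cannot hash alike.
        h.update(len(part).to_bytes(2, "big") + part)
    n = int.from_bytes(h.digest()[:8], "big") % (52 * 52)
    return DECK[n // 52], DECK[n % 52]


def views_match(view_a: tuple, view_b: tuple) -> bool:
    """What the user does by eye: compare the cards on both screens."""
    return cards_for(*view_a) == cards_for(*view_b)


def substituted_key_match_rate(trials: int = 5000) -> float:
    """Fraction of mismatched handshakes whose cards still agree by chance."""
    nonce = b"constructed-nonce"
    honest = (b"existing-pc-key", b"joining-pc-key", nonce)
    hits = 0
    for i in range(trials):
        # The other screen's view holds a key the existing machine never sent.
        tampered = (b"other-key-%d" % i, b"joining-pc-key", nonce)
        hits += views_match(honest, tampered)
    return hits / trials


if __name__ == "__main__":
    honest = (b"existing-pc-key", b"joining-pc-key", b"constructed-nonce")
    print("cards on both screens:", cards_for(*honest))
    print("chance agreement:", substituted_key_match_rate(), "expected about", 1 / 2704)
```

With two cards drawn with repetition there are 2704 possible displays, so a machine whose handshake differs from the other side's shows matching cards only about once in 2704 attempts, which is why the user is asked to compare the screens before continuing.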


If you do not want to use the software to join the network, it is possible to view the existing key and then enter it into that device. As mentioned above, when the next key generation cycle takes place, that device will lose connectivity. Stopping key rotation is not recommended, but the option exists. As I mentioned previously, this will be particularly useful if you want to host a LAN party or have multiple devices hooked up without having to re-enter the keys every 3 hours. Either way, the generated network key will be far more secure than your usual password.

Once you are part of the network, you have the ability to revoke access to all machines currently not connected (this ability does lend itself to some mischief, but I will refrain from that right now). This rotates the key immediately, thus leaving any machine not connected behind and therefore not connected to the network. Any client wishing to regain access to the network will have to go through the authorization process again. This can be a good option if you have shared out your key or added other machines to the network which are no longer present.

Now that I have everything working, I really wanted to know why it wouldn't work with a router which was listed in their hardware compatibility list. A conversation with the Product Manager revealed the problem and this software's biggest limitation. In order for the software to control a router, it uses an HTTP POST string. Therefore, if any of the static pages change on the administration page of a router, the POST string will fail. So not only is the hardware important, but the actual firmware version becomes increasingly important. This was the reason why the Linksys worked at Firmware 4.20.7 when the last supported version was 4.20.6. Since Linksys did not change any of the HTML code and only changed the internal program code, the POST string was successful. Unfortunately, this limits the software's potential use greatly, although the current routers supported are chosen due to market share. As more and more routers are released, McAfee must write new POST strings for each hardware AND firmware version. There currently is work being done in the WiFi Alliance, of which McAfee is a member, for a central control protocol which could avoid all this headache, but for now, you are stuck with very limited compatibility.
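The dependency described above can be checked before any setting is sent: compare the form on the router's admin page with the form the recorded POST was written for. This is an added example, not the product's code; the profile, the field names and the three admin pages are constructed, and the page contents stand in for two firmware builds that share a form and one that does not.

```python
from html.parser import HTMLParser

# Constructed profile: the form a recorded POST string was written against.
PROFILE = {"action": "/apply", "fields": {"ssid", "sec_mode", "net_key"}}

# Constructed admin pages. PAGE_B differs from PAGE_A only outside the form.
PAGE_A = """<html><body><h1>Wireless</h1><form action="/apply" method="post">
<input name="ssid"><select name="sec_mode"></select><input name="net_key">
</form><p>Firmware A</p></body></html>"""
PAGE_B = PAGE_A.replace("Firmware A", "Firmware B")
# PAGE_C renames one control, as a redesigned admin page might.
PAGE_C = PAGE_A.replace('name="net_key"', 'name="passphrase"')


class FormFields(HTMLParser):
    """Collect each form's action and the names of the controls inside it."""

    def __init__(self):
        super().__init__()
        self.forms = []       # list of (action, set of control names)
        self.in_form = False  # True between <form> and </form>

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.forms.append((attrs.get("action", ""), set()))
            self.in_form = True
        elif tag in ("input", "select") and self.in_form and attrs.get("name"):
            self.forms[-1][1].add(attrs["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self.in_form = False


def post_problems(profile, html):
    """Return reasons the recorded POST no longer fits this page (empty = fits)."""
    parser = FormFields()
    parser.feed(html)
    for action, names in parser.forms:
        if action == profile["action"]:
            return ["missing field: " + f for f in sorted(profile["fields"] - names)]
    return ["no form posts to " + profile["action"]]


if __name__ == "__main__":
    for label, page in (("A", PAGE_A), ("B", PAGE_B), ("C", PAGE_C)):
        print(label, post_problems(PROFILE, page) or "recorded POST still fits")
```

Pages A and B pass because only text outside the form changed, which mirrors the 4.20.6 to 4.20.7 case in the review; page C fails on the renamed control, the situation in which a blind POST would silently stop configuring the router.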


Since this product is aimed at the "average" user, they will not have any idea what firmware or even what version they are running. Interestingly enough, routers don't show their firmware revision on the box. Even though I had a Linksys router which was on the compatibility chart, the shipped firmware was not compatible. Had Linksys changed just a simple page on their administration page, I would have been out of luck. My D-Link DI-624 was already at Firmware 2.53 when I attempted to use the product initially. My gut response when the router failed was to upgrade the firmware to the latest version, which at the time of this writing was version 2.70. Anyone who has ever dealt with routers or motherboards knows that one of the standard questions is usually "Do you have the latest drivers/firmware/BIOS?" My Belkin A+G router isn't even on the compatibility list; instead most of the newer Pre-N products are supported. McAfee really needs to make this list easily available in the system requirements on the top of their page. Currently it lists "Standard wireless router or access point, including most Linksys, NETGEAR, D-Link, and Belkin models". On the lower portion of the page it does link to the compatibility list, but the stress is on the router model, not the firmware. I do find it ironic that the compatibility list is right below the 30-day money back guarantee, which I am sure will get used quite often with this software.

The compatibility list can be found here.

 