Practical Wi-Fi security - do it


Do it

Finding the right security model means evaluating a combination of security options. If possible, select approaches already in use in your infrastructure, such as RADIUS or Kerberos.
If email is the only vehicle for moving sensitive data between users and access points, additional security mechanisms outside the email application aren't needed. If you only need to secure email communications, you can enable certificate-based encryption services in common email applications, such as Microsoft Outlook.
When security concerns apply only to a specific application or to a collection of applications, you can establish an appropriate security model by making those applications secure and ignoring other communications. Likewise, you can apply security to web-based applications or services at the session level, using protocols such as TLS or Secure Sockets Layer (SSL), upon which TLS is based.
Once the number of applications that must be secured grows beyond a handful, when entire connections between users and access points must be secured or when secure end-to-end connections are required, heightened security needs dictate that a combination of security technologies be applied. The following common security concerns, when combined with best-fit approaches or approaches already in use elsewhere in the organization, will apply:
Authentication: This provides reasonable proof of user or sender identity so that a packet received may be attributed to a single, verifiable sender. Where RADIUS or Kerberos are already in use, these systems work well with wireless to add secure authentication mechanisms (and other capabilities in this list). Where not already in use, platform selections or software cost will help guide appropriate choices.
Confidentiality: This provides sufficiently strong encryption to protect ongoing communications from interception and inspection. A combination of key exchange, certificate management and encryption services often applies here and mandates use of IPSec or VPN technology, augmented by authentication and access controls.
Access control: This assures that unauthorized users are not permitted to access resources, sensitive or otherwise. This generally applies at higher layers than those customary for wireless communications. However, mechanisms such as MAC address filtering, protocol filtering and authentication all come into play in this area.
Note: An authenticated user or MAC address may be mapped to a set of resource access permissions, stored in a directory, for example.
Integrity: This provides data checks so that data sent may be easily compared to data received and changes noted (and changed data rejected). This is not only an essential component in all network communications, it is also essential to securing such communications.
Let's look at a business example. A company requires secure end-to-end communications for staff attorneys to conduct confidential business on the go, such as email, writing and filing briefs and accessing confidential records from secured servers. The IT department would be well-advised to implement a solution that combines authentication through Kerberos, IPSec security associations to permit only authorized individuals to establish specific server and service links and IPSec protocols to meet necessary integrity and confidentiality requirements.
The key lies in establishing the levels of access control, authentication, integrity and confidentiality that are required. When security must apply end to end, or when it's more expeditious to apply security approaches at the connection level rather than for individual applications, multiple security approaches must be combined to meet the requirements.
Tip: When in doubt, HP Services can help establish security requirements and design appropriate, workable security solutions.

Wireless access point setup example

This section shows you the commands required to set up security on a wireless access point using the HP ProCurve 530 as an example. You can configure most of these settings by entering the access point's IP address or Domain Name System (DNS) name in a web browser address field. However, some access points require you to configure security settings other than WEP using a command-line interface (CLI). When you first install any wireless access point, you need to perform several tasks:
Set passwords.
Set the primary SSID.
Enable radio communications and select a channel.
Change Transmission Control Protocol/Internet Protocol (TCP/IP) settings.
Set radio security options.
HP recommends setting user authentication to WPA-802.1X, which requires an external authentication server such as a network RADIUS server or the local built-in RADIUS server on the access point.
Tip: Home users and small businesses that don't have a RADIUS server can use WPA-PSK instead of WPA-802.1X; however, you won't achieve the individual level of access control afforded by 802.1X.
Here's how to configure this type of security from the CLI:
1.  Log in to the CLI interface using your administrative user name and password.
2.  At the command prompt, enter security wpa-802.1X.
3.  To enable WPA and/or WPA2 security, enter wpa-allowed and wpa2-allowed.
4.  For WPA2 wireless stations to send preauthentication packets, enable preauthentication by entering rsn-preauthentication.
5.  To set the authentication server and protocols—TKIP, AES or both—enter wpa-cipher-tkip and/or wpa-cipher-aes.
Note: When you set TKIP and AES authentication, both TKIP and AES client stations can associate with the access point. WPA client stations must have either a valid TKIP or AES key to communicate with the access point.
6.  To set the RADIUS key, enter radius-accounting <primary | secondary> <ip <ip> | port <port> | key <key>>.
7.  To allow for non-WPA stations, enter radius <primary | secondary>.
For specific information on configuring security on your particular wireless access point, refer to your access point's configuration guide.
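The following check is an added example, not HP's code or the access point's own tooling: it lints a planned list of the CLI commands from the steps above against this guide's recommendations before they are entered. The one-command-per-line input format, both sample lists, the IP address and the key value are constructed for illustration.

```python
# Commands are the ones named in the steps above. The one-command-per-line input
# format and both samples are constructed; this is not the access point's own dump.
SAMPLE_WEAK = """\
security wpa-802.1X
wpa-allowed
wpa-cipher-tkip
"""
SAMPLE_RECOMMENDED = """\
security wpa-802.1X
wpa-allowed
wpa2-allowed
rsn-preauthentication
wpa-cipher-tkip
wpa-cipher-aes
radius-accounting primary ip 192.0.2.10
radius-accounting primary key EXAMPLE-SHARED-SECRET
"""


def lint(commands: str) -> list[str]:
    """Return findings for a planned command list; an empty list means none."""
    # Compare case-insensitively and ignore blank lines.
    lines = [ln.split() for ln in commands.lower().splitlines() if ln.strip()]
    words = {ln[0] for ln in lines}
    mode = next((ln[1] for ln in lines if ln[0] == "security" and len(ln) > 1), None)
    findings = []
    if mode != "wpa-802.1x":
        findings.append(f"MODE: security mode is {mode!r}, guide recommends wpa-802.1X")
    if "wpa2-allowed" not in words:
        findings.append("WPA2: wpa2-allowed not entered, WPA2 is not enabled")
    if "wpa-cipher-aes" not in words:
        findings.append("CIPHER: wpa-cipher-aes not entered, AES is not enabled")
    if "rsn-preauthentication" in words and "wpa2-allowed" not in words:
        findings.append("PREAUTH: rsn-preauthentication is for WPA2 stations, "
                        "but wpa2-allowed is missing")
    # Step 6 sets the RADIUS key; 802.1X depends on that authentication server.
    has_key = any(ln[0].startswith("radius") and "key" in ln[1:] for ln in lines)
    if mode == "wpa-802.1x" and not has_key:
        findings.append("RADIUS: no RADIUS key set for the 802.1X authentication server")
    return findings


if __name__ == "__main__":
    for name, sample in (("weak", SAMPLE_WEAK), ("recommended", SAMPLE_RECOMMENDED)):
        print(name, lint(sample) or "no findings")
```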
© 2009 Hewlett-Packard Development Company, L.P.