Practical Wi-Fi security - understand it


Understand it

The realities of wireless security include knowing the difference between WEP and WPA, along with how access points and authentication work. Once you have the basics in this section under your belt, you can learn more specific information about the different security technologies in the Plan it section of this guide.

WEP versus WPA/WPA2

In a wired network, physical access is required to intercept traffic. In a wireless network, anyone within a few hundred feet of a transmitter can capture traffic. The 802.11 standard originally defined WEP to "protect authorized users of a WLAN from casual eavesdropping." However, WEP is not a strong form of protection and is subject to numerous exploits.
WEP is based on a stream cipher called RC4, which is a symmetric encryption algorithm. The same key used to encrypt WEP traffic is also used to decrypt that same traffic and, for that reason, is called a shared secret key. As long as that shared key is known only to the sender and receiver, eavesdroppers cannot make sense of the encrypted traffic.
Although stream ciphers are easy and efficient to implement in hardware, WEP includes no provision for managing keys between sender and receiver. Over time, criminals can use the many messages encrypted with the same shared key to guess (that is, crack) the key. The keys used by WEP can be cracked by a cybercriminal in far less time than keys used by more robust alternatives like WPA and WPA2.
WPA and Wi-Fi Protected Access 2 (WPA2) are Wi-Fi Alliance certifications for products that support the security enhancements defined by 802.11i. The 802.11i update to the original 802.11 standard adds a pair of security protocols that offer more robust data protection, based on stronger authentication and dynamic encryption keys.
WPA was defined to simplify upgrades to existing Wi-Fi products that used WEP, because they both use RC4 to encrypt data. WPA overcomes many WEP vulnerabilities by using a better security protocol, called the Temporal Key Integrity Protocol (TKIP). Instead of encrypting all data with the same shared key, TKIP uses "temporal" keys to encrypt data for just a limited period. At the end of that period, a new temporal key is generated, starting from a master key that's known to the sender and receiver. As long as no two messages are ever encrypted with the same temporal key, criminals cannot crack WPA-encrypted data.
WPA2 refers to a more efficient and effective approach that uses the Advanced Encryption Standard (AES) block cipher as a replacement for RC4. WPA2 uses AES to encrypt data in a robust fashion and provides cryptographic protection against data forgery and replay. Because of this strength, WPA2 has become the standard requirement for government agencies and some corporations.
Old WEP products didn't have the horsepower to support AES and couldn't easily be upgraded to WPA2. However, all new Wi-Fi certified products have been required to support WPA2 since March 2006.
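The paragraphs above explain why WEP is weak and why TKIP moves to short-lived "temporal" keys: a stream cipher like RC4 is only safe while no two messages ever share a keystream. The following is an added example, not code from the HP guide. It implements RC4 from scratch so it runs offline, and uses `temporal_key` (an HMAC over a period counter, a constructed stand-in for TKIP's real key-mixing, which also folds in the transmitter address and a packet sequence counter) to show that per-period keys remove the reuse that the static WEP key creates.

```python
# Added example (not from the HP guide): why a stream cipher such as RC4 is only
# safe when no two messages share a keystream. RC4 is implemented inline so the
# script runs offline; temporal_key() is a simplified stand-in for TKIP's key
# derivation, not TKIP's actual mixing function.
import hashlib
import hmac


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Generate `length` bytes of RC4 keystream from `key` (KSA + PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:                  # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings up to the length of the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (the same operation) by XORing with the keystream."""
    return xor_bytes(data, rc4_keystream(key, len(data)))


def temporal_key(master_key: bytes, period: int) -> bytes:
    """Constructed illustration: derive a fresh 128-bit key for each period from
    a master key. Real TKIP mixes in the transmitter address and a per-packet
    sequence counter; HMAC-SHA256 over a counter shows only the principle."""
    return hmac.new(master_key, period.to_bytes(4, "big"), hashlib.sha256).digest()[:16]


def keystream_reused(c1: bytes, c2: bytes, m1: bytes, m2: bytes) -> bool:
    """True if c1 and c2 were produced with the same keystream: the keystream
    cancels in c1 XOR c2, leaving m1 XOR m2 exposed to anyone holding both
    ciphertexts. This is the property that lets a static WEP key be attacked."""
    n = min(len(c1), len(c2))
    return xor_bytes(c1[:n], c2[:n]) == xor_bytes(m1[:n], m2[:n])


def demo() -> tuple:
    """Compare a WEP-style static key with per-period temporal keys."""
    shared = b"wep-style-static-key"          # constructed sample master key
    m1 = b"Invoice total: 4200"               # constructed sample messages
    m2 = b"Meeting moved to 3pm"

    # WEP-style: one static key for everything, so both messages share a keystream
    c1, c2 = rc4(shared, m1), rc4(shared, m2)
    static_reuse = keystream_reused(c1, c2, m1, m2)

    # Temporal keys: each period gets its own key, so the keystreams differ
    k1, k2 = temporal_key(shared, 1), temporal_key(shared, 2)
    t1, t2 = rc4(k1, m1), rc4(k2, m2)
    temporal_reuse = keystream_reused(t1, t2, m1, m2)
    return static_reuse, temporal_reuse


if __name__ == "__main__":
    print(demo())   # (True, False)
```

Running the script prints `(True, False)`: with one static key the two ciphertexts leak the XOR of their plaintexts, whereas with per-period keys they do not. WEP's actual per-packet keys are the static key prefixed with a 24-bit IV, which is why the same keystream recurs so quickly in practice.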

WPA/WPA2 authentication

WPA and WPA2 both offer user authentication, an important security step that's generally missing with WEP. With WEP, everyone using a wireless network used the same shared secret key to encrypt data. A criminal who cracked the key—or a guest who was given the key—could use the network just like anyone else.
802.11i specifies two authentication options that make it easier to control wireless network access: pre-shared keys (PSKs) and 802.1X port access control. These options are commonly referred to by their Wi-Fi Alliance certifications, WPA/WPA2-Personal and WPA/WPA2-Enterprise, respectively.
As the name suggests, WPA/WPA2-Personal is designed for home and small office use, where everyone trusts everyone else and deserves the same access. In this case, everyone authenticates to your access point by presenting the same secret passphrase—technically called a PSK. Unlike WEP keys, PSKs aren't used to encrypt data and cannot be cracked in the same way.
Most businesses should use WPA/WPA2-Enterprise to provide individual user authentication based on 802.1X and Remote Authentication Dial-In User Service (RADIUS). 802.1X works like an on/off switch, applied at the access point. Whenever unauthenticated users try to send data, the access point requires proof of identity by authenticating that user to a RADIUS server.
RADIUS is a client/server protocol (and the software that implements it) that lets network access servers, such as access points, pass user credentials to a central server, which authenticates the user and authorizes access to the requested service or system. RADIUS was originally used for dial-in services, but today the same authentication capability is used to secure WLANs as well.
An access point using 802.1X sends each wireless access request to a central RADIUS server. That RADIUS server decides whether or not to grant access, based on user-supplied credentials, for example, a user name and password combination or a digital certificate, unique to each individual. The server also returns a unique master key for each successfully authenticated session.
In this way, WPA/WPA2-Enterprise not only controls individual access, but provides fresh keys to be used by TKIP or AES encryption. There's no need to entrust everyone with the same PSK, and authenticated users can no longer decrypt other users' traffic. However, 802.1X requires your business to have a RADIUS server and a process for giving everyone their own authentication credentials.
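To make the 802.1X flow in the previous paragraphs concrete, here is an added example (not code from the HP guide) that models the access point as an authenticator and a RADIUS-style server as the decision point. No real RADIUS packets are exchanged; the `AuthServer` and `AccessPoint` classes, the `Access-Accept`/`Access-Reject` reply codes and the station MAC addresses are constructed for illustration. It shows the three points the text makes: a station's port stays closed until the server accepts its credentials, each user has individual credentials, and every accepted session receives its own master key.

```python
# Added example (not from the HP guide): a miniature model of 802.1X port control
# backed by a RADIUS-style authentication server. The classes, messages and
# sample users here are constructed to show the control flow only.
import hashlib
import hmac
import os
from dataclasses import dataclass, field

PBKDF2_ROUNDS = 100_000


@dataclass
class AuthServer:
    """Stand-in for the RADIUS server: stores per-user credentials as salted
    hashes (never plaintext) and mints a unique master key per accepted session."""
    users: dict = field(default_factory=dict)   # username -> (salt, hash)

    def add_user(self, name: str, password: str) -> None:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self.users[name] = (salt, digest)

    def access_request(self, name: str, password: str) -> dict:
        """Answer an access request the way RADIUS does: accept or reject."""
        rec = self.users.get(name)
        if rec is None:
            return {"code": "Access-Reject"}
        salt, stored = rec
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if not hmac.compare_digest(candidate, stored):
            return {"code": "Access-Reject"}
        # A fresh key for this session only; logging in again yields a new one
        return {"code": "Access-Accept", "master_key": os.urandom(32)}


class AccessPoint:
    """Authenticator: a station's 'port' stays closed until the server accepts."""

    def __init__(self, server: AuthServer):
        self.server = server
        self.sessions: dict = {}   # station MAC -> session master key (port open)

    def authenticate(self, mac: str, name: str, password: str) -> bool:
        reply = self.server.access_request(name, password)
        if reply["code"] == "Access-Accept":
            self.sessions[mac] = reply["master_key"]
            return True
        self.sessions.pop(mac, None)   # a failed attempt closes any open port
        return False

    def forward(self, mac: str, frame: bytes) -> str:
        """Data from a station is forwarded only once its port has been opened."""
        if mac not in self.sessions:
            return "dropped: 802.1X port closed"
        return f"forwarded {len(frame)} bytes"


def demo() -> dict:
    """Walk two constructed stations through the authenticator."""
    server = AuthServer()
    server.add_user("alice", "correct horse battery")   # constructed credentials
    server.add_user("bob", "staple")
    ap = AccessPoint(server)

    before = ap.forward("00:11:22:33:44:55", b"hello")            # port closed
    bad = ap.authenticate("00:11:22:33:44:55", "alice", "wrong")  # rejected
    ok_alice = ap.authenticate("00:11:22:33:44:55", "alice", "correct horse battery")
    ok_bob = ap.authenticate("66:77:88:99:aa:bb", "bob", "staple")
    after = ap.forward("00:11:22:33:44:55", b"hello")             # port open
    distinct_keys = ap.sessions["00:11:22:33:44:55"] != ap.sessions["66:77:88:99:aa:bb"]
    return {"before": before, "bad": bad, "ok_alice": ok_alice,
            "ok_bob": ok_bob, "after": after, "distinct_keys": distinct_keys}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The per-session `master_key` is what the text calls the fresh key handed to TKIP or AES: because Alice and Bob receive different keys, neither can decrypt the other's traffic, which a shared PSK cannot guarantee. In a real deployment the access point never sees the password; it relays an EAP conversation between the station and the RADIUS server, and the credential store lives on the server.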

Wi-Fi access points and SSIDs

Wi-Fi access points use a special value called a service set identifier (SSID) to distinguish wireless networks from one another. Access points are preconfigured with SSID defaults set by the manufacturer. If these values (which are well known) aren't changed, it's easy for outsiders to accidentally try to access a nearby neighbor's network.
To avoid accidental connections, you should always change the factory default SSID to a value that's unique to your network. An SSID is a "welcome" sign that makes it possible for your users to connect to your access points and not to those belonging to nearby businesses or hotspots.
However, everyone within a few hundred feet of your network will be able to "hear" the SSID advertised by your access point. SSIDs aren't passwords and cannot be relied upon to keep outsiders away. Preventing unauthorized wireless network use requires 802.1X (WPA/WPA2-Enterprise), PSKs (WPA/WPA2-Personal) or some other access control mechanism.

Public Wi-Fi hotspots

While it's convenient for mobile employees to grab a cup of coffee while they work, public Wi-Fi hotspots (or public WLANs) aren't considered safe for anyone handling proprietary information unless you take the precaution of adding transport encryption such as a virtual private network (VPN). These public WLANs generally offer no WPA/WPA2 encryption or filtering protection for users, making them a common place for cybercriminals to hang out as they look for everything from credit card numbers to your company's sensitive data.
Without a secured network transport, your company information is at risk. Consider implementing a VPN, which establishes a private network or protected "tunnel" between your mobile employees and your network. Even if someone captures the hotspot traffic, the encrypted tunnel keeps the data from being read in transit. Today, most companies allow mobile employees to connect to the corporate network as long as they use a VPN.
Later in this guide, you'll learn more about setting up your router for the best wireless protection.
© 2009 Hewlett-Packard Development Company, L.P.