Wireless Security
Wireless is preferred for networks that are temporary, require flexibility, and do not need high security. Because it is particularly vulnerable to attacks, security is a primary concern when installing wireless. Hackers looking for a wireless network go "war-driving": cruising around looking for a wireless signal to exploit. Usually war drivers are just looking for free Internet access, but sometimes they're looking for confidential information such as credit card numbers. And many war drivers, when they locate a wireless network, will post its GPS coordinates on the Internet. Although a wireless network can never be totally secure, there are important steps you can take to minimize the risk:
Know where you're signaling.
When you install a wireless network near public areas, it's very important to know where your signal is going. If it's easily picked up on the sidewalk outside your business, perhaps from a parked car across the street or from the building next door, then you've got a security problem. If you send a strong wireless signal into the coffee house next door to your business, chances are someone is going to try to take advantage of it. A wireless analyzer can help you map exactly where your access points are sending their signals. This can help you arrange the access points in your network to minimize signals in public areas and maximize signals to your users. A wireless analyzer can also spot unauthorized wireless access points attached to your network, as well as other nearby wireless networks broadcasting in your area.

Separate wireless from wired to increase security.
Once you separate the wireless from the wired network, insist that anything that needs to be kept secure stays on the wired network. This includes confidential data such as credit card numbers, sensitive financial data, or corporate secrets of any kind. You can, however, freely use the wireless network for less-sensitive applications such as laptops for taking notes at meetings, PCs for temporary workers, computer hookups for trade show booths, and bar-code readers for inventory. An important step in wireless security is to connect your wireless access points to switches rather than hubs. A hub repeats everything it receives to every connected device, including the access point, so wired traffic that has nothing to do with wireless users reaches the access point. A switch, by contrast, isolates each port onto its own LAN segment and sends the access point only the data intended for a wireless node on it. Another way to isolate your wireless network is to gather all access points into a separate LAN connected to the DMZ port of your firewall. This makes the wireless network accessible, yet safely outside of your main wired LAN.
Hardware and software firewall systems control the flow of data in both wired and wireless networks. Use a firewall to intercept, analyze, and stop a wide range of hackers. Another security option is a Virtual Private Network (VPN), which works with both wired and wireless networks. A VPN protects remote access users by increasing the security of information transferred over the Internet. It works by creating a private, encrypted "tunnel" from the end user's computer through the access point and the Internet, all the way to the corporate servers. Most IT professionals are already familiar with VPNs and can modify their existing systems to incorporate a wireless network.

Lock it up.
WEP.
The current 802.11 wireless LAN standards include a security protocol called Wired Equivalent Privacy (WEP). WEP encrypts each 802.11 packet separately with an RSA RC4 cipher stream generated from a 64- or 128-bit RC4 key. But several cryptanalysts have identified weaknesses in RC4's key scheduling algorithm that make the network vulnerable to hackers. Software tools such as AirSnort have already been developed to enable hackers to crack WEP and gain access to wireless networks; these tools are widely available on the Internet. WEP encryption can keep out casual hackers but is clearly not adequate where high security is required. Fortunately, WEP is not the only encryption method for your wireless network: other available security protocols operate at the higher Network and Transport layers. These protocols are more difficult to crack than WEP and usually rely on a digital certificate issued by a certification authority (an organization that issues digital certificates, such as X.509 certificates, and vouches for the binding between the data items in the certificates). WEP also does not provide authentication.

EAP-TLS.
Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) is the latest version of the Secure Socket Layer (SSL) protocol.
EAP-TLS uses X.509 certificates for both user and server authentication and for dynamic session key generation. Because EAP-TLS requires both the user and the authentication server to have certificates, it's quite resistant to attacks. This protocol does, however, require that you distribute certificates to users before they are granted network access.

EAP-TTLS.
Extensible Authentication Protocol-Tunneled Transport Layer Security (EAP-TTLS) uses a two-stage authentication process, which eliminates the need for a certificate on the user side. EAP-TTLS first establishes the identity of the server using EAP-TLS; then, in the second stage, it authenticates the user using other authentication protocols such as PAP, CHAP, MS-CHAP, or RADIUS (Remote Access Dial-Up User Service). Because EAP-TTLS does not require that you distribute certificates to users, it's a far more convenient protocol to use than EAP-TLS.

Wi-Fi Protected Access (WPA).
Wi-Fi Protected Access (WPA) was introduced in 2003 to enhance wireless security and to address WEP's vulnerabilities. WPA improves data encryption and user authentication, and is software upgradable for existing WEP certified products. Although no security solution is absolute, WPA is a vast improvement over WEP. It was also designed to be backward compatible with WEP and forward compatible with 802.11i.

EAP through Temporal Key Integrity Protocol (TKIP).
This WPA enhancement improves on WEP's data encryption. It adds four algorithms to WEP: a per-packet key mixing function, a message integrity code (MIC), a rekeying mechanism, and an IV sequencing discipline to prevent replay attacks.

Enterprise-level User Authentication.
To strengthen user authentication, WPA uses 802.1x and EAP. This framework uses a central authentication server, such as RADIUS, to authenticate each user on the network. WPA is available for home and enterprise networks.
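As an added illustration (not code from the original article) of why WEP's per-packet RC4 keying is weak and what TKIP's per-packet key mixing and IV sequencing are there to fix: a textbook RC4 and a simplified WEP framing (per-packet key = IV followed by the static key, IV sent in the clear; the CRC-32 integrity value is left out), run on a constructed key and constructed packets. It shows that any repeated IV under a static key reuses the keystream, and how soon repeats are expected in a 24-bit IV space.

```python
import math

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4: key-scheduling algorithm (KSA), then PRGA output bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

IV_SPACE = 2 ** 24  # WEP sends a 24-bit IV in the clear; "64-bit" WEP = 24-bit IV + 40-bit key

def wep_encrypt(shared_key: bytes, iv: int, plaintext: bytes) -> bytes:
    """Simplified WEP framing: per-packet RC4 key = IV || static shared key, IV prepended
    in the clear. Real WEP also encrypts a CRC-32 integrity value; omitted here."""
    iv_bytes = iv.to_bytes(3, "big")
    ks = rc4_keystream(iv_bytes + shared_key, len(plaintext))
    return iv_bytes + bytes(p ^ k for p, k in zip(plaintext, ks))

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def keystream_reused(c1: bytes, c2: bytes) -> bool:
    """With a static key, two packets carrying the same IV were encrypted with the same
    RC4 keystream, so c1 XOR c2 == p1 XOR p2: the key no longer hides either packet.
    TKIP's per-packet key mixing and IV sequencing exist to rule this situation out."""
    return c1[:3] == c2[:3]

def iv_collision_probability(packets: int) -> float:
    """Birthday bound: probability that at least one IV repeats among `packets` random IVs."""
    if packets > IV_SPACE:
        return 1.0
    return 1.0 - math.exp(-packets * (packets - 1) / (2.0 * IV_SPACE))

if __name__ == "__main__":
    key = bytes.fromhex("0badc0ffee")  # constructed 40-bit WEP key
    p1, p2 = b"ORDER 1234 TOTAL 42.00", b"ORDER 5678 TOTAL 19.99"  # constructed packets
    c1, c2 = wep_encrypt(key, 0x0A0B0C, p1), wep_encrypt(key, 0x0A0B0C, p2)
    assert xor_bytes(c1[3:], c2[3:]) == xor_bytes(p1, p2)  # keystream cancelled out
    print("P(some IV repeats after 5000 packets) = %.2f" % iv_collision_probability(5000))
```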
WPA-Personal is an encryption method that guards against unauthorized network access via a password system. WPA-Enterprise provides stronger network security: it verifies users through a server, and it employs 128-bit encryption keys and dynamic session keys to enhance security.

Wi-Fi Protected Access 2 (WPA2).
Wi-Fi Protected Access 2 (WPA2) is the next generation of security. Introduced in September 2004, it builds on WPA, enhancing security through stronger data protection and network access control. It's designed to provide a higher level of security so that only authorized users can access their wireless network. Compared to WPA, WPA2 uses more advanced encryption, the Advanced Encryption Standard (AES). WPA2 is based on IEEE 802.11i, and it is compliant with U.S. government FIPS 140-2 security requirements. WPA2 is backward compatible with WPA, so if you are already using WPA, you can move to WPA2 at your own pace. WPA2 comes in two versions: WPA2-Personal and WPA2-Enterprise. WPA2-Personal is designed for the home or SOHO wireless network. It builds on WPA2, providing stronger data protection and preventing unauthorized access through a pass phrase. WPA2-Enterprise also provides stronger data protection than WPA, and it prevents unauthorized network access by verifying network users through a server.

Wi-Fi Multimedia (WMM).
Wi-Fi Multimedia (WMM) is another security system introduced in September 2004. It's designed to bring wireless into the mainstream of consumer electronics, phones, and similar devices. WMM enhances and improves the use of audio, video, and voice applications over a wireless network. It's based on a subset of the IEEE 802.11e WLAN QoS draft standard. WMM prioritizes streams of content and optimizes how the network allocates bandwidth among competing applications.

RADIUS.
Another standard element of many wireless security systems is Remote Access Dial-Up User Service (RADIUS) Authentication and Authorization.
RADIUS grants network access only to approved users, identified by user name and password. The server verifies the user before access is given. Different levels of access can be set up as well.

Pay attention and weigh the risks.
With a wireless network, as with any other network, it's important to have a security plan and then implement it. The biggest problem with wireless security is that network administrators often fail to take even the simplest steps to ensure security: they do not deploy WPA or WPA2, fail to change the default passwords and network name, and don't place access points in secure positions. When you fail to take these basic precautions, you leave your wireless network extremely vulnerable to casual hacking. Weigh risks against benefits when you decide whether wireless is worth implementing. Depending on your situation, the convenience of wireless might outweigh the risk; you may decide that your wireless network is secure enough to take a chance with sensitive information. An example of benefit outweighing risk is that of a large theme park that regularly sends credit card information over 802.11b. Wireless enables the park to move sales locations quickly and easily. The park feels safe with wireless because it has a high level of physical security on and around its premises (anyone hanging around with a laptop computer would be quickly spotted and investigated) and also because it has a proprietary encryption scheme developed just for its enterprise.
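An added example (not code from the original article) that turns the wireless-analyzer survey and the basic precautions above into a check: it runs over a constructed survey of what an analyzer heard inside the premises and in public areas, and flags unauthorized access points (a rogue advertising your own network name, or a neighbouring network), WEP or open networks where WPA2 is wanted, unchanged default network names, and access points that are usable from public areas. The default-name list, the -70 dBm threshold, the authorized list and every survey record are assumptions.

```python
DEFAULT_SSIDS = {"default", "linksys", "netgear", "dlink", "wireless"}  # assumed factory names
SECURITY_RANK = {"open": 0, "wep": 1, "wpa": 2, "wpa2": 3}
PUBLIC_SIGNAL_DBM = -70  # assumed: at or above this, a laptop outside can use the network

def audit_survey(records, authorized_bssids, our_ssids, minimum="wpa2"):
    """Check analyzer survey records against the article's precautions.
    record = dict(ssid, bssid, security, signal_dbm, location); location is 'inside' or 'public'.
    Returns a list of (bssid, finding) tuples; an empty list means nothing to fix."""
    findings = []
    for r in records:
        bssid, ssid = r["bssid"].lower(), r["ssid"]
        if bssid not in authorized_bssids:
            if ssid in our_ssids:  # somebody else is advertising our network name
                findings.append((bssid, f"rogue access point advertising '{ssid}'"))
            else:
                findings.append((bssid, f"neighbouring network '{ssid}' heard at {r['signal_dbm']} dBm"))
            continue  # remaining checks apply to our own access points only
        if SECURITY_RANK[r["security"]] < SECURITY_RANK[minimum]:
            findings.append((bssid, f"{r['security']} in use; deploy {minimum}"))
        if ssid.lower() in DEFAULT_SSIDS:
            findings.append((bssid, f"default network name '{ssid}' never changed"))
        if r["location"] == "public" and r["signal_dbm"] >= PUBLIC_SIGNAL_DBM:
            findings.append((bssid, f"{r['signal_dbm']} dBm heard in a public area; reposition or lower power"))
    return findings

# Constructed survey, in the shape a wireless analyzer might export (not real data)
SURVEY = [
    {"ssid": "corp-wifi", "bssid": "AA:BB:CC:00:00:01", "security": "wpa2", "signal_dbm": -45, "location": "inside"},
    {"ssid": "corp-wifi", "bssid": "AA:BB:CC:00:00:02", "security": "wep", "signal_dbm": -60, "location": "public"},
    {"ssid": "linksys", "bssid": "AA:BB:CC:00:00:03", "security": "wpa", "signal_dbm": -50, "location": "inside"},
    {"ssid": "corp-wifi", "bssid": "DE:AD:BE:EF:00:01", "security": "open", "signal_dbm": -55, "location": "public"},
    {"ssid": "coffeehouse", "bssid": "11:22:33:44:55:66", "security": "wpa2", "signal_dbm": -80, "location": "public"},
]
AUTHORIZED = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "aa:bb:cc:00:00:03"}  # assumed inventory

if __name__ == "__main__":
    for bssid, finding in audit_survey(SURVEY, AUTHORIZED, {"corp-wifi"}):
        print(bssid, "-", finding)
```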