Friday, July 13, 2007

WLAN security

What about security for WLAN? Today wireless networks are at least as secure as wired ones. You only have to use the right tools and configurations. Physical security is the most important part of security. If you do not have physical access to a network, you cannot use it. If you cannot plug in a cable, you do not have a network. This is the situation in the wired world.
The biggest security problem in any type of wireless network is the lack of physical security.
802.11 standards use authentication as a replacement for physical security. The problem is that the application uses WEP as its encryption.
WEP (Wired Equivalent Privacy) has never deserved its name. With cracking tools, it does not take more than 2 minutes to break WEP.
The first WEP versions used a 64-bit shared key: 40 bits are for the shared secret and 24 bits are for the IV (initialization vector). The IV is used so that the receiver can decrypt the frame.
The next improvement on the first WEP key was the 128-bit shared WEP key. In that WEP version, 104 bits are used for the shared key and 24 for the initialization vector.
In 2004 the IEEE proposed a new version of WEP, WEP2. It uses the same RC4 algorithm with a 128-bit initialization vector. WEP2 has not significantly improved security; it only increases the time needed for cracking.
The next step in wireless security is WPA (Wi-Fi Protected Access).
What is WPA encryption? In October 2003 the Wi-Fi Alliance launched Wi-Fi Protected Access (WPA), the next generation in WLAN security. Wi-Fi Protected Access does not require a hardware upgrade of 802.11 equipment.
Only a software and firmware upgrade is needed, and it causes minimal degradation in network performance.
WPA was designed as an answer to all of WEP's weaknesses. It uses the Temporal Key Integrity Protocol (TKIP) with a Message Integrity Check (MIC). It also has a mutual pre-shared key (PSK) authentication scheme using 802.1X/EAP.
The Wi-Fi Alliance launched WPA2 in September 2004. It is a certified interoperable version of WPA. Besides PSK and 802.1X/EAP authentication, WPA2 uses an advanced encryption mechanism.
This new mechanism is the Counter-Mode/CBC-MAC Protocol (CCMP), called Advanced Encryption Standard (AES).
WPA and WPA2 have 2 certification modes:

  1. Enterprise
  2. Personal

You have 4 different versions of Wi-Fi CERTIFIED devices:

  1. WPA-Personal
  2. WPA2-Personal
  3. WPA-Enterprise
  4. WPA2-Enterprise

Personal mode is designed for the home and small-office (SOHO) environment. You do not need an authentication server (RADIUS or IAS).
It uses a manually entered PSK (pre-shared key or passphrase). The security level of your wireless network is based on this PSK.
So use a mix of letters, numbers and non-alphanumeric characters.
Personal mode uses the same methods of encryption as Enterprise mode: per-user, per-session, per-packet encryption with TKIP (WPA) or AES (WPA2).
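
The following Python sketch is an added example, not part of the original article. It shows why the passphrase carries the whole security of Personal mode: IEEE 802.11i derives the 256-bit master key from nothing but the passphrase and the SSID (PBKDF2-HMAC-SHA1, 4096 iterations). The function names and sample networks are constructed for this illustration.

```python
import hashlib
import string

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """256-bit master key for WPA/WPA2-Personal: PBKDF2-HMAC-SHA1, 4096 rounds."""
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32)

def passphrase_issues(passphrase: str) -> list:
    """Return the reasons a passphrase is invalid or weaker than the article advises."""
    issues = []
    if not 8 <= len(passphrase) <= 63:
        issues.append("length must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        issues.append("only printable ASCII characters are allowed")
    # The article's advice: mix letters, numbers and non-alphanumeric characters.
    classes = {"letters": string.ascii_letters,
               "digits": string.digits,
               "non-alphanumeric characters": string.punctuation + " "}
    for name, chars in classes.items():
        if not any(c in chars for c in passphrase):
            issues.append("contains no " + name)
    return issues

def audit(networks):
    """Map each SSID to the list of passphrase issues found for it."""
    return {ssid: passphrase_issues(p) for ssid, p in networks}

# Constructed sample configurations (not real networks).
SAMPLE_NETWORKS = [
    ("HomeNet", "sunshine"),
    ("OfficeNet", "c0rrect-Horse_battery!77"),
    ("GuestNet", "abc12"),
]

if __name__ == "__main__":
    for ssid, issues in audit(SAMPLE_NETWORKS).items():
        print(ssid, "->", issues or "ok")
    # The SSID acts as the salt: same passphrase, different network, different key.
    print(derive_pmk("c0rrect-Horse_battery!77", "OfficeNet").hex())
    print(derive_pmk("c0rrect-Horse_battery!77", "HomeNet").hex())
```

Because the SSID is the only salt, a common passphrase on a common network name always yields the same key, which is one more reason to follow the advice above.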
Enterprise mode operates in managed mode with authentication servers (RADIUS or IAS). With this mode you can meet the rigorous requirements of enterprise security.
Most access points and wireless routers have a MAC filtering option. With MAC filtering, you can restrict access to the stations that you have entered in the MAC filtering list.
The main key to wireless security is to put up as many obstacles as you can. If you simultaneously use WEP, WPA and MAC filtering, and if you use an IPsec tunnel and SSH, then your wireless network is as secure as a wired one.
If you want to find out more about wireless security and wireless technology visit Home WLAN

I am working as Network Specialist,
