Wireless Security:
- Frequency hopping: the technique used for transmitting and receiving data
- The Security: Encryption and Authentication (WEP, WPA, 802.1X and EAP)
- Authorization tables (MAC)
- Best Practices
Frequency hopping is difficult to
detect and decode because the signal hops from frequency to frequency
in a random, repetitive sequence. For successful communications to
take place, the transmitter and the receiver must be synchronized and using
the same sequence. Some employs fifteen different sequences. Further complicating
the task of decoding this signaling is the very short duration a transmitter
stays at a given frequency and the time taken by the transmitter to
hop to the next frequency. The customer cannot vary these settings.
Security

WEP (Wired Equivalent Privacy) is a
"BASIC" encryption that scrambles the communication
between the access point and client devices to keep the communication private.
Both the access point and client devices use the same WEP key to encrypt
and decrypt radio signals. WEP keys encrypt both unicast and multicast
messages.
Extensible Authentication Protocol (EAP) authentication provides
dynamic WEP keys to wireless users. Dynamic WEP keys are more secure
than static, or unchanging, WEP keys. If an intruder passively receives enough
packets encrypted by the same WEP key, the intruder can perform a calculation
to learn the key and use it to join your network. Because they change
frequently, dynamic WEP keys prevent intruders from performing the calculation
and learning the key.
Forms of Security
- Authentication - Proves you belong on the network
- Encryption - Protects your data flow over the Wireless Spectrum.
- 802.1X - Combines Both Authentication and Encryption
Authentication
- Shared Key: Considered LESS secure because of the unencrypted challenge packet
- Open: Considered MORE Secure Client and AP
Network Authentication Types
Before a wireless client device can communicate on your network through the
access point, it must authenticate to the access point and to your network.
Wi-Fi Protected Access (WPA) - A security / encryption design to provide authenticated access.
Wi-Fi Protected Access version 2 (WPA2) - An enhanced security / encryption design to provide authenticated access.
Built around AES (Advanced Encryption Standard): more hardware-intensive encryption algorithms.
802.1X
Network Access Control (NAC): End user devices are not granted network access until authenticated.
Requires
- Supplicant - End device, usually a laptop / phone
- Authenticator - Proxy device, usually an Access Point (AP) or a cluster / gateway module
- Authentication Server - Usually a RADIUS server (PDC / AD)
Benefits
- TKIP - Temporal Key Integrity Protocol - Hashes data per packet; protects against WEP vulnerabilities.
- MIC - Message Integrity Check - Protects against man in the middle.
Network-EAP
Extensible Authentication Protocol
This authentication type provides the highest level of security for your
wireless network. By using the Extensible Authentication Protocol (EAP) to
interact with an EAP-compatible RADIUS server, the access point helps a wireless
client device and the RADIUS server to perform mutual authentication and derive
a dynamic unicast WEP key. The RADIUS server sends the WEP key to the access
point, which uses it for all unicast data signals that it sends to or receives
from the client. The access point also encrypts its broadcast WEP key (entered
in the access point's WEP key slot 1) with the client's unicast key and sends
it to the client.

In steps 1 through 9, a wireless client device and a RADIUS server on the
wired LAN use 802.1X and EAP to perform a mutual authentication through the
access point. The RADIUS server sends an authentication challenge to the client.
The client uses a one-way encryption of the user-supplied password to generate
a response to the challenge and sends that response to the RADIUS server.
Using information from its user database, the RADIUS server creates its own
response and compares that to the response from the client. When the RADIUS
server authenticates the client, the process repeats in reverse, and the
client authenticates the RADIUS server.
When mutual authentication is complete, the RADIUS server and the client
determine a WEP key that is unique to the client and provides the client with
the appropriate level of network access, thereby approximating the level of
security in a wired switched segment to an individual desktop. The client
loads this key and prepares to use it for the logon session.
During the logon session, the RADIUS server encrypts and sends the WEP key,
called a session key, over the wired LAN to the access point. The access point
encrypts its broadcast key with the session key and sends the encrypted broadcast
key to the client, which uses the session key to decrypt it. The client and
access point activate WEP and use the session and broadcast WEP keys for
all communications during the remainder of the session.
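The exchange described above, as an added example that is not part of the original page. HMAC-SHA256 stands in for the one-way password function and the key derivation, the XOR wrap of the broadcast key is a toy, and every function name, the user and the keys are constructed for illustration; `server_checks=False` models a server that accepts any client, so the client-side check is visible.

```python
import hashlib
import hmac
import os

def one_way(password):
    """Stand-in for the one-way transform of the user-supplied password."""
    return hashlib.sha256(password.encode()).digest()

def respond(secret, challenge, role):
    """Answer a challenge; the role label stops a reply being reflected back."""
    return hmac.new(secret, role + challenge, hashlib.sha256).digest()

def session_key(secret, server_chal, client_chal):
    """Per-logon unicast key: 13 bytes, the secret part of a 128-bit WEP key."""
    material = b"session" + server_chal + client_chal
    return hmac.new(secret, material, hashlib.sha256).digest()[:13]

def wrap(key, data):
    """Toy XOR wrap for the broadcast key; applying it twice unwraps."""
    pad = hmac.new(key, b"broadcast", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, pad))

def logon(server_db, user, typed_password, broadcast_key, server_checks=True):
    """Run one logon; returns (status, client session key, client broadcast key)."""
    client_secret = one_way(typed_password)
    server_secret = server_db.get(user, b"")   # RADIUS user database lookup
    # RADIUS server challenges the client (relayed by the access point).
    server_chal = os.urandom(16)
    client_resp = respond(client_secret, server_chal, b"client")
    expected = respond(server_secret, server_chal, b"client")
    if server_checks and not hmac.compare_digest(client_resp, expected):
        return ("server rejected client", None, None)
    # The process repeats in reverse: the client challenges the server.
    client_chal = os.urandom(16)
    server_resp = respond(server_secret, client_chal, b"server")
    expected = respond(client_secret, client_chal, b"server")
    if not hmac.compare_digest(server_resp, expected):
        return ("client rejected server", None, None)
    # Each end derives the session key itself; it never crosses the radio link.
    client_key = session_key(client_secret, server_chal, client_chal)
    server_key = session_key(server_secret, server_chal, client_chal)
    # RADIUS passes server_key to the access point over the wired LAN; the
    # access point wraps its broadcast key with it and the client unwraps.
    wrapped = wrap(server_key, broadcast_key)
    return ("authenticated", client_key, wrap(client_key, wrapped))

# Constructed sample data: one user and a 13-byte broadcast key.
USERS = {"alice": one_way("correct horse")}
BROADCAST_KEY = bytes(range(13))
```

Because both challenges are random, two successful logons by the same user yield different session keys, which is what makes the key dynamic.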
There is more than one type of EAP authentication, but the access point
behaves the same way for each type:
- It relays authentication messages from the wireless client device to
the RADIUS server
- And from the RADIUS server to the wireless client device.
EAP-TLS "Extensible Authentication Protocol Transport Layer Security"
EAP-TLS (RFC
2716) was designed by Microsoft and is based on an authentication protocol
that is nearly identical to the protocol used in the Secure Sockets Layer (SSL)
protocol for securing Web transactions. EAP-TLS provides mutual authentication
between the client and the authentication server. Once authentication is
completed, 802.1X enables dynamic encryption keys to be generated. In EAP-TLS,
digital certificates are used for mutual authentication. Digital
certificates can be stored on smart cards or on the client computer.
By using the strong authentication provided by digital
certificates, EAP-TLS greatly reduces the risk of a successful attack on your
network.
Note: TTLS = Tunneled Transport Layer Security
PEAP-MS-CHAP v2 "Protected EAP - Microsoft - Challenge Handshake Authentication Protocol"
PEAP is a more flexible scheme than EAP-TLS. PEAP creates
an encrypted SSL/TLS channel between the client and the authentication server,
and the channel then protects the subsequent user authentication exchange.
Note: If you use EAP authentication, you can select open
or shared key authentication, but you don't have to. EAP authentication controls
authentication both to your access point and to your network.
Authorization Tables - MAC Address Level
Authorization tables are maintained with legal MAC addresses. Only
those listed will be admitted to the Access Point (AP). In addition, if an
unauthorized client attempts to gain access to your network, this event will
be trapped and reported to you.
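One way to implement the authorization table check and the reporting of unauthorized attempts, as an added example rather than any vendor's code. The log format, the table entries and all function names are constructed for illustration.

```python
import re
from collections import Counter

def normalize_mac(raw):
    """Return a MAC as lowercase colon-separated hex, or None if malformed."""
    digits = re.sub(r"[:.\-]", "", raw.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def locally_administered(mac):
    """Bit 0x02 of the first octet marks a software-assigned address."""
    return bool(int(mac[:2], 16) & 0x02)

def review(table, log_lines):
    """Split association requests into admitted clients and reportable events."""
    allowed = {normalize_mac(entry) for entry in table} - {None}
    admitted, denied = [], Counter()
    for line in log_lines:
        match = re.search(r"assoc-req sta=(\S+)", line)
        if not match:
            continue                      # not an association request
        mac = normalize_mac(match.group(1))
        if mac in allowed:
            admitted.append(mac)
        else:
            denied[mac or match.group(1)] += 1   # keep malformed values as seen
    events = []
    for seen, attempts in denied.most_common():
        valid = normalize_mac(seen) is not None
        events.append({"mac": seen, "attempts": attempts,
                       "locally_administered": valid and locally_administered(seen)})
    return admitted, events

# Constructed authorization table and access point log (format is hypothetical).
TABLE = ["00-11-22-33-44-55", "0011.2233.4466"]
LOG = [
    "09:00:02 assoc-req sta=00:11:22:33:44:55",
    "09:00:09 assoc-req sta=00:11:22:33:44:66",
    "09:01:30 assoc-req sta=02:AB:CD:00:00:01",
    "09:01:31 assoc-req sta=02-ab-cd-00-00-01",
    "09:02:00 assoc-req sta=00:11:22:33:44:99",
    "09:02:10 beacon-tx ssid=office",
]
```

Normalizing before comparison matters because the same address is written with colons, hyphens or dots depending on the tool that recorded it.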
Best Practices:
1. Performance.
The actual performance of your wireless network depends on a number
of factors, including:
- In an Infrastructure environment, your distance from the access
point. As you get farther away, the transmission speed will decrease.
- Structural interference. The shape of your building or structure,
the type of construction, and the building materials used may have
an adverse impact on signal quality and speed.
- The placement and orientation of the wireless devices.
2. Interference.
Any device operating in the 2.4 GHz spectrum may cause network
interference with an 802.11b wireless device. Some devices that may prove
troublesome include 2.4 GHz cordless phones, microwave ovens, adjacent
public hotspots, and neighboring 802.11b wireless LANs.
3. Security.
While the following is a complete list, steps A through E should,
at least, be followed:
A. Change the default SSID.
B. Disable SSID Broadcasts.
C. Change the default password for the Administrator account.
D. Enable MAC Address Filtering.
E. Change the SSID periodically.
F. Enable WEP 128-bit Encryption. Please note that this will reduce
your network performance.
G. Change the WEP encryption keys periodically.
For information on implementing these security features, please
refer to the User Guide.
4. Security Threats Facing Wireless Networks
Wireless networks are easy to find. Hackers know that in order to
join a wireless network, wireless networking products first listen
for "beacon messages". These messages are unencrypted
and contain much of the network’s information, such as the network’s
SSID (Service Set Identifier) and the IP Address of the network PC
or access point. One result of this, seen in many large cities and
business districts, is called “Warchalking”. This is one of the terms
used for hackers looking to access free bandwidth and free Internet
access through your wireless network. Here are the steps you can take:
Change the administrator’s password regularly. With
every wireless networking device you use, keep in mind that network
settings (SSID, WEP keys, etc.) are stored in its firmware. Your network
administrator is the only person who can change network settings. If
a hacker gets a hold of the administrator’s password, he, too, can
change those settings. So, make it harder for a hacker to get that
information. Change the administrator’s password regularly.
SSID. There are several things to keep in mind about the
SSID:
- Disable Broadcast
- Make it unique
- Change it often
Most wireless networking devices will give you the option of
broadcasting the SSID. While this option may be more convenient, it allows
anyone to log into your wireless network. This includes hackers. So,
don’t broadcast the SSID.
Wireless networking products come with a default SSID set by the
factory. (The Linksys default SSID is “linksys”.) Hackers know these
defaults and can check these against your network. Change your SSID
to something unique and not something related to your company or the
networking products you use.
Change your SSID regularly so that any hackers who have gained access
to your wireless network will have to start from the beginning in trying
to break in.
MAC Addresses. Enable MAC Address filtering. MAC Address
filtering will allow you to provide access to only those wireless nodes
with certain MAC Addresses. This makes it harder for a hacker to access
your network with a random MAC Address.
WEP Encryption. Wired Equivalent Privacy (WEP) is often looked
upon as a panacea for wireless security concerns. This is overstating
WEP’s ability. Again, this can only provide enough security to make
a hacker’s job more difficult.
- 40 or 128 bit method.
- Uses RC4 cipher from RSA
- Challenge key sent unencrypted - security weakness
There are several ways that WEP can be maximized:
- Use the highest level of encryption possible
- Use a “Shared” Key
- Use multiple WEP keys
- Change your WEP key regularly
Implementing encryption will have a negative impact on your network’s
performance. If you are transmitting sensitive data over your network,
encryption should be used.