Extending the flexibility of a network with wireless networking products began rising in popularity around the early '90s and has picked up steam ever since. With the advent of all of these new wireless products and technologies, security seems to be the biggest weakness often associated with a wireless network. On a traditional wired network, an attacker must either be physically plugged into your network from within the wired network or go to the trouble of breaking through an edge firewall or router. With a wireless network, all a potential attacker needs to do is sit in the comfort of his or her car in the parking lot with a laptop and wireless sniffer. The goal of this article is to give a brief description of all of the different types of wireless security options available, so that you may determine the best fit for securing your wireless network.
Wired Equivalent Privacy (WEP) is anything but equivalent to the security of a wired network. The WEP standard was created in the very early days of wireless networks with the goal of being the only layer of security necessary for WLANs. Unfortunately, WEP didn't really work out at all. The problem with it boils straight down to flaws in its design.
WEP is based upon a system where the data flowing across the wireless network is encrypted using a randomly generated cryptographic key. The method WEP uses to generate these keys, however, was soon discovered to be very predictable, thus making it easier for potential intruders to intercept and decipher these keys. Even a moderately skilled wireless hacker can break WEP cryptography in as little as two or three minutes. The WEP cracking process is displayed in Figure 1.
Figure 1. Cracking WEP is a relatively simple process
Even though WEP has been proven to be antiquated and ineffective it is still supported by a large number of modern wireless access points and routers produced today. Not only that, but it is still one of the most used ways individuals, as well as companies, report they are securing their wireless networks. If you are still using WEP, then I implore you to continue reading the rest of this guide and to get as far away from it as possible. That is, if you value the security of your network at all.
The direct response to the weaknesses of WEP is Wi-Fi Protected Access (WPA). WPA works around the same basic principal as WEP, but does it in a much less flawed way. There are two basic ways WPA can be used, depending on the level of security you require. Most home and small office users will use WPA-Personal security, which is solely based on an encryption key. In this setup, your access point and wireless clients share a key that is encrypted by either the TKIP or AES methods. Although this sounds exactly like WEP, the encryption methods used in WPA are far different and much more complicated to crack. The other method of WPA implementation is to combine the use of a WPA encryption key with 802.1Xauthentication, discussed in the next section.
802.1X and EAP are IEEE approved standards that are designed to enable an improved means of authentication for both wired and wireless networks alike, although their main popularity is in the wireless segment. These things are not cipher-based technologies and therefore do not serve as a direct alternative to WEP, TKIP, etc. but rather as an addition to them to provide additional security. Each component breaks down as follows:
Any wireless network using 802.1X/EAP-based authentication can be broken down into three main components: (See Figure 2.)
Figure 2. 802.1x relies on a EAP and a RADIUS server to manage authentication
The use of 802.1X/EAP-based wireless security is really most appropriate for corporate-level wireless networks. Small networks can get by coupling 802.1X security with a standard encryption protocol such as WPA or TKIP, where as larger, more secure networks will want to tie 802.1X security in with certificate-based authentication.
Virtual Private Network technology (VPN) has been used as a means of point to point security since the 1990s. This technology has gained even more popularity, since its proven security can easily be translated to wireless networks.
When a WLAN client uses a VPN tunnel, communications data remains encrypted until it reaches the VPN gateway, which sits behind the wireless AP (as shown in Figure 3). Thus, intruders are blocked from intercepting unencrypted network communications. Since the VPN encrypts the entire link from the PC to the VPN gateway in the heart of the corporate network, the wireless network segment between the PC and the AP is also encrypted. VPN connections can be managed with a variety of credentials including passwords, certificates, and smart cards. This is another great method of securing enterprise level wireless networks.
Figure 3. VPN provides a secure encrypted tunnel for wireless communications
One of the newest things to hit the wireless security market are wireless security switches. These switches are hardware-based solutions that plug straight in to the backbone of your wired network and often come as packages complete with access points (see Figure 4). The goal of these switches is to centralize security and management for access points in large distributed networks. Often manageable via a web, application, or command-line interface, they are a great means for providing uniformity for all of the access points across a network. Not only that, but they are also great for keeping rogue access points out of a network. If an access point is not configured in the ACL for the security switch, then you quickly know that it should not be operating on your network. All of the major networking component manufacturers now provide some form of wireless security switch.
Figure 4. An Enterasys RBT-8400 wireless security switch
In this article I have really only covered a few of the most common methods of securing a wireless network. In all honesty, you are always going to be putting your data at some risk when you transmit it over the airwaves. All we can really hope to do is to minimize this risk by implementing some of the measures discussed here. That being the case, which of these methods is right for your network? To answer this question I have created a handy little flow chart (Figure 5). Just keep in mind to not go by this flow chart alone. You should do a serious review of the sensitivity of the information flowing across your wireless network and consult organization management before jumping into a wireless security solution.
Figure 5. Follow this flow chart to help determine your wireless security needs
Chris Sanders is the network administrator for one of the largest public school systems in the state of Kentucky. For more about Chris, you can view his personal blog at http://www.chrissanders.org.
Return to WindowsDevCenter.
Copyright © 2009 O'Reilly Media, Inc.