
Under Construction. For Basic Security in your Wireless Network you should:
  • Change default admin password on Access Point (Linksys, D-link, Airport, ...)
  • Change default SSID (Don't use your name)
  • Turn off SSID broadcast (Note some PC cards will not work with it turned off)
  • Set up security to require a password for access and encryption of transmissions, e.g. WEP, WPA, 802.11i
  • Enable MAC filtering and set up a list of MAC addresses allowed to connect
  • Turn off disk sharing (or add passwords on your PC)
Wired Equivalent Privacy (WEP) 
Original Standard with several vulnerabilities.
See WEP

WPA - Wi-Fi Protected Access:
A newer standard which fixes some of the flaws in WEP.
WPA is actually a snapshot of the current version of 802.11i, which includes
Temporal Key Integrity Protocol (TKIP) and 802.1x mechanisms. The combination
of these two mechanisms provides dynamic key encryption and mutual
authentication, something much needed in WLANs.

See:
WPA Security Enhancements at Wi-Fi Planet.
WPA at wi-fi.org.
Wireless Security: WPA Step by Step at PC Magazine.

One up-and-coming 802.11x specification, 802.11i, is still involved in development and approval processes. The specification might be officially released by early 2003. After it's available, 802.11i will provide replacement technology for WEP security. Initially, 802.11i will provide Temporal Key Integrity Protocol (TKIP) security that you can add to existing hardware with a firmware upgrade.

Advanced Encryption Standard (AES) protocol will replace TKIP, and the new chips will probably be backward-compatible with TKIP. In effect, TKIP is a temporary protocol for use until manufacturers implement AES at the hardware level.

TKIP is a quick-fix method to overcome the inherent weaknesses in WEP security, especially the reuse of encryption keys. According to "802.11 Planet," "The TKIP [security] process begins with a 128-bit 'temporal key,' [which is] shared among clients and access points. TKIP combines the temporal key with the [client machine's] MAC address and then adds a relatively large 16-octet initialization vector to produce the key that will encrypt the data. This procedure ensures that each station uses different key streams to encrypt the data. TKIP uses RC4 to perform the encryption, which is the same as WEP. A major difference from WEP, however, is that TKIP changes temporal keys every 10,000 packets. This provides a dynamic distribution method that significantly enhances the security of the network."


Security at NetworkWorld

802.1X

In this era of ever-increasing mobility in wired and wireless scenarios, we can no longer always assume a user's access to a Layer 2 network will be via the same physical port of entry. This mobility has created a need to identify who is attempting to gain access to a given port. The 802.1X standard provides such a solution.

802.1X defines Extensible Authentication Protocol (EAP) over LANs (EAPOL). The standard encapsulates and leverages much of EAP, which was defined for dial-up authentication with Point-to-Point Protocol in RFC 2284.

Beyond encapsulating EAP packets, the 802.1X standard also defines EAPOL messages that convey the shared key information critical for wireless security.


EAP sits inside of PPP's authentication protocol and provides a generalized framework for several different authentication methods. EAP is supposed to head off proprietary authentication systems and let everything from passwords to challenge-response tokens and public-key infrastructure certificates all work smoothly.

With a standardized EAP, interoperability and compatibility of authentication methods become simpler. For example, when you dial a remote-access server and use EAP as part of your PPP connection, the RAS doesn't need to know any of the details about your authentication system. Only you and the authentication server have to be coordinated. By supporting EAP authentication, a RAS server gets out of the business of acting as middle man, and just packages and repackages EAP packets to hand off to a RADIUS server that will do the actual authentication.
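
An added example (not from this page or the articles it quotes): a small Python parser for the EAPOL framing described above, with the length checks a receiver needs before handing the inner EAP packet on to the authentication server. The header layout and type codes follow IEEE 802.1X and RFC 2284; the function names and the sample frames are constructed for illustration.

```python
import struct

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_METHODS = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge"}


def parse_eap(body: bytes) -> dict:
    """Parse an EAP packet: code, identifier, length, then type + data for Request/Response."""
    if len(body) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", body[:4])
    if length < 4 or length > len(body):
        raise ValueError("EAP length field disagrees with the bytes present")
    eap = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident}
    if code in (1, 2):  # only Request and Response carry a type octet
        if length < 5:
            raise ValueError("Request/Response without a type octet")
        eap["method"] = EAP_METHODS.get(body[4], f"type {body[4]}")
        eap["data"] = body[5:length]
    return eap


def parse_eapol(frame: bytes) -> dict:
    """Parse the 4-byte EAPOL header and, for EAP-Packet frames, the EAP packet inside."""
    if len(frame) < 4:
        raise ValueError("EAPOL frame shorter than its 4-byte header")
    version, ptype, body_len = struct.unpack("!BBH", frame[:4])
    if body_len > len(frame) - 4:
        raise ValueError("EAPOL body length exceeds the captured frame")
    body = frame[4:4 + body_len]  # anything after the body is Ethernet padding
    out = {"version": version, "type": EAPOL_TYPES.get(ptype, f"unknown({ptype})")}
    if ptype == 0:
        out["eap"] = parse_eap(body)
    elif ptype == 3:
        out["key_descriptor_len"] = len(body)  # key material is not decoded here
    return out


# Constructed sample frames (Ethernet header already removed), not captured traffic.
START = bytes.fromhex("01010000")
IDENTITY_RESPONSE = bytes.fromhex("0100000a" "0207000a01" "616c696365")

if __name__ == "__main__":
    print(parse_eapol(START))
    print(parse_eapol(IDENTITY_RESPONSE))
```

Frames whose length fields do not match the bytes actually received are rejected with ValueError rather than parsed partially.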


See:
Wireless in Healthcare


last updated 10 July 2004