WLAN Security

WLAN security includes the following:

■ Authentication: Ensures that only legitimate clients access the network via trusted APs.

■ Encryption: Ensures the confidentiality of transmitted data.

■ Intrusion detection and intrusion protection: Monitors, detects, and mitigates unauthorized access and attacks against the network.

Initially, basic 802.11 WLAN security was provided via Wired Equivalent Privacy (WEP) authentication and encryption, using static keys. With static WEP, the encryption keys must match on both the client and the access point. Unfortunately, the keys are relatively easy to compromise, so static WEP is no longer considered secure.

While the 802.11 committee was developing a more robust standard security solution, vendors incorporated the IEEE 802.1X Extensible Authentication Protocol (EAP) to authenticate users via a RADIUS authentication server such as Cisco Secure Access Control Server (ACS) and to enforce security policies for them. Basing the authentication transaction on users, rather than on machine credentials, reduces the risk of security compromise from lost or stolen equipment. 802.1X authentication also permits flexible credentials to be used for client authentication, including passwords, one-time tokens, public key infrastructure (PKI) certificates, and device IDs.

When 802.1X is used for wireless client authentication, dynamic encryption keys can be distributed to each user, each time that user authenticates on the network. The Wi-Fi Alliance also introduced Wi-Fi Protected Access (WPA) to enhance encryption and protect against all known WEP key vulnerabilities. WPA includes the Temporal Key Integrity Protocol (TKIP) to provide per-packet keying that protects the WEP key from exploits that seek to derive the key using packet comparison, and a message integrity check (MIC) to protect against packet replay. MIC protects the wireless system from inductive attacks that seek to induce the system to send either key data or a predictable response that can be compared to known data to derive the WEP key.

In late 2001, Cisco implemented a prestandard version of TKIP and MIC now called Cisco Key Integrity Protocol and Cisco Message Integrity Check, respectively. Cisco devices also now support the standard TKIP and MIC.

The IEEE 802.11i standard now encompasses a number of security improvements, including those implemented in WPA. 802.1X authentication is still used; however, 802.11i specifies the use of the Advanced Encryption Standard (AES). AES is a stronger security algorithm than WEP, but it is more CPU-intensive and therefore requires updated hardware to run AES encryption while maintaining comparable throughput. The Wi-Fi Alliance-interoperable implementation of 802.11i with AES is called WPA2.

NOTE WPA and WPA2 can also use a preshared key (PSK) instead of 802.1X when a RADIUS server is not available—for example, for home users. A PSK is similar to a password. Before communication starts, the same password is put on both devices (it is preshared) and the devices authenticate each other using the key.
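The following sketch is an added example, not part of the original text. It shows how a shared WPA/WPA2 passphrase becomes a 256-bit master key, and how each association still gets its own temporal keys. The function names, MAC addresses, and nonces are constructed for illustration; the derivation parameters (PBKDF2-HMAC-SHA1 salted with the SSID, 4096 iterations, and the "Pairwise key expansion" PRF) come from IEEE 802.11i, not from this page.

```python
import hashlib
import hmac

def psk_to_pmk(passphrase: str, ssid: str) -> bytes:
    """Map a WPA/WPA2 passphrase to the 256-bit pairwise master key (PMK)."""
    if not 8 <= len(passphrase) <= 63 or not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be 8-63 printable ASCII characters")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1-32 bytes")
    # The SSID is the salt, so the same passphrase on a different SSID yields
    # a different PMK. Every device configured with this pair holds the same PMK.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF: concatenated HMAC-SHA1 blocks over label || 0x00 || data || counter."""
    out, counter = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]

def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> dict:
    """Derive the 384-bit pairwise transient key used with AES (WPA2) for one association."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac) +
            min(anonce, snonce) + max(anonce, snonce))
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}

if __name__ == "__main__":
    # Constructed sample values: the passphrase/SSID pair is the IEEE 802.11i
    # test vector; the MAC addresses and nonces are made up for this demo.
    pmk = psk_to_pmk("password", "IEEE")
    ap, sta = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    first = derive_ptk(pmk, ap, sta, b"\x11" * 32, b"\x22" * 32)
    second = derive_ptk(pmk, ap, sta, b"\x33" * 32, b"\x44" * 32)
    print("PMK (static, shared by all devices):", pmk.hex())
    print("TK, association 1:", first["tk"].hex())
    print("TK, association 2:", second["tk"].hex())
```

The PMK never changes until the passphrase or SSID changes, which is why a PSK behaves like a shared password, while the temporal key differs for every association because fresh nonces enter the derivation.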

Table 9-2 summarizes the WLAN security evolution.

Table 9-2 Evolution of WLAN Security

WEP: No strong authentication, static keys, first-generation encryption, not scalable

802.1X and WPA: Strong, user-based authentication, dynamic keys, improved encryption

Wireless intrusion detection system (IDS): Identify and protect against attacks

802.1X, 802.11i/WPA2: Strong, user-based authentication, dynamic key management, AES encryption

Improvements to hashing algorithms and key management in conjunction with AES
