Sizing Up the Electronics Place

The process of a client associating and authenticating to an access point is standard. Should shared key authentication be selected at the client, there are additional packets sent confirming the keys authenticity.

Open Authentication: This type of security assigns a string to an access point or several access points defining a logical segmented wireless network known as a service set identifier (SSID). The client can't associate with an access point unless it is configured with that SSID. Associating with the network is as easy as determining the SSID from any client on the network. The access point can be configured to not broadcast the SSID improving security somewhat. Most companies will implement static or dynamic keys to supplement security of SSID.

Static WEP keys: Configuring your client adapter with a static wired equivalency private (WEP) key improves the security of your wireless transmissions. The access point is configured with the same 40 bit or 128 bit WEP key and during association those encrypted keys are compared. The issue is hackers can intercept wireless packets and decode your WEP key.

Dynamic WEP keys (WPA): The deployment of dynamic encrypted WEP keys per session strengthens security with a hash algorithm that generates new key pairs at specific intervals making spoofing much more difficult. The protocol standard includes 802.1x authentication methods with TKIP and MIC encryption. Authentication between the wireless client and authentication RADIUS server allows for dynamic administration of security. It should be mentioned that each authentication type will specify Windows platform support. An example is PEAP which requires Windows XP with service pack 2, Windows 2000 with SP4 or Windows 2003 at each client.

The 802.1x standard is an authentication standard with per user and per session encryption with these supported EAP types: EAP-TLS, LEAP, PEAP, EAP-FAST, EAP-TTLS and EAP-SIM. User network authentication credentials have nothing to do with the client computer configuration. Any loss of computer equipment doesn't affect security. The encryption process is handled with TKIP an enhanced encryption standard improving WEP encryption with per packet key hashing (PPK), message integrity checking (MIC) and broadcast key rotation. The protocol uses 128 bit keys for encrypting data and 64 bit keys for authentication. The transmitter adds some bytes or MIC to a packet before encrypting it and the receiver decrypts and verifies the MIC. Broadcast key rotation will rotate unicast and broadcast keys at specific intervals. Fast reconnect is a WPA feature that is available allowing employees to roam without having to re-authenticate with the RADIUS server should they change floors or rooms. The client username and password is cached with the RADIUS server for a specified period.

WPA-PSK: WPA pre-shared keys use some features of static WEP keys and dynamic key protocols. Each client and access point is configured with a specific static passcode. The passcode generates keys that TKIP uses to encrypt data per session. The passcode should be at least 27 characters to defend against dictionary attacks.

WPA2: The WPA2 standard implements the WPA authentication methods with Advanced Encryption Standard (AES). This encryption method is deployed with government implementations etc. where the most stringent security must be implemented.

Application Layer Passcode: SSG uses a passcode at the application layer. Client can't authenticate unless they know the passcode. SSG is implemented in public places such as hotels where the client pays for the password allowing access to the network.

VLAN Assignments: As noted companies will deploy access points with SSID assignments that define logical wireless networks. The access point SSID will then be mapped to a VLAN on the wired network that segments traffic from specific groups as they would with the conventional wired network. Wireless deployments with multiple VLANs will then configure 802.1q or ISL Trunking between access point and Ethernet switch.

Anti Theft Option: Some access points have an anti theft option available using padlock and cabling to secure equipment while deployed in public places. This is a key feature with public implementations where access points can be stolen or there is some reason why they must be mounted below the ceiling.

About the Author:

IT Knowledge Hub is a network for IT professionals and decision makers. Check out our library of free white papers to learn more about network security and database development. You can also review additional research and information at the Database Monitoring Blog.

Article Marketing

28 people like this article