Wireless Security Protocol


Wireless Protocol Overview
Two types of authentication were introduced with the original 802.11 standard: open and shared WEP key authentication. While open authentication is really "no authentication," (a client requests authentication and the access point grants it), WEP authentication was supposed to provide privacy to a link, making it like a cable connecting a PC to an Ethernet wall-jack. As was mentioned earlier, shared WEP keys proved to be flawed and something better was required. To counteract shared WEP key weakness, the very first approach by companies was to try techniques such as cloaking SSIDs and filtering MAC addresses. These techniques were also too weak. You will learn more about the weaknesses of these techniques later.
The flaws with WEP shared key encryption were two-fold. First, the algorithm used to encrypt the data was crackable. Second, scalability was a problem. The 32-bit WEP keys were manually managed, so users entered them by hand, often incorrectly, creating calls to technical support desks.
Following the weakness of WEP-based security, there was a period of interim security measures. Vendors such as Cisco, wanting to meet the demand for better security, developed their own systems while simultaneously helping to evolve the 802.11i standard. On the way to 802.11i, the TKIP encryption algorithm was created, which was linked to the Wi-Fi Alliance Wi-Fi Protected Access (WPA) security method.
Today, the standard that should be followed in most enterprise networks is the 802.11i standard. This is similar to the Wi-Fi Alliance WPA2 standard. For enterprises, WPA2 includes a connection to a Remote Authentication Dial In User Service (RADIUS) database.
For more about the WEP security weakness, see the paper "Security of the WEP algorithm" available at http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html.
Authenticating to the Wireless LAN
In an open network, such as a home network, association may be all that is required to grant a client access to devices and services on the WLAN. In networks that have stricter security requirements, an additional authentication or login is required to grant clients such access. This login process is managed by the Extensible Authentication Protocol (EAP). EAP is a framework for authenticating network access. IEEE developed the 802.11i standard for WLAN authentication and authorization to use IEEE 802.1x.
The enterprise WLAN authentication process is summarized as follows:
1. The 802.11 association process creates a virtual port for each WLAN client at the access point.
2. The access point blocks all data frames, except for 802.1x-based traffic.
3. The 802.1x frames carry the EAP authentication packets via the access point to a server that maintains authentication credentials. This server is an Authentication, Authorization, and Accounting (AAA) server running the RADIUS protocol.
4. If the EAP authentication is successful, the AAA server sends an EAP success message to the access point, which then allows data traffic from the WLAN client to pass through the virtual port.
Before opening the virtual port, data link encryption between the WLAN client and the access point is established to ensure that no other WLAN client can access the port that has been established for a given authenticated client.
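The following is an added example, not code from the original article: a small model of the per-client virtual port an access point keeps as the 802.1X authenticator. It parses Ethernet frames, drops everything except EAPOL (EtherType 0x888E) while the port is blocked, and opens the port only after the AAA server's EAP Success is relayed. The client MAC and frame bytes are constructed for the demo; the EtherType, PAE group address and EAP code values are the standard ones.

```python
import struct

EAPOL_ETHERTYPE = 0x888E          # EtherType of 802.1X EAPOL frames
EAPOL_EAP_PACKET = 0              # EAPOL packet type 0 carries an EAP packet
EAP_SUCCESS, EAP_FAILURE = 3, 4   # EAP code values for Success and Failure
PAE_GROUP = bytes.fromhex("0180c2000003")   # 802.1X PAE group destination MAC

class Authenticator:
    """Per-client virtual port state kept by the access point (802.1X authenticator)."""
    def __init__(self):
        self.authorized = {}   # client MAC -> True once EAP Success has been relayed

    def associate(self, client_mac):
        self.authorized[client_mac] = False   # association creates the port, blocked

    def handle_frame(self, frame):
        """Classify one frame received from a client: 'eapol', 'forward' or 'drop'."""
        if len(frame) < 14:
            return "drop"
        src, ethertype = frame[6:12], struct.unpack("!H", frame[12:14])[0]
        if src not in self.authorized:
            return "drop"                 # no association, so no port exists
        if ethertype == EAPOL_ETHERTYPE:
            return "eapol"                # 802.1X traffic is relayed to the AAA server
        return "forward" if self.authorized[src] else "drop"

    def relay_from_aaa(self, client_mac, eapol_payload):
        """Apply the EAP result the AAA server returned; True means the port is open."""
        if eapol_payload[1] == EAPOL_EAP_PACKET:   # EAPOL header: version, type, length
            eap_code = eapol_payload[4]             # first byte of the EAP packet
            if eap_code == EAP_SUCCESS:
                self.authorized[client_mac] = True  # open the virtual port
            elif eap_code == EAP_FAILURE:
                self.authorized[client_mac] = False
        return self.authorized[client_mac]

def demo():
    """One client: associate, data blocked, EAP exchange, EAP Success, port open."""
    ap = Authenticator()
    client = bytes.fromhex("02aabbccddee")   # constructed, locally administered MAC
    ap.associate(client)
    ip_frame = b"\xff" * 6 + client + struct.pack("!H", 0x0800) + b"\x45" * 20
    eapol_resp = (PAE_GROUP + client + struct.pack("!H", EAPOL_ETHERTYPE)
                  + struct.pack("!BBH", 1, EAPOL_EAP_PACKET, 5) + bytes([2, 1, 0, 5, 1]))
    before = ap.handle_frame(ip_frame)           # data blocked: "drop"
    relayed = ap.handle_frame(eapol_resp)        # EAP Response/Identity: "eapol"
    success = struct.pack("!BBH", 1, EAPOL_EAP_PACKET, 4) + bytes([EAP_SUCCESS, 1, 0, 4])
    opened = ap.relay_from_aaa(client, success)  # True
    after = ap.handle_frame(ip_frame)            # now "forward"
    return before, relayed, opened, after
```

The model omits the link-layer key handshake that a real access point completes before the port forwards data, so the returned states show only the blocked/authorized transition.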
Before 802.11i (WPA2) or even WPA were in use, some companies tried to secure their WLANs by filtering MAC addresses and not broadcasting SSIDs. Today, it is easy to use software to modify MAC addresses attached to adapters, so the MAC address filtering is easily fooled. It does not mean you should not do it, but if you are using this method, you should back it up with additional security, such as WPA2.
Even if an SSID is not broadcast by an access point, the traffic that passes back and forth between the client and access point eventually reveals the SSID. If an attacker is passively monitoring the RF band, the SSID can be sniffed in one of these transactions, because it is sent in clear text. The ease of discovering SSIDs has led some people to leave SSID broadcasting turned on. If so, that should probably be an organizational decision recorded in the security policy.
The idea that you can secure your WLAN with nothing more than MAC filtering and turning off SSID broadcasts can lead to a completely insecure WLAN. The best way to ensure that only end users who are supposed to be on the WLAN gain access is to use a security method that incorporates port-based network access control, such as WPA2.
Encryption
Two enterprise-level encryption mechanisms specified by 802.11i are certified as WPA and WPA2 by the Wi-Fi Alliance: Temporal Key Integrity Protocol (TKIP) and Advanced Encryption Standard (AES).
TKIP is the encryption method certified as WPA. It provides support for legacy WLAN equipment by addressing the original flaws associated with the 802.11 WEP encryption method. It makes use of the original encryption algorithm used by WEP.
TKIP has two primary functions:
It encrypts the Layer 2 payload
It carries out a message integrity check (MIC) in the encrypted packet. This helps detect whether a message has been tampered with.
Although TKIP addresses all the known weaknesses of WEP, the AES encryption of WPA2 is the preferred method, because it brings the WLAN encryption standards into alignment with broader IT industry standards and best practices, most notably IEEE 802.11i.
AES has the same functions as TKIP, but it uses additional data from the MAC header that allows destination hosts to recognize if the non-encrypted bits have been tampered with. It also adds a sequence number to the encrypted data header.
When you configure Linksys access points or wireless routers, such as the WRT300N, you may not see WPA or WPA2; instead you may see references to something called pre-shared key (PSK). The various types of PSK are as follows:
PSK or PSK2 with TKIP is the same as WPA
PSK or PSK2 with AES is the same as WPA2
PSK2, without an encryption method specified, is the same as WPA2
