- Standards
- Security Issues
- Risk Mitigators
- Authentication Solutions
- Gateway Control
Risk Mitigators
To use wireless LANs in an enterprise or production environment, you need to mitigate the inherent risk in current products and standards. Enterprise-level wireless LAN security focuses on two issues: Network access must be limited to authorized users, and wireless traffic should be protected from sniffing. The 802.11b standard does include some security mechanisms, but their scalability is questionable.
MAC Address
One way to secure access to a wireless network is to instruct access points to pass only those packets originating from a list of known addresses. Of course, Media Access Control (MAC) addresses can be spoofed, but an attacker would have to learn the address of a user's Ethernet card before this would be successful. Unfortunately, many wireless cards have the MAC address printed right on the face.
Even if you can secure the card address, you still have to compile, maintain, and distribute a list of valid MAC addresses to each access point. Additionally, each brand of access point has some limit on the number of addresses allowed. For example, Lucent's Orinoco access point has a limit of approximately 490 MAC addresses. Cisco can support the highest number at around 2,000 addresses.
Service Set ID
Another setting on the access point that can be used to restrict access is the network name, also known as the service set ID (SSID). An access point can be configured either to allow any client to connect to it or to require that a client specifically must request the access point by name. Even though this was not meant primarily as a security feature, setting the access point to require the SSID can let the ID act as a password.
As with any password scheme, however, the more people who know the password, the higher the probability that an unauthorized user will misuse it. The SSID can be changed periodically, but each user must be notified of the new ID and reconfigure the client.
Wired Equivalent Privacy (WEP)
The 802.11b standard provides encrypted communication between clients and access points via Wired Equivalent Privacy (WEP). Under WEP, all users of a given access point share the same encryption key. To achieve mobility within a campus, all access points must be set to use the same key, and all clients have the same encryption key as well. Additionally, data headers remain unencrypted so that anyone can see the source and destination of data transmission.
WEP is a weak protocol that uses RC4. Here are just a few of the attacks that could easily be launched against WEP:
Passive attacks to decrypt traffic based on statistical analysis
Active attacks to inject new traffic from unauthorized mobile stations, based on known plain text
Active attacks to decrypt traffic, based on tricking the access point
Dictionary-building attack that, after analysis of about a day's worth of traffic, allows real-time automated decryption of all traffic
With these limitations, some vendors do not implement WEP, although most provide models with and without it. An access point can be configured to never use WEP or to always require the use of WEP. In the latter case, an encrypted challenge is sent to the client. If the client cannot respond correctly, it will not be allowed to use the access point, making the WEP key another password. As with using the SSID as a password, you could routinely change the WEP key, but you would have the same client notification and configuration issues.
Of course, an attacker possessing the WEP key could sniff packets off the airwaves and decrypt them. Nonetheless, requiring WEP substantially raises the minimum skill set that is needed to intercept and read wireless data.