Print

What Is Wireless Security
Pages: 1, 2

Preventive Measures

Another way of deflecting the attacks is to change the WEP keys periodically. Before an attacker can gather enough information to deduce the keys, the keys themselves change. Unfortunately, WEP does not provide a facility to distribute keys to deployed devices. Traditionally, keys are delivered through some alternate communication method, usually involving a wired network that is considered to be secure. Key distribution is one management problem associated with WEP that causes administrative and security headaches. Another is the management of authorization for deployed devices. Device management is usually done through MAC addresses. A deployed wireless network allows or disallows access to the network by checking the requester's MAC address against an access-control list. Complications arise because most managers administer their access control lists at individual access points, rather than through a centralized database.



This decentralized approach gives rise to a large number of lists. If hardware is lost or stolen, updating the access points individually is time-consuming. Also, access control via MAC addresses has a greater problem: MAC-address spoofing is relatively trivial for the determined hacker or espionage agent to implement. As the above issues illustrate, not only is security flawed, but administration of the security structure in wireless networks is flawed as well.

IEEE 802.11x is an IEEE standard for "port-based network access control." It allows the decision of whether or not to permit network access to be made at the port, the point of contact to the network itself. Until a port is authenticated, it can be used only to pass traffic associated with the authentication process. Authentication can be user-based and managed at a centralized authentication server. In addition, 802.11x provides optional abilities to distribute keys. With its combination of centralized management, management by user instead of device, network protection, and key delivery, 802.11x seems to be the prescription for security, correcting WEP's failings.

The 802.11x protocol specifies Extensible Authentication Protocol (EAP) to carry authentication messages. As "extensible" implies, EAP can carry any number of actual authentication protocols. One example of an EAP authentication method is EAP-TLS. This protocol packages Transport Layer Security (TLS), an evolution of the Secure Sockets Layer (SSL) used in secure web browsing, on top of EAP's message structure. Another example is EAP-OTP, which specifies the use of "one-time passwords." For successful authentication, the entity requesting access to the network and the network's infrastructure must both support the same EAP "flavor." While a deployment requires administrators to consider infrastructure costs and interoperability, the technology is presently available, and deploying a wireless network without it would be a critical oversight.

Security Protections for Your Organization

If your organization wants to establish proper security protections, here are some important guidelines to follow.

  • Wireless security policy and architectural design: The security policy of an organization should include wireless networking as a part of overall security management.

  • Treat access points as untrusted: There is need for evaluating access points at regular time periods to find out whether they can be treated as untrusted devices. This will involve placing the appropriate firewalls, VPNs and IDS between the access point and intranets or the internet.

  • Access point configuration policy: One needs to define the standard security settings for access points before deploying them.

  • Access point security assessments: With the help of regular security audits, one can identify poorly configured access points.

Summary

Ultimately, security is everybody's business, and only with everyone's cooperation and consistent practices will it be achievable. Wireless security is a work in progress, so it is essential to administer a wireless network so that it becomes more and more secure. And with more organizations focusing strongly on wireless security, we can only expect to see many more secured wireless networks in the future.

References

The following online resources provide detailed information on wireless security.

Swayam Prakasha has been working in information technology for several years, concentrating on areas such as operating systems, networking, network security, electronic commerce, Internet services, LDAP, and Web servers. Swayam has authored a number of articles for trade publications, and he presents his own papers at industry conferences. Currently he works at Unisys Bangalore in the Linux Systems Group.


Return to the Security DevCenter.