Monday, February 15, 2010

Day 6: Wireless Security

A network administrator should implement the following security features on a WLAN during initial setup (mind you, they're easily bypassed):
  • Disable SSID broadcast.
  • Change default settings.
  • Enable MAC address filtering.
We can implement authentication for the WLAN (by username or password). This occurs before MAC filtering. There are three types of wireless authentication:
  1. Open authentication: all clients can connect to the WLAN.
  2. Preshared keys (PSK): both AP and client are configured with the same key. This is a one-way authentication because the AP doesn't authenticate with the host (user doesn't have to authenticate).
  3. Extensible Authentication Protocol (EAP): the EAP software on the client communicates with an authentication server such as RADIUS, which maintains a database of users separate from the AP. 802.1X can also provide AP security through user authentication (EAP).
It's obvious that we need to protect transmissions by using some form of WLAN encryption:
  • Wired Equivalent Privacy (WEP): the key is 64 to 256 bits, but all devices (including the AP) must have the same manually configured static key to understand transmissions. This is easily defeated nowadays with hacking software.
  • Wi-Fi Protected Access (WPA): the key is also 64 to 256 bits, but the encryption is more secure because it rotates keys. WPA uses TKIP (Temporal Key Integrity Protocol) to generate new keys for clients and rotate them at a configurable interval; both client and AP have the key. Remember that WPA dynamically generates a different key for each client's communication with the AP.
  • 802.11i/WPA2 is a better version that uses Advanced Encryption Standard (AES) technology.
WPA is a more powerful security technology for Wi-Fi networks than WEP. It provides strong data protection by using encryption as well as strong access controls and user authentication. WPA utilizes 128-bit encryption keys and dynamic session keys to ensure your wireless network's privacy and enterprise security.

There are two basic forms of WPA: WPA Enterprise (requires a RADIUS server) and WPA Personal (also known as WPA-PSK). Either can use TKIP or AES for encryption, but not all WPA hardware supports AES.

WPA-PSK is basically an authentication mechanism in which users provide some form of credentials to verify that they should be allowed access to a network. It requires a single password entered into each WLAN node. As long as the passwords match, a client will be granted access to the WLAN. The encryption mechanisms used for WPA and WPA-PSK are the same. The only difference between the two is that in WPA-PSK, authentication is reduced to a simple common password instead of user-specific credentials.

The Pre-Shared Key (PSK) mode of WPA is considered vulnerable to the same risks as any other shared password system, dictionary attacks for example. Another issue is key management: when the key is shared among multiple users, it is difficult to remove one user once access has been granted (this is less of a concern in a home environment).
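To make the shared-password risk concrete, here is an added example (not from the original post) that derives the WPA-Personal master key the way IEEE 802.11i defines it, PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, and audits a WLAN profile against the points above. The `audit_psk` helper, the sample lists and the 20-character threshold are assumptions made for illustration.

```python
import hashlib

def wpa_pmk(passphrase, ssid):
    """256-bit master key for WPA/WPA2-Personal per IEEE 802.11i:
    PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

# Constructed sample data: tiny stand-ins for a common-password list
# and a list of factory-default SSIDs.
COMMON_PASSPHRASES = {"password", "12345678", "qwertyuiop", "letmein123"}
DEFAULT_SSIDS = {"linksys", "default", "NETGEAR", "dlink"}
MIN_LENGTH = 20  # assumed policy threshold, not taken from the post

def audit_psk(ssid, passphrase, users_sharing):
    """Return a list of findings for one WPA-PSK profile (hypothetical helper)."""
    findings = []
    if passphrase.lower() in COMMON_PASSPHRASES:
        findings.append("passphrase appears on a common-password list")
    if len(passphrase) < MIN_LENGTH:
        findings.append("passphrase shorter than %d characters" % MIN_LENGTH)
    if ssid in DEFAULT_SSIDS:
        # The SSID is the only salt, so a default SSID gives no uniqueness.
        findings.append("default SSID: key salt is shared with many other networks")
    if users_sharing > 1:
        # Every holder of the passphrase derives the identical master key.
        findings.append("shared key: removing one user means re-keying all %d"
                        % users_sharing)
    return findings

if __name__ == "__main__":
    # Two clients with the same passphrase hold the same key: no per-user identity.
    alice = wpa_pmk("password", "linksys")
    bob = wpa_pmk("password", "linksys")
    print("same key for every client:", alice == bob)
    # Changing only the SSID changes the key, which is why defaults should go.
    print("key changes with SSID:", alice != wpa_pmk("password", "corp-wlan-7"))
    for finding in audit_psk("linksys", "password", users_sharing=12):
        print("finding:", finding)
```

Because the derived key depends only on the passphrase and the SSID, the two controls that matter for a PSK network are a long, uncommon passphrase and a non-default SSID; per-user revocation requires EAP/802.1X instead.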

Consider these points when planning/troubleshooting a WLAN:
  • Signal: 802.11b/g/n have a larger coverage area than 802.11a. Generally speaking, the higher the data rate, the smaller the coverage area. There's also interference and reflection (RF waves bounce off metal or glass surfaces).
  • Standards: be careful with backward compatibility; some APs don't support the 5 GHz frequency (802.11a).
  • Bandwidth: all users share the same bandwidth on a BSS.
  • Association: make sure that the SSID is correct on clients and AP.
  • Total cost of ownership (TCO).
  • Channels and correct placing.
  • Authentication/security.

1 comment:

  1. If you want to get hands-on with 802.1X, consider using a free hosted service: http://www.NoWiresSecurity.com
