Although security was originally included with 802.11 standards, it soon became obvious that it wasn't enough. Wireless security—or the lack of it—has been a major contributor to IT managers' reluctance to adapt wireless LANs.
Recently, wireless security has improved dramatically, providing IT managers with an acceptable level of comfort to proceed with the installation of WLANs. IEEE 802.11i, released in June 2004, addresses current security concerns.
In addition to the 802.11 suite of standards, the 802.1x standard can be used for wireless security. More precisely, 802.1x addresses port-based access control.
Wireless Security Issues
A main issue with wireless communication is unauthorized access to network traffic or, more precisely, the watching, displaying, and logging of network traffic, also known as sniffing. Contrary to a wired network, where a hacker would need to be physically located at the corporate premises to gain access through a network drop, with a wireless network, the intruder can access the network from a location outside the corporate building. WLANs use radio frequencies, and their signals propagate through ceilings and walls. Therefore, wireless eavesdropping, known as war driving or walk-by hacking, and rogue WAPs—unauthorized WAPs that allow a hacker access to a network—are two significant security issues with wireless networks.
Moreover, wireless equipment tends to ship with open access. Not only is traffic propagated in clear text, but WAPs also voluntarily broadcast their identity, known as Service Set Identifiers (SSIDs).
Wireless Threat Mitigation
Thanks to the wireless open-access default mode, we can join a wireless network from our favorite coffee shop or hotel room; however, this unrestricted access is not advisable for corporate networks. Wireless network security can be classified into the following three categories:
- Basic wireless security
- Enhanced wireless security
- Wireless intrusion detection
Basic Wireless Security
Basic wireless security is provided by the following built-in functions:
- Wired Equivalent Privacy (WEP)
- Media Access Control (MAC) address verification
An SSID is a code that identifies membership with a WAP. All wireless devices that want to communicate on a network must have their SSID set to the same value as the WAP SSID to establish connectivity with the WAP.
By default, a WAP broadcasts its SSID every few seconds. This broadcast can be stopped so that a drive-by hacker can't automatically discover the SSID and hence the WAP. However, because the SSID is included in the beacon of every wireless frame, it is easy for a hacker equipped with sniffing equipment to discover the value and fraudulently join the network.
Being able to join a wireless network by the mere fact of knowing the SSID is referred to as open authentication.
Wired Equivalent Privacy
WEP can be used to alleviate the problem of SSID broadcasts by encrypting the traffic between the wireless clients and WAPs. Joining a wireless network using WEP is referred to as shared-key authentication, where the WAP sends a challenge to the wireless client who must return it encrypted. If the WAP can decipher the client's response, the WAP has the proof that the client possesses valid keys and therefore has the right to join the wireless network. WEP comes in two encryption strengths: 64-bit and 128-bit.
However, WEP is not considered secure: A hacker sniffing first the challenge and then the encrypted response could reverse-engineer the process and deduce the keys used by the client and WAP.
MAC Address Verification
To further wireless security, a network administrator could use MAC address filtering, in which the WAP is configured with the MAC addresses of the wireless clients that are to be permitted access.
Unfortunately, this method is also not secure because frames could be sniffed to discover a valid MAC address, which the hacker could then spoof.
Enhanced Wireless Security
Stronger security standards, shown in Table 5-2, were created to replace the weaknesses in WEP.
Table 5-2. Wireless Security Standards
802.11 Original Standards
Open authentication or shared-key
Wireless Fidelity (Wi-Fi) Protected Access (WPA), then 802.11i
IEEE 802.1x is a port-based network access control standard. It provides per-user, per-session, mutual strong authentication, not only for wireless networks but also for wired networks, if need be.
Depending on the authentication method used, 802.1x can also provide encryption. Based on the IEEE Extensible Authorization Protocol (EAP), 802.1x allows WAPs and clients to share and exchange WEP encryption keys automatically. The access point acts as a proxy, doing the heavier computational load of encryption. The 802.1x standard also supports a centralized key management for WLANs.
Wi-Fi Protected Access
WPA was introduced as an intermediate solution to WEP encryption and data integrity insecurities while the IEEE 802.11i standard was being ratified.
When WPA is implemented, access to the WAP is provided only to clients that have the right passphrase. Although WPA is more secure than WEP, if the preshared key is stored on the wireless client and the client is stolen, a hacker could get access to the wireless network.
WPA supports both authentication and encryption. Authentication done through preshared keys is known as WPA Personal; when done through 802.1x, it is known as WPA Enterprise.
WPA offers Temporal Key Integrity Protocol (TKIP) as an encryption algorithm and a new integrity algorithm known as Michael. WPA is a subset of the 802.11i specification.
In June 2004, the IEEE ratified the draft for the 802.11i standard, also known as WPA2. The 802.11i standard formally replaces WEP and other security features of the original IEEE 802.11 standard.
WPA2 is the product certification attributed to wireless equipment that is compatible with the 802.11i standard. WPA2 certification provides support for the additional mandatory 802.11i security features that are not included in WPA. WPA2, like WPA, supports both Enterprise and Personal modes for authentication.
In addition to stricter encryption requirements, WPA2 also adds enhancements to support fast roaming of wireless clients by allowing a client to preauthenticate with the access point toward which it is moving, while maintaining a connection to the access point that it is moving away from.
Wireless Intrusion Detection
Many products provide rogue access point detection. However, some third-party products integrate better than others with Cisco Aironet WAPs and the CiscoWorks Wireless LAN Solution Engine (WLSE), discussed in the next section. One such third-party product is from AirDefense. This product provides wireless intrusion detection that uses the access points to scan the airwaves and report wireless activity.