Secure WLAN Access

Segmenting your WLAN from the rest of your network will help to protect the internal network from any issues or attacks on the wireless network, but there are still other steps you can take to protect the wireless network itself. By encrypting your wireless communications and requiring users to authenticate before connecting, you can ensure unauthorized users do not intrude on your WLAN and that your wireless data cannot be intercepted.
One of the ways to ensure unauthorized users do not eavesdrop on your wireless network is to encrypt your wireless data. The original encryption method, WEP (Wired Equivalent Privacy), was found to be fundamentally flawed. WEP relies on a shared key, or password, to restrict access. Anyone who knows the WEP key can join the wireless network. There was no mechanism built into WEP to automatically change the key, and there are tools available that can crack a WEP key in minutes, so it won’t take long for an attacker to access a WEP-encrypted wireless network.
While using WEP may be slightly better than using no encryption at all, it is insufficient for protecting an enterprise network. The next generation of encryption, WPA (Wi-Fi Protected Access), is designed to leverage an 802.1X-compliant authentication server, but it can also be run similarly to WEP in PSK (Pre-Shared Key) mode. The main improvement from WEP to WPA is the use of TKIP (Temporal Key Integrity Protocol), which dynamically changes the key to prevent the sort of cracking techniques used to break WEP encryption.
Even WPA was a band-aid approach, though. WPA was an attempt by wireless hardware and software vendors to implement sufficient protection while waiting for the official 802.11i standard. The most current form of encryption is WPA2. WPA2 encryption provides even more complex and secure mechanisms, including CCMP, which is based on the AES encryption algorithm.
To protect wireless data from being intercepted and to prevent unauthorized access to your wireless network, your WLAN should be set up with at least WPA encryption, and preferably WPA2 encryption.
Aside from just encrypting wireless data, WPA can interface with 802.1X or RADIUS authentication servers to provide a more secure method of controlling access to the WLAN. Where WEP, or WPA in PSK mode, allows virtually anonymous access to anyone who has the correct key or password, 802.1X or RADIUS authentication requires users to have valid username and password credentials or a valid certificate to log into the wireless network.
Requiring authentication to the WLAN provides increased security by restricting access, but it also provides logging and a forensic trail to investigate if anything suspicious goes on. While a wireless network based on a shared key might log MAC or IP addresses, that information is not very useful when it comes to determining the root cause of a problem. The increased confidentiality and integrity provided are also recommended, if not required, for many security compliance mandates.
With WPA / WPA2 and an 802.1X or RADIUS authentication server, organizations can leverage a variety of authentication protocols, such as Kerberos, MS-CHAP (Microsoft Challenge Handshake Authentication Protocol), or TLS (Transport Layer Security), and use an array of credential authentication methods such as usernames / passwords, certificates, biometric authentication, or one-time passwords.
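One way to check an access point configuration against the recommendations above (WPA2 with CCMP, and 802.1X or RADIUS authentication rather than a shared key), as an added example that is not part of the original article. It assumes a hostapd-style key=value configuration file, which the article does not name; the sample configurations and the grading labels are constructed for illustration.

```python
# Added example: grade hostapd-style AP settings against the article's guidance.
# hostapd is an assumed AP implementation; all sample configs are constructed.

def parse_conf(text):
    """Parse key=value lines, ignoring blanks and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def audit(text):
    """Return (grade, findings): FAIL = WEP/open, WARN = weak WPA options, PASS."""
    conf = parse_conf(text)
    wpa = int(conf.get("wpa", "0"))          # bit 0 = WPA, bit 1 = WPA2 (RSN)
    key_mgmt = conf.get("wpa_key_mgmt", "WPA-PSK").split()
    if wpa == 0:
        if any(k.startswith("wep_key") for k in conf):
            return "FAIL", ["WEP: static shared key, crackable in minutes"]
        return "FAIL", ["open network: no encryption"]
    ciphers = set()
    if wpa & 1:                              # hostapd defaults WPA to TKIP
        ciphers |= set(conf.get("wpa_pairwise", "TKIP").split())
    if wpa & 2:                              # rsn_pairwise falls back to wpa_pairwise
        ciphers |= set(conf.get("rsn_pairwise", conf.get("wpa_pairwise", "TKIP")).split())
    findings = []
    if wpa & 1:
        findings.append("WPA (version 1) enabled: prefer WPA2 only (wpa=2)")
    if "TKIP" in ciphers:
        findings.append("TKIP allowed: restrict the pairwise cipher to CCMP")
    if "WPA-PSK" in key_mgmt:
        findings.append("PSK mode: shared passphrase, no per-user identity in logs")
    if ("WPA-EAP" in key_mgmt and "auth_server_addr" not in conf
            and conf.get("eap_server") != "1"):
        findings.append("WPA-EAP set but no RADIUS or internal EAP server configured")
    return ("PASS" if not findings else "WARN"), findings

SAMPLES = {  # constructed configurations, one per protection level in the article
    "wep": "ssid=lab\nwep_default_key=0\nwep_key0=0123456789",
    "wpa-psk": "ssid=guest\nwpa=3\nwpa_key_mgmt=WPA-PSK\nwpa_pairwise=TKIP CCMP",
    "wpa2-eap": "ssid=corp\nwpa=2\nwpa_key_mgmt=WPA-EAP\nrsn_pairwise=CCMP\n"
                "ieee8021x=1\nauth_server_addr=192.0.2.10",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, *audit(text))
```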
Wireless networks can increase efficiency, improve productivity and make networking more cost effective, but if they are not properly implemented they can also be the Achilles heel of your network security and expose your entire organization to compromise. Take the time to understand the risks, and how to secure your wireless network so that your organization can leverage the convenience of wireless connectivity without creating an opportunity for a security breach.