WIRELESS NETWORK SECURITY
December 5th, 2009
Network Authentication Process
The process of a client associating and authenticating to an access point is standard. If shared key authentication is selected at the client, there are a couple more packets sent confirming the key's authenticity.
The following describes the association process with EAP network authentication.
1. Client sends a probe to all access points
2. Access point sends a probe response with data rate etc.
3. Client selects the nearest matching access point
4. Client scans the access point in the order 802.11a, 802.11b, then 802.11g
5. Data rate is selected
6. Client associates to the access point with the SSID
7. With EAP network authentication the client authenticates with the RADIUS server
Open Authentication
This type of security assigns a string to an access point or several access points, defining a logical segmented wireless network known as a service set identifier (SSID). The client can't associate with an access point unless it is configured with that SSID. Associating with the network is as easy as determining the SSID from any client on the network. The access point can be configured to not broadcast the SSID, improving security somewhat. Most companies will implement static or dynamic keys to supplement the security of the SSID.
Static WEP keys
Configuring your client adapter with a static wired equivalent privacy (WEP) key improves the security of your wireless transmissions. The access point is configured with the same 40 bit or 128 bit WEP key, and during association those encrypted keys are compared. The issue is that hackers can intercept wireless packets and decode your WEP key.
Dynamic WEP keys (WPA)
The deployment of dynamic encrypted WEP keys per session strengthens security with a hashing algorithm that generates new key pairs at specific intervals, making spoofing much more difficult. The protocol standard includes 802.1x authentication methods with TKIP and MIC encryption. Authentication between the wireless client and the authentication RADIUS server allows for dynamic management of security. It should be noted that each authentication type will specify Windows platform support. An example is PEAP, which requires Windows XP with Service Pack 2, Windows 2000 with SP4 or Windows 2003 at each client.
The 802.1x standard is an authentication standard with per user and per session encryption with these supported EAP types: EAP-TLS, LEAP, PEAP, EAP-FAST, EAP-TTLS and EAP-SIM. User network authentication credentials have nothing to do with the client computer configuration, so any loss of computer equipment doesn't affect security. The encryption process is handled with TKIP, an enhanced encryption standard that improves on WEP encryption with per packet key hashing (PPK), message integrity checking (MIC) and broadcast key rotation. The protocol uses 128 bit keys for encrypting data and 64 bit keys for authentication. The sender adds some bytes, the MIC, to a packet before encrypting it, and the receiver decrypts and verifies the MIC. Broadcast key rotation will rotate unicast and broadcast keys at specific intervals. Fast reconnect is a WPA feature that allows employees to roam without having to re-authenticate with the RADIUS server should they change floors or rooms. The client username and password is cached with the RADIUS server for a specified period.
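The "add MIC, then encrypt" order described above is worth seeing end to end, because it is what lets the receiver notice a flipped ciphertext byte that a plain stream cipher would silently pass through as a flipped plaintext byte. The following is an added example, not code from the article: HMAC-SHA256 truncated to 8 bytes stands in for the Michael MIC, and a SHA-256 counter keystream stands in for the RC4 stream, so it runs on the Python standard library alone. Key sizes follow the text (128-bit data key, 64-bit MIC key); the IV length and the helper names are assumptions of this model.

```python
import hashlib
import hmac
import os

# Added example, not the article's code: a model of TKIP's "append MIC, then encrypt".
# Stand-ins: HMAC-SHA256[:8] plays the Michael MIC, a SHA-256 counter keystream plays
# the RC4 stream cipher. Real TKIP also mixes the key per packet, which is omitted here.

IV_LEN = 6     # TKIP carries a 48-bit sequence counter with each packet
MIC_LEN = 8    # the Michael MIC is 8 bytes


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Per-packet keystream from (key, iv); XOR with it both encrypts and decrypts."""
    blocks = []
    counter = 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hashlib.sha256(key + iv + counter.to_bytes(4, "big")).digest())
        counter += 1
    return b"".join(blocks)[:length]


def protect(data_key: bytes, mic_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Sender: compute the MIC over the plaintext, append it, encrypt plaintext+MIC."""
    mic = hmac.new(mic_key, plaintext, hashlib.sha256).digest()[:MIC_LEN]
    body = plaintext + mic
    ks = keystream(data_key, iv, len(body))
    return iv + bytes(a ^ b for a, b in zip(body, ks))


def unprotect(data_key: bytes, mic_key: bytes, frame: bytes):
    """Receiver: decrypt, split off the MIC, verify it. Returns the plaintext, or None
    when the MIC does not match (tampering, wrong key, or a truncated frame)."""
    if len(frame) < IV_LEN + MIC_LEN:
        return None
    iv, ciphertext = frame[:IV_LEN], frame[IV_LEN:]
    ks = keystream(data_key, iv, len(ciphertext))
    body = bytes(a ^ b for a, b in zip(ciphertext, ks))
    plaintext, mic = body[:-MIC_LEN], body[-MIC_LEN:]
    expected = hmac.new(mic_key, plaintext, hashlib.sha256).digest()[:MIC_LEN]
    if not hmac.compare_digest(mic, expected):
        return None
    return plaintext


def flip_byte(frame: bytes, index: int) -> bytes:
    """Constructed tampering for the demo: flip one ciphertext byte, which under a
    stream cipher flips the same plaintext byte. Only the keyed MIC catches it."""
    out = bytearray(frame)
    out[index] ^= 0xFF
    return bytes(out)


if __name__ == "__main__":
    data_key, mic_key = os.urandom(16), os.urandom(8)   # 128-bit data key, 64-bit MIC key
    iv = os.urandom(IV_LEN)
    frame = protect(data_key, mic_key, iv, b"GET /index.html")
    print(unprotect(data_key, mic_key, frame))                     # b'GET /index.html'
    print(unprotect(data_key, mic_key, flip_byte(frame, IV_LEN)))  # None
```

The receiver never acts on a frame whose MIC fails; in real TKIP a MIC failure also triggers countermeasures (logging and, after repeated failures, a key refresh), which is the operational signal a wireless IDS keys on.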
EAP-FAST
• Implements a symmetric key algorithm to set up a secure tunnel
• Client and RADIUS server side mutual authentication
• Client sends username and password credentials in the secure tunnel
EAP-TLS
• SSL v3 builds an encrypted tunnel
• Client side and RADIUS server side assigned PKI certificates with mutual authentication
• Dynamic per client per session keys used to encrypt data
Protected EAP (PEAP)
• Implemented at Windows clients with any EAP authentication method
• Server side RADIUS server authentication with a root CA digital certificate
• Client side authentication with the RADIUS server from the Microsoft MS-CHAP v2 client with username and password encrypted credentials
Wireless Client EAP Network Authentication Process
1. Client associates with the access point
2. Access point allows 802.1x traffic
3. Client authenticates the RADIUS server certificate
4. RADIUS server sends an encrypted username and password request to the client
5. Client sends the username and password, encrypted, to the RADIUS server
6. RADIUS server and client derive the WEP key. RADIUS server sends the WEP key to the access point
7. Access point encrypts the 128 bit broadcast key with that dynamic session key and sends it to the client
8. Client and access point use the session key to encrypt/decrypt packets
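Steps 3 to 8 are easier to reason about as one exchange with the client, RADIUS server and access point roles written out, in particular why step 3 comes before step 5: a client that releases its credentials to a server whose certificate it has not validated hands them to whoever answered. The block below is an added example, not the article's or any vendor's code. Its stand-ins are assumptions of the model: certificate validation is a pinned SHA-256 fingerprint rather than a CA chain, the TLS tunnel is a shared random secret, MS-CHAPv2 is an HMAC challenge-response, and the session key and broadcast-key wrap are HMAC based. The user database, certificate contents and function names are constructed.

```python
import hashlib
import hmac
import secrets

# Added example, not the article's code: a model of steps 3-8 of the EAP process.
# Stand-ins (assumptions of this model): pinned fingerprint instead of CA validation,
# a random shared secret instead of a TLS handshake, HMAC challenge-response instead of
# MS-CHAPv2, HMAC-derived session key and XOR-wrap instead of the real key hierarchy.

# Constructed RADIUS user store: username -> password-derived verifier.
USER_DB = {"alice": hashlib.sha256(b"correct horse battery").digest()}


def cert_fingerprint(cert: dict) -> bytes:
    """What the client pins for step 3 (stand-in for root CA chain validation)."""
    return hashlib.sha256(cert["subject"].encode() + cert["pub"]).digest()


def password_key(password: str) -> bytes:
    return hashlib.sha256(password.encode()).digest()


def client_response(password: str, username: str, challenge: bytes) -> bytes:
    """Step 5 stand-in: prove knowledge of the password without sending it in clear."""
    return hmac.new(password_key(password), username.encode() + challenge, hashlib.sha256).digest()


def session_key(tunnel_key: bytes, username: str, challenge: bytes) -> bytes:
    """Step 6: both ends derive the same per-user, per-session key from the tunnel secret."""
    return hmac.new(tunnel_key, b"session|" + username.encode() + challenge, hashlib.sha256).digest()


def wrap_broadcast_key(sess: bytes, nonce: bytes, gtk: bytes) -> bytes:
    """Step 7: the AP encrypts the broadcast (group) key under the client's session key."""
    pad = hmac.new(sess, b"gtk|" + nonce, hashlib.sha256).digest()[:len(gtk)]
    return bytes(a ^ b for a, b in zip(gtk, pad))


unwrap_broadcast_key = wrap_broadcast_key   # XOR with the same pad reverses the wrap


def eap_exchange(server_cert: dict, trusted_fp: bytes, username: str, password: str):
    """Runs the client, RADIUS and AP roles in one place. Returns the keys each side
    ends up with, or None when the exchange is refused."""
    # Step 3: the client validates the server certificate before releasing anything.
    if not hmac.compare_digest(cert_fingerprint(server_cert), trusted_fp):
        return None
    tunnel_key = secrets.token_bytes(32)     # stand-in for the TLS session secret
    # Step 4: the server challenges inside the tunnel; step 5: the client answers.
    challenge = secrets.token_bytes(16)
    response = client_response(password, username, challenge)
    expected = hmac.new(USER_DB.get(username, b""), username.encode() + challenge,
                        hashlib.sha256).digest()
    if not hmac.compare_digest(response, expected):
        return None                           # RADIUS rejects the credentials
    # Step 6: client and RADIUS derive the session key; RADIUS hands it to the AP.
    k_client = session_key(tunnel_key, username, challenge)
    k_radius = session_key(tunnel_key, username, challenge)
    ap_key = k_radius
    # Step 7: the AP wraps a fresh 128-bit broadcast key and sends it to the client.
    gtk = secrets.token_bytes(16)
    nonce = secrets.token_bytes(8)
    wrapped = wrap_broadcast_key(ap_key, nonce, gtk)
    client_gtk = unwrap_broadcast_key(k_client, nonce, wrapped)
    # Step 8: both sides now hold the unicast session key and the broadcast key.
    return {"session_key": k_client, "ap_session_key": ap_key,
            "gtk": gtk, "client_gtk": client_gtk}
```

The two refusal paths are the ones a deployment should test: a server presenting the wrong certificate gets nothing from the client, and wrong credentials never reach key derivation. Because the session key depends on a fresh challenge and tunnel secret, two logins by the same user yield different keys, which is the per-session property the text attributes to 802.1x.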
WPA-PSK
WPA pre-shared keys use some features of static WEP keys and dynamic key protocols. Each client and access point is configured with a specific static passcode. The passcode generates keys that TKIP uses to encrypt data per session. The passcode should be at least twenty-seven characters to protect against dictionary attacks.
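The passcode-to-key step above is a fixed mapping, and the dictionary attacks named later in the Security Attacks section work because a short, common passcode makes that mapping cheap to guess. As an added example that is not part of the article, the block below implements the standard WPA-PSK derivation (PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations, 256-bit output, as specified in IEEE 802.11i) together with a small policy check that enforces the article's twenty-seven character minimum. The common-phrase set and the function names are constructed for this example.

```python
import hashlib

# Added example, not the article's code. derive_psk() is the IEEE 802.11i passphrase
# mapping; passphrase_issues() is a constructed policy check using the article's
# 27-character minimum. COMMON_PHRASES is a stand-in for a real word list.

PBKDF2_ITERATIONS = 4096   # fixed by the standard
PSK_BYTES = 32             # 256-bit pre-shared key (the PMK)


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """Map an ASCII passphrase and SSID to the 256-bit pre-shared key."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA passphrase must be printable ASCII")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PSK_BYTES)


# Constructed stand-in for the "thousands of typical passcode phrases" in a dictionary.
COMMON_PHRASES = {"password", "12345678", "letmein123", "wirelessnetwork"}


def passphrase_issues(passphrase: str, min_len: int = 27) -> list:
    """Return the policy problems with a passphrase; an empty list means it passes."""
    issues = []
    if len(passphrase) < min_len:
        issues.append(f"shorter than {min_len} characters")
    if passphrase.lower() in COMMON_PHRASES:
        issues.append("appears in the common-phrase list")
    classes = [any(c.islower() for c in passphrase),
               any(c.isupper() for c in passphrase),
               any(c.isdigit() for c in passphrase),
               any(not c.isalnum() for c in passphrase)]
    if sum(classes) < 3:
        issues.append("uses fewer than three character classes")
    return issues


if __name__ == "__main__":
    # Known-answer check from the 802.11i test vectors: passphrase "password", SSID "IEEE".
    print(derive_psk("password", "IEEE").hex())
    print(passphrase_issues("password"))
    print(passphrase_issues("Correct-Horse-Battery-Staple-2009"))
```

Because the SSID is the salt, the same passphrase produces a different PSK on every network, so a PSK recovered for one SSID does not carry over to another; the policy check is where the article's length advice becomes something a provisioning script can enforce before a passcode is ever loaded onto an access point.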
WPA2
The WPA2 standard implements the WPA authentication methods with the Advanced Encryption Standard (AES). This encryption method is deployed with government implementations etc. where the most stringent security must be implemented.
Application Layer Passcode
SSG uses a passcode at the application layer. Clients can't authenticate unless they know the passcode. SSG is implemented in public places such as hotels where the client pays for the password allowing access to the network.
VLAN Assignments
As noted, companies will deploy access points with SSID assignments that define logical wireless networks. The access point SSID will then be mapped to a VLAN on the wired network, which segments traffic from specific groups as it would with a conventional wired network. Wireless deployments with multiple VLANs will then configure 802.1q or ISL trunking between the access point and the Ethernet switch.
Miscellaneous Settings
• Turn Microsoft File Sharing OFF
• Implement antivirus software and a firewall
• Install your company VPN client
• Turn OFF Auto Connect to any wireless network
• Never use Ad Hoc mode – this allows unknown laptops to connect
• Avoid signal overshoot with a good site survey
• Use the minimal transmit power setting
Anti Theft Option
Some access points have an anti-theft option available using a lock and cabling to secure equipment while deployed in public places. This is a key feature with public implementations where access points can be stolen or there is some reason why they must be mounted below the ceiling.
Security Attacks
• Wireless packet sniffers capture, decode and analyze packets sent between the client computer and access points. The purpose is to recover security information.
• Dictionary attacks try to determine the decryption key configured on the wireless network using a list or dictionary with thousands of typical passcode phrases. The hacker captures information from the authentication process and checks each dictionary word against the password until a match is found.
• The specific mode assigned to each wireless client affects security. Ad Hoc mode is the least secure option, with no access point authentication. Each computer on the network can send information to a neighbouring Ad Hoc computer. Select infrastructure mode where available.
• IP spoofing is a common network attack involving faking or replacing the source IP address of each packet. The network device thinks it is communicating with an authorized computer.
• SNMP is sometimes a source of compromised security. Implement SNMP v3 with complex community strings.
Cisco Wireless Network Design Guide available at amazon.com and eBookmall.com
Shaun Hummel is the author of various technical books and has a web site focused on information technology job search solutions and certifications.
http://www.networkjobsolutions.com
Shaun Hummel, CCNP, is a Senior Network Engineer with eleven years of experience in enterprise network planning, design, and implementation. He has worked for various private and public companies in Canada and the United States improving infrastructure, security, and management. He has written Network Planning and Design Guide, Cisco Wireless Network Design Guide and Network Assessment Guide. www.networkjobsolutions.com