White Paper. Overview of WLAN Security Functions WLAN Access Point. WLAN Security Functions Release 01 06/10. Technical Support

Transcription

1 White Paper Overview of WLAN Access Point Technical Support

2 The naming of copyrighted trademarks in this manual, even when not specially indicated, should not be taken to mean that these names may be considered as free in the sense of the trademark and tradename protection law and hence that they may be freely used by anyone Hirschmann Automation and Control GmbH Manuals and software are protected by copyright. All rights reserved. The copying, reproduction, translation, conversion into any electronic medium or machine scannable form is not permitted, either in whole or in part. An exception is the preparation of a backup copy of the software for your own use. For devices with embedded software, the end-user license agreement on the enclosed CD applies. The performance features described here are binding only if they have been expressly agreed when the contract was made. This document was produced by Hirschmann Automation and Control GmbH according to the best of the company's knowledge. Hirschmann reserves the right to change the contents of this document without prior notice. Hirschmann can give no guarantee in respect of the correctness or accuracy of the information in this document. Hirschmann can accept no responsibility for damages, resulting from the use of the network components or the associated operating software. In addition, we refer to the conditions of use specified in the license contract. You can get the latest version of this manual on the Internet at the Hirschmann product site ( Printed in Germany Hirschmann Automation and Control GmbH Stuttgarter Str Neckartenzlingen Germany Tel.:

3 1 Overview of WLAN security functions The increasingly widespread use of WLAN technology has led to higher demands on security mechanisms to protect the transmitted data from interception by unauthorised persons. Data in a WLAN are transmitted through the air which makes the control and limitation of access to the data far more difficult that with cabled LAN. Advancements have been made since the early days of the IEEE and recent years have seen the development of new functions and standards for the protection of modern WLANs. WLAN security mechanisms generally aim to fulfill the following functions: Authentication Only authorized users should have access to the WLAN and should connect only to their designated access points. Integrity The transmitted data should arrive at the receiver in their original form; manipulated data must be recognized as such and rejected. Confidentiality Unauthorized third parties should not be able to intercept the data traffic. This techpaper provides an overview of the security functions provided by the Hirschmann access points and the Hirschmann wireless routers. Further information about the underlying technology is available from other techpapers; concrete details about configuring the functions in the models are available in the reference manual for the respective version of LCOS. It is recommended that you utilise all of the available security mechanisms for the protection of your wireless networks. You should regularly update the firmware of your devices so that you can use all of the available security functions. 3

4 1.1 WEP64/128/ WEP64/128/152 WEP (Wired Equivalent Privacy) is the function incorporated in the original WLAN standard for the encryption of transmitted data. The primary aim of WEP is the protection of the data from unauthorized interception. This made use of symmetrical keys of various lengths. Embedded in the standard are the basic encryption methods WEP64 and WEP128 which ensure compatibility to all standard client adapters available on the mar The access points and routers also support encryption with WEP152 which makes use of an even longer key. WEP can provide a basic level of encryption that protects the network from unauthorised snoopers. Hackers are at least presented with a slight hurdle that complicates the interception of data. WLANs protected only by WEP are easily "cracked" by experts, so this method can only be recommended for home use whereby the WEP key needs to be changed regularly. Note: More information about WEP is available in the Hirschmann whitepaper "WPA and IEEE i". 4

5 1.2 MAC filter list (ACL) 1.2 MAC filter list (ACL) A simple yet effective method for authentication is the use of a MAC address filter. The MAC addresses of authorised client adapters are entered into a list (ACL Access Control List) in the access point which then only permits WLAN access to authorised users. For larger installations, the ACL can be centrally administered by a RADIUS server. Since an experienced hacker can get around the limitations set by an ACL, this method should not be used as the sole security mechanism. Note: Instructions for setting the ACL are to be found in the LCOS reference manual. 5

6 1.3 Closed Network 1.3 Closed Network Each cell in a wireless network is identified by a network name, the SSID (Service Set Identifier). A client adapter can only connect to a wireless network if it is programmed with the SSID. The factory settings for many wireless networks use the SSID "any", the continued use of which would relieve a potential intruder of the need to find out the wireless LANs SSID. This can be prevented with the Closed Network function. This excludes the option of registering with the SSID "any", each user must know the SSID exactly to be able to log onto the WLAN. Note: Instructions for setting up the Closed Network function are available in the LCOS reference manual. 6

7 1.4 SSID broadcast 1.4 SSID broadcast Access points announce the presence of the available wireless networks by transmitting the SSID. Potential intruders benefit from this public announcement that offers a first step towards entering a WLAN; they can search at random for wireless networks by "scanning" the environment. The SSID broadcast can be suppressed to prevent unauthorised users from finding a network by scanning. The name of the WLAN network will no longer appear in the scanner software's results list. Sophisticated scanning tools are still able to find out the SSID, however. Since these tools do not belong to the standard equipment for WLAN clients, the suppression of the SSID broadcast does present an additional hurdle to intrusion in to the WLAN network. It is not possible to suppress SSID broadcasting in wireless networks that operate with the IEEE a standard. Note: Instructions for supressing the SSID broadcast are available in the LCOS reference manual. 7

8 1.5 WPA & IEEE i 1.5 WPA & IEEE i The WEP data encryption implemented in the IEEE standard has been demonstrated as insufficient for protecting wireless LANs from professional attacks. WPA and IEEE i are significantly improved encryption methods that are now available that address these known security loopholes and offer reliable protection from attack for your wireless networks. Note: More information about WPA and IEEE i is available in the Hirschmann whitepaper "WPA and IEEE i". Instructions for setting up this encryption is available in the LCOS reference manual WPA WPA uses an improved, software-based encryption method to close the security loopholes in WEP. In particular, the dynamic key portion (initial vector) is no longer transmitted unencrypted and, with its 48 bits, is twice as long as with WEP. Further, WPA changes the key regularly so that true session keys are available even without a RADIUS server. WPA in combination with IEEE 802.1x also offers the option of authentication in corporate networks. 8

9 1.5 WPA & IEEE i IEEE i When the hardware-accelerated AES-CCK encryption algorithm is used in combination with IEEE i, an even higher level of encryption than WPA can be achieved which is comparable with VPN. This comes with no loss in performance thanks to the hardware acceleration in the access points and wireless routers. The maximum bandwidth (e. g. up to 108 Mbps in turbo mode) can be used to the full IEEE i with passphrase A simple way of encrypting a WLAN connection with IEEE i in a small network is to set up a "passphrase" for each wireless network. This is entered directly into the access point and client adapter. This passphrase serves as a basis for the calculation of the encryption key per connection and time space for a WLAN connection. Ideally, the passphrases should be as long and as complex as possible, available only to the relevant persons, and should be changed regularly. The weak link is the 'human' factor in the distribution and management of the passphrase. Regular changes in the passphrase and as complex a structure as possible are recommended to address this weakness. Note: Encryption with passphrase according to IEEE i is available with LCOS version 3.50 and higher. 9

10 1.5 WPA & IEEE i IEEE i for point-to-point connections The introduction of IEEE i means that, for the first time, point-to-point (P2P) connections can be directly encrypted; additional protection from VPN is no longer necessary. The hardware acceleration in the Schneider Electric croducts carries out this encryption without loss of performance. Note: Encryption with passphrase according to IEEE i for P2P connections is available with LCOS version 4.00 and higher. 10

11 1.6 IPSec over WLAN 1.6 IPSec over WLAN When using a VPN gateway in the access point, an alternative to IEEE i for encrypting WLAN connections is IPSec. This method is also suitable for making point-to-point connections absolutely secure from attack. Mastering this complex technology is made easy with the devices. Wizards and management tools help with fast configuration. Note: The BSI (the German Federal Office for Information Security) still recommends IPSec via WLAN as the most secure method of WLAN protection. Note: The protection via IPsec over WLAN is available for the Hirschmann devices 18x1 Wireless (A)DSL and 3550 Wireless. 11

12 1.7 IEEE 802.1x 1.7 IEEE 802.1x The protocol IEEE 802.1x in combination with IEEE i in large networks offers the possibility to carry out an authentication of every single WLAN connection. The exchange of keys or passphrases is unnecessary for this. Advanced knowledge of networking is a requirement for establishing IEEE x infrastructure, as is a CA server and an IEEE 802.1x server. This makes this application most realistic for larger company networks. Note: Further information about IEEE 802.1x can be found in the Hirschmann whitepaper "IEEE 802.1x". Note: Encryption with IEEE i with IEEE 802.1x is available with LCOS version 3.52 and higher. 12

13 1.8 Public Spot 1.8 Public Spot The Public Spot Option enables authentication within a WLAN network. Unlike IEEE 802.1x there is no subsequent encryption of the connection, however. The Public Spot Option is thus suited to monitoring the utilisation, for charging, and for surveillance. The Public Spot Option is simple to implement even in small networks as further servers are not necessary. This option can be expanded to almost any extent in combination with a RADIUS server and external accounting software. 13

14 1.9 LEPS 1.9 LEPS With LEPS (LANCOM Enhanced Passphrase Security), Hirschmann has developed an efficient method that makes use of the simple configuration of IEEE i with passphrase, but that avoids the potential error sources in passphrase distribution. LEPS uses an additional column in the ACL to assign an individual passphrase consisting of any 4 to 64 ASCII characters to each MAC address. The connection to the access point and the subsequent encryption with IEEE i or WPA is only possible with the right combination of passphrase and MAC address. This combination makes the spoofing of the MAC addresses futile and LEPS thus shuts out a potential attack on the ACL. If WPA or IEEE i are used for encryption, the MAC address can indeed be intercepted but this method never transmits the passphrase over wireless. This greatly increases the difficulty of attacking the WLAN as the combination of MAC address and passphrase requires both to be known before an encryption can be negotiated. LEPS can be used both locally in the device and centrally managed with a RADIUS server. LEPS works with all WLAN client adapters available on the market without any modification. Full compatibility to third-party products is assured as LEPS only involves configuration in the access point. An additional security aspect: LEPS can also be used to secure single pointto-point (P2P) connections with an individual passphrase. Even if an access point in a P2P installation is stolen and the passphrase and MAC address become known, all other WLAN connections secured by LEPS remain secure, particularly when the ACL is stored on a RADIUS server. Note: The setup of individual passphrases per MAC address is available as of LCOS version

15 1.10 MultiSSID 1.10 MultiSSID MultiSSID enables up to eight logical WLAN networks to operate on just one physical WLAN interface each with its own SSID. This method allows one single access point to support multiple WLAN networks, each with different security settings. This means that a single access point can simultaneously support one WLAN that is completely open and another that is protected with IEEE i, for example. Note: The deployment of MultiSSID is available with LCOS versions 3.42 and later. Note: Further information about MultiSSID can be found in the Hirschmann whitepaper "MultiSSID". 15

16 1.11 VLAN 1.11 VLAN Virtual networks (VLANs) enable the security measures for logical WLANs to be "extended" into the cabled network. This involves the assignment of each logical wireless network to a certain virtual network. Data traffic from particularly security sensitive wireless networks can be protected from eavesdroppers within the normal LAN as well. 16

17 Further support A Further support Technical questions and training courses In the event of technical queries, please contact your local Hirschmann distributor or Hirschmann office. You can find the addresses of our distributors on the Internet: Our support line is also at your disposal: Tel Fax Answers to Frequently Asked Questions can be found on the Hirschmann internet site ( at the end of the product sites in the FAQ category. The current training courses to technology and products can be found under Hirschmann Competence Center In the long term, excellent products alone do not guarantee a successful customer relationship. Only comprehensive service makes a difference worldwide. In the current global competition scenario, the Hirschmann Competence Center is ahead of its competitors on three counts with its complete range of innovative services: Consulting incorporates comprehensive technical advice, from system evaluation through network planning to project planing. Training offers you an introduction to the basics, product briefing and user training with certification. Support ranges from the first installation through the standby service to maintenance concepts. With the Hirschmann Competence Center, you have decided against making any compromises. Our client-customized package leaves you free to choose the service components you want to use. Internet: 17

18