Table of Contents
1 WLAN Security 1-1
    Overview 1-1
    Authentication Modes 1-1
    WLAN Data Security 1-2
    Client Access Authentication 1-3
    WLAN Security Policies 1-5

1 WLAN Security

Overview

WLAN networks feature ease of deployment, low cost, and good scalability. However, because radio signals are transmitted over the air, anyone within radio range receives them, and an attacker can eavesdrop on, inject, or modify radio data. Security is therefore a primary concern in WLAN deployment.

The security mechanisms of the original 802.11 standard (open system and shared key authentication, and WEP encryption) are inadequate for protecting networks that carry sensitive information. They deter casual interception, but their weaknesses are well documented and practical to exploit with freely available tools. Advanced security mechanisms beyond those of the original 802.11 standard are therefore required.

H3C WLAN security fully implements the IEEE 802.11 security standards and meets the requirements of WPA. In addition, it can cooperate with port security features to provide more secure wireless access and more flexible service combinations, satisfying various network requirements.

Both ACs and fat APs support all security features described in this document. This document describes the WLAN security implementation on ACs.

Authentication Modes

Open system authentication

Open system authentication is the default authentication algorithm and the simplest of the available algorithms. Essentially it is a null authentication algorithm: any client that requests authentication with this algorithm becomes authenticated. It is a two-step process. The first step is the authentication request; the second step is the authentication response carrying the result. Open system authentication establishes neither an identity nor a key, so any real access control must come from the encryption and client access authentication configured on top of it (see Client Access Authentication).

Figure 1-1 Open system authentication process

Shared key authentication

The following figure shows a shared key authentication process. The two parties must have the same shared (WEP) key configured.
1) The client sends an authentication request to the AP.
2) The AP randomly generates a 128-byte challenge and sends it to the client in clear text.
3) The client encrypts the challenge with the shared key (WEP/RC4) and sends the result to the AP.
4) The AP decrypts the response with the shared key and compares the result with the challenge it sent. If they are identical, the client passes the authentication. If not, the authentication fails.

Figure 1-2 Shared key authentication process

Note that this exchange exposes both the challenge (clear text) and its encryption under the shared key to anyone listening. XORing the two yields the RC4 keystream for the IV the client chose, which is enough to answer a later challenge under the same IV without ever knowing the key. Shared key authentication is therefore no stronger than open system authentication, and in practice weaker, which is why later standards rely on the key-management methods described under Client Access Authentication instead.

WLAN Data Security

Compared with wired networks, WLAN networks are more susceptible to attacks because all WLAN devices share the same medium, and thus every device can receive data from any other sending device. If no security service is provided, plain-text data is transmitted over the WLAN. To secure data transmission, the 802.11 protocols provide encryption methods that ensure that devices without the right key cannot read encrypted data.

1) WEP encryption

Wired Equivalent Privacy (WEP) was developed to protect data exchanged among authorized users in a wireless LAN from casual eavesdropping. It uses the RC4 stream cipher to encrypt data and the shared key mechanism to implement authentication. Each frame is encrypted with a per-frame RC4 key formed by prepending a 24-bit initialization vector (IV), sent in clear text, to the static key; a 32-bit CRC (the ICV) is appended to the plaintext before encryption. Although WEP-104 (a 104-bit key, commonly marketed as 128-bit) lengthens the key, WEP still has weaknesses due to limitations of the RC4 encryption algorithm, the short initialization vector (IVs repeat after at most 2^24 frames, and much sooner on a busy network), the CRC-based ICV, which is not a real integrity check, and the static key configuration. WEP can work with either open system authentication or shared key authentication.

Open-system authentication: When this authentication mode is adopted, the WEP key is used for encryption only. Even if the configured key is not correct, a client can still associate. However, the data sent by the client is discarded by the receiver because the ICV check fails under the wrong key.

Shared-key authentication: When this authentication mode is adopted, the WEP key is used for both authentication and encryption. If the configured key is not correct, a client cannot pass authentication. That is, when WEP encryption is used together with the shared-key authentication mode, WEP also serves as an authentication method.
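The following is an added example, not code from the H3C document: it implements WEP framing (IV || RC4(IV || key, data || CRC32 ICV)) and plays out the four-frame shared key authentication exchange of Figure 1-2, then shows the weakness noted above by recovering the keystream from one observed exchange and answering a fresh challenge without the key. The WEP-104 key, IVs and challenge bytes are constructed for the example; key and challenge sizes follow IEEE 802.11-1999.

```python
"""WEP framing and the shared key authentication exchange (added example, not H3C code).

Key sizes (WEP-40/WEP-104) and the 128-byte challenge follow IEEE 802.11-1999;
the sample key, IVs and challenges are constructed.
"""
import os
import zlib
from typing import Optional


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key schedule, then XOR the generated keystream over data."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: IV (3 bytes, in clear) || RC4(IV || key, plaintext || CRC32 ICV)."""
    assert len(iv) == 3 and len(key) in (5, 13)           # WEP-40 or WEP-104
    icv = zlib.crc32(plaintext).to_bytes(4, "little")     # ICV is a plain CRC, not a MAC
    return iv + rc4(iv + key, plaintext + icv)


def wep_decrypt(key: bytes, frame: bytes) -> Optional[bytes]:
    """Return the plaintext, or None when the ICV fails (wrong key or tampering)."""
    iv, body = frame[:3], frame[3:]
    plain = rc4(iv + key, body)
    data, icv = plain[:-4], plain[-4:]
    return data if zlib.crc32(data).to_bytes(4, "little") == icv else None


# --- shared key authentication: the four frames of Figure 1-2 ---

def ap_challenge() -> bytes:
    return os.urandom(128)                                 # frame 2: 128-byte challenge text


def client_response(key: bytes, challenge: bytes) -> bytes:
    return wep_encrypt(key, os.urandom(3), challenge)      # frame 3: challenge under the shared key


def ap_verify(key: bytes, challenge: bytes, response: bytes) -> bool:
    return wep_decrypt(key, response) == challenge         # frame 4: success iff it decrypts to the challenge


# --- why shared key authentication is weaker than open system ---

def recover_keystream(challenge: bytes, response: bytes) -> tuple:
    """A passive listener sees the challenge (plaintext) and the response (ciphertext).
    XORing them yields the 132-byte RC4 keystream for that IV (challenge + ICV)."""
    iv, body = response[:3], response[3:]
    icv = zlib.crc32(challenge).to_bytes(4, "little")
    return iv, bytes(a ^ b for a, b in zip(challenge + icv, body))


def forge_response(iv: bytes, keystream: bytes, new_challenge: bytes) -> bytes:
    """Answer a fresh challenge without the key: the sender picks the IV, so reuse the one
    whose keystream is known (any 128-byte challenge needs exactly 132 keystream bytes)."""
    icv = zlib.crc32(new_challenge).to_bytes(4, "little")
    return iv + bytes(a ^ b for a, b in zip(new_challenge + icv, keystream))


def demo() -> tuple:
    key = bytes.fromhex("0123456789abcdef0123456789")       # constructed WEP-104 key
    wrong_key = bytes.fromhex("ffffffffffffffffffffffffff")

    # A legitimate client authenticates; a client with the wrong key is rejected.
    ch = ap_challenge()
    resp = client_response(key, ch)
    legit_ok = ap_verify(key, ch, resp)
    wrong_rejected = not ap_verify(key, ch, client_response(wrong_key, ch))

    # An attacker who only sniffed (ch, resp) authenticates next, with no key at all.
    iv, ks = recover_keystream(ch, resp)
    ch2 = ap_challenge()
    forged_ok = ap_verify(key, ch2, forge_response(iv, ks, ch2))
    return legit_ok, wrong_rejected, forged_ok


if __name__ == "__main__":
    print(demo())   # (True, True, True)
```

The same recovered keystream also lets the attacker inject arbitrary 132-byte data frames under that IV, and because the ICV is a linear CRC, bit flips in the ciphertext can be compensated in the ICV; neither problem exists with the CCMP protocol described later.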

2) TKIP encryption

Temporal Key Integrity Protocol (TKIP) is a cipher suite that enhances the WEP protocol on pre-RSNA hardware, so that legacy adapters can be upgraded by a firmware or driver change. It has many advantages over WEP. The main weaknesses of WEP are that it uses the same key for all frames, with only the 24-bit IV changing, and that it has no key management system. TKIP addresses these problems:

First, TKIP provides longer IVs and keys. Compared to WEP, the key length increases from 40 bits to 128 bits, and the IV (the TKIP sequence counter) increases from 24 bits to 48 bits. A per-packet key mixing function combines the temporal key, the transmitter address and the sequence counter, so every frame uses a different RC4 key and the known attacks on static WEP keys no longer apply; the sequence counter also serves as a replay counter.

Second, TKIP allows for dynamic key negotiation. TKIP replaces static keys with temporal keys derived per session from a pairwise master key (PMK) through the 4-way handshake; the PMK itself comes either from an authentication server (802.1X/EAP) or from a pre-shared key. Although TKIP uses the same RC4 algorithm as WEP, its keys are fresh and short-lived.

Third, TKIP adds the Michael Message Integrity Check (MIC) and countermeasures. A wrong MIC indicates that the data may have been tampered with and that the system may be under attack. Because Michael is a deliberately weak MIC, the standard mandates countermeasures: on a second MIC failure within 60 seconds, the station stops all TKIP traffic for 60 seconds and then rekeys. Be aware that an attacker who can inject frames with bad MICs can trigger these countermeasures as a denial of service. TKIP was a transitional measure; it is deprecated in later revisions of 802.11 and should be replaced by CCMP wherever the hardware allows.

3) CCMP encryption

CTR with CBC-MAC Protocol (CCMP) is based on the CCM mode of the AES encryption algorithm. CCM combines CTR mode for confidentiality with CBC-MAC for authentication and integrity. CCM protects the integrity of both the MPDU Data field and selected portions of the IEEE 802.11 MPDU header (the additional authenticated data). All AES processing within CCMP uses AES with a 128-bit key and a 128-bit block size. CCM requires a fresh temporal key for every session. It also requires a unique nonce value for each frame protected by a given temporal key, and CCMP uses a 48-bit packet number (PN) for this purpose: the nonce is built from the frame priority, the transmitter address and the PN, and a receiver discards any frame whose PN is not greater than the last one it accepted from that transmitter. Reuse of a PN with the same temporal key voids all security guarantees, because CTR mode turns a repeated nonce into a repeated keystream.
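The following is an added example, not code from the H3C document: it builds the 8-byte CCMP header and the 13-byte CCM nonce exactly as 802.11i lays them out, implements the receiver's replay check on the PN, and demonstrates why PN reuse is fatal. The standard library has no AES, so the keystream generator is a clearly labelled stand-in (HMAC-SHA256 keyed by the temporal key over nonce || counter) that shares the one property of CTR mode that matters here: it depends only on key, nonce and counter. The CBC-MAC tag is not computed; the temporal key, addresses and frames are constructed.

```python
"""CCMP packet numbers: header encoding, nonce construction, replay check, PN reuse
(added example, not H3C code; the keystream function is a stand-in for AES-CTR).
"""
import hashlib
import hmac
from dataclasses import dataclass, field

PN_MAX = (1 << 48) - 1


def ccmp_header(pn: int, key_id: int = 0) -> bytes:
    """8-byte CCMP header: PN0 PN1 rsvd (KeyID|ExtIV) PN2 PN3 PN4 PN5, PN0 least significant."""
    assert 0 <= pn <= PN_MAX and 0 <= key_id <= 3
    p = pn.to_bytes(6, "little")
    return bytes([p[0], p[1], 0, 0x20 | (key_id << 6), p[2], p[3], p[4], p[5]])


def parse_pn(header: bytes) -> int:
    assert len(header) == 8 and header[3] & 0x20, "ExtIV must be set for CCMP"
    return int.from_bytes(bytes([header[0], header[1]]) + header[4:8], "little")


def ccm_nonce(priority: int, a2: bytes, pn: int) -> bytes:
    """13-byte CCM nonce: priority octet || transmitter address (A2) || PN big-endian.
    Under one temporal key, uniqueness comes entirely from (A2, PN)."""
    return bytes([priority & 0x0F]) + a2 + pn.to_bytes(6, "big")


def keystream(tk: bytes, nonce: bytes, nbytes: int) -> bytes:
    """STAND-IN for AES-CTR (no AES in the standard library): HMAC-SHA256(tk, nonce || ctr).
    Like CTR mode it depends only on (key, nonce, counter), so nonce reuse repeats it."""
    out = b""
    ctr = 1
    while len(out) < nbytes:
        out += hmac.new(tk, nonce + ctr.to_bytes(2, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:nbytes]


@dataclass
class Transmitter:
    tk: bytes
    a2: bytes
    pn: int = 0       # a fresh TK starts the counter at 0; it must never wrap or repeat

    def protect(self, priority: int, payload: bytes) -> bytes:
        if self.pn >= PN_MAX:
            raise RuntimeError("PN space exhausted: rekey before sending another frame")
        self.pn += 1
        ks = keystream(self.tk, ccm_nonce(priority, self.a2, self.pn), len(payload))
        return ccmp_header(self.pn) + bytes(a ^ b for a, b in zip(payload, ks))


@dataclass
class Receiver:
    tk: bytes
    last_pn: dict = field(default_factory=dict)   # replay counter per (A2, priority)

    def unprotect(self, a2: bytes, priority: int, frame: bytes):
        """Confidentiality half only (no CBC-MAC tag check in this example)."""
        pn = parse_pn(frame[:8])
        if pn <= self.last_pn.get((a2, priority), 0):
            return None                       # replayed or reordered frame: discard
        self.last_pn[(a2, priority)] = pn
        ks = keystream(self.tk, ccm_nonce(priority, a2, pn), len(frame) - 8)
        return bytes(a ^ b for a, b in zip(frame[8:], ks))


def pn_reuse_leak(tk: bytes, a2: bytes, pn: int, m1: bytes, m2: bytes) -> bytes:
    """Two frames sent under the same (TK, A2, PN): an eavesdropper XORs the two
    ciphertexts and obtains m1 XOR m2 without any key."""
    ks = keystream(tk, ccm_nonce(0, a2, pn), max(len(m1), len(m2)))
    c1 = bytes(a ^ b for a, b in zip(m1, ks))
    c2 = bytes(a ^ b for a, b in zip(m2, ks))
    return bytes(a ^ b for a, b in zip(c1, c2))


def demo() -> tuple:
    tk = hashlib.sha256(b"constructed temporal key").digest()[:16]   # constructed 128-bit TK
    ap = bytes.fromhex("00095bcfcce3")                               # constructed transmitter A2
    tx, rx = Transmitter(tk, ap), Receiver(tk)
    f1 = tx.protect(0, b"first frame")
    f2 = tx.protect(0, b"second frame")
    ok = rx.unprotect(ap, 0, f1) == b"first frame" and rx.unprotect(ap, 0, f2) == b"second frame"
    replay_dropped = rx.unprotect(ap, 0, f1) is None     # PN 1 after PN 2: rejected
    leak = pn_reuse_leak(tk, ap, 7, b"attack at dawn", b"attack at dusk")
    return ok, replay_dropped, leak


if __name__ == "__main__":
    print(demo())
```

In the leak result every byte where the two plaintexts agree comes out as zero, which is how an eavesdropper learns where and how two messages differ; with real traffic (known headers, predictable protocol fields) that is usually enough to recover both. This is the reason the standard ties the PN to the temporal key and requires a rekey before the 48-bit space could ever wrap.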
Client Access Authentication

1) PSK authentication

To implement pre-shared key (PSK) authentication, the client and the authenticator must have the same shared key configured. Otherwise, the client cannot pass authentication. The PSK is a 256-bit key, normally derived from a passphrase and the SSID with PBKDF2; it serves as the pairwise master key (PMK), and the 4-way handshake both proves that the two sides hold it and derives the session (temporal) keys from it. Because the handshake can be captured and the derivation is public, anyone in range can test passphrase guesses offline, so the security of PSK authentication rests entirely on the passphrase strength. Note also that every client that knows the PSK can derive any other client's session keys from a captured handshake.

Figure 1-3 PSK authentication

2) MAC authentication

MAC authentication provides a way of authenticating clients based on ports and MAC addresses. You can configure permitted MAC address lists to filter clients. However, administration becomes impractical as the number of clients grows, and a MAC address is transmitted in clear text in every frame and is trivially copied by an attacker. MAC authentication is therefore applicable only to environments without high security requirements, for example SOHO and small offices, and should be combined with encryption rather than used on its own. MAC authentication falls into two modes:

Local MAC authentication: When this authentication mode is adopted, you configure a permitted MAC address list on the device. If the MAC address of a client is not in the list, its access request is denied.

Figure 1-4 Local MAC authentication (permitted MAC address list on the AC: 0009-5bcf-cce3, 0011-9548-4007, 000f-e200-00a2; clients 0009-5bcf-cce3 and 0011-9548-4007 connect through the AP and L2 switch; client 001a-9228-2d3e is not in the list)

Remote Authentication Dial-In User Service (RADIUS) based MAC authentication: If the device finds that the current client is unknown, it sends an authentication request carrying the client's MAC address to the RADIUS server. After the client passes the authentication, it can access the WLAN network with the authorization information returned by the server.

Figure 1-5 RADIUS-based MAC authentication

3) 802.1X authentication

As a port-based access control protocol, 802.1X authenticates a client before it can access the WLAN through the associated AP. The client (supplicant) exchanges EAP messages with an authentication server (typically RADIUS) via the AP or AC, which acts as the authenticator and relays only EAP traffic until the server reports success; the keying material produced by the EAP method then becomes the PMK for the 4-way handshake, exactly as the PSK does in PSK authentication. If the client fails to pass 802.1X authentication, it cannot access WLAN resources.

Figure 1-6 802.1X authentication process
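Both PSK authentication and 802.1X end at the same point: a PMK on each side and a 4-way handshake that proves it and derives the session keys. The following is an added example, not code from the H3C document, that works the PSK case through end to end: PBKDF2 turns the passphrase and SSID into the PMK, the 802.11i PRF turns PMK, both addresses and both nonces into the PTK, and the KCK from the PTK produces the Key MIC on EAPOL-Key message 2, which the authenticator recomputes. The last function shows the offline passphrase test that a listener with a captured handshake can run, which is the reason PSK security rests on the passphrase. The layout of the EAPOL-Key frame is the real one; the SSID, passphrase, addresses, nonces and candidate list are constructed.

```python
"""PSK authentication end to end: passphrase -> PMK -> PTK -> EAPOL-Key MIC
(added example, not H3C code). Follows IEEE 802.11i: PBKDF2-HMAC-SHA1 with 4096
iterations, PRF-384 for a CCMP PTK, and HMAC-SHA1 Key MIC truncated to 16 bytes
(key descriptor version 2). Addresses, nonces and frame values are constructed.
"""
import hashlib
import hmac
from typing import Optional


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """802.11i Annex H: PSK = PBKDF2(passphrase, SSID, 4096, 256 bits); with WPA-PSK the PMK is the PSK."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || i), truncated."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Pairwise Transient Key for CCMP (48 bytes): KCK(16) || KEK(16) || TK(16).
    Both sides compute it once messages 1 and 2 have carried the two nonces."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)


MIC_OFFSET = 81    # EAPOL header (4) + Key Descriptor fields preceding the Key MIC (77)
NONCE_OFFSET = 17  # EAPOL header (4) + type (1) + key info (2) + key length (2) + replay counter (8)


def eapol_key_mic(kck: bytes, frame: bytes) -> bytes:
    """Key MIC, descriptor version 2 (WPA2/AES): HMAC-SHA1 over the frame with the MIC field zeroed."""
    zeroed = frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_msg2(snonce: bytes, key_data: bytes = b"") -> bytes:
    """EAPOL-Key message 2 with the real field layout and a zeroed MIC field.
    Fields other than SNonce are placeholders for this constructed frame."""
    body = (bytes([2])                          # Key Descriptor Type: RSN
            + bytes.fromhex("010a")             # Key Information: version 2, pairwise, MIC present
            + bytes.fromhex("0010")             # Key Length: 16 (CCMP)
            + bytes(8)                          # Replay Counter (placeholder)
            + snonce                            # Key Nonce: SNonce
            + bytes(16) + bytes(8) + bytes(8)   # Key IV, Key RSC, Key ID (unused in msg 2)
            + bytes(16)                         # Key MIC, filled in by the supplicant
            + len(key_data).to_bytes(2, "big") + key_data)
    return bytes([2, 3]) + len(body).to_bytes(2, "big") + body   # EAPOL v2, type 3 = EAPOL-Key


def supplicant_msg2(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Client side: derive the PTK and sign message 2 with the KCK."""
    ptk = derive_ptk(pmk, aa, spa, anonce, snonce)
    frame = build_msg2(snonce)
    mic = eapol_key_mic(ptk[:16], frame)
    return frame[:MIC_OFFSET] + mic + frame[MIC_OFFSET + 16:]


def authenticator_checks_msg2(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, frame: bytes) -> bool:
    """AP side: read SNonce out of the frame, derive the same PTK, recompute and compare the MIC."""
    snonce = frame[NONCE_OFFSET:NONCE_OFFSET + 32]
    ptk = derive_ptk(pmk, aa, spa, anonce, snonce)
    return hmac.compare_digest(eapol_key_mic(ptk[:16], frame), frame[MIC_OFFSET:MIC_OFFSET + 16])


def offline_guess(ssid: str, aa: bytes, spa: bytes, anonce: bytes, frame: bytes, candidates) -> Optional[str]:
    """What a listener holding messages 1 and 2 can do: test passphrases with no further
    interaction with the network. This is why WPA-PSK is only as strong as the passphrase."""
    for cand in candidates:
        if authenticator_checks_msg2(pmk_from_passphrase(cand, ssid), aa, spa, anonce, frame):
            return cand
    return None


def demo() -> tuple:
    ssid, passphrase = "H3C-Office", "correct horse battery"     # constructed
    aa = bytes.fromhex("00095bcfcce3")                           # constructed AP address
    spa = bytes.fromhex("001a92282d3e")                          # constructed client address
    anonce = hashlib.sha256(b"anonce").digest()                  # fixed stand-ins for random nonces
    snonce = hashlib.sha256(b"snonce").digest()
    pmk = pmk_from_passphrase(passphrase, ssid)
    msg2 = supplicant_msg2(pmk, aa, spa, anonce, snonce)
    accepted = authenticator_checks_msg2(pmk, aa, spa, anonce, msg2)
    rejected = not authenticator_checks_msg2(pmk_from_passphrase("wrong", ssid), aa, spa, anonce, msg2)
    guessed = offline_guess(ssid, aa, spa, anonce, msg2, ["password", "12345678", passphrase])
    return accepted, rejected, guessed


if __name__ == "__main__":
    print(demo())
```

Each candidate costs 4096 HMAC-SHA1 iterations plus one PRF, which slows a guesser down but does not stop one: a short or dictionary passphrase falls to the offline loop above, and with 802.1X the PMK comes from the EAP method instead, so there is no passphrase to guess. The TK at ptk[32:48] is the temporal key that CCMP then uses.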

WLAN Security Policies

Home and small enterprise networks that accommodate a few wireless users do not require dedicated IT administrators or authentication servers. In these scenarios, you can adopt the WPA-PSK + access point hiding policy to meet security requirements. Note that hiding the access point (not broadcasting the SSID in beacons) is a convenience measure only: the SSID still appears in probe and association frames, so it stops no determined attacker, and the real protection comes from a strong WPA-PSK passphrase.

In scenarios such as hospitals, schools and warehouses, wireless networks need to cover a wide area and serve many clients, and a single pre-shared key is no longer suited. You can adopt 802.1X authentication for these networks, in which a RADIUS server authenticates each wireless client individually and effectively filters unauthorized users.

In public WLANs, large enterprises and financial institutes, users may access the network through public hotspots such as airports and cafés, which gives unauthorized users opportunities to access these networks and compromise network security. To prevent this, you can adopt the advanced security solution that combines user isolation, IEEE 802.11i (WPA2 with CCMP encryption), and RADIUS authentication and accounting.

Table 1-1 WLAN security policies

Security level | Scenarios | Security policies
Low | Homes, small enterprises, and so on | WPA-PSK + access point hiding
Intermediate | Hospitals, schools, warehouses, and so on | IEEE 802.1X authentication + TKIP encryption
High | Public WLANs, large enterprises, financial institutes, and so on | User isolation + IEEE 802.11i + RADIUS authentication and accounting (for ISPs)

Where the client hardware supports it, CCMP should replace TKIP in the intermediate policy as well.