In-depth analysis: enterprise wireless network security issues (1)

Source: Internet
Author: User

Enterprise wireless network security is a complicated problem for many administrators. Which aspects should be analyzed, and where should you start? This article gives a detailed introduction and summarizes the main enterprise wireless network security issues.

Enterprise Wireless Network Security Question 1. Wireless Identity Authentication

Traditional wired networks have used "user names and passwords" for identity authentication for many years. CHAP, MS-CHAP, MS-CHAPv2, and EAP-MD5 are challenge-based password protocols frequently used in wired and dial-up infrastructure. These identity authentication systems are based on a password hash and a random challenge sent by the identity authentication server. Although the password hash/challenge system has been quite reliable in wired infrastructure, deploying the same identity authentication mechanism over wireless has proved to be flawed. By capturing or listening to identity authentication packets on the broadcast frequencies, hackers can use common dictionary attack tools to recover passwords transmitted over the air, steal session information through man-in-the-middle attacks, or attempt replay attacks.

Because the defects in the identity authentication methods used in wired networks can be easily exploited in wireless networks, the IETF and the IEEE standards committee have worked with leading wireless vendors to establish a more reliable wireless identity authentication method. IEEE 802.1x is currently the most important wireless authentication standard.

Enterprise Wireless Network Security Question 2. 802.1x WiFi Identity Authentication

The IEEE wireless LAN committee has enhanced 802.1x and recommends it as a way to strengthen user identity authentication in wireless environments. It solves common problems in early 802.11b implementations and allows Extensible Authentication Protocol (EAP) sub-protocols to be used to increase the security of the identity authentication exchange between clients and identity authentication servers, and to encrypt that information. As an identity authentication framework, 802.1x lays the foundation for the client to authenticate through an identity authentication server. It is an open standard that can be extended with sub-protocols and does not specify which EAP authentication method should be preferred, so it can be expanded and upgraded when newer identity authentication technology is developed.

802.1x uses an external identity authentication server (usually RADIUS) to authenticate the client. In addition to simple user authentication, some wireless products have begun to use identity authentication servers to provide user policy or user control functions. These advanced features may include dynamic VLAN allocation and dynamic user policies.

Compared with earlier 802.11b implementations, 802.1x has the following advantages:

(1) Identity authentication is based on users. Every user accessing the wireless network has a unique user account on the RADIUS authentication server. You therefore no longer need device-based identity authentication methods, such as MAC address filtering and static WEP keys, which are easy to forge.

(2) The RADIUS server holds all user accounts and policies, so each access point does not need its own copy of the identity authentication database. This simplifies the management and coordination of account information.

(3) RADIUS, as a method for identity authentication for remote access, has been widely recognized and adopted for many years. People know it very well, and it is also a mature technology.

(4) The company can select the EAP authentication protocol that best suits its security needs: two-way certificates can be selected where security requirements are high, and in other cases one-way certificates can be selected to accelerate implementation and reduce maintenance costs. Popular EAP types include EAP-TLS, EAP-TTLS, and PEAP.

(5) To provide the required scalability, you can deploy authentication servers in a hierarchical manner.

(6) The total cost of ownership of 802.1x is lower than that of wireless access point management solutions that store user accounts on each access point.

Enterprise Wireless Network Security Question 3. Extensible Authentication Protocol (EAP)

There are many types of EAP. EAP is a sub-protocol of 802.1x used to protect the transmission of authentication information between the client and the authenticating party. Depending on the type of EAP used, you can also specify related data security mechanisms.

The need for wireless security drives the development of 802.1x and secure data transmission. Updated EAP authentication protocols will therefore be developed to solve various security problems. According to the IEEE 802.1x and EAP standards, these new EAP security protocols should continue to work with existing hardware.
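
The following Python sketch is an added example, not code from the original article. It parses the EAP header (Code, Identifier, Length, Type) and reports whether a session used a bare challenge/hash method such as EAP-MD5, which Question 1 describes as flawed over wireless, or one of the TLS-based types listed above (EAP-TLS, EAP-TTLS, PEAP). The function names and the sample sessions are constructed for illustration.

```python
import struct

# Method numbers from the IANA EAP registry; 1-3 are Identity/Notification/Nak.
EAP_METHODS = {4: "MD5-Challenge", 13: "EAP-TLS", 21: "EAP-TTLS",
               25: "PEAP", 26: "EAP-MSCHAPv2"}
TLS_PROTECTED = {13, 21, 25}   # credentials travel inside a TLS session
BARE_CHALLENGE = {4, 26}       # challenge and password-derived response in clear
REQUEST, RESPONSE, SUCCESS = 1, 2, 3


def eap(code, ident, body=b""):
    """Build an EAP packet: Code, Identifier, 16-bit Length, then Type + data."""
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_eap(packet):
    """Return (code, identifier, method type or None) for one EAP packet."""
    if len(packet) < 4:
        raise ValueError("EAP header is 4 bytes")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length > len(packet):
        raise ValueError("bad EAP length field")
    # Only Request/Response carry a Type byte; Success/Failure are header-only.
    if code in (REQUEST, RESPONSE) and length >= 5:
        return code, ident, packet[4]
    return code, ident, None


def audit_session(packets):
    """List each authentication method seen in a session with a verdict."""
    findings = []
    for raw in packets:
        mtype = parse_eap(raw)[2]
        if mtype is None or mtype <= 3:
            continue
        name = EAP_METHODS.get(mtype, f"type-{mtype}")
        verdict = ("tls-protected" if mtype in TLS_PROTECTED else
                   "bare-challenge" if mtype in BARE_CHALLENGE else "review")
        if (name, verdict) not in findings:
            findings.append((name, verdict))
    return findings


# Constructed sample sessions (not captured traffic): identity exchange,
# first method request, then Success.
LEGACY = [eap(REQUEST, 1, b"\x01"), eap(RESPONSE, 1, b"\x01alice"),
          eap(REQUEST, 2, b"\x04\x10" + bytes(16)), eap(SUCCESS, 3)]
PEAP = [eap(REQUEST, 1, b"\x01"), eap(RESPONSE, 1, b"\x01alice"),
        eap(REQUEST, 2, b"\x19\x20"), eap(SUCCESS, 3)]
```

Running `audit_session` over EAP payloads extracted from RADIUS accounting or access point logs gives a quick inventory of which clients still negotiate a method that should be retired on the wireless network.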

