In WLANs, data security becomes the most important issue because the data transmitted is transmitted using radio waves in the air, which can penetrate the ceiling, floors and walls, and transmit data that may reach the intended reception equipment that is installed on different floors or even the transmitter's building.
Problem one: Easy to invade
Wireless LAN is very easy to find, in order to enable users to discover the existence of wireless networks, the network must send a specific parameter of the beacon frame, so that the attacker to provide the necessary network information. Intruders can attack the network via highly sensitive antennas from the side of the road, in buildings, and anywhere else without any physical intrusion.
Solution: Enhance network access control
Easy access does not mean vulnerable to attack. An extreme means is to prevent electromagnetic leakage through the electromagnetic shielding of the house, of course, through powerful network access control can reduce the risk of wireless network configuration. If the AP is placed outside a network security device such as a firewall, it is best to consider connecting to the backbone via VPN technology, preferably using IEEE802.1X based new wireless networking products. IEEE802.1X defines a new type of frame for user-level authentication, with the help of the user database already existing in the enterprise network, the front-end authentication based on Ieee802.1x wireless network is converted to the Rasius authentication of the back-end based on the wired network.
Question two: illegal AP
Wireless LANs are easy to access and configure simple features that make network administrators and security officials very headache. Because anyone's computer can be connected to the network without authorization through the access point they buy. Many departments are not authorized by the company's IT center to build their own wireless LAN, users through illegal AP access to the network to bring great security risks.
Solution: Periodic site reviews
Like many other networks, wireless networks have a corresponding requirement in terms of security management. Before intruders use the network to find unauthorized networks through the receiving antenna, monitoring at physical sites should be as frequent as possible, and frequent monitoring can increase the chances of discovering illegal configuration sites, but it can take a lot of time and poor mobility. One way to compromise is to choose a small handheld test device. The administrator can detect any location on the network at any time through a handheld scan device.
Question three: authorized use of services
Back to the column page: http://www.bianceng.cnhttp://www.bianceng.cn/Network/Security/
More than half of the users use the AP only to make minimal changes based on their default configuration. Almost all AP are configured to turn on WEP for encryption or use the default key provided by the original. Because of the open access mode of WLAN, unauthorized use of network resources will not only increase the bandwidth cost, but also may lead to legal disputes. And an unauthorized user who fails to comply with the terms of service offered by the service provider may cause the ISP to interrupt the service.
Solution: Enhance security certification
The best defense method to strengthen security authentication is to prevent unauthorized users from entering the network, because access privileges are based on user identity, so encryption is the authentication process encryption is the prerequisite for authentication, through the VPN technology can effectively protect the network traffic transmission through the radio.
Once the network is successfully configured, a rigorous authentication approach and authentication strategy will be critical. Wireless networks also need to be tested regularly to ensure that network devices use security authentication mechanisms and that network devices are configured properly.
Problem four: Service and performance constraints
Wireless LAN transmission bandwidth is limited, because of the physical layer overhead, so that the actual maximum effective wireless LAN throughput is only half of the standard, and the bandwidth is shared by all users of AP.
Wireless bandwidth can be swallowed in several ways: the network traffic from the wired network far exceeds the bandwidth of the wireless network, and if an attacker sends a large amount of ping traffic from a fast Ethernet, it can easily devour the limited bandwidth of the AP; If the broadcast traffic is sent, it will block multiple APS at the same time; An attacker can send a signal within the same wireless channel as the wireless network, so that the attacked network will automatically adapt through the CSMA/CA mechanism, which also affects the transmission of the wireless network, in addition, the transmission of large data files or complex client/server system will generate great network traffic.
Solution: Network Detection
Location performance failure should start with monitoring and discovery, many AP can report statistics through SNMP, but the information is very limited, can not reflect the user's actual problems. and the wireless network tester can truthfully reflect the current position signal quality and network health situation. The tester can effectively identify the network rate, the type of frame, and help to locate the fault.
Problem five: Address spoofing and session interception
Since 802.11 wireless LAN does not authenticate data frames, attackers can redirect data streams through spoofed frames and make ARP tables confusing, and in a very simple way, attackers can easily obtain MAC addresses of sites in the network that can be used for malicious attacks.
In addition to attackers attacking by deception frames, an attacker can detect the presence of an AP by intercepting the session frame and discovering the presence of the APS by monitoring the broadcast frames emitted by the AP. However, since 802.11 does not require an AP to prove that it is really an AP, an attacker can easily dress up as an AP into the network, through which an attacker could gain further access to authenticated identity information. The network intrusion through session interception is unavoidable until the 802.11i technology is used to authenticate every 802.11 mac frame.
Solution: Isolate with critical networks
Before the 802.11i was formally approved, the threat of MAC address spoofing to wireless networks persisted. The network administrator must detach the wireless network from the vulnerable core network.
Problem six: Traffic analysis and traffic interception
802.11 cannot prevent attackers from listening to network traffic passively, and any wireless network analyzer can intercept unencrypted network traffic without any hindrance. Currently, WEP has vulnerabilities that can be exploited by attackers, which protects only the initial data of user and network traffic, and that management and control frames are not encrypted and authenticated by WEP, providing an opportunity for an attacker to suspend network traffic with spoofed frames. In the early days, WEP was very easy to decrypt with tools such as Airsnort and WEPCrack, but many vendors later released firmware that could avoid these known attacks. As an extension of the protection function, the newest wireless LAN product's protection function takes one step further, realizes the WEP key change every 15 minutes with the Key management protocol. Even the busiest network will not generate enough data in such a short time to confirm that the attacker cracked the key.
Solution: Encrypt with a reliable protocol
If a user's wireless network is used to transmit more sensitive data, it is not enough to use WEP encryption alone, and additional encryption techniques like SSH, SSL, and IPSec are needed to enhance the security of the data.
Question Seven: Advanced intrusion
Once an attacker enters a wireless network, it becomes the starting point for further intrusion into other systems. Many networks have a carefully set security device as the shell of the network to prevent illegal attacks, but within the shell-protected network is very fragile and vulnerable to attack. Wireless networks can quickly access the backbone of the network through simple configuration, but this exposes the network to attackers. Even a network with a certain border security device can also expose the network to attack.
Solution: Isolate wireless networks and core networks
Because wireless networks are vulnerable to attack, they are considered an unreliable network. Many companies place wireless networks in public areas, such as lounges and training classrooms, as a way to provide access to their guests. Network should be placed outside the core network protection shell, such as outside the firewall, access to the core network using VPN.