Diversified Wireless LAN security

Source: Internet
Author: User

Security has always been the weak point of wireless LANs, and it has held back their wider adoption. From the beginning of wireless LAN technology, people have worked on closing that gap, and the mechanisms that emerged build on one another. This article walks through that progression and what each mechanism does and does not protect against; understanding it helps users choose effective security measures.

Wireless Network Security Process

In the early days of wireless LANs, the two main security mechanisms were physical address (MAC) filtering and service set identifier (SSID) matching. With MAC filtering, the wireless access point (AP) keeps a list of the MAC addresses that are allowed to connect and rejects all others. With SSID matching, a wireless station must present the correct SSID to associate with the AP, so the SSID acts as a rudimentary shared password. Neither is strong: MAC addresses travel in the clear and are trivially changed on the client, and the SSID is broadcast in beacons or revealed by any associating client even when beacons omit it.

MAC filtering and SSID matching solve only a limited set of problems, so the Wired Equivalent Privacy (WEP) protocol was pushed to the forefront. WEP protects link-layer data in the wireless LAN: it encrypts frames with the RC4 stream cipher and uses the same key for access control (shared-key authentication). Its key sizes are usually quoted as 64-bit and 128-bit, but each figure includes a 24-bit initialization vector (IV) that is sent in the clear; the secret part of the key is 40 or 104 bits. WEP interoperates well: every product certified by the Wi-Fi Alliance implements it.
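To make the weakness of WEP's key scheme concrete, here is an added example (not code from the original article) that builds WEP frames the way the standard does, IV || RC4(IV || secret, payload || CRC-32), and then plays the attacker: when two frames share an IV they share a keystream, so one frame with known plaintext (the LLC/SNAP header at the start of every IP frame is always known) decrypts the other. The secret key, the IV and both payloads are constructed for the demonstration; `frames_until_iv_repeat` is a plain birthday-bound estimate of how soon a 24-bit IV repeats.

```python
"""WEP keystream reuse, added here as a demonstration; it is not code from the
original article. WEP seeds RC4 with key = IV || secret, where the IV is 24 bits
and the secret is 40 or 104 bits (hence the advertised 64- and 128-bit sizes).
The IV travels in the clear, and with only 2**24 values it repeats quickly.
Two frames encrypted under the same IV share a keystream: knowing one frame's
plaintext yields the keystream and therefore decrypts the other frame.
"""
import math
import os
import zlib

# Every IP-over-802.11 frame starts with this LLC/SNAP header, a free known plaintext.
LLC_SNAP_IP = bytes.fromhex("aaaa030000000800")


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + keystream XOR). Encrypt and decrypt are the same call."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(secret: bytes, iv: bytes, payload: bytes) -> bytes:
    """Build the WEP body: IV (clear) || RC4(IV || secret, payload || CRC-32 ICV)."""
    if len(iv) != 3 or len(secret) not in (5, 13):
        raise ValueError("IV must be 24 bits and the secret 40 or 104 bits")
    icv = zlib.crc32(payload).to_bytes(4, "little")
    return iv + rc4(iv + secret, payload + icv)


def wep_decrypt(secret: bytes, frame: bytes) -> bytes:
    """Legitimate receiver: strip the IV, decrypt, verify the ICV."""
    iv, body = frame[:3], frame[3:]
    plain = rc4(iv + secret, body)
    payload, icv = plain[:-4], plain[-4:]
    if zlib.crc32(payload).to_bytes(4, "little") != icv:
        raise ValueError("ICV mismatch")
    return payload


def recover_keystream(frame: bytes, known_plaintext: bytes):
    """Attacker: ciphertext XOR known plaintext = keystream for this IV (as far as the plaintext is known)."""
    iv, body = frame[:3], frame[3:]
    return iv, bytes(c ^ p for c, p in zip(body, known_plaintext))


def decrypt_with_keystream(frame: bytes, iv: bytes, keystream: bytes) -> bytes:
    """Attacker: apply a recovered keystream to another frame that reused the same IV."""
    if frame[:3] != iv:
        raise ValueError("different IV, keystream does not apply")
    return bytes(c ^ k for c, k in zip(frame[3:], keystream))


def frames_until_iv_repeat(p: float = 0.5, iv_bits: int = 24) -> int:
    """Birthday bound: number of frames after which some IV has repeated with probability p."""
    return int(math.sqrt(2 * (1 << iv_bits) * math.log(1 / (1 - p))))


def demo() -> bytes:
    """Constructed scenario: two frames under one AP key happen to use the same IV."""
    secret = os.urandom(13)        # 104-bit key; the attacker never learns it
    iv = b"\x12\x34\x56"           # visible on the air in both frames
    known = LLC_SNAP_IP + b"A" * 56                   # e.g. a ping the attacker provoked
    victim = LLC_SNAP_IP + b"GET /secret HTTP/1.0\r\n"  # constructed victim payload
    frame_known = wep_encrypt(secret, iv, known)
    frame_victim = wep_encrypt(secret, iv, victim)
    iv_seen, keystream = recover_keystream(frame_known, known)
    return decrypt_with_keystream(frame_victim, iv_seen, keystream)[: len(victim)]


if __name__ == "__main__":
    print(demo())
    print("IV repeat with 50% probability after about %d frames" % frames_until_iv_repeat())
```

The attacker never touches the secret key: the recovered keystream is only as long as the known plaintext, but one fully known frame (a packet the attacker caused the victim to send) exposes every later frame under that IV, and the birthday bound shows a repeat is expected after only a few thousand frames, well before the 2^24 IV space is exhausted.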

However, WEP's key scheme has been shown to be breakable in practice (the RC4 keystream is reused whenever the short IV repeats, and the key itself can be recovered from enough captured traffic), so it was bound to be replaced by stronger technologies. Port-Based Network Access Control (IEEE 802.1X) together with the Extensible Authentication Protocol (EAP) can be regarded as a transitional solution before a comprehensive security standard appeared. IEEE 802.1X defines port-based network access control, which provides authenticated network access: it uses the physical characteristics of the LAN infrastructure to authenticate the device attached to a switch port, and if authentication fails, that port is not allowed to send or receive frames. Although the standard was designed for wired Ethernet, it can be applied to IEEE 802.11 wireless LANs with some adaptation, the association with an AP taking the role of the switch port. EAP is vendor-neutral. It compensates for WEP's weaknesses and handles roaming between access points. EAP also relieves the VPN bottleneck, letting users keep full network speed. Configuring EAP is not easy, however, which is why PEAP is popular. PEAP (Protected EAP) was developed by Microsoft, Cisco, and RSA Security to simplify end-to-end integration of clients, servers, and directories.

Wi-Fi Protected Access (WPA) was an essential step on the road to 802.11i: it became the wireless security standard that replaced WEP before IEEE 802.11i was finalized. WPA is a subset of IEEE 802.11i; its core is IEEE 802.1X for authentication and the Temporal Key Integrity Protocol (TKIP) for encryption. WPA protects 802.11b, 802.11a, and 802.11g devices because it adds a stronger key-management scheme and user authentication to meet WLAN security requirements. WPA keeps WEP's basic structure (TKIP still uses RC4, so it can run on existing hardware) but removes WEP's flaws: keys are derived per session and mixed per packet, and a message integrity check (Michael) replaces the linear CRC. Because of the enhanced key-derivation algorithm, an attacker who collects and analyzes captured frames cannot recover the master key from them, which closes WEP's main weakness. However, WPA is not backward compatible with some legacy devices and operating systems, and unless the wireless hardware accelerates the protocol processing, WPA reduces network performance.

WPA2 is the second-generation WPA standard released by the Wi-Fi Alliance and corresponds to the full IEEE 802.11i standard ratified later. Its most notable features are pre-authentication, which lets users roam securely between APs without noticeable latency, and the replacement of TKIP by CCMP, an AES-based mode that provides both confidentiality and integrity.
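The "enhanced algorithm for generating encryption keys" that WPA and WPA2 share is the 4-way handshake key derivation. The following added example (not code from the original article) implements it as 802.11i specifies: the pairwise master key (PMK) comes from the passphrase and SSID under WPA-PSK, a fresh pairwise transient key (PTK) is derived per association from the PMK, both MAC addresses and two random nonces, and the KCK slice of the PTK authenticates the handshake messages, so captured traffic never reveals the master key. It also shows the caveat a practitioner should know: because the PSK-derived PMK depends only on passphrase and SSID, one captured handshake lets an attacker test guesses offline, which is why the user-based 802.1X/EAP authentication discussed later matters. The MAC addresses, nonces and EAPOL frame bytes are constructed stand-ins for a capture; the SSID/passphrase pair "IEEE"/"password" is the published 802.11i test vector.

```python
"""WPA/WPA2 pairwise key derivation, added here as a demonstration; it is not
code from the original article. The long-term key (the PMK, from a passphrase
and SSID under WPA-PSK or from 802.1X/EAP in enterprise mode) never encrypts
traffic. Each association derives a fresh pairwise transient key (PTK) from
the PMK, both MAC addresses and two random nonces exchanged in the 4-way
handshake; the KCK slice of the PTK authenticates the handshake messages.
Caveat shown by check_guess(): under WPA-PSK the PMK depends only on the
passphrase and SSID, so one captured handshake lets an attacker test
passphrase guesses offline; 802.1X/EAP with per-user credentials avoids this.
"""
import hashlib
import hmac


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """802.11i PSK mapping: PBKDF2-HMAC-SHA1, 4096 iterations, 256-bit PMK."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || i) blocks."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes,
               nbytes: int = 48) -> bytes:
    """PTK = PRF(PMK, "Pairwise key expansion", min(AA,SPA)||max(AA,SPA)||min(AN,SN)||max(AN,SN)).
    48 bytes for CCMP: KCK (16) | KEK (16) | TK (16). TKIP needs 64 (two extra Michael keys)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, nbytes)


def eapol_mic(kck: bytes, eapol_frame: bytes, ccmp: bool = True) -> bytes:
    """Key MIC over the EAPOL-Key frame (MIC field zeroed): HMAC-SHA1-128 for CCMP, HMAC-MD5 for TKIP."""
    digest = hashlib.sha1 if ccmp else hashlib.md5
    return hmac.new(kck, eapol_frame, digest).digest()[:16]


# Constructed stand-in for a captured 4-way handshake (values are not from a real network).
SSID = "IEEE"
AA = bytes.fromhex("00112233aabb")   # authenticator (AP) MAC, constructed
SPA = bytes.fromhex("66778899ccdd")  # supplicant (station) MAC, constructed
ANONCE = hashlib.sha256(b"anonce for demo").digest()  # 32-byte nonces; random on a real network
SNONCE = hashlib.sha256(b"snonce for demo").digest()
# Message 2 of the handshake with its 16-byte MIC field zeroed. The layout is only sketched
# (EAPOL header, descriptor type, key info, key length, replay counter, SNonce, IV, RSC, ID,
# MIC, key data length); a real message 2 also carries the RSN IE in its key data.
EAPOL_M2 = (b"\x02\x03\x00\x5f" + b"\x02\x01\x0a\x00\x00" + b"\x00" * 8 + SNONCE
            + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8 + b"\x00" * 16 + b"\x00\x00")


def handshake_mic(passphrase: str) -> bytes:
    """What station and AP both compute: the MIC carried by message 2."""
    pmk = pmk_from_passphrase(passphrase, SSID)
    ptk = derive_ptk(pmk, AA, SPA, ANONCE, SNONCE)
    return eapol_mic(ptk[:16], EAPOL_M2)


def check_guess(candidate: str, observed_mic: bytes) -> bool:
    """Offline test of a passphrase guess against the captured MIC (the WPA-PSK weakness)."""
    return hmac.compare_digest(handshake_mic(candidate), observed_mic)


if __name__ == "__main__":
    mic = handshake_mic("password")
    for guess in ("letmein", "Password", "password"):
        print(guess, check_guess(guess, mic))
```

Two points follow directly from the code: the nonces make every association's PTK different even under the same PMK, so a recorded session cannot be replayed or decrypted with keys from another, and the 4096-round PBKDF2 only slows a guessing attacker down rather than stopping one, so passphrase strength (or per-user 802.1X credentials) is what actually carries the security of a PSK network.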

For users with high security requirements, combining VPN technology with the wireless security mechanisms above is an ideal wireless LAN security solution.

Faced with this variety of wireless security solutions, users need to stay clear-headed: even the latest 802.11i has weaknesses, and no single solution solves every security problem. For example, many Wi-Fi products advertise 128-bit encryption, but key length alone does not stop an attack when the protocol around the key is weak. Users also make simple mistakes, such as leaving encryption disabled altogether (not even enabling WEP), which leaves the wireless connection undefended, or placing an AP inside the enterprise firewall rather than outside it, so that an attacker who joins the wireless network bypasses the firewall and enters the LAN directly. Rather than relying on one technology, users should choose a wireless security solution suited to their actual situation and build a multi-layer protection mechanism to reduce the risks wireless brings.

Enterprise users generally regard wireless connectivity as part of a larger system. Such a system must meet the needs of the network infrastructure and provide a high level of protection for enterprise information, user identities, and other network resources. Enterprise users therefore need to assess the threats to the wireless network and the level of security it requires. In particular, servers exposed to the open network that hold sensitive data usually need more protection than other servers on the network. At the same time, enterprises should layer several security mechanisms on the link between the AP and the client rather than depend on a single one.

40-bit WEP and 128-bit shared-key encryption meet only basic security requirements and withstand only the lowest level of risk. An IT administrator can also create and maintain the table of allowed wireless client MAC addresses in the AP and update it by hand whenever devices are replaced or added. Because WEP uses a single key shared by every device, a compromised key exposes private information and network resources to an attacker. As the network grows, administrators need to tighten management of the wireless network.

To strengthen the wireless network's security, enterprises can replace "device MAC address-based" authentication with "user-based" authentication. Then, even if a user's laptop is stolen, the thief cannot reach the network without the user's username and password. This approach is easier to use and reduces the administrative burden, since the MAC address table no longer has to be maintained by hand. However, the APs must be evaluated and deployed to support a user authentication database, which can be held locally on the AP or on a central authentication server such as RADIUS, the usual back end for 802.1X/EAP.
