Making wireless networks safer and setting Wireless LAN security

Wired networks have always been a frequent network type for home and enterprise users. However, with the popularity of wireless networks, wired networks gradually expose their inevitable drawbacks: a large number of cabling and line change projects; lines are prone to damage; nodes in the network cannot be moved. In particular, when connecting distant nodes, it is difficult, expensive, and time-consuming to build dedicated communication lines, serious bottlenecks have been formed for rapidly expanding connection demands. At this time, wireless networks show their advantages: mobility, simple installation, high flexibility and scalability. As an extension of traditional wired networks, wireless networks have been widely used in many special environments. In the past, movies often appeared in our real life to move office anywhere in the smart building, download documents anytime, anywhere, and print documents.

However, the security of Wireless LAN is worth noting. Because the transmitted data is transmitted by means of radio waves in the air, radio waves can penetrate the ceiling, floor, and walls, transmit data may arrive at receiving devices outside of expectation, installed on different floors, or even outside the building where the transmitter is located. Anyone has conditional eavesdropping or interference information, data security has become the most important issue. Therefore, when we first applied wireless networks, we should fully consider their security and understand enough preventive measures to protect our own networks. Next, we will introduce the risks faced by wireless LAN and know how the risks exist, so it is easier for us to solve them again:

Easy to intrude

Wireless LAN is very easy to detect. In order to enable users to discover the existence of wireless networks, the network must send beacon frames with specific parameters, so as to provide necessary network information to attackers. Intruders can use high-sensitivity antennas to launch attacks on networks from road borders, buildings, and anywhere else without any physical intrusion.

Illegal AP

Wireless LAN is easy to access and easy to configure, making it a headache for network administrators and security officials. Any computer can connect to the network without authorization through the AP purchased by itself. Many departments build their own wireless LAN without authorization from the company's IT center. Illegal AP access brings great security risks to the network.

Authorized Service

More than half of users only make few changes based on the default configuration when using the AP. Almost all APs enable WEP Encryption Based on the default configuration or use the default key provided by the original manufacturer. Due to the open access method of the wireless LAN, unauthorized use of network resources will not only increase bandwidth fees, but also lead to legal disputes. In addition, unauthorized users do not comply with the terms of service proposed by the service provider, which may lead to service interruption by the ISP.

Service and performance restrictions

The transmission bandwidth of the wireless LAN is limited. Due to the overhead of the physical layer, the actual maximum effective throughput of the wireless LAN is only half of the standard, and the bandwidth is shared by all AP users.

Wireless bandwidth can be swallowed up in several ways: network traffic from wired networks far exceeds the bandwidth of wireless networks. If attackers send a large amount of Ping traffic from fast Ethernet, it will easily swallow the limited bandwidth of the AP. If broadcast traffic is sent, multiple APS will be blocked at the same time. attackers can send signals in the same wireless channel of the same wireless network, in this way, the attacked network will automatically adapt through the CSMA/CA mechanism, which also affects the transmission of wireless networks. In addition, transmission of large data files or complex client/server systems will generate a large amount of network traffic.

Address Spoofing and session Interception

Because 802.11 Wireless LAN does not authenticate data frames, attackers can redirect data streams by spoofing frames and confuse ARP tables, attackers can easily obtain the MAC addresses of websites on the network. These addresses can be used for malicious attacks.

In addition to spoofing frames, attackers can capture session frames to discover authentication defects in the AP and detect the existence of the AP by monitoring the broadcast frames sent by the AP. However, because 802.11 does not require the AP to prove that it is an AP, attackers can easily dress up as an AP to enter the network. Through such an AP, attackers can further obtain authentication information and access the network. Before using 802.11i to authenticate each 802.11 MAC frame, network intrusion through session interception is unavoidable.

Traffic Analysis and traffic listening

802.11 cannot prevent attackers from passively listening for network traffic, and any wireless network analyzer can intercept unencrypted network traffic without any hindrance. Currently, attackers can exploit the WEP vulnerability to protect the initial data of user and network communication, and the management and control frames cannot be encrypted and authenticated by WEP, this provides an opportunity for attackers to stop network communication by spoofing frames. In the early days, WEP was easily decrypted by tools such as Airsnort and WEPcrack. However, firmware released by many vendors can avoid these known attacks. As an extension of the protection function, the protection function of the latest wireless LAN product is further improved. The key management protocol is used to change the WEP Key every 15 minutes. Even the busiest Network won't generate enough data in such a short period of time to prove that the attacker cracked the key.

Advanced Intrusion

Once an attacker enters the wireless network, it will be the starting point for further intrusion into other systems. Many networks have a set of well-configured security devices as the network shell to prevent illegal attacks. However, the network protected by the shell is very fragile and vulnerable to attacks. A wireless network can quickly access the network trunk through simple configuration, but this will expose the network to attackers. Even a network with a certain number of border security devices can expose the network to be attacked.
Are you worried about using a wireless LAN when you see these dangerous signals? In fact, you don't have to worry too much. There are solutions to all problems. As long as we perform the correct configuration according to the correct method, our network is still safe.

Service Set Identifier (SSID)

You can set different SSID for multiple wireless access points AP (AccessPoint), and require the wireless workstation to display the correct SSID to access the AP, so that users in different groups can access the AP, and restrict resource access permissions. Therefore, it can be considered that the SSID is a simple password to provide certain security. However, if an AP is configured to broadcast its SSID outward, the security level will decrease. Generally, the user configures the client system on his/her own, so many people know the SSID and it is easy to share it with illegal users. Currently, some manufacturers support the "ANY" SSID mode. As long as the wireless workstation is within the range of any ap, the client will automatically connect to the AP, which will skip the SSID security function.

Physical address filtering (MAC)

Because each Nic of a wireless workstation has a unique physical address, you can manually maintain a list of MAC addresses that are allowed to access the AP to filter physical addresses. This scheme requires the MAC address list in the AP to be updated at any time, with poor scalability. In theory, MAC addresses can be forged, so this is also a low level of authorization authentication. Physical address filtering is a hardware authentication rather than user authentication. This method requires that the MAC address list in the AP be updated at any time. Currently, it is performed manually. If the number of users increases, the scalability is poor. Therefore, it is only suitable for small networks.

Wired peer-to-peer confidentiality (WEP)

RC4 symmetric encryption technology is used at the link layer. The user's encryption key must be the same as the AP's key to allow access to network resources, thus preventing unauthorized user listening and unauthorized user access. WEP provides a 40-bit (sometimes called 64-bit) and 128-bit key mechanism, but it still has many drawbacks. For example, all users in a service area share the same key, if a user loses a key, the entire network is insecure. In addition, 40-bit keys are easily cracked today. Keys are static and need to be manually maintained with poor scalability. To improve security, we recommend that you use a 128-bit encryption key.

Wi-Fi protection access (WPA)

WPA (Wi-FiProtectedAccess) is a new technology that inherits the basic principles of WEP and solves the disadvantages of WEP. Because the algorithm for generating encryption keys is enhanced, even if the group information is collected and parsed, it is almost impossible to calculate a general key. The principle is to generate different keys for each group based on the general key and the serial number indicating the computer MAC address and group information. This key is then used for RC4 encryption like WEP. Through this processing, the data exchanged for all group information of all clients is encrypted by different keys. No matter how much data is collected, it is almost impossible to crack the original universal key. WPA also adds functions and authentication functions to prevent data tampering in the middle. With these features, all the shortcomings that were previously criticized by WEP have been solved. WPA is not only a more powerful encryption method than WEP, but also has a richer connotation. As a subset of the 802.11i standard, WPA consists of authentication, encryption, and data integrity verification. It is a complete security solution.

National Standard (WAPI)

WAPI (WLANAuthenticationandPrivacyInfrastructure) is the basic structure of Wireless LAN authentication and confidentiality. It is a WLAN security solution proposed in the National Standard GB15629.11 of China's wireless LAN for security issues of the WEP protocol in. At the same time, this scheme has been reviewed and approved by the ISO/IEC authorized Authority (IEEE registry Authority. It uses a certificate mechanism based on the public key cryptography system to implement bidirectional identification between mobile terminals (MT) and wireless access points (AP. You only need to install a certificate to roam across different regions that cover the WLAN for your convenience. Services that are compatible with existing billing technologies can be billed on time, by traffic, or by monthly subscription. After the AP sets the certificate, it no longer needs to set up the AAA Server in the background. It is easy to install, set up, and expand easily, and can meet the needs of multiple application modes such as home, enterprise, and carrier.

Port Access Control Technology (802.1x)

This technology is also an enhanced network security solution for wireless LAN. When the STA of the wireless workstation is associated with the AP of the wireless access point, whether the AP service can be used depends on the 802.1x authentication result. If the authentication succeeds, the AP opens the logical port for the STA. Otherwise, the user is not allowed to access the Internet. 802.1x requires the wireless workstation to install 802.1x client software. The wireless access point must be embedded with an 802.1x Authentication Proxy. It also serves as a Radius client to forward user authentication information to the Radius server. In addition to port access control, 802.1x also provides user-based authentication systems and billing, which is particularly suitable for public wireless access solutions.

Summary:

The above are just some of our solutions to the potential dangers of the wireless LAN. It cannot represent all of them. It is a reference for everyone. If there is something incomplete, we also hope that the majority of readers can provide additional information. The security and stability of the network do not rely solely on the performance and personal technology of the device. It is worth noting in some detail. We often say that "Details determine success or failure", so our network will be much more sustainable and safer only when the details are well enough.