Protecting Wireless LAN Security: Protecting Users

Source: Internet
Author: User

Authentication

The first step is to establish a user identity so that access to network resources can be controlled. Some enterprises authenticate users by verifying the Media Access Control (MAC) address. However, it is easy for an intruder to copy a MAC address from valid frames and then change the MAC address on the intruder's laptop to that valid address. Identity-based authentication can instead use the IEEE 802.1X standard together with the Extensible Authentication Protocol (EAP) and the Remote Authentication Dial-In User Service (RADIUS).

Some enterprises may also deploy a VPN over the WLAN using technologies such as IPsec or SSL. In that case the enterprise uses the VPN's own authentication mechanism, such as Extended Authentication (XAUTH), together with the Challenge-Handshake Authentication Protocol (CHAP), to authenticate users.

802.1X relies on EAP to authenticate users. EAP is an authentication framework that defines how different authentication methods are encapsulated. We recommend the EAP types listed in Table 1 because they are widely used and carry low risk.

Table 1: Recommended EAP types

The acronyms used in Table 1 are defined as follows:

EAP-TLS: EAP with Transport Layer Security

EAP-TTLS/MS-CHAPv2: Tunneled TLS with the Microsoft Challenge-Handshake Authentication Protocol version 2

PEAP/MS-CHAPv2: Protected EAP with the Microsoft Challenge-Handshake Authentication Protocol version 2

EAP-FAST: Flexible Authentication via Secure Tunneling

PAC: Protected Access Credential

We recommend the following best practices:

If 802.1X is already deployed on the wired network, use 802.1X with EAP to authenticate users against the authentication server. Enterprises must use one of the following EAP types: TLS, TTLS, PEAP, or FAST. Note that EAP-TLS also requires a certificate on both the client and the authentication server.

If 802.1X is not deployed on the wired network, use IPsec or SSL to provide mutual authentication between users and the authentication server.

Authenticate users through a captive portal web page and monitor usage.
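The client side of the 802.1X/EAP recommendation above, as an added example that is not part of the original article: a wpa_supplicant configuration with one PEAP/MS-CHAPv2 profile (server certificate only) and one EAP-TLS profile (certificate on both client and server). The SSID, identities, hostnames, file paths and secrets are constructed placeholders.

```conf
# wpa_supplicant.conf (constructed example; names, paths and secrets are placeholders)
ctrl_interface=/var/run/wpa_supplicant

# Profile 1: PEAP with MS-CHAPv2. Only the RADIUS server presents a certificate,
# so the client must pin the CA and the server name; otherwise it cannot know
# which authentication server it is handing its MS-CHAPv2 exchange to.
network={
    ssid="CORP-WLAN"
    proto=RSN
    key_mgmt=WPA-EAP
    pairwise=CCMP
    eap=PEAP
    anonymous_identity="anonymous@example.com"
    identity="alice@example.com"
    password="placeholder-password"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.example.com"
    phase2="auth=MSCHAPV2"
    priority=5
}

# Profile 2: EAP-TLS. As the text notes, this needs a client certificate and key
# in addition to the server certificate; no password is sent at all.
network={
    ssid="CORP-WLAN"
    proto=RSN
    key_mgmt=WPA-EAP
    pairwise=CCMP
    eap=TLS
    identity="alice@example.com"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.example.com"
    client_cert="/etc/wpa_supplicant/alice.crt"
    private_key="/etc/wpa_supplicant/alice.key"
    private_key_passwd="placeholder-key-passphrase"
    priority=10
}
```

The higher `priority` makes wpa_supplicant prefer the EAP-TLS profile when the client certificate is available and fall back to PEAP otherwise.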

Data confidentiality and integrity

Enterprises must work hard to prevent malicious, unintentional, unauthenticated, or inappropriate exposure of information. As mentioned in the first part, intruders can use freely shared software (such as Aircrack) and commercial packet-capture tools (such as the AirMagnet laptop analyzer), combined with a high-gain antenna, to eavesdrop on encrypted traffic and recover the WEP key for the Rivest Cipher 4 (RC4) stream; this is usually referred to as the "shared key" attack. Moreover, the cyclic redundancy check (CRC) used with WEP is fragile, because intruders can modify frames without the CRC detecting the change.

WEP was first replaced by the interim WPA security standard, and then by WPA2, which is based on the IEEE 802.11i standard. WPA2 provides strong encryption (the Advanced Encryption Standard, AES), dynamic key exchange, and a strong authentication mechanism (802.1X).

We recommend the following best practices:

If 802.1X has already been deployed for wired LAN authentication, use WPA2 to ensure the confidentiality and integrity of wireless data. If WPA2 cannot be deployed, for example because of legacy devices, use WPA. 802.1X is recommended together with WPA/WPA2 because it provides not only user authentication but also an automatic key distribution mechanism.

If 802.1X is not deployed for wired LAN authentication, use IPsec or SSL to ensure the confidentiality and integrity of wireless data. Another option for small deployments, instead of 802.1X, IPsec, or SSL, is to use WPA or WPA2 with a pre-shared key (PSK).
Note that a PSK is easily recovered by an offline dictionary attack. It may also be shared with non-employees, intentionally or unintentionally, by the employees who know it. In addition, a PSK is difficult to manage on a large network, because whenever the PSK changes (for example, when an employee leaves the company) every client in the network must be reconfigured with the new PSK. Therefore, use PSK with care.

WEP is not recommended. However, if you already use WEP, or use no WLAN encryption at all, place the WLAN behind a firewall; in effect, this means treating the WLAN as an untrusted network.

Use different SSIDs and different wired VLANs to isolate shared WLAN access traffic from the wired LAN.

Separate WEP traffic from WPA/WPA2 traffic by using different SSIDs and different wired VLANs.

Authenticate users through a captive portal web page and monitor usage.
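The access-point side of the recommendations above (WPA2 with 802.1X key distribution, plus separate SSIDs mapped to separate wired VLANs), as an added hostapd example that is not part of the original article. Interface names, addresses and secrets are constructed placeholders; the RADIUS server is assumed to return a Tunnel-Private-Group-ID attribute for per-user VLAN assignment.

```conf
# hostapd.conf (constructed example; interfaces, addresses and secrets are placeholders)
interface=wlan0
driver=nl80211
hw_mode=g
channel=6

# Primary BSS: corporate SSID, WPA2 (RSN) with AES-CCMP only, keys distributed
# per session by 802.1X instead of a single shared PSK.
ssid=CORP-WLAN
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
eap_server=0
own_ip_addr=192.0.2.10
auth_server_addr=192.0.2.20
auth_server_port=1812
auth_server_shared_secret=placeholder-radius-secret
# Honour the VLAN the RADIUS server assigns to each authenticated user, so
# corporate traffic lands on its own wired VLAN (tagged on eth0).
dynamic_vlan=1
vlan_file=/etc/hostapd/hostapd.vlan
vlan_tagged_interface=eth0

# Second BSS on the same radio: the shared/guest SSID. It stays on its own
# bridge (and therefore its own wired VLAN) so it never mixes with CORP-WLAN.
# A PSK is tolerated here only because guests have no 802.1X identity; rotate
# it and keep it long and random, for the reasons given in the text.
bss=wlan0_guest
ssid=GUEST-WLAN
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=placeholder-long-random-guest-passphrase
bridge=br-guest
```

No WEP or TKIP options appear in either BSS; if legacy WEP devices must be kept, the text's advice is to give them a third SSID on a separate VLAN behind the firewall rather than relaxing these two.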
