Wireless local area networks (WLANs) are developing rapidly: they offer high access rates and flexible networking, and they have a unique advantage for transmitting mobile data. As the range of WLAN applications widens, however, security problems become more and more important. In a wired network you can clearly identify which computer is connected to which network cable. In a wireless network, by contrast, any computer within radio range can in principle listen in and log on. If an intranet is not secured tightly enough, e-mail can be eavesdropped on, read, or even manipulated. Wireless network security is therefore critical: authorized computers must be able to access the network, while unauthorized users must not be able to intercept its traffic.
★ Two basic means of security protection
How can data be protected in such an open environment? WLAN manufacturers and the international Wi-Fi Alliance have proposed new ways of strengthening wireless LAN security so that WLANs can be widely applied. On June 24, 2004, the IEEE approved 802.11i, which provides wireless LAN security based on SIM-card authentication and AES encryption, giving wireless LANs a much broader field of application.
Security consists mainly of two parts: access control and encryption. Access control guarantees that only authorized users can access sensitive data, and encryption guarantees that only the intended recipient can understand the data. The currently most widely used standard, IEEE 802.11b, provides two means of securing a WLAN: the SSID (Service Set Identifier) and the WEP wireless encryption protocol. The SSID provides a low level of access control. WEP is an optional encryption scheme based on the RC4 algorithm; it prevents an unauthorized user without the correct WEP key from accessing the network, and only users with the correct WEP key, whether implemented in software or in hardware, can encrypt and decrypt data.
In addition, the 802.11b standard defines two authentication methods: open system and shared key. In the default open method, a user can connect to the access point even without providing the correct WEP key; the shared-key method requires the user to provide the correct WEP key in order to authenticate.
★ Three levels of security measures for different users
Clearly, basic means provide only basic protection. Different users need security tools of different levels. A technical advisor at Avaya said that the company provides three levels of security for its WLAN equipment. The first is link-layer security, i.e. standard WEP encryption. The second is security at the user-authentication level, represented by the use of 802.1x. The third is the use of a VPN. The advisor believes that these three levels suit users with different requirements and that the VPN method is the safest; in practice, however, WEP is the most commonly used.
★ Defects of WEP and how to address them
WEP encryption is inherently flawed. Its key is fixed, its initialization vector is only 24 bits long, and the strength of the algorithm is not high, so it has a security vulnerability. Researchers at AT&T were the first to publish a WEP decryption process, after which people began to question WEP and study its vulnerabilities further. There are now dedicated programs for cracking WEP encryption, represented by WEPCrack and AirSnort.
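To make the "fixed key plus 24-bit IV" defect concrete, here is an added example (not code from the article or from any vendor it mentions): a toy RC4 and a WEP-style frame encryption, showing that whenever an IV repeats under the same secret key the keystream is reused, plus a birthday-bound estimate of how many frames a 24-bit IV space allows before a randomly chosen IV repeats. The secret key and frame contents are constructed sample values.

```python
# Added example, not from the article: why a fixed secret key combined with a
# 24-bit IV is a weakness. WEP forms the RC4 per-frame key as IV || secret key;
# whenever an IV repeats under the same secret key the same keystream is reused,
# and XOR of the two ciphertexts equals XOR of the two plaintexts.
# Sample key and frames below are constructed for illustration.
import math

IV_BITS = 24  # WEP initialization vector length


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Standard RC4 (KSA + PRGA); returns `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):  # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(secret: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style frame encryption: RC4 key is IV || secret, output is plaintext XOR keystream."""
    keystream = rc4_keystream(iv + secret, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, keystream))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def iv_reuse_leaks_plaintext_xor(secret: bytes, iv: bytes, p1: bytes, p2: bytes) -> bool:
    """True when two frames under the same key and IV satisfy c1 XOR c2 == p1 XOR p2."""
    c1 = wep_encrypt(secret, iv, p1)
    c2 = wep_encrypt(secret, iv, p2)
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)


def frames_until_iv_repeat(prob: float = 0.5, iv_bits: int = IV_BITS) -> int:
    """Birthday bound: frames after which a randomly drawn IV has repeated with probability `prob`."""
    space = 2 ** iv_bits
    return math.ceil(math.sqrt(2 * space * math.log(1 / (1 - prob))))
```

With a 24-bit IV the birthday bound comes out at a few thousand frames for a 50% chance of one repeat, which is why the key itself, not only the IV, has to change for the scheme to hold up.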
Zhao Weiming of Intel's Corporate Communications Division points out that the WEP encryption method itself is not the problem; the problem lies in the key delivery process, since the key itself is easily intercepted. To address this, WPA (Wi-Fi Protected Access), the de facto industry standard, changes the way the key is delivered. IEEE 802.11 Task Group I (TGi) developed the Temporal Key Integrity Protocol (TKIP). Like WEP, TKIP is based on RC4 encryption, but it provides the ability to update keys quickly. WPA uses TKIP to deliver the key, and its key management uses a public-key/private-key method similar to RSA. With TKIP, and with individual vendors planning to release TKIP firmware patches, users' investment in WLAN hardware is protected. Enterasys, for example, recently announced its support for WPA: it will support WPA in its RoamAbout series of indoor and outdoor WLAN products and update the firmware and hardware of existing products.
Cisco's specific approach is as follows. The RADIUS server and the client authenticate each other in both directions, and together they determine a WEP key; the key is therefore not a static key physically tied to the client, but one generated dynamically by the authentication. The RADIUS server then sends the session key to the AP over the wired network; the AP encrypts the broadcast key with the session key and sends the encrypted key to the client, which decrypts it using the session key. The client then activates WEP with the AP and uses the key to communicate. Avaya's approach, called WEP Plus, generates the initialization vector randomly, which addresses the weakness in the initialization vector so that the WEPCrack and AirSnort programs cannot recover the WEP key.
★ Five major recommendations for comprehensive prevention
First, many security problems are caused by wireless access points that are not in a closed environment. So the first thing to pay attention to is placing the access-point antenna sensibly, so as to limit how far the signal travels beyond the area that needs coverage. Don't put the antenna near a window, because glass does not stop the signal. It is best to place the antenna in the center of the area you need to cover and to minimize the signal leaking out through the walls.
Second, after dealing with the antenna and the signal, add a layer of "protective film": the Wireless Encryption Protocol (WEP) must be used.
Third, it is recommended that DHCP and SNMP be disabled. Disabling DHCP on the wireless network is useful: if you do so, a hacker has to work out your IP address, subnet mask and the other TCP/IP parameters required (which undoubtedly adds to the difficulty). However the hacker uses your access point, he still needs to figure out the IP addressing. As for SNMP, either disable it or change the "public" and "private" community strings; if this is not done, hackers can use SNMP to obtain important information about your network.
Fourth, use access lists (also known as access control lists). This feature is recommended for further protection of your wireless network, but note that not all wireless access points support it. It lets you specify exactly which machines are allowed to connect to the access point. Access points that support this feature are sometimes used together with the Trivial File Transfer Protocol (TFTP), and it is useful to download updated lists periodically.
Fifth, integrate wireless and wired strategies. Wireless network security is not a separate network architecture; it requires a variety of different programs and protocols to work together. Developing policies that combine the security of wired and wireless networks maximizes security.
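As an added example (not from the article, and not any vendor's tool), here is a small audit that checks an access-point configuration against recommendations two to four above: encryption enabled, DHCP server off, SNMP off or its default community strings changed, and an access list in place. The configuration layout and field names are assumptions for illustration; real access points expose these settings through vendor-specific interfaces.

```python
# Added example, not from the article: audit an access-point configuration
# against the article's recommendations 2 to 4. The dictionary layout and key
# names are assumptions for illustration; both sample configurations are
# constructed (one with every weakness present, one hardened).
DEFAULT_SNMP_COMMUNITIES = {"public", "private"}


def audit_ap_config(cfg: dict) -> list:
    """Return a list of findings; an empty list means no issue was found."""
    findings = []
    # Recommendation 2: encryption must be enabled
    if cfg.get("encryption", "none") == "none":
        findings.append("encryption disabled: enable WEP (or stronger) on the AP")
    # Recommendation 3a: DHCP should be disabled on the wireless side
    if cfg.get("dhcp_server", False):
        findings.append("DHCP server enabled: disable it so clients need known TCP/IP settings")
    # Recommendation 3b: SNMP off, or at least no default community strings
    snmp = cfg.get("snmp", {})
    if snmp.get("enabled", False):
        weak = {c for c in snmp.get("communities", []) if c.lower() in DEFAULT_SNMP_COMMUNITIES}
        if weak:
            findings.append("SNMP uses default community string(s): " + ", ".join(sorted(weak)))
    # Recommendation 4: an access list restricting which machines may connect
    acl = cfg.get("access_list") or {}
    if not acl.get("enabled", False):
        findings.append("access list not enabled: restrict which MAC addresses may associate")
    elif not acl.get("allowed_macs"):
        findings.append("access list enabled but empty: add the permitted MAC addresses")
    return findings


# Constructed sample: every weakness present
WEAK_CONFIG = {
    "ssid": "example-wlan",
    "encryption": "none",
    "dhcp_server": True,
    "snmp": {"enabled": True, "communities": ["public", "private"]},
    "access_list": {"enabled": False, "allowed_macs": []},
}

# Constructed sample: hardened according to the recommendations
HARDENED_CONFIG = {
    "ssid": "example-wlan",
    "encryption": "wep-128",
    "dhcp_server": False,
    "snmp": {"enabled": False, "communities": []},
    "access_list": {"enabled": True, "allowed_macs": ["00:11:22:33:44:55"]},
}
```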