Wireless Network Security

Some of the prevalent methods of securing a wireless network are explained below.

WEP stands for Wired Equivalent Privacy. It was specified as an optional security measure in the IEEE 802.11 protocol. WEP uses the RC4 stream cipher to encrypt the payload of transmitted packets. WEP uses a shared 60-bit key to encrypt the data, of which 24 bits are the Initialization Vector (IV). A 128-bit variant (WEP2) is also available, which likewise uses 24 bits for its IV. The key is fed to a pseudo-random number generator that produces a key stream the size of the data packet, and this key stream is XORed with the data packet to produce the encrypted packet. The problem with WEP is the 24-bit IV. Such a small IV space means that a passive listener can collect enough packets in a matter of a few hours to run simple cryptanalysis on them and uncover the shared key. WEP now provides only minimal security, enough to thwart break-in attempts by a casual hacker.

802.11i is the set of MAC enhancements for enhanced security for the IEEE 802.11 MAC layer. It was meant to address the shortcomings of the original 802.11 WEP. 802.11i provides two main developments in security: Wi-Fi Protected Access (WPA) and Robust Security Network (RSN).

WPA is meant to be a better replacement for WEP and to be a software upgrade for existing Wi-Fi products. It improves on the WEP encryption method by using the Temporal Key Integrity Protocol (TKIP). TKIP changes how keys are generated and also rotates the keys periodically for improved security. TKIP uses a 128-bit shared secret called the Temporal Key. This key is combined with the host's MAC address and a 48-bit Initialization Vector to produce the encryption key. That key encrypts only one packet, so a new key is generated for each packet. The Temporal Keys are also changed periodically (about every 10,000 packets) to make the system harder to crack.

RSN allows mobile devices to negotiate the authentication and encryption algorithms, which gives the system the flexibility to move to better algorithms when the current ones are compromised. Currently it uses 802.1X with the Extensible Authentication Protocol for authentication, and the Advanced Encryption Standard (AES) for encryption. The drawback of both approaches is that they need a good amount of hardware resources to run, so legacy systems will have to compromise between security level and network performance.
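As an added example that is not code from the ARE Technologies page, the following Python model contrasts the two keying schemes described in the WEP and TKIP paragraphs above. The RC4 routine is the real cipher. `wep_encrypt` prepends a 24-bit IV to a static shared secret, as the WEP paragraph describes, and `wep_iv_reuse_leaks` shows why a repeated IV matters: two frames under the same IV get the same keystream, so the XOR of the ciphertexts equals the XOR of the plaintexts. `TkipLikeSession` derives a fresh per-packet key from a temporal key, the station MAC and a 48-bit sequence counter, rejects replayed counters on the receive side, and signals when the roughly 10,000-packet rekey is due. The key-mixing step (SHA-256 over the inputs), the 5-byte WEP secret and the 16-byte temporal key are assumptions for the demo; this is not TKIP's real two-phase mixer.

```python
"""Toy model of WEP keying vs TKIP-style per-packet keying (added example,
not code from the ARE Technologies page). RC4 is implemented faithfully;
the TKIP key-mixing step is a simplified stand-in, not the real mixer."""
import hashlib
import os
from math import pi, sqrt


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key scheduling (KSA) then the PRGA, returning `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# ---- WEP: one static shared secret; the 24-bit IV travels in clear -------------
WEP_IV_BITS = 24


def wep_encrypt(secret: bytes, iv: int, payload: bytes) -> bytes:
    """Frame body = IV (3 bytes, clear) || payload XOR RC4(IV || secret)."""
    iv_bytes = iv.to_bytes(3, "big")
    return iv_bytes + xor_bytes(payload, rc4_keystream(iv_bytes + secret, len(payload)))


def wep_decrypt(secret: bytes, frame: bytes) -> bytes:
    iv_bytes, body = frame[:3], frame[3:]
    return xor_bytes(body, rc4_keystream(iv_bytes + secret, len(body)))


def wep_iv_reuse_leaks(secret: bytes, iv: int, p1: bytes, p2: bytes) -> bool:
    """Two frames under the same IV share a keystream, so c1 ^ c2 == p1 ^ p2:
    the ciphertexts alone reveal the relationship between the plaintexts."""
    c1, c2 = wep_encrypt(secret, iv, p1)[3:], wep_encrypt(secret, iv, p2)[3:]
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)


def expected_packets_until_iv_collision(iv_bits: int = WEP_IV_BITS) -> int:
    """Birthday bound: random n-bit IVs are expected to repeat after ~sqrt(pi/2 * 2^n) frames."""
    return int(sqrt(pi / 2 * 2 ** iv_bits))


# ---- TKIP-style: per-packet key from temporal key, MAC and 48-bit counter ------
class TkipLikeSession:
    """One end of a TKIP-like link. Sender and receiver each hold a copy of the
    temporal key (TK); the 48-bit TSC never repeats under one TK and lets the
    receiver reject replays."""
    REKEY_PACKETS = 10_000  # the page: temporal key rotated about every 10,000 packets

    def __init__(self, tk: bytes, mac: bytes):
        if len(tk) != 16 or len(mac) != 6:
            raise ValueError("TK must be 16 bytes, MAC 6 bytes")
        self.tk, self.mac = tk, mac
        self.next_tsc = 0       # sender side
        self.last_rx_tsc = -1   # receiver side
        self.sent_under_tk = 0

    def per_packet_key(self, tsc: int) -> bytes:
        # Simplified stand-in for TKIP's phase-1/phase-2 key mixing (assumption).
        return hashlib.sha256(self.tk + self.mac + tsc.to_bytes(6, "big")).digest()[:16]

    def needs_rekey(self) -> bool:
        return self.sent_under_tk >= self.REKEY_PACKETS

    def rekey(self, new_tk: bytes) -> None:
        self.tk, self.sent_under_tk = new_tk, 0

    def encrypt(self, payload: bytes) -> bytes:
        if self.next_tsc >= 1 << 48:
            raise OverflowError("TSC exhausted; rekey before the counter wraps")
        tsc, self.next_tsc = self.next_tsc, self.next_tsc + 1
        self.sent_under_tk += 1
        ks = rc4_keystream(self.per_packet_key(tsc), len(payload))
        return tsc.to_bytes(6, "big") + xor_bytes(payload, ks)

    def decrypt(self, frame: bytes) -> bytes:
        tsc = int.from_bytes(frame[:6], "big")
        if tsc <= self.last_rx_tsc:
            raise ValueError("replayed or out-of-order TSC rejected")
        self.last_rx_tsc = tsc
        return xor_bytes(frame[6:], rc4_keystream(self.per_packet_key(tsc), len(frame) - 6))


def replay_is_rejected(rx: "TkipLikeSession", frame: bytes) -> bool:
    """True when a second delivery of the same frame is refused by the receiver."""
    try:
        rx.decrypt(frame)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    secret = b"\x01\x02\x03\x04\x05"  # constructed 5-byte WEP secret (assumption)
    print("WEP round trip:", wep_decrypt(secret, wep_encrypt(secret, 42, b"hello")))
    print("IV reuse leaks p1^p2:", wep_iv_reuse_leaks(secret, 42, b"attack at dawn", b"attack at dusk"))
    print("expected frames until an IV repeats:", expected_packets_until_iv_collision())
    tk, mac = os.urandom(16), bytes.fromhex("001122334455")  # constructed values
    tx, rx = TkipLikeSession(tk, mac), TkipLikeSession(tk, mac)
    frame = tx.encrypt(b"hello")
    print("TKIP-like round trip:", rx.decrypt(frame), "replay rejected:", replay_is_rejected(rx, frame))
```

The birthday bound is the point behind the page's "few hours": with random 24-bit IVs a repeat is expected after roughly 5,000 frames, which a busy access point sends in minutes, and every repeat hands a passive listener a keystream-reuse pair. The TKIP-style side avoids that by construction: the counter cannot repeat under one temporal key, the per-packet key changes with every counter value, and the receiver's monotonic check also gives replay protection that WEP never had.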

802.1X is the Port Based Network Access Control standard from IEEE. It applies as a security measure to both wired and wireless networks. For every client connecting to an AP using 802.1X, the AP asks for credentials, which are verified by a RADIUS server at the back end. The exchange of credentials between the client and the AP is specified by the Extensible Authentication Protocol (EAP) in 802.1X. EAP gives developers the freedom to define their own method for exchanging the credentials. There are several types of EAP in use today; some of the common ones are explained below:

EAP-MD5 uses a username and password to authenticate users. An MD5 hash of this information is also sent so that modification of the information can be detected. The login name and password are authenticated by a backend RADIUS server.
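The three-party exchange described in the 802.1X paragraph, carried through with the EAP-MD5 method, as an added example that is not code from the ARE Technologies page. The supplicant (client), authenticator (AP) and RADIUS server are plain Python objects, and EAPOL/RADIUS framing is replaced by method calls that carry the same messages. The response formula MD5(Identifier || password || Challenge) is the EAP-MD5-Challenge definition from RFC 3748 section 5.4; the user names, passwords and the `demo` helper are constructed for the example.

```python
"""Added example (not from the ARE Technologies page): an 802.1X exchange
using EAP-MD5 between a supplicant, an authenticator (AP) and a RADIUS server.
Framing is simulated with method calls; the MD5 response follows RFC 3748."""
from __future__ import annotations

import hashlib
import hmac
import os


def eap_md5_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """EAP-MD5-Challenge response: MD5(Identifier || password || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + password + challenge).digest()


class RadiusServer:
    """Backend authentication server. EAP-MD5 needs the cleartext password
    (or an equivalent) stored on the server, which matters when choosing a method."""

    def __init__(self, users: dict[str, bytes]):
        self.users = users
        self.pending: dict[str, tuple[int, bytes]] = {}
        self._next_id = 0

    def access_request_identity(self, identity: str) -> tuple[str, int, bytes]:
        """Access-Request with EAP-Response/Identity -> Access-Challenge carrying
        EAP-Request/MD5-Challenge (identifier + fresh 16-byte challenge).
        A challenge is issued even for unknown users, so the reply does not reveal
        whether the account exists."""
        self._next_id = (self._next_id + 1) & 0xFF
        challenge = os.urandom(16)
        self.pending[identity] = (self._next_id, challenge)
        return ("Access-Challenge", self._next_id, challenge)

    def access_request_md5(self, identity: str, identifier: int, response: bytes) -> str:
        """Access-Request with EAP-Response/MD5-Challenge -> Access-Accept or Access-Reject."""
        expected_id, challenge = self.pending.pop(identity, (None, b""))
        password = self.users.get(identity)
        if password is None or identifier != expected_id:
            return "Access-Reject"
        expected = eap_md5_response(identifier, password, challenge)
        return "Access-Accept" if hmac.compare_digest(expected, response) else "Access-Reject"


class Supplicant:
    """The wireless client. It never sends the password itself, only the MD5 response."""

    def __init__(self, identity: str, password: bytes):
        self.identity, self.password = identity, password

    def response_identity(self) -> str:  # answers EAP-Request/Identity
        return self.identity

    def response_md5(self, identifier: int, challenge: bytes) -> bytes:
        return eap_md5_response(identifier, self.password, challenge)


class Authenticator:
    """The access point. Its controlled port starts unauthorized and passes only
    EAPOL traffic until the RADIUS server returns Access-Accept."""

    def __init__(self, radius: RadiusServer):
        self.radius = radius
        self.port_authorized = False
        self.log: list[str] = []

    def authenticate(self, supplicant: Supplicant) -> bool:
        self.log.append("EAPOL-Start / EAP-Request/Identity")
        identity = supplicant.response_identity()
        self.log.append(f"EAP-Response/Identity({identity}) -> RADIUS Access-Request")
        msg, identifier, challenge = self.radius.access_request_identity(identity)
        self.log.append(f"RADIUS {msg} -> EAP-Request/MD5-Challenge id={identifier}")
        response = supplicant.response_md5(identifier, challenge)
        result = self.radius.access_request_md5(identity, identifier, response)
        outcome = "Success" if result == "Access-Accept" else "Failure"
        self.log.append(f"RADIUS {result} -> EAP-{outcome}")
        self.port_authorized = result == "Access-Accept"
        return self.port_authorized


def demo() -> tuple[bool, bool, bool]:
    """Valid user, wrong password, unknown user (all constructed credentials)."""
    radius = RadiusServer({"alice": b"correct-horse"})
    ok = Authenticator(radius).authenticate(Supplicant("alice", b"correct-horse"))
    bad_pw = Authenticator(radius).authenticate(Supplicant("alice", b"wrong"))
    unknown = Authenticator(radius).authenticate(Supplicant("mallory", b"x"))
    return ok, bad_pw, unknown


if __name__ == "__main__":
    print(demo())
```

Two properties of this exchange are worth noticing against the methods that follow on the page: only the supplicant proves anything, the RADIUS server is never authenticated to the client, and no key material comes out of the method, so the AP is left with nothing to use as a per-session WEP key. LEAP and EAP-TLS, described next, exist precisely to add mutual authentication and dynamic per-session keys.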

Cisco's Lightweight EAP (LEAP)
LEAP also uses usernames and passwords to authenticate users with the help of a RADIUS server. LEAP, however, uses dynamically generated WEP keys for each session. A timeout can also be set on these keys so that they are changed without any intervention by the user. In addition, LEAP incorporates mutual authentication, so that both sides are sure about whom they are communicating with.

EAP-TLS, developed by Microsoft, uses Transport Layer Security. EAP-TLS provides all the features of LEAP (dynamically created WEP keys, mutual authentication), except that it uses certificates for authentication instead of usernames and passwords. This means that the key exchange uses public key cryptography. As a result, this is one of the best methods to use if you already have certificates in place in a Windows environment.

EAP-TTLS, by Funk Software, differs from EAP-TLS by supporting a variety of authentication methods such as PAP, CHAP, MS-CHAPv1, MS-CHAPv2, PAP/Token Card, or EAP. EAP-TTLS can be used where not every machine has a certificate and the login/password method of authentication is wanted.

Protected EAP (PEAP)
PEAP was developed by Cisco and Microsoft and works exactly like EAP-TTLS.

Virtual Private Network (VPN)
Like 802.1X, a VPN can be used to secure wireless networks. VPNs have long been a tried and tested way to secure connections in wired networks. In the classic VPN scenario, all user traffic entering a network is tunneled through a secure, encrypted channel. Usually this point of entry between the outer network (the Internet) and the internal network is a firewall. In the wireless scenario, all wireless traffic sits behind a firewall. Every wireless client runs a VPN client, which manages connection setup and tunnels the traffic over the air to a central VPN concentrator. This concentrator can then connect onward to wired networks and possibly the Internet. Thus only valid wireless clients are able to gain access to your wired network.


© ARE Technologies 2001 - 11
