لطفا منتظر باشید ...
SAFE WLAN Axioms
Expanding on the SAFE axiom that networks are targets, outlined in Chapter 3, "SAFE Design Concepts," WLANs recently have become targets for hackers. This has led to the new axiom "Wireless networks are targets."
Wireless Networks Are Targets
Organizations rapidly are beginning to deploy wireless technology within the corporate infrastructure to benefit from the productivity gains associated with user mobility. However, many organizations are unaware of all the security aspects of this deployed technology. The following are some of the potential threats and problems that can be associated with WLANs:
- Interference and jamming
It is easy to interfere with wireless communications. A simple jamming transmitter can make communications impossible. - MAC authentication
Wireless access points can be configured to allow only predefined MAC addresses to associate. However, hackers easily can spoof MAC addresses and so circumvent authentication by sniffing the wireless spectrum. - Denial or degradation of service
802.11 management messages do not require authentication, so a denial-of-service (DoS) attack is possible if these messages are not authenticated. - Rogue access points
This is the unauthorized placement of an access point onto a network that a hacker can use to gain network connectivity. - 802.11 is insecure
Traditional 802.11 WLAN security relied on open or shared-key authentication and static wired equivalent privacy (WEP) keys. The use of shared-key authentication is considered insecure because a hacker can use techniques to derive the WEP key from the clear-text challenge. The use of static WEP keys, either 40-bit or 128-bit encryption keys, recently has been shown to cause key-management issues and is a security risk because WEP keys easily can be derived because of a weakness in the standard.
Security Extensions Are Required
With the discovered weaknesses in the 802.11 standard, security extensions are required to overcome the failings in WEP. The following three technologies are recommended as an alternative to WEP:
- IP Security (IPSec)
- 802.1X/Extensible Authentication Protocol (EAP)
- WEP enhancements
IPSec
IPSec virtual private networks (VPNs) ensure confidentially, integrity, and authenticity of data communication through the IPSec standard. Using IPSec overlaid on top of a clear-text 802.11 WLAN can provide security for the WLAN.When deploying an IPSec-secured WLAN, each device connected to the WLAN is given an IPSec client that is used to establish an IPSec VPN to route traffic to the wired network.
802.1X/EAP
802.1X and EAP provide the framework for a centralized authentication and dynamic key distribution approach. This design approach for securing WLANs has three elements:
- Mutual authentication between the wireless client and an authentication server. A Remote Access Dial-in User Service (RADIUS) server provides the authentication service.
- Dynamically derived encryption keys after authentication
- Centralized policy control for reauthentication and generation of encryption keys.
When the preceding features are incorporated into a WLAN, a wireless client does not gain access to the network until a mutual authentication takes place. After authentication, a client-specific WEP key is derived that then is used for the current logon session.Various EAP protocols are currently available that you can use to authenticate a user over wired or wireless connections. Some of these protocols are
- Cisco Lite-EAP (LEAP)
With LEAP, mutual authentication relies on a shared secret, the user's logon password, which is known by both the client and the network. When the mutual authentication is completed, both the client and the RADIUS server derive a dynamic WEP key for the session. - EAP-Transport Layer Security (EAP-TLS)
EAP-TLS uses digital certificates for both user and server authentication. Again, when authentication is complete, both the client and the RADIUS server derive a dynamic WEP key for the session. - Protected EAP (PEAP)
PEAP uses a digital certificate for server authentication. For user authentication, PEAP supports various EAP-encapsulated methods within a protected TLS tunnel. Again, when authentication is complete, both the client and the RADIUS server derive a dynamic WEP key for the session.
For a more detailed explanation of the various EAP authentication processes, refer to the "Cisco SAFE Wireless LAN Security in Depth" whitepaper at http://www.cisco.com/go/safe.
WEP Enhancements
To overcome the vulnerabilities found in the 802.11 WEP protocol, the IEEE 802.11i security standard includes two encryption enhancements:
- Temporal Key Integrity Protocol (TKIP)
TKIP provides for a software enhancement to WEP that overcomes the vulnerabilities from weak initialization vectors (IVs) within the WEP encryption process and also from replay attacks. Weak IVs are overcome by the use of a per-packet keying process in which a hash is created from the WEP key and IV to produce a new packet key that is used for encryption. The use of a message integrity check (MIC) to prevent tampering of the wireless frame ensures mitigation against replay attacks. - Advance Encryption Standard (AES)
AES provides for a much stronger encryption standard than that currently available with WEP. AES uses key sizes of 128, 192, and 256 bits.
