Wi-Fi Security

WISDOM Advanced Security Measures WISDOM Advanced Security is designed for high-level security WLANs in a converged network that are subject to regulations or legal security requirements such as the Health Insurance Portability and Accountability Act (HIPAA) of 1996 (U.S. Department of ... [full story]

WISDOM Intermediate Security Measures WISDOM Intermediate Security is designed for WLANs in a converged network that contains proprietary or very sensitive data. WISDOM Intermediate Security also requires that the WLAN security management considerations and those required for WISDOM Basic Security described ... [full story]

WISDOM Basic Security Measures WISDOM Basic Security is defined as the minimum security requirements for WLANs attached to a converged network. WISDOM Basic Security also requires that the WLAN security management considerations described earlier be implemented as part of its layered ... [full story]

Applying WISDOM to WLAN Security WISDOM, as proposed by James F. Ransome in his doctoral dissertation [1], provides three tiered security options with proper hardware, software, and security requirements to secure a WLAN at a corresponding security level equivalent to the ... [full story]

WLAN Security Management Considerations Managing and maintaining a secure wireless network (and associated devices) requires significant effort, resources, and vigilance and involves the following steps: (1) maintaining a full understanding of the topology of the wireless network, (2) labeling and keeping ... [full story]

Costs of Securing WLANs What are the costs associated with securing wireless networks? Compare the cost of the solution(s) against the assets the organization is trying to protect. Are security costs worth the investment, considering the risks, in implementing a WLAN? ... [full story]

Risk Assessments Revisited It is not useful to secure a WLAN if the data is not worth protecting. The two primary types of assets to protect on a WLAN are sensitive data and network services: Sensitive data. Sensitive can mean different things ... [full story]

WISDOM for WLAN Practitioners We have identified the 802.11 WLAN as the most vulnerable and critical node in wireless converged network security. WLANs can easily be reconfig-ured, are very mobile, allow for potentially continuous exposure, and require the level of security ... [full story]

802.11i and WiFi Protected Access The IEEE 802.11i standard [22] for WLAN security is still in draft format as of this writing, but wireless vendors have released key components under the name Wireless-Fidelity, or WiFi, Protected Access (WPA). Some features of ... [full story]

Multifactor Authentication Multifactor authentication solutions use more than one credential criteria to authenticate a user. The three different types of authentication criteria that can be combined to create a multifactor solution are Something you know (usernames/passwords) Something you have (token, SecureID, SmartCard) Something you ... [full story]

LDAP LDAP is a directory service based on the X.500 Directory Services model that performs operations management functions, acting as a storehouse of information for applications and as a central part of modern OS services. LDAP is both an information repository ... [full story]

RADIUS RADIUS is a widely deployed protocol for network access AAA. Although there are many issues with RADIUS, including issues with security and transport, it will more than likely remain widely used for years to come because it is simple, efficient, ... [full story]

Kerberos The Kerberos protocol was first developed by engineers at the Massachusetts Institute of Technology (MIT) in the late 1980s as part of MIT's project Athena [3]. Kerberos is a security system that provides authentication and message protection and is appropriately ... [full story]

Using Kerberos, RADIUS, and LDAP for WLAN Authentication While wireless networking applications benefit from location independence and freedom of mobility, they all have the same security challenge— authentication. When considering a security implementation, authentication is a key component of any security ... [full story]

Baselining Baselining is a procedure where data is collected to measure the performance of selected network segments over a period of time, typically several hours to several days. These data are used as a historical benchmark against which suspicious or anomalous ... [full story]

Using DHCP Services for Authentication The Dynamic Host Configuration Protocol (DHCP) provides a framework for passing configuration information to hosts on a TCP/IP network, handling the authentication of users, and assigning unique IP addresses to incoming network access requests. Network administration ... [full story]

Security Advantages of Thin Clients in a Wireless Environment Thin clients operate as a hybrid instance of a mainframe terminal using the client/server model, where the client is running on a local operating system and all processing is done on the ... [full story]

Intrusion Detection Systems Intrusion Detection Systems (IDSs) have been a critical security component of wired networks for a number of years now. They are beginning to appear in the wireless security software marketplace and have been specifically designed with the discrete ... [full story]

Additional WLAN Security Solutions This chapter deals with topics crucial to WLAN security that deserve special attention. Each has a useful and unique approach to WLAN security and merits coverage in this text. The subjects in this chapter are unrelated to ... [full story]

Subnet Roaming Unfortunately, mobile users often experience broken network sessions as they transit (roam) subnet boundaries. One way to solve this problem is with the use of a vendor subnet-roaming solution that provides session and network layer address persistence. Most EWG ... [full story]

Other WLAN Security Issues 10.5.1 Rate Limitation Because 802.11 WLANs use a half-duplex medium, the maximum throughput of 801.11b access points is approximately 5 Mbps. This is shared between simultaneous users on each access point. Administrators may want to limit or control ... [full story]

Techniques In this section, the techniques of network segmentation, redundancy, NAT / Network Address Port Translation (NAPT) and RBAC are discussed in relation to their ability to enhance the security of WLANs. Network segmentation and redundancy is presented from the viewpoint ... [full story]

Segmentation Devices WLANs pose a unique problem because they do not have physical barriers and is data broadcast in the air. In general, a WLAN is more vulnerable to compromise and is less secure than a wired network. This requires wireless ... [full story]

Enhancing WLAN Security In this section, segmentation devices and other techniques that can be used to enhance WLAN security are described. Segmentation devices are security devices that are used when implementing a demarcation between wired and wireless networks to mitigate the ... [full story]

Tools and Technologies to Enhance VPN Security In this section, the tools and technologies used to enhance VPN security in a WLAN are described. Such tools include secure shells, port forwarding, secure file transfer, public key authentication, and Mobile IP. The ... [full story]

VPN Types Although there are many types of VPNs (including remote access, extranets, branch offices, SOHO, and wireless), there are only two types of connections: remote access and router-to-router. This section provides an overview of how VPN technology is used with ... [full story]

VPNs in a WLAN Environment As the Internet has increased in popularity, its use as a public medium for transporting data between private networks has also increased. Correspondingly, the inherent security risks of transited data over the Internet has also increased. ... [full story]

EAP Authentication Types Several different EAP protocol types are used with WLANs today. Some are complicated to deploy, some are more secure than others, and some are not considered secure. The differences between the types of EAP that can be deployed ... [full story]

EAP and its Variants An understanding of Point-to-Point Protocol (PPP) is required before you can understand EAP. PPP is used for dial-up connections to the Internet and to establish a connection over a point-to-point link. Once a link is established, PPP ... [full story]

Using Dynamic WEP (802.1x and EAP) to Address Authentication and Encryption Flaws in 802.11 802.11 unauthenticated, cleartext management, and control frames mitigate the basic security flaws that have resulted in numerous attack scenarios targeted at WLANs. There are numerous authentication and ... [full story]

When and How to Use TKIP and WEP Many wireless security companies base their marketing strategy on the vulnerabilities of WEP. Even if the hacker is on a fully used wireless network using WEP cracking tools such as WEPcrack [3] or ... [full story]

How TKIP Addresses the Weaknesses in WEP TKIP is a set of modifications the IEEE 802.11i task group created as a measure to augment security issues found in the existing WEP algorithm. WEP is susceptible to forgery, weak-key, collision, and replay ... [full story]