Wireless LAN Security
The approval of the IEEE 802.11 standard for wireless local area networks
(WLANs) and the subsequent fall in prices for wireless network interface cards
(NICs) and wireless access points (APs) has caused an explosion in demand for
wireless LAN capability. Because of this demand, network administrators have had
to deal with two conflicting issues. Network administrators want to provide users
with the flexibility and convenience that wireless network access offers while
maintaining network security and integrity.
(WLANs) and the subsequent fall in prices for wireless network interface cards
(NICs) and wireless access points (APs) has caused an explosion in demand for
wireless LAN capability. Because of this demand, network administrators have had
to deal with two conflicting issues. Network administrators want to provide users
with the flexibility and convenience that wireless network access offers while
maintaining network security and integrity.
This whitepaper examines WLAN security beginning with the basic 802.11 security
features and shortcomings. It continues by exploring the additional security features
offered by 802.1x. Finally, it introduces Cisco’s LEAP authentication scheme and
discusses how using LEAP with Interlink Networks RAD-Series AAA servers offers
strong security for WLAN users.
802.11 SECURITY FEATURES
The 802.11 standard provides for two primary security features that, unfortunately,
fall short of a truly secure solution. Both of the solutions operate on the data link
layer of the network.
fall short of a truly secure solution. Both of the solutions operate on the data link
layer of the network.
SSID – Service Set Identifier
The SSID is a piece of information used to identify a particular access point to
stations wishing to use a wireless network. Thus, the SSID is analogous to a
common network name shared by the wireless station and access points. The SSID
must either be pre-configured or advertised in beacon broadcasts.
Because the SSID is transmitted in the clear in beacon frames by default, it provides
very little security. A rogue access point could read the SSID from beacon frames
and assume the identity of the legitimate access point. This could potentially allow
the hijacking of the stations’ traffic.
The SSID is a piece of information used to identify a particular access point to
stations wishing to use a wireless network. Thus, the SSID is analogous to a
common network name shared by the wireless station and access points. The SSID
must either be pre-configured or advertised in beacon broadcasts.
Because the SSID is transmitted in the clear in beacon frames by default, it provides
very little security. A rogue access point could read the SSID from beacon frames
and assume the identity of the legitimate access point. This could potentially allow
the hijacking of the stations’ traffic.
WEP - Wired Equivalent Privacy
According to the 802.11 standard, Wired Equivalent Privacy (WEP) was intended to
provide “confidentiality that is subjectively equivalent to the confidentiality of a
wired local area network (LAN) medium that does not employ cryptographic
techniques to enhance privacy.”
According to the 802.11 standard, Wired Equivalent Privacy (WEP) was intended to
provide “confidentiality that is subjectively equivalent to the confidentiality of a
wired local area network (LAN) medium that does not employ cryptographic
techniques to enhance privacy.”
WEP relies on a secret key that is shared between a mobile station and an access
point. WEP uses the RC4 stream cipher invented by RSA Data Security. RC4 is a
symmetric stream cipher that uses the same variable length key for encryption and
decryption. With WEP enabled, the sender encrypts the data frame payload and
replaces the original payload with the encrypted payload. The sender then forwards
the encrypted frame to its destination. The encrypted data frames are sent with the
MAC header WEP bit set. Thus, the receiver knows to use the shared WEP key to
decrypt the payload and recover the original frame. The new frame, with an
unencrypted payload can then be passed to an upper layer protocol.
point. WEP uses the RC4 stream cipher invented by RSA Data Security. RC4 is a
symmetric stream cipher that uses the same variable length key for encryption and
decryption. With WEP enabled, the sender encrypts the data frame payload and
replaces the original payload with the encrypted payload. The sender then forwards
the encrypted frame to its destination. The encrypted data frames are sent with the
MAC header WEP bit set. Thus, the receiver knows to use the shared WEP key to
decrypt the payload and recover the original frame. The new frame, with an
unencrypted payload can then be passed to an upper layer protocol.
WEP provides two main features. It denies access to the network by unauthorized
users that do not have the appropriate WEP key. It also prevents the decoding of
captured the encrypted WLAN traffic without the possession of the WEP key.
users that do not have the appropriate WEP key. It also prevents the decoding of
captured the encrypted WLAN traffic without the possession of the WEP key.
