User's Manual
Table Of Contents
- Welcome to the Airespace Product Guide!
- OVERVIEWS
- About the Airespace System
- About the AireOS
- Single-Airespace Switch or Appliance Deployments
- Multiple-Airespace Switch and Appliance Deployments
- About AireOS Security
- About Airespace Wired Security
- About AireWave Director Software
- About the Master Airespace Switch or Appliance
- About the Primary Airespace Switch or Appliance
- About Client Roaming
- About External DHCP Servers
- About Airespace Mobility Groups
- About Airespace Wired Connections
- About Airespace WLANs
- About File Transfers
- About Power Over Ethernet
- About Airespace Switches and Appliances
- 4012 and 4024 Airespace Wireless Switch Models
- 4101 and 4102 Airespace WLAN Appliance Models
- Airespace Switch and Appliance Features
- Airespace Switch and Appliance Model Numbers
- Airespace Wireless Switch Direct Connect Mode
- Airespace Switches and Appliances in Appliance Mode
- Airespace Wireless Switch Hybrid Mode
- About the Distribution System Port
- About the Service (Management) Port
- About the Startup Wizard
- About Airespace Switch and Appliance Memory
- Airespace Switch and Appliance Failover Protection
- Switched Network Connection to the Airespace Switch or Appliance
- Enhanced Security Module
- About Airespace Access Points
- About Airespace AP Models
- About Airespace AP External and Internal Antennas
- About Airespace AP LEDs
- About Airespace AP Connectors
- About Airespace AP Power Requirements
- About Airespace AP External Power Converter
- About Airespace AP Mounting Options
- About Airespace AP Physical Security
- About Airespace AP Monitor Mode
- About Third-Party Access Points
- About Rogue Access Points
- About the Airespace Control System Software
- About the Airespace Web Browser Interface
- About the Airespace Command Line Interface
- About the Airespace System
- SOLUTIONS
10/10/03 AireOS Security
90-100584-004 Airespace Product Guide 9
About AireOS Security
AireOS Security bundles Layer 1, Layer 2 and Layer 3 802.11 Access Point security components into a
simple, system-wide policy manager that creates independent security policies for each of up to 16
Airespace WLANs and one third-party WLAN. (Refer to Airespace WLANs.)
One of the barriers that made enterprises avoid deploying 802.11 networks was the inherent weakness
of WEP (Wired Equivalent Privacy) encryption. Because WEP is so insecure, enterprises have been
looking for more secure solutions for business-critical traffic.
The Layer 2 WEP weakness problem can be overcome using more-robust industry-standard security
solutions, such as:
• 802.1X dynamic keys with EAP (extended authorization protocol), or
• WPA (Wi-Fi protected access) dynamic keys. The Airespace WPA implementation includes:
- AES (advanced encryption standard),
- TKIP + Michael (temporal key integrity protocol + message integrity code checksum)
dynamic keys, or
- WEP (Wired Equivalent Privacy) keys.
The WEP problem can be further solved using industry-standard Layer 3 security solutions, such as:
• Terminated and pass-through VPNs (virtual private networks), and
• Terminated and pass-through IPSec (IP security) protocols. The terminated Airespace IPSec
implementation includes:
- IKE (internet key exchange),
- DH (Diffie-Hellman) groups, and
- Three optional levels of encryption: DES (ANSI X.3.92 data encryption standard), 3DES
(ANSI X9.52-1998 data encryption standard), or AES/CBC (advanced encryption
standard/cipher block chaining).
The Airespace IPSec implementation also includes industry-standard authentication using:
- MD5 (message digest algorithm), or
- SHA-1 (secure hash algorithm-1).
• The Airespace System supports local and RADIUS MAC (media access control) filtering.
• The Airespace System supports local and RADIUS user/password authentication.
• The Airespace System also uses manual and automated Blacklisting to block access to network
services. In manual Blacklisting, the operator blocks access using client MAC addresses. In
automated Blacklisting, which is always active, the AireOS software automatically blocks access
to network services for an operator-defined period of time when a client fails to authenticate for
a fixed number of consecutive attempts. This can be used to deter brute-force login attacks.
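The manual and automated Blacklisting behavior described above, sketched as an added Python example; it is not AireOS code and does not come from the Airespace manual. The threshold of 3 failures, the 60-second period, the class and method names, and the MAC addresses are assumptions constructed for illustration.

```python
class Blacklist:
    """Manual plus automated client blacklisting keyed on MAC address."""

    def __init__(self, max_failures=3, block_seconds=60):
        # Both defaults are assumptions: the manual says only "a fixed number"
        # of attempts and "an operator-defined period of time".
        self.max_failures = max_failures
        self.block_seconds = block_seconds
        self.manual = set()   # operator-entered MACs; no expiry
        self.fails = {}       # MAC -> consecutive failed attempts
        self.until = {}       # MAC -> time at which the automatic block ends

    def block_manual(self, mac):
        self.manual.add(mac.lower())

    def is_blocked(self, mac, now):
        mac = mac.lower()
        if mac in self.manual:
            return True
        if now < self.until.get(mac, 0):
            return True
        self.until.pop(mac, None)   # automatic block has expired
        return False

    def record_auth(self, mac, success, now):
        """Feed one authentication result and return the decision for it."""
        mac = mac.lower()
        if self.is_blocked(mac, now):
            return "blocked"            # even a correct credential is refused
        if success:
            self.fails.pop(mac, None)   # success resets the consecutive count
            return "allowed"
        self.fails[mac] = self.fails.get(mac, 0) + 1
        if self.fails[mac] >= self.max_failures:
            self.until[mac] = now + self.block_seconds
            self.fails.pop(mac, None)
            return "blacklisted"
        return "failed"

# Constructed sample events: (seconds, client MAC, authentication succeeded)
EVENTS = [
    (0, "02:00:00:00:00:01", False),
    (1, "02:00:00:00:00:01", False),
    (2, "02:00:00:00:00:02", False),
    (3, "02:00:00:00:00:02", True),    # success clears this client's count
    (4, "02:00:00:00:00:01", False),   # third consecutive failure
    (5, "02:00:00:00:00:01", True),    # inside the block window
    (70, "02:00:00:00:00:01", True),   # block ended at t=64
]

def replay(events, bl):
    return [bl.record_auth(mac, ok, t) for t, mac, ok in events]
```

Replaying `EVENTS` shows that a correct credential presented inside the block window is still refused, which is what limits the guess rate of a brute-force login attempt.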
These and other AireOS Security features use industry-standard authorization and authentication
methods to ensure the highest possible security for your business-critical wireless LAN traffic.
For information about Airespace wired security, refer to Airespace Wired Security.