Executive Briefing: Wireless Network Security

White Paper
Wireless Network Security
Three Levels of Wireless Security
If the user is both authenticated and authorized to access the network, and the access point has been verified
as part of the network, the security server tells the access point directly to admit the user. The security
server also derives a unique session key for this sign-on: it delivers the key to the access point, and the client
derives the same key from its own side of the authentication exchange, so the wireless traffic between the two
is encrypted under a key that no other user or session shares.
The authentication works in both directions. The access point must hold a trust relationship (a shared secret)
with the security server to take part in the exchange, and the client verifies that the real security server, not
just any device answering on the air, has authenticated it. This protects the user from associating with an
unauthorized access point set up to capture network data or credentials.
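The exchange described above, as an added example (not code from the paper or from any vendor's product): a simplified three-party model in Python in which the supplicant, the access point and the security server authenticate with an HMAC challenge/response, the server delivers the session key only to the access point, and the client derives the same key itself. The user store, the per-AP shared secrets, the message format and the key schedule are all constructed for this illustration; real EAP methods and RADIUS key delivery differ in detail but keep the same shape.

```python
"""Three-party 802.1X-style sign-on with a security server.

Added illustration, not the paper's code or any vendor's EAP implementation.
Messages, the HMAC-SHA256 challenge/response and the key schedule are
simplifications; real EAP methods and RADIUS key delivery differ in detail.
"""
import hashlib
import hmac
import secrets

# Constructed sample data (not from the paper).
USER_DB = {"alice": b"correct horse battery staple"}       # server's user store
AP_SECRETS = {"ap-01": b"radius-shared-secret-for-ap-01"}  # trust relationship per AP


def pw_key(password: bytes) -> bytes:
    """Long-term key shared by user and server, derived from the password."""
    return hashlib.sha256(b"pwkey|" + password).digest()


def prf(key: bytes, label: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over a label and length-prefixed message parts."""
    h = hmac.new(key, label, hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()


class SecurityServer:
    def __init__(self, user_db: dict, ap_secrets: dict):
        self.user_db, self.ap_secrets = user_db, ap_secrets

    def challenge(self, ap_id: str, ap_auth: bytes, user: str, client_nonce: bytes):
        """Identity request relayed by the AP, which must authenticate it with its
        shared secret. Replies with a nonce and the server's own proof."""
        secret = self.ap_secrets.get(ap_id)
        if secret is None or not hmac.compare_digest(
                ap_auth, prf(secret, b"ap-auth", user.encode(), client_nonce)):
            raise PermissionError("unknown or unauthenticated access point")
        if user not in self.user_db:
            raise PermissionError("unknown user")
        server_nonce = secrets.token_bytes(16)
        k = pw_key(self.user_db[user])
        return server_nonce, prf(k, b"server-proof", client_nonce, server_nonce)

    def accept(self, user: str, client_nonce: bytes, server_nonce: bytes,
               client_proof: bytes) -> bytes:
        """Verify the client's proof; on success derive the per-session key that
        is delivered to the AP (in RADIUS it rides in the Access-Accept)."""
        k = pw_key(self.user_db[user])
        if not hmac.compare_digest(
                client_proof, prf(k, b"client-proof", client_nonce, server_nonce)):
            raise PermissionError("user authentication failed")
        return prf(k, b"session-key", client_nonce, server_nonce)


class Supplicant:
    def __init__(self, user: str, password: bytes):
        self.k = pw_key(password)
        self.client_nonce = secrets.token_bytes(16)
        self.server_nonce = None

    def verify_server(self, server_nonce: bytes, server_proof: bytes) -> bytes:
        """Mutual authentication: continue only if the network proves it holds the
        user's key. Returns the client's proof for the server."""
        if not hmac.compare_digest(
                server_proof, prf(self.k, b"server-proof", self.client_nonce, server_nonce)):
            raise PermissionError("network failed to prove itself (rogue AP?)")
        self.server_nonce = server_nonce
        return prf(self.k, b"client-proof", self.client_nonce, server_nonce)

    def session_key(self) -> bytes:
        """Same derivation as the server's; the key itself never crosses the air."""
        return prf(self.k, b"session-key", self.client_nonce, self.server_nonce)


def run_session(server, ap_id: str, ap_secret: bytes, user: str, password: bytes):
    """One sign-on through AP ap_id. Returns (client's key, key delivered to the AP)."""
    sup = Supplicant(user, password)
    ap_auth = prf(ap_secret, b"ap-auth", user.encode(), sup.client_nonce)
    server_nonce, server_proof = server.challenge(ap_id, ap_auth, user, sup.client_nonce)
    client_proof = sup.verify_server(server_nonce, server_proof)
    ap_key = server.accept(user, sup.client_nonce, server_nonce, client_proof)
    return sup.session_key(), ap_key


def session_succeeds(server, ap_id, ap_secret, user, password) -> bool:
    try:
        run_session(server, ap_id, ap_secret, user, password)
        return True
    except PermissionError:
        return False


def rogue_ap_rejected(user: str, password: bytes) -> bool:
    """An evil-twin AP with no link to the server cannot forge the server proof,
    so the supplicant refuses before sending anything an attacker could reuse."""
    sup = Supplicant(user, password)
    try:
        sup.verify_server(secrets.token_bytes(16), secrets.token_bytes(32))
        return False
    except PermissionError:
        return True
```

Two sign-ons by the same user produce two different keys, an access point not registered with the server is refused, and an evil-twin access point that cannot produce the server proof is rejected by the supplicant before it sends anything an attacker could reuse.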
802.1X security overcomes two significant limitations of physical layer security used on its own. It provides a
unique encryption key for each user at every sign-on, and it removes the key management burden of
distributing and maintaining one common encryption key across all access points and users.
The security server allows network access to be managed on a per-user basis. It can tie in to existing corporate
user databases or directories to authenticate users against a common set of credentials, eliminating the need to
replicate and maintain a separate database of wireless users.
Combining 802.1X user authentication with physical layer security provides robust, strong security that, at the
time of writing, could not be broken with any known off-the-shelf software tools; the overall strength still
depends on the authentication method and the quality of the credentials used with the security server. It gives
wireless LAN users a high level of assurance that their data will remain protected and that only authorized
users can access the network.
While no security mechanism can be considered “absolutely secure”, the protection given by 802.1X security is
strong enough to defeat most sophisticated attacks. As such, layer 2 security offers a pragmatic, economical
mechanism that meets the requirements of most corporate environments. Gartner Research believes this level
of security will meet the needs of most businesses through 2005.
In cases where a higher level of data security is required, a VPN can be layered on top of the 802.1X security
server to add a further layer of encryption to the IP data.
3 — VPN Security
In environments where Triple DES encryption is required, or where data from the wireless network may pass
through the Internet, a VPN can provide another layer of security over an 802.1X-based solution.
A word of caution on VPN implementations for wireless security: early wireless deployments used a VPN as
the only security layer for the wireless LAN. This practice leaves security gaps open. A VPN encrypts only the
IP payload; the MAC and IP headers that carry it still travel in the clear, leaving the wireless network
vulnerable to a number of lower-level attacks on those headers, such as wireless session hijacking, rogue
access points and man-in-the-middle attacks.
802.1X-based security should be used to prevent unauthorized access to the network, to stop the sniffing and
theft of IP and MAC addresses, and to prevent session hijacking and man-in-the-middle attacks through rogue
access points. A VPN, while providing very strong encryption of the IP data, cannot prevent these lower-level
attacks.
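To make concrete what each layer does and does not hide, an added example (not code from the paper): a constructed 802.11 data frame carrying an IPv4 datagram, parsed the way an eavesdropper holding no keys would see it under no protection, VPN only, 802.1X-keyed link-layer encryption, and both combined. The frame bytes, addresses and keys are made up, and a toy SHA-256 counter keystream stands in for both the VPN cipher and the link-layer cipher (real link-layer ciphers also place an IV/key-ID field after the 802.11 header, omitted here); the 802.11, LLC/SNAP and IPv4 layout the parser walks is the real one.

```python
"""What an eavesdropper without keys can read from an 802.11 data frame.

Added illustration, not code from the paper. Frame bytes are constructed, and
a toy SHA-256 counter keystream stands in for both the VPN and the link-layer
cipher; the 802.11 / LLC-SNAP / IPv4 layout is the real one.
"""
import hashlib
import struct

DOT11_HDR_LEN = 24
SNAP_IPV4 = bytes.fromhex("aaaa030000000800")   # LLC/SNAP header, EtherType 0x0800
IPPROTO_TCP, IPPROTO_ESP = 6, 50


def toy_encrypt(key: bytes, data: bytes) -> bytes:
    """XOR with a SHA-256 counter keystream. Toy stand-in, not a real cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def build_frame(ip_proto: int, payload: bytes) -> bytes:
    """Constructed To-DS data frame: 802.11 header, LLC/SNAP, IPv4 header, payload."""
    dot11 = (b"\x08\x01\x00\x00"                      # frame control (data, To-DS), duration
             + bytes.fromhex("001122334455")          # addr1: BSSID (the AP)
             + bytes.fromhex("66778899aabb")          # addr2: source station
             + bytes.fromhex("ccddeeff0011")          # addr3: destination on the wired side
             + b"\x10\x00")                           # sequence control
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                     64, ip_proto, 0, bytes([10, 0, 0, 5]), bytes([203, 0, 113, 7]))
    return dot11 + SNAP_IPV4 + ip + payload


def esp_wrap(vpn_key: bytes, plaintext: bytes, spi: int = 0x1000, seq: int = 1) -> bytes:
    """Stand-in for an IPsec ESP packet: SPI and sequence number in the clear, then ciphertext."""
    return struct.pack("!II", spi, seq) + toy_encrypt(vpn_key, plaintext)


def protect_link_layer(frame: bytes, session_key: bytes) -> bytes:
    """Encrypt the frame body with a per-session link key, as 802.1X-keyed link
    encryption does. The 802.11 header stays in the clear in every real scheme too."""
    return frame[:DOT11_HDR_LEN] + toy_encrypt(session_key, frame[DOT11_HDR_LEN:])


def exposed(frame: bytes) -> dict:
    """Fields readable off the air with no keys at all."""
    info = {"bssid": frame[4:10].hex(":"), "src_mac": frame[10:16].hex(":"),
            "dst_mac": frame[16:22].hex(":")}
    body = frame[DOT11_HDR_LEN:]
    if not body.startswith(SNAP_IPV4) or body[8] >> 4 != 4:
        return info                                   # body is ciphertext: nothing above layer 2
    fields = struct.unpack("!BBHHHBBH4s4s", body[8:28])
    proto, src, dst = fields[6], fields[8], fields[9]
    info.update(src_ip=".".join(map(str, src)), dst_ip=".".join(map(str, dst)), ip_proto=proto)
    payload = body[28:]
    if proto == IPPROTO_ESP:
        info["esp_spi"] = struct.unpack("!I", payload[:4])[0]   # ESP header readable, payload not
    else:
        info["payload"] = payload
    return info


def scenarios() -> dict:
    """The same application data under the deployments the paper contrasts."""
    app = b"GET /payroll HTTP/1.1\r\n"                 # constructed cleartext
    vpn_key, link_key = b"vpn-session-key", b"dot1x-session-key"   # constructed keys
    clear = build_frame(IPPROTO_TCP, app)
    vpn_only = build_frame(IPPROTO_ESP, esp_wrap(vpn_key, app))
    return {
        "no protection": exposed(clear),
        "VPN only": exposed(vpn_only),
        "802.1X link encryption": exposed(protect_link_layer(clear, link_key)),
        "802.1X + VPN": exposed(protect_link_layer(vpn_only, link_key)),
    }


if __name__ == "__main__":
    for name, seen in scenarios().items():
        print(f"{name:24s} {sorted(seen)}")
```

With VPN only, the station and AP MAC addresses and the inner and outer IP addresses are all still readable, which is exactly the material an attacker needs to spoof a station or set up a rogue access point; with link-layer encryption keyed from 802.1X, nothing above the 802.11 header is readable, and the MAC addresses that remain visible cannot be used to inject traffic without the per-session key.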
If VPN security is required, a layered approach, with the VPN running over an 802.1X security server, is the
recommended design, as shown in Figure 3.