Security Solutions
Access Control Concepts
Network Access Control Technologies
In terms of access control, dynamic WEP is quite secure. Dynamic WEP also provides better data protection: because each station has its own key, a hacker finds it much more difficult to collect enough keys to crack one. Wi-Fi Protected Access (WPA)/WPA2, however, provides an even higher measure of security.
WPA/WPA2 and 802.11i
802.11i was developed to amend the flaws of WEP; however, it was not fully adopted until 2004, several years after WEP was cracked. WPA, a Wi-Fi standard, emerged in the interim.

WPA meets the first part of the 802.11i standard, the specifications for the Temporal Key Identity Protocol (TKIP), which provides data privacy, and Michael, which provides data integrity. WPA2 meets the full standard, which calls for even more secure encryption via Counter Mode with CBC-MAC Protocol (CCMP) with Advanced Encryption Standard (AES). These protocols provide privacy and integrity for data transmitted in the wireless network. A full discussion of the protocols is not pertinent to this design guide; it is sufficient to know that WPA/WPA2 is not susceptible to key-cracking tools.

In addition to providing encryption, WPA/WPA2 requires users to authenticate before joining the wireless network. This function is, of course, the most crucial to your access control design.
Under normal (sometimes called Enterprise) operation, WPA/WPA2 uses 802.1X authentication to control which users can connect. In this mode, WPA/WPA2 affords all of the benefits that are associated with 802.1X on Ethernet connections:
■ Secure, per-user authentication
■ Choice of EAP method that meets your network’s security policy
■ Per-user rights received as dynamic settings from the authentication server
If, for whatever reason, you do not want to implement 802.1X, you can still take advantage of WPA/WPA2’s highly secure encryption. The WPA/WPA2 Preshared Key (PSK) option allows users to enter a shared key (password) to authenticate to a wireless network that implements TKIP or CCMP/AES encryption. You can then add another authentication method (MAC-Auth or Web-Auth) or simply assume that the shared key provided sufficient access control for your purposes.
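A design reviewer usually wants to confirm that each access point actually runs the tier chosen above (WEP vs. WPA/TKIP vs. WPA2/CCMP, and Enterprise 802.1X vs. PSK). The following audit script is an added example, not part of this guide or any vendor product; it reads hostapd-style `key=value` settings (the key names are hostapd's, the four sample configurations are constructed) and reports where a configuration falls short of the policy.

```python
# Constructed sample access-point configurations in hostapd key=value style.
CONFIGS = {
    "legacy_wep": "ssid=corp\nwep_default_key=0\nwep_key0=0123456789\n",
    "wpa_tkip_psk": "ssid=corp\nwpa=1\nwpa_key_mgmt=WPA-PSK\nwpa_pairwise=TKIP\n"
                    "wpa_passphrase=constructed-secret\n",
    "wpa2_ccmp_psk": "ssid=corp\nwpa=2\nwpa_key_mgmt=WPA-PSK\nrsn_pairwise=CCMP\n"
                     "wpa_passphrase=constructed-secret\n",
    "wpa2_enterprise": "ssid=corp\nwpa=2\nwpa_key_mgmt=WPA-EAP\nrsn_pairwise=CCMP\n"
                       "ieee8021x=1\nauth_server_addr=192.0.2.10\n",
}

def parse_config(text):
    """Parse key=value lines, skipping blanks and '#' comments."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings

def classify(settings):
    """Return (tier, authentication, pairwise ciphers) in the guide's terms."""
    if any(k.startswith("wep_key") for k in settings):
        return ("WEP", "shared key", {"WEP"})
    wpa = int(settings.get("wpa", "0"))          # hostapd: bit 1 = WPA, bit 2 = WPA2/RSN
    if wpa == 0:
        return ("open", "none", set())
    ciphers = set(settings.get("wpa_pairwise", "").split())
    ciphers |= set(settings.get("rsn_pairwise", "").split())
    mgmt = settings.get("wpa_key_mgmt", "WPA-PSK").split()
    auth = "802.1X/EAP" if "WPA-EAP" in mgmt else "preshared key"
    tier = "WPA2" if (wpa & 2) and "CCMP" in ciphers else "WPA"
    return (tier, auth, ciphers)

def audit(name, text, require_8021x=True):
    """List policy findings for one access point; an empty list means it complies."""
    tier, auth, ciphers = classify(parse_config(text))
    findings = []
    if tier in ("open", "WEP"):
        findings.append(f"{name}: {tier} offers no effective access control; move to WPA2")
    if "TKIP" in ciphers:
        findings.append(f"{name}: TKIP still allowed; restrict the pairwise cipher to CCMP")
    if require_8021x and auth != "802.1X/EAP":
        findings.append(f"{name}: PSK gives no per-user authentication; "
                        "use 802.1X or add MAC-Auth/Web-Auth")
    return findings

if __name__ == "__main__":
    for ap_name, cfg in CONFIGS.items():
        print(ap_name, classify(parse_config(cfg)), audit(ap_name, cfg))
```

Pass `require_8021x=False` when the design deliberately relies on PSK plus MAC-Auth or Web-Auth, so only the WEP and TKIP findings remain.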