User's Guide
Unique Key: The unique key slot is supported by some NICs and allows a more robust static
key operation by assigning a specific key to each device based on the MAC address. The unique
key is used to encrypt unicast packets, as the default session key is still necessary for broadcast
packets.
SOME ATTACK TYPES
Wireless attacks can be categorized into two types: passive and active. Passive attacks involve
sniffing the wireless network to acquire as much information as possible about the network.
Active attacks can range from hijacking a session to massive denial of service.
Passive Attack: The passive attacker is looking to crack the encryption key by listening to
enough packets and finding repetition in the IV. Since the IV is sent in the clear, and comprises
as much as 33% of the cipher, intelligent guesses about the cipher can begin with as little as two
or three frames with the same IV. Typically it will take more frames than that, but it is estimated
that a 128 bit static WEP key can be cracked in as little as 4 hours on a high traffic network (1-2
million frames per hour). Both AES and WPA have guards to protect against this type of attack.
Active Attack: The active attack is typically concentrated on a particular session created by
either a valid user or the attacker. Most often, the attacker will attempt to send a known
(unencrypted) packet or message over the Internet to an observable wireless user and can
then decrypt a single packet. If repeated enough times, the attacker can use the known packet
to build the key base and finally crack the key. The attack can also come from the other
direction: by intercepting a frame and flipping bits in such a manner as to fool the standard
WEP Integrity Check Value, the attacker causes a known error message to be generated by some
upper layer in the network and encrypted by the access point back to the attacker. Denial of
service can occur if a rogue device sends disassociation packets to valid devices, or floods
the wireless area with association requests to the AP.
SECURITY DEVICES
The 802.1x security model requires a supplicant (802.1x client on device), RADIUS client (AP),
an authenticator (RADIUS server like MS Internet Authentication Service), and a certificate
generator (MS Certificate Authority or similar). The authenticator verifies the identity of the
supplicant against the user list (MS Active Directory, for instance) located on the same or a
remote host. Before the authentication process takes place, the user list must contain the identity
and credentials of the device (or user), which can be a simple username and password or a
certificate generated by a certificate server. The certificate is typically pre-installed on the
supplicant over a wired connection (you can’t get a certificate over wireless because you don’t
have a certificate) and doesn’t require maintenance unless there is a security breach or the root
certificate is no longer valid.
IEEE 802.11I
The 802.11i standard addresses all of the known weaknesses associated with the WEP cipher
and wireless security in general. It mandates the use of 802.1x for remote authentication, and the
AES cipher using the CCMP scheme to provide a Robust Security Network (RSN). TKIP is
supported as an option under 802.11i.