Hirschmann Technology Paper
Overview of WLAN security functions
Hirschmann. Symply a good Connection
The increasingly widespread use of WLAN technology has led to higher demands on security mechanisms to protect the transmitted data from interception by unauthorised persons. Data in a WLAN are transmitted through the air, which makes controlling and limiting access to the data far more difficult than with a cabled LAN.
Advancements have been made since the early days of IEEE 802.11, and recent years have seen the development of new functions and standards for the protection of modern WLANs.
WLAN security mechanisms generally aim to fulfil the following functions:
• Authentication
Only authorized users should have access to the WLAN and should connect only to their designated access points.
• Integrity
The transmitted data should arrive at the receiver in their original form; manipulated data must be recognized as such and rejected.
• Confidentiality
Unauthorized third parties should not be able to intercept the data traffic.
This techpaper provides an overview of the security functions provided by the Hirschmann BAT54-Rail. Further information about the underlying technology is available from other techpapers; concrete details about configuring the functions in the Hirschmann BAT54-Rail are available in the reference manual for the respective version of LCOS.
Hirschmann recommends that you utilise all of the available security mechanisms for the protection of your wireless networks. You should regularly update the firmware of your Hirschmann BAT54-Rail so that you can use all of the available security functions.
WEP64/128/152
WEP (Wired Equivalent Privacy) is the function incorporated in the original WLAN standard for the encryption of transmitted data. The primary aim of WEP is the protection of the data from unauthorized interception. It makes use of symmetric keys of various lengths.
Embedded in the standard are the basic encryption methods WEP64 and WEP128, which ensure compatibility with all standard client adapters available on the market. Hirschmann BAT54-Rail devices also support encryption with WEP152, which makes use of an even longer key. All AirLancer client adapters support this feature.
WEP can provide a basic level of encryption that protects the network from unauthorised snoopers. Hackers are at least presented with a slight hurdle that complicates the interception of data.
WLANs protected only by WEP are easily "cracked" by experts, so this method can only be recommended for home use, and even then the WEP key needs to be changed regularly.
More information about WEP is available in the Hirschmann techpaper "WPA and IEEE 802.11i". Instructions for setting up WEP encryption are available in the reference manual and in the user manual for the Hirschmann BAT54-Rail.
MAC filter list (ACL)
A simple yet effective method for authentication is the use of a MAC address filter. The MAC addresses of authorised client adapters are entered into a list (ACL, Access Control List) in the access point, which then only permits WLAN access to authorised users. For larger installations, the ACL can be centrally administered by a RADIUS server.
Since an experienced hacker can get around the limitations set by an ACL, this method should not be used as the sole security mechanism.
Instructions for setting the ACL are to be found in the reference manual.
Closed Network
Each cell in a wireless network is identified by a network name, the SSID (Service Set Identifier). A client adapter can only connect to a wireless network if it is programmed with the SSID.
The factory settings for many wireless networks use the SSID "any", the continued use of which would relieve a potential intruder of the need to find out the wireless LAN's SSID. This can be prevented with the Closed Network function: it excludes the option of registering with the SSID "any", so each user must know the SSID exactly to be able to log onto the WLAN.
Instructions for setting up the Closed Network function are available in the reference manual.
SSID broadcast
Access points announce the presence of the available wireless networks by transmitting the SSID. Potential intruders benefit from this public announcement, which offers a first step towards entering a WLAN; they can search at random for wireless networks by "scanning" the environment.
The SSID broadcast can be suppressed to prevent unauthorised users from finding a network by scanning. The name of the WLAN network will no longer appear in the scanner software's results list. Sophisticated scanning tools are still able to find out the SSID, however. Since these tools do not belong to the standard equipment for WLAN clients, the suppression of the SSID broadcast does present an additional hurdle to intrusion into the WLAN network.
It is not possible to suppress SSID broadcasting in wireless networks that operate with the IEEE 802.11a standard.
Instructions for suppressing the SSID broadcast are to be found in the reference manual.
WPA & IEEE 802.11i
The WEP data encryption implemented in the IEEE 802.11 standard has been demonstrated to be insufficient for protecting wireless LANs from professional attacks. WPA and IEEE 802.11i are significantly improved encryption methods, now available, that address these known security loopholes and offer reliable protection from attack for your wireless networks.
More information about WPA and IEEE 802.11i is available in the Hirschmann techpaper "WPA and IEEE 802.11i". Instructions for setting up this encryption are available in the reference manual and in the user manuals for the Hirschmann BAT54-Rail.
WPA
WPA uses an improved, software-based encryption method to close the security loopholes in WEP. In particular, the dynamic key portion (initial vector) is no longer transmitted unencrypted and, with its 48 bits, is twice as long as with WEP. Further, WPA changes the key regularly so that true session keys are available even without a RADIUS server.
WPA in combination with IEEE 802.1x also offers the option of authentication in corporate networks.
IEEE 802.11i
When the hardware-accelerated AES-CCM encryption algorithm is used in combination with IEEE 802.11i, an even higher level of encryption than WPA can be achieved, comparable with VPN. This comes with no loss in performance thanks to the hardware acceleration. The maximum bandwidth (e.g. up to 108 Mbps in turbo mode) can be used to the full.
IEEE 802.11i with passphrase
A simple way of encrypting a WLAN connection with IEEE 802.11i in a small network is to set up a "passphrase" for each wireless network. This is entered directly into the access point and client adapter. The passphrase serves as the basis for calculating the encryption key for each connection and each time period of a WLAN connection.
Ideally, the passphrases should be as long and as complex as possible, available only to the relevant persons, and changed regularly.
The weak link is the 'human' factor in the distribution and management of the passphrase. Regular changes in the passphrase and as complex a structure as possible are recommended to address this weakness.
Encryption with passphrase according to IEEE 802.11i is available with version 3.50 and higher.
IEEE 802.11i for point-to-point connections
The introduction of IEEE 802.11i means that, for the first time, point-to-point (P2P) connections can be directly encrypted; additional protection from VPN is no longer necessary. The hardware acceleration in the Hirschmann BAT54-Rail carries out this encryption without loss of performance.
IPSec over WLAN
When using a VPN gateway in the access point, an alternative to IEEE 802.11i for encrypting WLAN connections is IPSec. This method is also suitable for making point-to-point connections absolutely secure from attack.
Mastering this complex technology is made easy with BAT54-Rail devices. Wizards and management tools help with fast configuration.
The BSI (the German Federal Office for Information Security) still recommends IPSec via WLAN as the most secure method of WLAN protection.
IEEE 802.1x
The protocol IEEE 802.1x in combination with IEEE 802.11i offers, in large networks, the possibility of authenticating every single WLAN connection. The exchange of keys or passphrases is unnecessary for this.
Advanced knowledge of networking is a requirement for establishing an IEEE 802.1x infrastructure, as are a CA server and an IEEE 802.1x server. This makes this application most realistic for larger company networks.
Further information about IEEE 802.1x can be found in the Hirschmann techpaper "IEEE 802.1x".
LEPS
LEPS (LANCOM Enhanced Passphrase Security) in the BAT54-Rail is an efficient method that makes use of the simple configuration of IEEE 802.11i with passphrase but avoids the potential error sources in passphrase distribution.
LEPS uses an additional column in the ACL to assign an individual passphrase, consisting of any 4 to 64 ASCII characters, to each MAC address.
The connection to the access point and the subsequent encryption with IEEE 802.11i or WPA are only possible with the right combination of passphrase and MAC address. This combination makes the spoofing of MAC addresses futile, and LEPS thus shuts out a potential attack on the ACL. If WPA or IEEE 802.11i are used for encryption, the MAC address can indeed be intercepted, but this method never transmits the passphrase over wireless. This greatly increases the difficulty of attacking the WLAN, as the combination of MAC address and passphrase requires both to be known before an encryption can be negotiated.
LEPS can be used both locally in the device and centrally managed with a RADIUS server.
LEPS works with all WLAN client adapters available on the market without any modification. Full compatibility with third-party products is assured, as LEPS only involves configuration in the access point.
An additional security aspect: LEPS can also be used to secure single point-to-point (P2P) connections with an individual passphrase. Even if an access point in a P2P installation is stolen and its passphrase and MAC address become known, all other WLAN connections secured by LEPS remain secure, particularly when the ACL is stored on a RADIUS server.
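The following Python model is an added illustration (not Hirschmann or LANCOM code) of two points made above: how an IEEE 802.11i passphrase is turned into per-connection session keys without ever being sent over the air, and why a spoofed MAC address alone does not get past a LEPS-style per-MAC passphrase check. The PMK derivation (PBKDF2-HMAC-SHA1 salted with the SSID) and the PTK expansion follow IEEE 802.11i; the SSID, MAC addresses, ACL entries and the handshake message body are constructed stand-ins.

```python
"""Model of IEEE 802.11i passphrase key derivation and a LEPS-style per-MAC
check. Added example, not Hirschmann/LANCOM code. The SSID, MAC addresses,
ACL entries and the EAPOL message body below are constructed stand-ins."""
import hashlib
import hmac
import os


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Pairwise Master Key as IEEE 802.11i specifies for passphrases:
    PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds) -> 256 bits.
    The passphrase itself never leaves the device; only keys derived
    from it are used on the air."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("ascii"), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11i PRF-n: concatenated HMAC-SHA1(key, label||0x00||data||i)."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]),
                        hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes,
               anonce: bytes, snonce: bytes, nbytes: int = 48) -> bytes:
    """Pairwise Transient Key for one association (384 bits for CCMP).
    Fresh nonces on every handshake and rekey give each connection and
    each time period its own session key although the passphrase is static.
    The first 16 bytes are the KCK that authenticates handshake messages."""
    data = (min(aa, spa) + max(aa, spa)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, nbytes)


# Constructed LEPS-style ACL: one individual passphrase per client MAC.
SSID = "bat54-demo"
AP_MAC = bytes.fromhex("00c0ff000001")
LEPS_ACL = {
    bytes.fromhex("001122334455"): "north-bridge-passphrase",
    bytes.fromhex("00aabbccddee"): "south-bridge-passphrase",
}


def handshake_mic(ptk: bytes, message: bytes) -> bytes:
    """HMAC-SHA1-128 MIC over a handshake message, keyed with the KCK."""
    return hmac.new(ptk[:16], message, hashlib.sha1).digest()[:16]


def ap_accepts(client_mac: bytes, client_passphrase: str,
               acl: dict = LEPS_ACL, ssid: str = SSID) -> bool:
    """Simulate the access point's decision. The client must (1) be listed
    in the ACL and (2) prove in the 4-way handshake that it holds the PMK
    derived from the passphrase stored for that MAC. A spoofed MAC alone
    passes step 1 but fails step 2."""
    if client_mac not in acl:
        return False
    anonce, snonce = os.urandom(32), os.urandom(32)
    msg2 = b"EAPOL-Key msg2 (constructed)" + snonce  # stand-in frame body
    # Client side: keys from whatever passphrase the client actually holds.
    client_ptk = derive_ptk(derive_pmk(client_passphrase, ssid),
                            AP_MAC, client_mac, anonce, snonce)
    # AP side: keys from the ACL entry belonging to the claimed MAC.
    ap_ptk = derive_ptk(derive_pmk(acl[client_mac], ssid),
                        AP_MAC, client_mac, anonce, snonce)
    return hmac.compare_digest(handshake_mic(client_ptk, msg2),
                               handshake_mic(ap_ptk, msg2))


def revoke(acl: dict, mac: bytes) -> dict:
    """Drop one entry (e.g. a stolen P2P partner); every other link keeps
    its own passphrase, so nothing else has to be re-keyed."""
    return {m: p for m, p in acl.items() if m != mac}
```

`derive_pmk("password", "IEEE")` reproduces the PSK test vector given in the IEEE 802.11i standard, which is a quick way to confirm the derivation is the standard one.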
Hirschmann Automation and Control GmbH I Stuttgarter Str. 45-51 I 72654 Neckartenzlingen I Deutschland I hac-support@hirschmann.de I www.hirschmann-ac.com
© 2007 Hirschmann Automation and Control GmbH and LANCOM Systems GmbH. All rights reserved. LANCOM, LANCOM Systems, LCOS and LANvantage are registered trademarks. All other names or descriptions used may be trademarks or registered trademarks of their owners. Subject to change without notice. No liability for technical errors and/or omissions. Version 1.0
MultiSSID
MultiSSID enables up to eight logical WLAN networks to operate on just one physical WLAN interface, each with its own SSID. This method allows one single access point to support multiple WLAN networks, each with different security settings. This means that a single access point can simultaneously support one WLAN that is completely open and another that is protected with IEEE 802.11i, for example.
Further information about MultiSSID can be found in the Hirschmann techpaper "MultiSSID".
VLAN
Virtual networks (VLANs) enable the security measures for logical WLANs to be "extended" into the cabled network. This involves the assignment of each logical wireless network to a certain virtual network. Data traffic from particularly security-sensitive wireless networks can thus be protected from eavesdroppers within the normal LAN as well.