The increased popularity of wireless networks has caused increased security worries for network administrators. In the early days of wireless, dangers were less prevalent. It took hackers a while to adjust to the technology, and there simply weren't that many businesses using wireless technology. That has changed radically of late; hackers have found that wireless networks are relatively easy to break into. This makes wireless security a top priority.
Wireless security requires vigilance to ensure that only authorized users are allowed access to the network. Security concerns led to specifying the 802.11 standard for encrypting WLAN data.
Wired Equivalent Privacy (WEP)
Designed to provide the same level of security as a wired LAN, Wired Equivalent Privacy (WEP) is the method of encryption specified by 802.11. Protecting a WLAN from security breaches is much more difficult, however, due to the physicality of its structure. While a LAN physically limits access to a building's computers, a WLAN presents no such barrier.
WEP sets up a barrier by encrypting data. WEP is a simple algorithm that uses a pseudo-random number generator (PRNG) and the RC4 stream cipher, which encrypts and decrypts quickly.
WEP keys are implemented on both client and infrastructure devices. A WEP key is an alphanumeric character string. Both the client and the access point, or both clients in an ad hoc WLAN, must have the same key. Otherwise, the client will not be allowed to use the WLAN. Two types of WEP authentication are possible:
- Open System authentication – The WLAN client authenticates with the access point before attempting to associate. This method is best used with networks that need minimal security.
- Shared Key authentication – The WEP key is used for authentication before going through a 4-way handshake challenge/response process. Although this may appear to be more secure, it actually leaves open many holes that hackers can exploit relatively easily.
Both use RC4 for encrypting data. RC4 is a stream cipher also used in Secure Sockets Layer (SSL) for protecting traffic over the Internet. Advantages include simplicity and speed, but it has vulnerabilities that can be exploited in WEP.
Weaknesses
WEP operates at the lowest layers of the OSI model, the Physical and Data Link layers, so it does not offer end-to-end security. Two specific weaknesses are:
- Initialization Vector (IV) – Most implementations start with an IV of zero and increment it by one for each packet that is sent. On a busy network, all possible IVs are used in about 5 hours, after which the numbers are recycled. The IV is appended to the encrypted packet in clear text. This weakness leaves WEP open to several active and passive attacks.
- Shared-key implementation – A challenge text string is sent in the clear, without encryption. The client replies with an encrypted version of the challenge text. A hacker who has captured both the encrypted and non-encrypted versions of the challenge string can easily derive the WEP key.
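The IV weakness above, shown in code as an added example that is not part of the original article: WEP seeds RC4 with the clear-text IV concatenated with the shared key, so two frames sent under the same IV are encrypted with the same keystream. The key, IVs and payloads are constructed sample values, and the integrity check value carried by real WEP frames is omitted.

```python
# Added illustration: WEP-style per-packet keying, RC4(IV || key).
# All keys, IVs and payloads below are constructed sample values.

def rc4_keystream(seed: bytes, n: int) -> bytes:
    """Return n bytes of RC4 keystream for the given seed."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key scheduling (KSA)
        j = (j + s[i] + seed[i % len(seed)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):                        # output generation (PRGA)
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(iv: bytes, key: bytes, payload: bytes) -> bytes:
    """Simplified frame body: 3-byte clear-text IV, then payload XOR keystream."""
    return iv + xor(payload, rc4_keystream(iv + key, len(payload)))

def iv_collisions(frames):
    """Group encrypted bodies by clear-text IV; return only the reused IVs."""
    seen = {}
    for frame in frames:
        seen.setdefault(frame[:3], []).append(frame[3:])
    return {iv: bodies for iv, bodies in seen.items() if len(bodies) > 1}

KEY = bytes.fromhex("0102030405")             # constructed 40-bit WEP key
P1 = b"GET /index.html"
P2 = b"user=alice&pin="
FRAMES = [
    wep_encrypt(b"\x00\x00\x01", KEY, P1),
    wep_encrypt(b"\x00\x00\x02", KEY, b"unrelated frame"),
    wep_encrypt(b"\x00\x00\x01", KEY, P2),    # counter wrapped: IV reused
]

def leaked_xor() -> bytes:
    """XOR two bodies that share an IV; the keystream cancels out."""
    c1, c2 = iv_collisions(FRAMES)[b"\x00\x00\x01"]
    return xor(c1, c2)                        # equals P1 XOR P2, no key needed
```

Running `iv_collisions` over a capture gives an administrator a direct count of reused IVs; any non-empty result means frames on that network share keystream.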
WPA and WPA2
- User authentication – Mutual, or two-way, authentication is provided through 802.1x and Extensible Authentication Protocol (EAP). There is full support for a RADIUS server-based authentication or for authentication using pre-shared keys in a SOHO environment.
- CBC-MAC Protocol (CCMP) Encryption – Counter mode with CCMP and Advanced Encryption Standard (AES) provides strong encryption. AES requires significant processing power.
- Message integrity check (MIC) – This helps prevent packets from getting altered and re-transmitted on a WLAN.
- Encryption key management – The management of encryption key generation and distribution is necessary for large network environments.
WPA
To plug weaknesses in WEP, a stronger authentication method was needed. Wi-Fi Protected Access (WPA) was adopted by the Wi-Fi Alliance as an immediate solution before the full development of the 802.11i standard. Temporal Key Integrity Protocol (TKIP) was designed by the 802.11i working group to work with WPA, improving security over WEP without requiring existing wireless networks to be replaced. TKIP offers the following improvements over WEP:
- Mixing function: combines secret root key with initialization vector before passing
- Sequence counter to guard against repeated attacks
- Uses 64-bit message integrity check
This increased complexity makes it more difficult for hackers to crack a WPA network. However, in order to run over the same WEP hardware, TKIP uses the same cipher as WEP. This makes it vulnerable to similar attacks, most notably Denial of Service (DoS) attacks. Thus, TKIP is regarded as a temporary solution.
WPA2
Originally created as a patch to WEP, the 802.11i standard defines a secure wireless network.
WPA2 is fully compliant with 802.11i and introduces a much more robust security system based on CCM mode Protocol (CCMP). CCMP uses the more sophisticated Advanced Encryption Standard (AES) adopted by the U.S. government.
Developed by Belgian cryptographers Joan Daemen and Vincent Rijmen, AES uses the Rijndael algorithm in 128-, 192-, and 256-bit key lengths. AES is considered to be uncrackable by most experts. The 802.11i standard requires a Robust Security Network (RSN) that includes two additional protocols:
- 4-Way Handshake – used to create a secret Pairwise Transient Key (PTK) that is put through a cryptographic hash function
- Group Key Handshake – method of updating a Group Temporal Key (GTK) when a device leaves the network or due to expiration of a preset timer
The Wi-Fi Alliance plans to make WEP and TKIP obsolete in the near future.
Hotspots and RADIUS
Standard Hotspots
802.11 networking (or Wi-Fi) requires two-way communication via radio waves, which means a Wi-Fi device needs appropriate means to connect. That's where hotspots take center stage.
A hotspot is a location where Internet access is available via Wi-Fi. Hotspots are becoming more and more widespread. Common locations include airports, train stations, libraries, hotels, restaurants, coffee shops, hospitals, schools, and many public areas.
Free hotspots may or may not use a management system for access and/or bandwidth control. Commercial hotspots will definitely control access, generally securing authentication and payment for service. Most hotspots use WPA with TKIP encryption, but some may still use the more vulnerable WEP.
RADIUS
Wi-Fi has enabled much greater mobility and flexibility, but standard Wi-Fi deployments are subject to security breaches. Many enterprises need greater security to verify user credentials and a way to manage remote users. This is most readily provided using Remote Authentication Dial In User Service (RADIUS). A networking protocol designed to work from a centralized location, RADIUS serves three functions:
- Authenticate users or devices before granting them access to a network
- Authorize those users or devices for certain network services
- Account for usage of those services
Using User Datagram Protocol (UDP) for transport, RADIUS functions as a client/server protocol that runs in the Application layer of the Internet Protocol Suite. Gateways that control access to the network include:
- Remote Access Server (RAS)
- Network Access Server (NAS)
- Virtual Private Network Server
RADIUS server features can vary, but most can identify users in text files, LDAP servers, and various databases. This allows a company to maintain authorized users in a central database and manage remote servers for sharing. Centralized management of authentication data (such as usernames and passwords) is the main service provided by RADIUS. This centralized management of remote and Wi-Fi users along with encryption capacity enhances security greatly.
Since the RADIUS protocol can be found almost everywhere and is widely supported, it is primarily used by ISPs to handle Internet access. A RADIUS server can also be used for an enterprise network that requires centralized authentication and accounting services for its workstations.
A RADIUS server provides session controls and also provides wireless access point information in order to enforce access policies and make connections more secure.