Wireless Security
Although IEEE 802.11 wireless LAN technologies provide the benefits previously described, they introduce security issues that do not exist for wired networks. Unlike the closed cabling system of an Ethernet network, which can be physically secured, wireless frames are sent as radio transmissions that propagate beyond the physical confines of your office. Any computer within range of the wireless network can receive wireless frames and send its own. If you do not protect your wireless network, malicious users can use it to access your private information or launch attacks against your computers or other computers across the Internet.
To protect your wireless network, you must use authentication and encryption, as follows:
- Authentication requires that computers provide either valid account credentials (such as a user name and password) or proof that they have been configured with a specific authentication key before being allowed to send data frames on the wireless network. Authentication prevents malicious users from being able to join your wireless network.
- Encryption requires that the content of all wireless data frames be encrypted so that only the receiver can interpret their contents. Encryption prevents malicious users from capturing wireless frames sent on your wireless network and determining sensitive data. Encryption also helps prevent malicious users from sending valid frames and accessing your private resources or the Internet.
IEEE 802.11 wireless LANs support the following security standards:
- IEEE 802.11
- IEEE 802.1X
- Wi-Fi Protected Access (WPA)
- Wi-Fi Protected Access 2 (WPA2)
IEEE 802.11
The original IEEE 802.11 standard defined the open system and shared key authentication methods for authentication and Wired Equivalent Privacy (WEP) for encryption. WEP can use either 40-bit or 104-bit encryption keys. However, the original IEEE 802.11 security standard has proven to be relatively weak and, because there was no specified method for WEP encryption key management, cumbersome for widespread public and private deployment. Because of its susceptibility to attack and the widespread support of newer security standards such as WPA and WPA2, its use is highly discouraged.
IEEE 802.1X
IEEE 802.1X was a standard that existed for Ethernet switches and was adapted to 802.11 wireless LANs to provide much stronger authentication than the original 802.11 standard. IEEE 802.1X authentication is designed for medium and large wireless LANs that contain an authentication infrastructure consisting of Remote Authentication Dial-In User Service (RADIUS) servers and account databases such as the Active Directory domain service.
IEEE 802.1X prevents a wireless node from joining a wireless network until the node is successfully authenticated and authorized. Authentication verifies that wireless clients have valid account credentials and prevents users without valid credentials from being able to join your wireless network. Authorization verifies that the wireless client is allowed to make a connection to the wireless AP. IEEE 802.1X uses the Extensible Authentication Protocol (EAP) to exchange authentication credentials. IEEE 802.1X authentication can be based on different EAP authentication methods such as those using user name and password credentials or a digital certificate.
To address the key management issues of the original 802.11 standard, 802.1X authentication can produce dynamic WEP keys, which are mutually determined by the wireless client and RADIUS server. The RADIUS server sends the WEP key to the wireless AP after authentication completes. The combination of WEP encryption and dynamic keys determined for each 802.1X authentication is known as dynamic WEP.
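The security standards above can be told apart in a Windows wireless profile by its authentication, encryption, and 802.1X settings. The following is an added example, not part of the original tutorial: it classifies profile XML of the kind written by `netsh wlan export profile` and marks profiles that rely only on original IEEE 802.11 security. The SSIDs and the trimmed profile template are constructed, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Namespace of Windows WLAN profile XML (netsh wlan export profile).
NS = {"w": "http://www.microsoft.com/networking/WLAN/profile/v1"}

def classify_profile(xml_text):
    """Return (ssid, label, needs_review) for one WLAN profile.

    needs_review is True when the profile relies solely on original
    IEEE 802.11 security (open or shared key authentication with static
    WEP or no encryption), or when its security block cannot be found.
    """
    root = ET.fromstring(xml_text)
    ssid = root.findtext("w:SSIDConfig/w:SSID/w:name", "?", NS)
    ae = root.find("w:MSM/w:security/w:authEncryption", NS)
    if ae is None:                      # malformed or unexpected profile
        return ssid, "unknown", True
    auth = ae.findtext("w:authentication", "", NS).strip()
    enc = ae.findtext("w:encryption", "", NS).strip()
    onex = ae.findtext("w:useOneX", "false", NS).strip().lower() == "true"
    if auth in ("WPA2", "WPA2PSK"):
        return ssid, "WPA2", False
    if auth in ("WPA", "WPAPSK"):
        return ssid, "WPA", False
    if enc == "WEP" and onex:           # keys come from 802.1X authentication
        return ssid, "dynamic WEP (802.1X)", False
    if enc == "WEP":                    # one manually configured key
        return ssid, f"{auth} authentication + static WEP", True
    return ssid, f"{auth} authentication, no encryption", True

def audit(profiles):
    return [classify_profile(p) for p in profiles]

# Constructed sample profiles, trimmed to the elements the audit reads.
TEMPLATE = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>{0}</name><SSIDConfig><SSID><name>{0}</name></SSID></SSIDConfig>
  <MSM><security><authEncryption>
    <authentication>{1}</authentication><encryption>{2}</encryption>
    <useOneX>{3}</useOneX>
  </authEncryption></security></MSM>
</WLANProfile>"""
SAMPLES = [TEMPLATE.format(*row) for row in [
    ("guest", "open", "none", "false"),
    ("lab-legacy", "shared", "WEP", "false"),
    ("corp-old", "open", "WEP", "true"),
    ("corp", "WPA2", "AES", "true"),
]]

if __name__ == "__main__":
    for ssid, label, needs_review in audit(SAMPLES):
        print(f"{ssid:12} {label:40} {'REVIEW' if needs_review else 'ok'}")
```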