Wireless Networking, Part 2


Wi-Fi Security (More Information)

Security Technologies

WPA2 (Wi-Fi Protected Access 2)

WPA (Wi-Fi Protected Access)

VPN (Virtual Private Network)

Firewalls

Media Access Control (MAC) Filtering

RADIUS Authentication and Authorization

Kerberos

802.1x and Other New Security Technologies

Putting Technologies Together

Security in Public Spaces

Whenever you communicate over the Internet using a wired or wireless connection, you may want to ensure that your communications and files are private and protected. If your transmissions are not secure, you take the risk of others intercepting your business e-mails, examining your corporate files and records, and using your network and Internet connection to distribute their own messages and communications.

How secure you want your network to be depends on how you use the Net. If you're just surfing to do research or watch movies, you may not care if anyone picks up part of the transmission, but that's up to you. Even if you're shopping and purchasing items over the Net, those financial transactions are usually protected by a technology called Secure Sockets Layer (SSL). However, if your data is confidential or if you want additional security, there are several different technologies you might consider implementing. Remember, security is a personal decision, and we encourage you to use at least some level of security as a deterrent to intrusion.

In a home wireless network, you can use a variety of simple security procedures to protect your Wi-Fi connection. These include enabling Wi-Fi Protected Access, changing your password or network name (SSID) and closing your network. However, you can also employ additional, more sophisticated technologies and techniques to further secure your business network.

For more information on implementing security techniques, see Securing The Network.

--------------------------------------------------------------------------------

Security Technologies

WPA and other wireless encryption methods operate strictly between your Wi-Fi enabled computer and your Wi-Fi CERTIFIED access point. When data reaches the access point or gateway, it is unencrypted and unprotected while it is being transmitted out on the public Internet to its destination, unless it is also encrypted at the source with SSL when purchasing on the Internet or when using a VPN. So while using WPA will protect you from external intruders, you may want to implement additional techniques to protect your transmissions when you use public networks and the Internet. There are several technologies available, but currently VPN works best.

--------------------------------------------------------------------------------

WPA2 (Wi-Fi Protected Access 2)

WPA2 (Wi-Fi Protected Access 2) provides network administrators with a high level of assurance that only authorized users can access the network. Based on the ratified IEEE 802.11i standard, WPA2 provides government-grade security by implementing the National Institute of Standards and Technology (NIST) FIPS 140-2 compliant AES encryption algorithm. WPA2 can be enabled in two versions: WPA2-Personal and WPA2-Enterprise. WPA2-Personal protects against unauthorized network access by using a set-up password. WPA2-Enterprise verifies network users through a server. WPA2 is backward compatible with WPA.

--------------------------------------------------------------------------------

WPA (Wi-Fi Protected Access)

WPA is a powerful, standards-based, interoperable security technology for Wi-Fi networks. It provides strong data protection by using encryption as well as strong access controls and user authentication. WPA can be enabled in two versions: WPA-Personal and WPA-Enterprise. WPA-Personal protects against unauthorized network access by using a set-up password. WPA-Enterprise verifies network users through a server. WPA uses 128-bit encryption keys and dynamic session keys to ensure your wireless network's privacy and enterprise security.

--------------------------------------------------------------------------------

VPN (Virtual Private Network)

Most major corporations today use VPN to protect their remote-access workers and their connections. It works by creating a secure virtual "tunnel" from the end-user's computer through the end-user's access point or gateway, through the Internet, all the way to the corporation's servers and systems. It also works for wireless networks and can effectively protect transmissions from Wi-Fi equipped computers to corporate servers and systems.

Most corporate IT departments are already skilled with VPN and can modify existing systems to support Wi-Fi networks. A VPN works through the VPN server at the company headquarters, which establishes an encryption scheme for data transferred to computers outside the corporate offices. The special VPN software on the remote computer or laptop uses the same encryption scheme, so data can be transferred safely back and forth without being readable by anyone who intercepts it.

IT Managers can set up VPN to support mobile professionals communicating from airports or hotels and telecommuters working from home, as well as wireless and wired computers located inside the company facility.

At the corporate location, companies can provide security and still allow open access to the Internet and email for guests by giving individuals who need to access the network different levels of access. Visitors to the company, as well as mobile workers, can still have unfettered access to the Internet and use standard e-mail protocols. However, VPN access, which enables access to the corporate network, corporate e-mail and communications systems, is provided only to those who've been given authorization.

There are many different types and levels of VPN technology, some of which are very expensive and include both hardware and software components. However, Microsoft provides a basic but free VPN technology with its advanced server operating systems. For more information, check out Microsoft's VPN Overview.

--------------------------------------------------------------------------------

Firewalls

Firewalls can make your network appear invisible to the Internet, and they can block unauthorized and unwanted users from accessing your files and systems. Hardware and software firewall systems monitor and control the flow of data in and out of computers in both wired and wireless enterprise, business and home networks. They can be set to intercept, analyze and stop a wide range of Internet intruders and hackers.

As with VPNs, there are many types and levels of firewall technology. Many firewall solutions are software only; others are powerful hardware and software combinations. Some Wi-Fi gateways and access points provide a built-in firewall capability. But even if they don't, most Wi-Fi gateways include a NAT routing capability that acts like a basic firewall, making the networked computers and their data invisible to simple hacking scans and probes.

--------------------------------------------------------------------------------

Media Access Control (MAC) Filtering

As part of the 802.11b standard, every Wi-Fi radio has its own unique Media Access Control (MAC) number allocated by the manufacturer. To increase wireless network security, an IT manager can program a corporate Wi-Fi access point to accept only certain MAC addresses and filter out all others. The MAC control table thus created works like "call blocking" on a telephone: if a computer with an unknown MAC address tries to connect, the access point will not allow it. However, programming all the authorized users' MAC addresses into all the company's access points can be an arduous and time-consuming task for a large organization, but for the home technology enthusiast it can be quite effective.

It is also possible for a dedicated hacker to "spoof" a MAC address, by intercepting valid MAC addresses and then programming his or her computer to broadcast using one of those. Despite that, for small network installations, MAC filtering can be a very effective method to prevent unauthorized access.

--------------------------------------------------------------------------------

RADIUS Authentication and Authorization

RADIUS (Remote Authentication Dial-In User Service) is another standard technology that is already in use by many major corporations to protect access to wireless networks. RADIUS is a user name and password scheme that enables only approved users to access the network; it does not affect or encrypt data. The first time a user wants access to the network, secure files or net locations, he or she must input his or her name and password and submit it over the network to the RADIUS server. The server then verifies that the individual has an account and, if so, checks that the correct password was supplied before he or she is allowed onto the network.

RADIUS can be set up to provide different access levels or classes of access. For example, one level can provide blanket access to the Internet; another can provide access to the Internet as well as to e-mail communications; yet another account class can provide access to the Net, email and the secure business file server.

Like other sophisticated security technologies already mentioned, RADIUS comes in a variety of types and levels. You can use the free RADIUS provided by Microsoft for its advanced server operating systems, or you can use a sophisticated hardware and software solution.
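The user name and password exchange described above, as an added example that is not part of the original post: a minimal RFC 2865 Access-Request built by the access point and checked by the server, with the User-Password attribute hidden the way the standard specifies. The shared secret and the user table are constructed sample values; note that only that one attribute is hidden, which is the concrete reason the text says RADIUS "does not affect or encrypt data".

```python
import hashlib, hmac, os, struct
# Constructed sample values (not from the page): the secret shared by the
# access point and the RADIUS server, and the server's user table.
SHARED_SECRET = b"example-shared-secret"
USER_TABLE = {"alice": "correct horse battery"}
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3  # RFC 2865 packet codes
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2               # RFC 2865 attribute types

def hide_password(password, secret, authenticator):
    # RFC 2865 s5.2: pad to a 16-byte multiple and XOR each block with MD5(secret +
    # previous block), block 1 using the Request Authenticator. Nothing else is hidden.
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out

def reveal_password(hidden, secret, authenticator):
    # Server side of hide_password(); the mask chain uses the received blocks.
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(identifier, username, password, secret):
    # Access point side: Access-Request carrying User-Name and User-Password.
    authenticator = os.urandom(16)  # fresh random 16-byte Request Authenticator
    name = username.encode()
    hidden = hide_password(password.encode(), secret, authenticator)
    attrs = (bytes([ATTR_USER_NAME, 2 + len(name)]) + name
             + bytes([ATTR_USER_PASSWORD, 2 + len(hidden)]) + hidden)
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs

def handle_access_request(packet, secret, user_table):
    # Server side: parse the type/length/value attributes, unhide the password, decide.
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet): return ACCESS_REJECT
    authenticator, attrs, pos = packet[4:20], {}, 20
    while pos + 2 <= length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2: return ACCESS_REJECT  # malformed attribute would loop forever
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    username = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, authenticator)
    ok = username in user_table and hmac.compare_digest(password, user_table[username].encode())
    return ACCESS_ACCEPT if ok else ACCESS_REJECT
```

A server holding a different shared secret unhides garbage and rejects the request, which is why the secret must be unique per access point; production deployments carry this exchange inside 802.1X/EAP and often over TLS (RadSec, RFC 6614) rather than relying on the MD5-based hiding alone.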

--------------------------------------------------------------------------------

Kerberos

Another way to protect your wireless data is by using a technology called Kerberos. Created by MIT, Kerberos is a network authentication system based on key distribution. It allows entities that communicate over a wired or wireless network to prove their identity to each other while preventing eavesdropping or replay attacks. It also provides for data stream integrity (detection of modification) and secrecy (preventing unauthorized reading) using cryptography systems such as DES.

After a client and server have used Kerberos to prove their identity, they can also encrypt all of their communications to assure privacy and data integrity as they go about their business.

Kerberos works by providing principals (users or services) with digital tickets that they can use to identify themselves to the network and secret cryptographic keys for secure communications. A ticket is a sequence of a few hundred bytes that can be embedded in virtually any other network protocol, thereby allowing the processes implementing that protocol to be sure about the identity of the principals involved.

Kerberos is available free from MIT and as a product from many different vendors.

--------------------------------------------------------------------------------

802.1x and Other New Security Technologies

With the burgeoning success and adoption of Wi-Fi networks, many other security technologies have been developed and continue to be developed. Security is a constant challenge, and there are thousands of companies developing a cornucopia of solutions.

There are a variety of proprietary third-party security solutions that effectively "ride on top of" a standard Wi-Fi transmission and provide encryption, firewall and authentication services. Many Wi-Fi manufacturers have also developed proprietary encryption technologies that greatly enhance basic Wi-Fi security.

Encryption techniques use special technologies to scramble transmissions on one end and then unscramble them on the other. Other techniques use special keys or codes that enable the computers to talk to each other: the sender's computer transmits a key or code to the receiving computer, and if the keys match, the sender is allowed into the system.

The Wi-Fi Alliance, the IEEE 802.11 standards committee and many Wi-Fi members are working to develop new security standards such as 802.11i and 802.1x. These new security standards will use advanced encryption technologies such as AES and TKIP, as well as secure key-distribution methods.

Hackers can break encryption codes by intercepting and analyzing large amounts of data, but breaking codes takes time. By automatically "changing" the encryption keys every five minutes or so, the Wi-Fi network is already using a new code by the time a hacker has managed to intercept and crack the old one. Most enterprise-level Wi-Fi networks already enable IT managers to change the codes manually, but 802.1x makes the process automatic.

--------------------------------------------------------------------------------

Putting Technologies Together

Individuals and companies that have the desire to go beyond basic security mechanisms can choose to implement and combine these basic technologies to increase protection for their mobile workers and their data. As with any network, wired or wireless, the more layers of security that are added, the more secure your transmissions can be.

--------------------------------------------------------------------------------

Security in Public Spaces

Wireless networks in public areas and "HotSpots" like Internet cafes may not provide any security. Although some service providers do provide this with their custom software, many HotSpots leave all security turned off to make it easier to access and get on the network in the first place. If security is important to you, the best way to achieve it when you are connecting back to your office is to use a VPN. If you do not have access to a VPN and security is important, you may want to limit your wireless network use in these areas to non-critical e-mail and basic Internet surfing.

The good news is that many HotSpot providers and Wi-Fi manufacturers are implementing improved security technologies to protect Wi-Fi users against interception and eavesdropping in public HotSpots.
