Wireless Security

Before you start

Objectives: Learn about common authentication types and security implementations used in wireless networks today.

Prerequisites: no prerequisites.

Key terms: key, wireless, authentication, WPA, encryption, security, network, WEP, AP, server


Security

The first wireless networks were not very secure. Over time, the security of wireless networks has improved. To protect our wireless network we must configure authentication and encryption. Authentication is the first thing that happens when we connect to a wireless network. Authentication is the process in which we have to provide either valid user credentials, such as a username and password, or proof that we have been configured with an authentication key, before being allowed to send data on the wireless network. Basically, authentication is the process of proving our identity. In wireless networks there are three ways to implement authentication: Open, Shared Key and 802.1x.

One other thing we have to do is protect our data during wireless transmission. This is done using encryption. Encryption is the process of changing the content of the data into an unreadable format, so that only the intended receiver can decrypt and read the original content.

Authentication Methods

802.11 Open

This is the original standard that defines an open system in which clients provide their MAC address to gain access to the wireless network. This basically means that any client is allowed to access our network, since all MAC addresses are allowed by default. This is typically used on public networks. However, we can implement MAC address filtering to allow only specific MAC addresses. This way certain MAC addresses will not be allowed to connect. Beware that MAC addresses can be spoofed.

Shared Key

With the shared key authentication method we configure our clients with a shared key. The shared key is sometimes also referred to as a secret, a pass-phrase or a password. In this method, only devices with the correct shared key can connect to the wireless network. With shared key authentication all clients and access points use the same authentication key.

802.1x

802.1x authentication uses usernames and passwords, certificates, or smart cards to authenticate wireless clients. This standard is adapted from wired networks. It provides much stronger authentication than the original 802.11 standard. It is designed for medium to large wireless networks that have the infrastructure to support authentication through a RADIUS server. The RADIUS server works in conjunction with a user database to authenticate users on the wireless network. In this method, when the connection between the client and the AP is established, the authentication method is negotiated. The client then sends its credentials to the AP, but the AP doesn’t perform the authentication itself. Instead, the AP passes the authentication credentials to the RADIUS server. The RADIUS server maintains information about user accounts, so the credentials are actually validated on the RADIUS server. The RADIUS server then sends information back to the AP to tell it whether access has been granted or denied.

So, to use the 802.1x authentication method we must have a central RADIUS server. We also have to use certificates. At minimum, the RADIUS server must have a certificate that identifies it as a server that can perform authentication.

To support mutual authentication, each client must also have a certificate. So, instead of using usernames and passwords, or in addition to them, we can also use certificates on the wireless clients. We can use smart cards that hold the proper certificate, and allow access only to devices that have a smart card. With 802.1x all users authenticate with unique usernames and passwords.

Security Implementations

When we talk about wireless security, we usually talk about different security implementations. As we said, authentication is only the first part of wireless security. The other part is encryption of data. In general, there are three security implementations for wireless networks: WEP, WPA and WPA2.

WEP (Wired Equivalent Privacy)

WEP was designed to provide wireless networks with the same security as wired connections. It uses hashing encryption with a static Pre-Shared Key (PSK) which is configured on all access points and clients. The shared key is used to perform the hashing function which provides the encryption. WEP encryption can use either 40 bit or 104 bit encryption. WEP is not very secure because the shared key is used for hashing, and because the shared key doesn’t change. Users with the right tools can intercept wireless data, break the hashing mechanism, and reveal the shared key. All this can be done in less than 10 minutes, depending on the level of traffic on the network. In fact, WEP is considered deprecated, since it fails to meet security standards used today. Unfortunately it is still widely used due to the ease of configuration.

When it comes to authentication, WEP supports two separate types. One type is Open authentication (requires only a MAC address), and the other is Shared key (password, secret value). Remember that WEP uses the same shared key for authentication and for encryption, which is the source of the problem in WEP.

To deal with the problems of WEP, the 802.11i committee was formed to add security to wireless. This committee began working on a set of specifications for wireless security. This process took a while, and as time went by, various device vendors decided to implement security mechanisms faster than the committee released them. So, vendors implemented security measures that would be compatible with the final 802.11i draft. This work of the vendors is known as the WPA specification for wireless security.

WPA (Wi-Fi Protected Access)

WPA basically replaces WEP with a stronger encryption method called TKIP, or Temporal Key Integrity Protocol. The most important thing that TKIP brings is the periodic rotation of the keys. In contrast to WEP, which uses a static shared key with the hashing algorithm, WPA actually rotates multiple keys. So, with WPA the connection is established between the AP and the clients. During the connection establishment they also decide which key is going to be used for encryption. From time to time, this key is replaced with another key value. This way, instead of having a static key like in WEP, in WPA the key is constantly changed. This makes it much harder for malicious users to discover the key. WPA also allows the optional use of AES, or Advanced Encryption Standard, for encrypting wireless transmissions.

When it comes to authentication, WPA also supports Open, Pre-shared key, and 802.1x authentication. Depending on the authentication type, we differentiate between two WPA modes: WPA Personal and WPA Enterprise. In the WPA Personal mode, a Pre-Shared Key (PSK) is used for authentication. The same key is provided to each user. The Personal mode is usually used in home or small business wireless networks. Remember that the shared key in WPA is not used for encryption. In the WPA Enterprise mode, individual keys are distributed to users through an 802.1x server. The Enterprise mode is usually used in medium or large wireless networks, when there is a need for usernames and passwords or some other form of authentication. Remember that in the WPA Enterprise mode we have to have an additional server and we have to configure certificates.
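
An added example (not part of the original article) of why the pre-shared key in Personal mode is not itself the encryption key: following the key hierarchy defined in IEEE 802.11i, the passphrase and SSID yield a master key, and every association derives its own temporal key from fresh random values exchanged during connection establishment. It goes beyond the text above by showing the derivation itself; the function names, passphrase, SSID and MAC addresses are constructed for illustration.

```python
import hashlib
import hmac
import os

# Added illustration; function names and sample values are constructed, not from the article.

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Personal mode: passphrase + SSID -> 256-bit Pairwise Master Key (PBKDF2-HMAC-SHA1)."""
    # The SSID is the salt, so the same passphrase gives a different PMK on another network name.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF: HMAC-SHA1 over label || 0x00 || data || counter, blocks concatenated."""
    out, counter = b"", 0
    while len(out) < nbytes:
        block = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, block, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]

def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> dict:
    """Per-association key set (CCMP layout); AP and client compute it from exchanged nonces."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:]}  # tk encrypts data frames

def two_associations(passphrase: str, ssid: str):
    """Same passphrase and devices, two connections: return the temporal key of each."""
    pmk = derive_pmk(passphrase, ssid)
    ap, sta = bytes.fromhex("02aabbccdd01"), bytes.fromhex("02aabbccdd02")  # constructed MACs
    first = derive_ptk(pmk, ap, sta, os.urandom(32), os.urandom(32))
    second = derive_ptk(pmk, ap, sta, os.urandom(32), os.urandom(32))
    return first["tk"], second["tk"]

if __name__ == "__main__":
    tk1, tk2 = two_associations("EXAMPLE-ONLY-passphrase", "office-wlan-7f3a")
    print("temporal key, association 1:", tk1.hex())
    print("temporal key, association 2:", tk2.hex())
```

The two temporal keys differ even though the passphrase never changed, which is the contrast with WEP's single static key.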

Almost all access points now support WPA. If we have an older AP, it is usually enough to upgrade the firmware on the AP in order to enable support for WPA.

WPA2

WPA2 is the final implementation of the 802.11i encryption standard, which was deployed in 2005. It is built upon the idea of Robust Secure Networks (RSN). WPA2 uses Advanced Encryption Standard (AES) for encryption. AES is similar to TKIP (uses rotating keys), but it is considered to be more secure. AES requires special hardware to perform encryption. This means that we can’t simply update the firmware on our older AP to enable support for WPA2. Newer devices have support for WPA2.

Similar to WPA, WPA2 is also available in two different modes – Enterprise and Personal. The main thing to remember is that in WPA Enterprise each client will receive its own individual unique key, while in WPA Personal we configure one key that is shared between all clients on the wireless network.

Additional Measures

To make our wireless network even more secure we should always change the default SSID on our AP. We can also choose not to broadcast our SSID. This way our network will not be detectable by devices within its range. Of course, we should always change the default administrator password on our Access Point (APs come preconfigured with default, well-known passwords). Instead of WEP we should always use WPA or WPA2. We can also enable MAC address filtering on our AP to allow only certain clients on the network. We could also configure the firewall on the AP, if our AP has one built in. We can also enable IPSec on our connections to provide encryption of data transmissions, but this is another topic altogether.
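
One way to check an access point against the measures above and against the Enterprise mode's need for a RADIUS server, as an added example that is not part of the original article. It assumes the AP is configured through a hostapd-style configuration file (the article names no product); the option names are hostapd's, while the sample configurations, finding labels and the short default-SSID list are constructed.

```python
DEFAULT_SSIDS = {"linksys", "netgear", "dlink", "default"}  # illustrative list, not exhaustive

def parse_conf(text):
    """Parse hostapd-style key=value lines, skipping blanks and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def audit(text):
    """Return (mode, findings) for one AP configuration."""
    c = parse_conf(text)
    wpa = int(c.get("wpa", "0"))                      # bit 0 = WPA, bit 1 = WPA2
    mgmt = c.get("wpa_key_mgmt", "WPA-PSK").split()
    # hostapd defaults: wpa_pairwise=TKIP, rsn_pairwise=<value of wpa_pairwise>
    wpa_pw = c.get("wpa_pairwise", "TKIP").split()
    rsn_pw = c.get("rsn_pairwise", " ".join(wpa_pw)).split()
    active = (wpa_pw if wpa & 1 else []) + (rsn_pw if wpa & 2 else [])
    findings = []
    if c.get("ssid", "").lower() in DEFAULT_SSIDS:
        findings.append("default-ssid")
    if wpa == 0:
        uses_wep = any(k.startswith("wep_key") for k in c)
        mode = "wep" if uses_wep else "open"
        findings.append("wep-in-use" if uses_wep else "no-encryption")
    else:
        mode = "enterprise" if "WPA-EAP" in mgmt else "personal"
    if "TKIP" in active:
        findings.append("tkip-enabled")               # AES (CCMP) is the stronger choice
    if mode == "enterprise":
        if c.get("ieee8021x") != "1":
            findings.append("8021x-disabled")
        if "auth_server_addr" not in c:
            findings.append("no-radius-server")
    return mode, findings

# Constructed sample configurations (placeholder secrets, documentation IP address)
WEAK = "ssid=linksys\nwep_default_key=0\nwep_key0=0123456789\n"
PERSONAL = ("ssid=office-wlan-7f3a\nwpa=1\nwpa_key_mgmt=WPA-PSK\n"
            "wpa_passphrase=EXAMPLE-ONLY-passphrase\n")
ENTERPRISE = ("ssid=corp-wlan-7f3a\nwpa=2\nwpa_key_mgmt=WPA-EAP\nrsn_pairwise=CCMP\n"
              "ieee8021x=1\nauth_server_addr=192.0.2.10\nauth_server_port=1812\n"
              "auth_server_shared_secret=EXAMPLE-ONLY-secret\n")

if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("personal", PERSONAL), ("enterprise", ENTERPRISE)):
        print(name, audit(conf))
```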