Wi-Fi operates at a low level in the network layer hierarchy. Protocols such as TCP/IP operate at a higher layer and depend on the lower layers to transport data from place to place. One of the problems in the original security concept for Wi-Fi was that the security system was all contained within the lower layers. This led to problems and, most of all, it made it very difficult to provide centralized management of secret keys. The solution came by the use of upper-layer authentication methods.
A number of security protocols have been developed and tested over the years and are well trusted by corporate system administrators. These systems have been developed for use in large secure networks using centralized and remote management. We call these methods upper-layer authentication methods because they work at the top of the protocol stack rather than at the bottom. This chapter describes several methods that can be used in conjunction with RSN and WPA Wi-Fi networks.
First we reviewed TLS, which is closely related to SSL. We provided an overview of certificate-based security and described the message exchange involved in TLS. For a more in-depth look at TLS, you could also refer to Eric Rescorla's book SSL and TLS (Rescorla, 2001). We showed how TLS could be used in conjunction with EAP and RADIUS so it could be applied to key management in WPA and RSN.
Next we looked at Kerberos v5. Kerberos is based on the concept of service tickets managed though central servers. We showed how Kerberos could be applied to RSN without using RADIUS through an interesting technique of proxy servers.
At the end of the chapter we covered Cisco LEAP, a proprietary approach introduced for use with WEP to assist in the management of keys. LEAP was the first Wi-Fi related security approach to be based on IEEE 802.1X and has been deployed in many corporate sites. Finally, we looked at two newer methods, PEAP and GSM-SIM. GSM-SIM is interesting because it bridges the gap between the cellular phone industry and the networking industry, allowing Wi-Fi systems to be authenticated by the cellular phone infrastructure.