10.6 Conclusion



Cracking the default WEP encryption is harder than you might expect, though not because the cryptanalysis is difficult. WEP's IV is only 24 bits long and is sent in the clear, so once enough frames have been captured a freeware tool recovers the key in about a second; the real cost to the attacker is the several hours to several days of passively capturing traffic from the wireless network needed to collect enough IVs. TKIP is an upgrade to the standard WEP and is seen as a temporary fix until the next generation of security standards has been completed and accepted by the market. TKIP uses WEP as the framework to build on: it keeps the same RC4 cipher but uses a much longer (48-bit) IV and derives a fresh per-packet key from it. TKIP provides a dynamically changing 128-bit temporal key, a Message Integrity Check (MIC) to prevent malicious data insertion, and Broadcast Key Rotation. Although this is a great improvement over WEP, TKIP on its own still lacks a user authentication mechanism and does not provide the level of strength many users expect.
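The short-IV weakness described above can be made concrete. The following is an added example, not code from the book: it models WEP's per-packet RC4 key (the 3-byte IV prepended to the shared key), estimates how many frames a network sends before a random IV repeats, and shows that two frames encrypted under the same IV leak the XOR of their plaintexts, so a single frame with known content decrypts any other frame sharing its IV without recovering the key. The shared key, IV and frame payloads are constructed test data, and WEP's CRC-32 ICV is omitted because it does not affect the point.

```python
"""WEP's 24-bit IV and RC4 keystream reuse.

Added example, not code from the book. Models WEP's per-packet RC4 key
(3-byte IV || shared key), counts random IVs until one repeats, and shows
that two frames under the same IV leak the XOR of their plaintexts. Key, IV
and payloads are constructed test data; WEP's CRC-32 ICV is omitted.
"""
import math
import random

# LLC/SNAP header that opens every IP-over-802.11 data frame. Because it is
# constant, every captured frame hands an attacker 8 known plaintext bytes
# and therefore 8 bytes of keystream for that frame's IV.
LLC_SNAP_IP = bytes.fromhex("aaaa030000000800")


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA + PRGA), the cipher used by both WEP and TKIP."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                    # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key: bytes, iv: int, plaintext: bytes) -> bytes:
    """WEP: RC4 key = 24-bit IV (transmitted in the clear) || shared key."""
    per_packet_key = iv.to_bytes(3, "big") + shared_key
    return xor(plaintext, rc4_keystream(per_packet_key, len(plaintext)))


def frames_until_iv_repeat(iv_bits: int, rng: random.Random) -> int:
    """Emit random IVs of the given width until one repeats; return the count."""
    seen = set()
    sent = 0
    while True:
        iv = rng.getrandbits(iv_bits)
        sent += 1
        if iv in seen:
            return sent
        seen.add(iv)


def expected_frames_until_repeat(iv_bits: int) -> float:
    """Birthday bound: roughly sqrt(pi * N / 2) draws for N possible IVs."""
    return math.sqrt(math.pi * 2 ** iv_bits / 2)


def recover_keystream(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Known-plaintext step: keystream = ciphertext XOR plaintext."""
    return xor(ciphertext, known_plaintext)


def demo() -> dict:
    shared_key = bytes.fromhex("0badc0ffee")           # constructed 40-bit WEP key
    iv = 0x2A1F07                                       # constructed IV value
    known = LLC_SNAP_IP + b"ARP request the attacker provoked"   # constructed, known to attacker
    secret = LLC_SNAP_IP + b"POST password=hunter2 HTTP/1.0"    # constructed, the target
    c_known = wep_encrypt(shared_key, iv, known)
    c_secret = wep_encrypt(shared_key, iv, secret)      # same IV reused
    # Same IV => same keystream, so XOR of ciphertexts == XOR of plaintexts.
    leak_ok = xor(c_known, c_secret) == xor(known, secret)
    # A fully known frame yields the whole keystream for that IV; with it any
    # other frame under the same IV decrypts without knowing the shared key.
    ks = recover_keystream(c_known, known)
    recovered = xor(c_secret[:len(ks)], ks)
    return {
        "leak_equals_plaintext_xor": leak_ok,
        "recovered_secret": recovered,
        "sim_frames_to_24bit_repeat": frames_until_iv_repeat(24, random.Random(2004)),
        "expected_24bit": round(expected_frames_until_repeat(24)),
        "expected_48bit": round(expected_frames_until_repeat(48)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With random IVs a busy access point hits its first 24-bit collision after roughly five thousand frames, which is minutes of traffic, while the 48-bit bound is in the tens of millions; TKIP does better still by using a monotonically increasing sequence counter rather than a random value, so an IV never repeats under one temporal key. This example shows the keystream-reuse consequence of the short IV; the key-recovery attacks the freeware tools implement exploit weak IVs in RC4's key schedule and need the much larger captures the text refers to.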

802.1X and the Extensible Authentication Protocol (EAP) are used in combination on WLAN segments. 802.1X has been used for some time on wired LANs and is a simple but effective way of blocking data frames from any unauthenticated user: until authentication succeeds, the switch or access point passes only the EAP traffic itself. EAP provides the user authentication, and 802.1X then allows the user's traffic to flow onto the LAN. Many EAP methods exist, some standardized and some proprietary, and they support a range of authentication mechanisms that can be used in WLANs with varying levels of strength and difficulty of deployment and management. Although EAP was originally created for use with the Point-to-Point Protocol (PPP), it has been adopted for use with IEEE 802.1X Port-Based Network Access Control. IEEE 802.1X offers an effective framework for authenticating and controlling user traffic to a protected network, as well as for dynamically varying encryption keys. It ties EAP to both wired and wireless LAN media and supports multiple authentication methods, such as token cards, Kerberos, one-time passwords, certificates, and public key authentication.
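The port-blocking behaviour and the EAP conversation described above, as a runnable model. This is an added example and not code from the book or from any 802.1X implementation: an authenticator (the access point) drops a station's data frames until the authentication server returns EAP-Success, relaying only EAP messages before then. The EAP method is EAP-MD5 (EAP type 4, a CHAP-style challenge/response from RFC 3748), chosen because it fits in a few lines; the identities, passwords and MAC addresses are constructed.

```python
"""802.1X port control driven by an EAP exchange (added example, not from the book).

The authenticator relays EAP on its uncontrolled port and opens the controlled
port for a station only after the server answers EAP-Success. Method: EAP-MD5,
i.e. MD5(Identifier || secret || challenge). All identities and keys are constructed.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_MD5_CHALLENGE = 1, 4
CODE_NAMES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}


@dataclass
class EapPacket:
    code: int
    identifier: int
    type: int = 0
    data: bytes = b""


def eap_md5_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """EAP-MD5 response value, as in CHAP: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Supplicant:
    """The station's side of the conversation."""
    def __init__(self, identity: str, password: bytes):
        self.identity, self.password = identity, password

    def respond(self, req: EapPacket) -> EapPacket:
        if req.type == TYPE_IDENTITY:
            return EapPacket(EAP_RESPONSE, req.identifier, TYPE_IDENTITY, self.identity.encode())
        if req.type == TYPE_MD5_CHALLENGE:
            size = req.data[0]                         # value-size byte precedes the challenge
            challenge = req.data[1:1 + size]
            value = eap_md5_response(req.identifier, self.password, challenge)
            return EapPacket(EAP_RESPONSE, req.identifier, TYPE_MD5_CHALLENGE, bytes([len(value)]) + value)
        raise ValueError(f"unsupported EAP type {req.type}")


class AuthServer:
    """Stand-in for the RADIUS server: user database plus outstanding challenges."""
    def __init__(self, users: dict):
        self.users = users
        self.pending = {}  # station MAC -> (identity, identifier, challenge)

    def handle(self, station: str, resp: EapPacket) -> EapPacket:
        if resp.type == TYPE_IDENTITY:
            identifier = (resp.identifier + 1) & 0xFF
            challenge = os.urandom(16)
            self.pending[station] = (resp.data.decode(), identifier, challenge)
            return EapPacket(EAP_REQUEST, identifier, TYPE_MD5_CHALLENGE, bytes([16]) + challenge)
        if resp.type == TYPE_MD5_CHALLENGE and station in self.pending:
            identity, identifier, challenge = self.pending.pop(station)
            secret = self.users.get(identity)
            if secret is not None and resp.identifier == identifier:
                expected = eap_md5_response(identifier, secret, challenge)
                if hmac.compare_digest(resp.data[1:], expected):   # constant-time compare
                    return EapPacket(EAP_SUCCESS, identifier)
        return EapPacket(EAP_FAILURE, resp.identifier)


class Authenticator:
    """Access point: the controlled port opens for a station only on EAP-Success."""
    def __init__(self, server: AuthServer):
        self.server = server
        self.authorized = set()

    def eapol(self, station: str, pkt: EapPacket) -> EapPacket:
        """Uncontrolled port: relay the station's EAP response to the server."""
        result = self.server.handle(station, pkt)
        if result.code == EAP_SUCCESS:
            self.authorized.add(station)
        elif result.code == EAP_FAILURE:
            self.authorized.discard(station)
        return result

    def data_frame(self, station: str, payload: bytes) -> str:
        """Controlled port: ordinary frames pass only for authorized stations."""
        return "forwarded" if station in self.authorized else "dropped"


def run_exchange(ap: Authenticator, station: str, sup: Supplicant) -> list:
    """Drive the EAP conversation to Success/Failure; return a transcript."""
    pkt = EapPacket(EAP_REQUEST, 0, TYPE_IDENTITY)    # AP opens with EAP-Request/Identity
    log = []
    while pkt.code == EAP_REQUEST:
        log.append(f"AP->STA {CODE_NAMES[pkt.code]}(type={pkt.type})")
        resp = sup.respond(pkt)
        log.append(f"STA->AP {CODE_NAMES[resp.code]}(type={resp.type})")
        pkt = ap.eapol(station, resp)
    log.append(f"AP->STA {CODE_NAMES[pkt.code]}")
    return log
```

Calling `ap.data_frame(mac, frame)` before `run_exchange(ap, mac, Supplicant("alice", password))` returns "dropped" and afterwards "forwarded"; a wrong password or an unknown identity ends the transcript with "AP->STA Failure" and the port stays closed. EAP-MD5 is used here only for brevity: it authenticates the user to the network but not the network to the user, and it derives no keying material, so it cannot supply the dynamic per-session keys the text mentions; certificate-based methods such as EAP-TLS do both.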

VPNs are a valuable component of an enterprise-level WLAN. VPNs combine point-to-point tunneling, user authentication, and encryption to allow a public network, such as the Internet, to be used to connect securely to a private corporate network. VPN concentrators are often deployed together with servers located on a secure portion of the corporate LAN to support many simultaneous connections to corporate resources. Many types of VPN protocols are used with WLANs, such as PPTP, L2TP, SSH2, IPsec/IKE, and Mobile IP. They all rely on tunneling and offer varying strengths of encryption. VPNs aggregate machines that are physically separated into groups or domains that act as though they were colocated; in contrast, VLANs segregate physically connected machines into groups or domains that act as though they were not physically connected.

Segmentation devices can be used to enhance WLAN security. Segmentation devices such as routers, Layer 3 switches, VPN concentrators, firewalls, Enterprise Encryption Gateways (EEGs), and Enterprise Wireless Gateways (EWGs) are used as security devices when implementing segmentation between wired and wireless networks, to mitigate the risk of exposing the wired network to the wireless LAN. EEGs and EWGs are relatively new to the market and have cost, performance overhead, and implementation issues that need to be considered before including them in your design. EEGs are hardware devices that provide hardware-assisted encryption/decryption and segmentation. EWGs add to the functionality of EEGs by adding Role-Based Access Control (RBAC) and Quality of Service (QoS) features.

Additional techniques, such as building redundancy into the segmentation devices, help reduce single points of failure. The use of NAT/NAPT and RBAC to protect and control access to and from the WLAN and its resources are important factors to consider when designing a strong security architecture for WLANs. It is also important to consider rate limiting and subnet roaming, which affect both security and the quality of service delivered to the users of your WLAN.




Wireless Operational Security
ISBN: 1555583172
Year: 2004
Pages: 153