By itself, there's not much IT professionals can do to strengthen Wi-Fi security, beyond making sure standard defaults are reset and stronger SSIDs are used. That said, there are plenty of additional security options and add-ons that savvy IT professionals use to create much-improved security regimes for WLANs. A chain is only as strong as its weakest link, but information security is as strong as its strongest link (as long as that link applies to sensitive information in transit). Thus, deficiencies in WLAN security that derive from specifics of the 802.11 implementation are relatively easy to overcome, using one or more of the following methods or approaches which basically augment or supplement 802.11 security with stronger tools and technologies:
- IPSec (IP Security) protocols: IPSec protocols provide mechanisms for establishing security associations between pairs of devices. In fact, IPSec may be used to establish private end-to-end communications between pairs of computers, so that an additional layer of security is imposed above and beyond whatever Wi-Fi controls may be in place. This mechanism is quite similar to that used in VPNs (virtual private networks), in which additional security is used to make connections across inherently unsecure links.
- VPN links: Special added protocol layers and encryption services allow traffic between a sender and a receiver to be further secured while in transit across public or other unsecure network links (such as the Internet). Most experts recommend the use of VPN or similar technologies any time sensitive data must traverse unsecure links or media (such as WLANs).
- IKE (Internet Key Exchange): The IKE protocols are often used with VPN or IPSec technologies, because they provide a secure means to exchange shared keys across inherently unsecure links (such as WLANs). Essentially, IKE comes into play as communications between pairs of devices are negotiated and provides a mechanism for exchanging highly sensitive data (such as shared keys).
- MAC address filtering: This mechanism registers valid MAC (media access control) addresses in use (these are burned into network access devices during manufacture and are designed to be unique) and permits only recognized MAC addresses to establish communication with wireless access points. But although this mechanism sounds foolproof, it isn't: software tools permit such addresses to be imitated, or spoofed, and ongoing monitoring of wireless communications often allows valid MAC addresses to be learned over time. MAC address filtering is most effective when it's used in conjunction with the other approaches mentioned in this list.
- Stronger encryption keys: Various wireless implementations use longer, stronger keys for WEP or other wireless protocols. Although all WEP implementations are subject to the weaknesses of 24-bit IVs, other stronger protocols are not. These keys are best used in the context of IKE, Kerberos, RADIUS, VPN, and/or IPSec approaches.
- RADIUS (Remote Authentication Dial-In User Server/Service): RADIUS is designed to provide reliable, secure third-party authentication services for all kinds of remote network access, including wireless access. Environments that use RADIUS can rely on strong authentication from a RADIUS server and secure mechanisms for key exchange between entering workstations and the access point. (RADIUS provides key exchange and management mechanisms that Wi-Fi itself lacks.) Because RADIUS is widely used, and is available in implementations for Windows, Macintosh, and most Unix or Linux servers, this turns out to be a surprisingly workable solution.
- Kerberos: Kerberos is a standard set of Internet protocols, services, and identity proofs that's becoming part and parcel of authentication in many networking environments (particularly those based on Unix, Linux, or Windows). By providing mechanisms to publish asymmetric user keys or certificates and managing validity information for such keys, Kerberos provides both strong authentication and strong encryption services that may be used in tandem with wireless networking. Kerberos is highly recommended.
- TLS (Transport Layer Security): TLS is a session protocol that provides privacy for Internet sessions between an application and a client or user. In wireless applications (where it's sometimes known as WTLS), it allows a client to access a server through an access point for authentication, and then helps choose encryption mechanisms and keys to use before allowing network access or any exchange of real data. This is also highly recommended.
- Broadcast key rotation: Access point vendors enable mechanisms to create and manage short-lived, dynamically generated broadcast WEP keys for access to services such as DHCP (Dynamic Host Configuration Protocol) or ARP (Address Resolution Protocol). (This can occur before log on and cannot therefore be secured with stronger authentication or encryption mechanisms that ultimately depend on valid proofs of user identity to control access.) Short timeouts on key life make it extremely difficult to crack such keys, but they only work for broadcast services (such as DHCP and ARP) and offer no improvements for user security. Because earlier WEP implementations often shared keys for both broadcast and unicast communications, this mechanism does boost communications security overall.
- Closed system: A technique developed by Lucent wherein access points do not broadcast SSID beacon frames (and thereby do not advertise SSID information at all). This defeats simple scanning tools that can otherwise find wireless networks inside their broadcast ranges with ease. This helps prevent so-called war driving attacks where outsiders cruise neighborhoods looking for wireless networks to freely access.
Through judicious use or combinations of these various approaches, it's possible to strengthen wireless security appreciably, and to mitigate potential vulnerabilities or exposures that Wi-Fi could otherwise present.
|
Printable version
