VLAN is not only a comparable technology, it is also a complementary one. Instead of investing in brand-new infrastructure such as dedicated cabling and switches to support the new wireless deployment, many companies are simply enabling a VLAN on their existing network switches and moving the ports that have the APs plugged into them onto their own VLAN. This VLAN is then a virtually separate network (it can even have different IP ranges, etc.), and a gateway can then be plugged in between that VLAN and the rest of the corporate network.
The main benefit of the truly enterprise-level wireless equipment now on the market is centralised management. While many other technologies have needed to be redesigned with this concept in mind, these wireless systems seem to have been developed at the right time to take advantage of centralised management immediately, without needing any fiddly upgrades or add-ons to enable it. Most are still proprietary to each vendor; however, this factor is more than offset by the savings in deployment, management, and support costs that come from deploying a single-vendor solution, particularly for a larger enterprise requiring many distributed access points.
Both use AES encryption; however, there are a few minor differences, mainly in the way keys are handled. WPA mostly uses the temporal key integrity protocol (TKIP) and 802.11i uses AES-CCMP (CCMP somehow stands for Counter Mode with Cipher Block Chaining Message Authentication Code Protocol). CCMP is technically the stronger of the two; however, it would still take several hundred years to crack encrypted data using TKIP's data encryption enhancements. This is a very interesting debate and I would encourage anyone with more than a passing interest in this subject to do some further research. A good starting point is www.wi-fi.org/OpenSection/pdf/Wi-Fi_Protected_Access_Overview.pdf
WPA uses the 802.1x standard for authentication and requires a separate RADIUS authentication server. (RADIUS stands for remote authentication dial-in user service, but it's not only used for dial-in connections.) If a small business does not have the resources to deploy a RADIUS server, an alternative is to run WPA-PSK -- a shared passkey system. When using WPA-PSK, the administrator must be careful, though, because it introduces some potential vulnerabilities. If the option exists to run a RADIUS server, then that path is definitely the more secure option.
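The care needed with WPA-PSK comes down to the passphrase: every client derives the same 256-bit key from it, with the network name as the only other input. The following is an added example, not part of the original article, showing that derivation alongside a passphrase check and generator an administrator could use; the function names, the 20-character policy threshold and the sample SSID are assumptions made for illustration.

```python
import hashlib
import secrets
import string

ITERATIONS, KEY_LEN = 4096, 32  # fixed by the WPA passphrase-to-key mapping
MIN_RANDOM_LEN = 20             # assumed local policy threshold, not from the article


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit key that every client of a WPA-PSK network shares."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    # The SSID is the only salt: same passphrase + same SSID gives the same key.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt,
                               ITERATIONS, KEY_LEN)


def audit_passphrase(passphrase: str, ssid: str) -> list:
    """Return policy findings for a proposed passphrase (empty list = accepted)."""
    findings = []
    if len(passphrase) < MIN_RANDOM_LEN:
        findings.append(f"shorter than {MIN_RANDOM_LEN} characters")
    if ssid and ssid.lower() in passphrase.lower():
        findings.append("contains the SSID")
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits]
    if sum(any(c in cls for c in passphrase) for cls in classes) < 2:
        findings.append("uses a single character class")
    if len(set(passphrase)) < len(passphrase) // 2:
        findings.append("many repeated characters")
    return findings


def generate_passphrase(length: int = 32) -> str:
    """Generate a random passphrase with the OS CSPRNG (about 5.95 bits/char)."""
    if not MIN_RANDOM_LEN <= length <= 63:
        raise ValueError("length must be between 20 and 63")
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    ssid = "ExampleCorp-WLAN"  # constructed sample SSID
    new_pass = generate_passphrase()
    print(audit_passphrase("password", ssid), derive_psk(new_pass, ssid).hex())
```

Because the key depends only on the passphrase and the SSID, anyone who knows the passphrase holds the same key as every other client, which is why a RADIUS-backed deployment with per-user credentials remains the stronger choice.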




