Securing Wireless LAN

The first thing to remember when securing an 802.11 wireless LAN is that 802.11 devices are shipped with all security features disabled. It is the responsibility of those involved in deployment to ensure that appropriate security measures are taken.

A secured wireless LAN includes provisions for authenticating devices and users, manages all APs securely, and transmits data in encrypted form.

User Authentication

All users in a secure wireless LAN must be authenticated. They can be authenticated using WEP-based authentication for minimal authentication security, 802.1X for moderate security, and VPNs for high-level security.

In addition to the wireless LAN authentication security, the LAN devices using the wireless LAN, or any other networks that the wireless LAN may have access to, must enforce operating system (OS)-level security that requires at least a username and password to authenticate users on the LAN. OS-level authentication is necessary because it protects the network resources that might be available on a network.

For example, a file server on a LAN must require OS authentication so that only users who have been successfully authorized by the OS authentication mechanism can access the data on the file server.

802.1X can be used to authenticate wireless LAN users on a given wireless LAN. It is mostly used in LAN environments in which a wireless LAN is connected to a wired LAN and the wired LAN provides authentication services to the APs connected to it.

VPNs must be deployed any time data security is critical, especially when a wireless LAN device connects to a remote LAN using an AP connected to the Internet. In this scenario, the AP must not be connected directly to the remote LAN.

Instead, wireless LAN users who establish direct connections between their devices and the remote corporate LAN must use a VPN to establish such connections. VPNs and 802.1X can be combined to provide wireless and wired LAN security to networks that include both local LANs and remote LANs.

In this case all wireless devices are authenticated using the 802.1X protocol, and a VPN is used to provide enhanced data security between the wireless devices, local wired LANs, and the remote LANs.

Data Confidentiality and Privacy

For a wireless LAN to be called a secured LAN, all traffic through the LAN must be transmitted in encrypted form. The data between wireless devices and the AP can be secured using WEP for minimal security, or using VPN technology for high-level security.

The WEP protocol uses the RC4 algorithm to provide data confidentiality and privacy. Security experts have heavily criticized the insecure use of RC4 in the WEP protocol, where the initialization vector and encryption keys are considered the weaknesses of the protocol.
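The initialization-vector weakness mentioned above, shown as an added Python example that is not part of the original page: WEP keys RC4 with a 24-bit IV prepended to a static secret, so two frames that share an IV share a keystream, and the XOR of their ciphertexts equals the XOR of their plaintexts. The key, IV and plaintexts are constructed sample values, and the collision estimate assumes IVs are picked at random.

```python
import zlib

IV_BITS = 24  # WEP sends a 24-bit IV in the clear with every frame

def rc4(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `key`."""
    s, j = list(range(256)), 0
    for i in range(256):                       # key scheduling
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(length):                    # keystream generation
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(iv: bytes, secret: bytes, plaintext: bytes) -> bytes:
    """WEP-style body: RC4(IV || secret) XOR (plaintext || CRC-32 ICV)."""
    data = plaintext + zlib.crc32(plaintext).to_bytes(4, "little")
    return xor(data, rc4(iv + secret, len(data)))

def frames_until_likely_iv_repeat(p: float = 0.5) -> int:
    """Smallest frame count at which a repeated random IV has probability >= p."""
    space, unique, n = 2 ** IV_BITS, 1.0, 0
    while 1.0 - unique < p:
        unique *= (space - n) / space          # chance that frame n+1 is a fresh IV
        n += 1
    return n

# Constructed sample values (not from the page).
SECRET = bytes.fromhex("0102030405")           # 40-bit static WEP key
IV = bytes.fromhex("a1b2c3")
P1 = b"GET /payroll.xls"
P2 = b"user=alice&pin=1"
C1 = wep_encrypt(IV, SECRET, P1)
C2 = wep_encrypt(IV, SECRET, P2)               # same IV, so same keystream

def leaked_xor() -> bytes:
    """What the two ciphertexts reveal to an observer who never sees SECRET."""
    return xor(C1, C2)[:len(P1)]

if __name__ == "__main__":
    print("ciphertext XOR equals plaintext XOR:", leaked_xor() == xor(P1, P2))
    print("frames for a 50% IV repeat:", frames_until_likely_iv_repeat())
```

On a busy AP a few thousand frames pass in seconds, which is why a static WEP key cannot be relied on and why the key-changing mechanism of 802.1X matters.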

802.1X solves the problems in the basic WEP protocol by providing a better mechanism for changing keys and authenticating users. For minimal security needs, the basic WEP encryption may be used with extreme caution, but if more reliable and medium-level security is desired, the 802.1X-based security primitive must be used.

For high-level data confidentiality and privacy, VPNs must be used. VPNs provide data confidentiality by encrypting all data that is transmitted by communicating entities.

VPNs can also be used with 802.1X to restrict wireless LAN access to authorized users, so that LAN resources are available only to those users who are authorized by 802.1X security and the VPN security provisions.

Wireless LAN Passwords and Usage Policies

Users and administrators of any LAN, especially wireless LANs, must be required to regularly change passwords. All users should be encouraged to use passwords that are hard to guess.

Users must be strongly discouraged from sharing their passwords with other individuals. Access to resources requiring high security must be restricted, and users must not be allowed to use wireless LANs with security features turned off.

Frequent Network Traffic and Usage Analysis

Administrators of wireless LANs should monitor network traffic and usage on a regular basis to ensure that network security is not compromised. Authentication logs must be reviewed frequently to identify any security breaches or any attempts to attack the network.