Wireless Security Basics
When you’re securing a wireless 802.11 network, three major components are normally required:
- Strong encryption
- Mutual authentication
- Segmentation
Because data is transmitted freely and openly in the air, proper protection is needed to ensure data privacy, so strong encryption is needed. The function of most wireless networks is to provide a portal into some other network infrastructure, such as an 802.3 Ethernet backbone.
The wireless portal must be protected and therefore an authentication solution is needed to ensure that only authorized users may pass through the portal via a wireless access point. The wireless network should always be treated as untrusted and should also be segmented in some fashion from the wired infrastructure.
Encryption
802.11 wireless networks operate in license-free frequency bands and all data transmissions travel in the open air. Protecting data privacy in a wired network is much easier because physical access to the wired medium is more restricted.
However, physical access to wireless transmissions is available to anyone in listening range. Therefore, using cipher encryption technologies to obscure information is mandatory.
A cipher is an algorithm used to perform encryption. The two most common algorithms used to protect data are the RC4 algorithm (RC stands for Ron’s Code or Rivest’s Cipher) and the Advanced Encryption Standard (AES) algorithm.
Some ciphers encrypt data as a continuous stream while others encrypt data in fixed-size blocks. RC4 is a stream cipher used in technologies that protect Internet traffic, such as Secure Sockets Layer (SSL).
The RC4 algorithm is also used to protect 802.11 wireless data and is incorporated into two encryption methods known as WEP and TKIP. The AES algorithm, originally named the Rijndael algorithm, is a block cipher that offers much stronger protection than the RC4 stream cipher.
AES is used to encrypt 802.11 wireless data through an encryption method known as Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP). The AES algorithm encrypts data in fixed-size blocks and supports encryption key lengths of 128, 192, or 256 bits.
The AES cipher is the mandated algorithm of the United States government for protecting both sensitive and classified information. The bodies of management frames contain layer 2 information necessary for the operation of the 802.11 network and therefore are not encrypted.
Control frames have no body and also are not encrypted. The information that needs to be protected is the upper-layer information inside the body of 802.11 data frames.
Most of the encryption methods discussed in this chapter use layer 2 encryption, which protects the layer 3 through 7 information found inside the body of an 802.11 data frame.
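The following added example (not from the original text) puts the frame-body rule above into a check a defender can run over captured frames: it decodes the 802.11 Frame Control field, classifies each frame as management, control, or data, and flags data frames whose Protected Frame bit is clear, meaning their body travelled in the clear. The sample frames are constructed for illustration and carry only the first two bytes of real content.

```python
# Added example: classify constructed 802.11 frames by their Frame Control field
# and report which data frames were sent without layer 2 protection.
import struct

FRAME_TYPES = {0: "management", 1: "control", 2: "data"}

# Flag bits in the second Frame Control byte (IEEE 802.11 frame format).
FLAG_TO_DS, FLAG_FROM_DS, FLAG_PROTECTED = 0x01, 0x02, 0x40


def parse_frame_control(frame: bytes) -> dict:
    """Decode the 2-byte, little-endian Frame Control field at the start of an MPDU."""
    if len(frame) < 2:
        raise ValueError("frame too short for Frame Control")
    fc = struct.unpack("<H", frame[:2])[0]
    return {
        "version": fc & 0x3,                      # bits 0-1
        "type": FRAME_TYPES.get((fc >> 2) & 0x3, "reserved"),  # bits 2-3
        "subtype": (fc >> 4) & 0xF,               # bits 4-7
        "protected": bool((fc >> 8) & FLAG_PROTECTED),  # flags byte, bit 6
    }


def body_exposure(frame: bytes) -> str:
    """Describe the frame body per the layer 2 model: management bodies are
    plaintext, control frames have no body, and only data frames may be encrypted."""
    fc = parse_frame_control(frame)
    if fc["type"] == "management":
        return "plaintext management body"
    if fc["type"] == "control":
        return "no body"
    if fc["type"] == "data":
        return "encrypted data body" if fc["protected"] else "PLAINTEXT DATA BODY"
    return "reserved frame type"


def find_unprotected_data(frames) -> list:
    """Indices of data frames sent in the clear. On a WLAN that should be using
    CCMP or TKIP, these point at a misconfigured client or AP worth investigating."""
    return [i for i, f in enumerate(frames)
            if body_exposure(f) == "PLAINTEXT DATA BODY"]


# Constructed sample frames: Frame Control bytes followed by zero padding.
SAMPLE_FRAMES = [
    bytes.fromhex("8000") + b"\x00" * 22,  # beacon: management, subtype 8
    bytes.fromhex("d400") + b"\x00" * 8,   # ACK: control, subtype 13
    bytes.fromhex("0841") + b"\x00" * 22,  # data, To DS, Protected Frame set
    bytes.fromhex("0801") + b"\x00" * 22,  # data, To DS, Protected Frame clear
]

if __name__ == "__main__":
    for i, f in enumerate(SAMPLE_FRAMES):
        print(i, parse_frame_control(f)["type"], body_exposure(f))
    print("unprotected data frames:", find_unprotected_data(SAMPLE_FRAMES))
```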
AAA
AAA is a computer security concept that refers to authentication, authorization, and accounting. Authentication is the verification of user identity and credentials. Users must identify themselves and present credentials such as usernames and passwords or digital certificates.
More secure authentication systems exist that require multifactor authentication, where at least two sets of different credentials must be presented. Authorization involves granting access to network resources and services.
Before authorization to network resources can be granted, proper authentication must occur. Accounting is tracking the use of network resources by users. It is an important aspect of network security, used to keep a paper trail of who used what resource, when, and from where.
A record is kept of user identity, which resource was accessed, and at what time. Keeping an accounting trail is often a requirement of many industry regulations such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Remember that the usual purpose of an 802.11 access point is to act as a portal into an 802.3 wired network. It is therefore necessary to protect that portal with very strong authentication methods so that only legitimate users with the proper credentials will be authorized onto network resources.
Segmentation
While it is of the utmost importance to secure an enterprise wireless network utilizing both strong encryption and an AAA solution, an equally important aspect of wireless security is segmentation. Prior to the introduction of stronger authentication and encryption techniques, wireless was viewed as an untrusted network segment.
Therefore, before the ratification of the 802.11i security amendment, the wireless segment of a network was always treated as the untrusted segment while the wired 802.3 network was considered the trusted segment.
However, if the proper encryption and authentication solutions are deployed, the wireless network can be just as secure if not more so than the wired segments of a network. It is still important to segment users in proper groups, much like what is done on any traditional network.
Once authorized onto network resources, users can be further restricted as to what resources may be accessed and where they can go. Segmentation can be achieved through a variety of means, including firewalls, routers, VPNs, and VLANs.
The most common segmentation strategy in 802.11 enterprise WLANs is layer 3 segmentation using Virtual LANs (VLANs). Segmentation is often intertwined with role-based access control (RBAC).