Wireless Network Security - The Basics of Securing a Wireless LAN
Network Authentication Process
The process of a client associating and authenticating to an access point is standard.
Should shared key authentication be selected at the client, there are additional packets
sent confirming the keys authenticity.
The following describes EAP network authentication.
1. Client sends probe to all access points
2. Access point sends information frame with data rate etc
3. Client selects nearest matching access point
4. Client scans access point in order of 802.11a, 802.11b then 802.11g
5. Data rate is selected
6. Client associates to access point with SSID
7. With EAP network authentication the client authenticates with RADIUS server
This type of security assigns a string to an access point or several access points
defining a logical segmented wireless network known as a service set identifier (SSID).
The client can't associate with an access point unless it is configured with that SSID.
Associating with the network is as easy as determining the SSID from any client on the
network. The access point can be configured to not broadcast the SSID improving security
somewhat. Most companies will implement static or dynamic keys to supplement security of SSID.
Static WEP keys
Configuring your client adapter with a static wired equivalency private (WEP) key
improves the security of your wireless transmissions. The access point is configured with
the same 40 bit or 128 bit WEP key and during association those encrypted keys are
compared. The issue is hackers can intercept wireless packets and decode your WEP key.
Dynamic WEP keys (WPA)
The deployment of dynamic encrypted WEP keys per session strengthens security with a
hash algorithm that generates new key pairs at specific intervals making spoofing much
more difficult. The protocol standard includes 802.1x authentication methods with TKIP and
MIC encryption. Authentication between the wireless client and authentication RADIUS
server allows for dynamic administration of security. It should be mentioned that each
authentication type will specify Windows platform support. An example is PEAP which
requires Windows XP with service pack 2, Windows 2000 with SP4 or Windows 2003 at each client.
The 802.1x standard is an authentication standard with per user and per session
encryption with these supported EAP types: EAP-TLS, LEAP, PEAP, EAP-FAST, EAP-TTLS and
EAP-SIM. User network authentication credentials have nothing to do with the client
computer configuration. Any loss of computer equipment doesn't affect security. The
encryption process is handled with TKIP an enhanced encryption standard improving WEP
encryption with per packet key hashing (PPK), message integrity checking (MIC) and
broadcast key rotation.
The protocol uses 128 bit keys for encrypting data and 64 bit keys
for authentication. The transmitter adds some bytes or MIC to a packet before encrypting
it and the receiver decrypts and verifies the MIC. Broadcast key rotation will rotate
unicast and broadcast keys at specific intervals. Fast reconnect is a WPA feature that is
available allowing employees to roam without having to re-authenticate with the RADIUS
server should they change floors or rooms. The client username and password is cached with
the RADIUS server for a specified period.