VPN and Wireless Security
Wireless Security Methods
A Wireless Local-Area Network (WLAN) uses radio frequency technology to transmit
and receive data over the air, providing all the features and benefits of
traditional LANs but without the limitations of a cable.
WLANs have become widely accepted for both home and business use. However, as
WLANs become widespread, businesses need a more robust security solution.
Published attacks on Wired Equivalent Privacy (WEP) encryption make it clear
that WEP protection alone is inadequate. A robust and scalable security
solution is available by using Virtual Private Network (VPN) technologies.
To safeguard data on WLANs, three basic methods are commonly used to control
access to wireless Access Points (APs). Only the third, WEP, is actually
specified by the 802.11 standard; the first two are configuration practices:
- Service Set Identifier (SSID)
The SSID allows a WLAN to be segmented into multiple networks, each with a
different identifier. Each network's identifier is programmed into one or more
APs, and a client must be configured with the matching SSID to associate with
that network. The SSID is therefore sometimes treated as a simple password, but
it is not one: APs broadcast it in beacon frames by default, and it travels
unencrypted in probe and association frames even when the broadcast is turned
off, so anyone with a wireless sniffer can learn it.
- Media Access Control (MAC) address filtering
To increase security, each AP can be configured with a list of MAC addresses
associated with the client computers that are allowed access to the AP. If a
client's MAC address is not on the list, the AP will deny access. This method
deters only casual access: MAC addresses are sent in the clear in every frame,
so an attacker can observe an allowed address and reconfigure their own adapter
to use it. It is also only suited to small networks, since the labor-intensive
work of entering MAC addresses and maintaining up-to-date lists on all of the
AP devices limits the scalability of this approach.
- Wired Equivalent Privacy (WEP)
To minimize the risk of radio frequency (RF) interception by somebody nearby,
WEP is specified for encryption and authentication between clients and APs
according to the 802.11 standard. WEP security is based on the RC4 stream
cipher. For each frame, RC4 is seeded with a 24-bit Initialization Vector (IV),
sent in the clear, followed by a shared key (a number sequence) entered and
controlled by the user; the resulting keystream is XORed with the frame body
and a CRC-32 integrity check value (ICV). All clients and APs are configured
with the same key to encrypt and decrypt transmissions of data. WEP shared keys
are 40 or 104 bits in length, marketed as 64-bit and 128-bit once the IV is
counted. Because the IV space is so small, keystreams are reused, and because
CRC-32 is linear, encrypted frames can be altered without detection; these are
the weaknesses behind the published attacks.
An AP can be set up to provide encryption-only protection in open-system mode,
or to add authentication in shared-key mode. Shared-key authentication is a
challenge-response exchange that hands a plaintext/ciphertext pair, and so a
keystream sample, to anyone listening; open-system mode with WEP encryption is
the less harmful of the two. MAC address filtering is often used together with
this encryption. WEP security is best suited for small networks, as there is no
key management protocol. As a result, keys must be manually entered into every
client. This can be a huge management task, especially as keys should be
changed regularly to provide a higher level of security.
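The WEP encapsulation just described, as an added Python example written for this page (it is not 802.11 reference code or a Linksys implementation); the shared key, IV and frame contents are constructed values. It builds and checks a frame, then shows the two design flaws in working code: recovering the XOR of two plaintexts from two frames that share an IV, and editing an encrypted frame while keeping its ICV valid. Neither step needs the key.

```python
"""Added example: WEP frame-body encryption and two consequences of its
design. Illustration code written for this page, not Linksys or 802.11
reference code; key, IV and frame contents are constructed values."""
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (key scheduling, then output generation).
    WEP seeds it with the 3-byte IV followed by the shared key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP's integrity check value: CRC-32 of the plaintext, little-endian."""
    return zlib.crc32(data).to_bytes(4, "little")


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Return IV || (plaintext || ICV) XOR RC4(IV || shared_key).
    shared_key is 5 bytes (the '64-bit' product) or 13 bytes ('128-bit');
    the 3-byte IV makes up the rest of the RC4 key and is sent in the clear."""
    assert len(shared_key) in (5, 13) and len(iv) == 3
    body = plaintext + icv(plaintext)
    return iv + xor(body, rc4_keystream(iv + shared_key, len(body)))


def wep_decrypt(shared_key: bytes, frame: bytes) -> bytes:
    """Recover the plaintext and check the ICV; raise on mismatch."""
    iv, body = frame[:3], frame[3:]
    plain = xor(body, rc4_keystream(iv + shared_key, len(body)))
    data, tag = plain[:-4], plain[-4:]
    if tag != icv(data):
        raise ValueError("ICV mismatch")
    return data


def keystream_reuse_leak(frame_a: bytes, frame_b: bytes) -> bytes:
    """Two frames under the same IV share a keystream, so XORing their
    ciphertexts cancels it and yields plaintext_a XOR plaintext_b with no
    knowledge of the key. With only 2**24 IVs a busy AP repeats one within
    hours. Returns that XOR over the data bytes (ICVs excluded)."""
    assert frame_a[:3] == frame_b[:3], "needs equal IVs"
    return xor(frame_a[3:-4], frame_b[3:-4])


def wep_bitflip(frame: bytes, delta: bytes) -> bytes:
    """Modify an encrypted frame without the key and keep the ICV valid.
    CRC-32 is linear: crc(p ^ d) == crc(p) ^ crc(d) ^ crc(zeros), so the
    encrypted ICV is patched with crc(d) ^ crc(zeros) for the same length."""
    iv, body = frame[:3], frame[3:]
    n = len(body) - 4
    assert len(delta) == n
    fix = xor(icv(delta), icv(bytes(n)))
    return iv + xor(body, delta + fix)
```

The `keystream_reuse_leak` result is the XOR of two plaintexts; once either one is guessed (HTTP requests, ARP, DHCP are all predictable) the other follows by XORing it back out. `wep_bitflip` is the reason the CRC-32 ICV gives no integrity against an active attacker.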
Virtual Private Networking (VPN)
This technology makes it possible for users on an untrusted network to connect
to a private network in an easy and secure manner. For business networks, a VPN
solution for wireless access is currently the most suitable alternative to WEP
and MAC address filtering: the wireless segment is treated as untrusted, and
the VPN gateway, not the AP, decides who gets onto the private network.
Internet Protocol Security (IPSec), as defined by the IETF, is the most
widely used mechanism for securing VPN traffic. IPSec can use multiple
algorithms for encrypting data, keyed hash algorithms for authenticating
packets, and digital certificates for validating public keys. VPNs also support
a variety of user authentication methods. These standards-based methods allow
for easy integration into existing network infrastructures.
The IPSec protocol includes three principal security elements:
- Authentication Header (AH)
The AH provides authentication and integrity by adding a keyed hash over the
IP packet to its header. This ensures that the packet came from a peer holding
the key and was not altered en route; fields that routers legitimately change
(such as the TTL) are excluded from the hash. AH provides no confidentiality:
the payload travels in the clear. Authentication techniques used are keyed
hashes (HMAC) built on MD5 (Message Digest Algorithm 5) and SHA-1 (Secure Hash
Algorithm), each truncated to 96 bits.
- Encapsulation Security Payload (ESP)
The ESP provides confidentiality. It can also provide integrity and
authentication when an authentication algorithm is configured. With the ESP in
use, the Security Parameters Index and sequence number at the start of the ESP
header are sent in the clear so the receiver can find the right keys, while the
payload, padding and ESP trailer are encrypted. Tunnel or transport modes are
available, with tunnel mode being the choice for remote access. Encryption
techniques used are DES (Data Encryption Standard) which uses 56 bit length
keys and Triple-DES or 3DES which uses 168 bit length keys (112 bits
effective). Single DES is now considered too weak for new deployments; current
IPSec implementations use AES.
- Internet Key Exchange (IKE)
These are the management protocols used to authenticate the two peers (with a
pre-shared key or digital certificates), negotiate the cryptographic algorithms
to be employed by the AH and ESP, and derive the session keys through a
Diffie-Hellman exchange. The mechanisms used provide for an extremely scalable
solution. Keys are maintained, exchanged, verified and periodically replaced
using these protocols.
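An Authentication Header computed and checked as described above, as an added Python example written for this page rather than code from any IPSec implementation. It assumes IPv4 without options, AH in transport mode, HMAC-SHA-1-96 or HMAC-MD5-96, and a deliberately minimal anti-replay check; the key, addresses and payload are constructed values. It makes the AH point concrete: a modified payload or a wrong key fails verification, a changed TTL does not, and the payload remains readable in the packet.

```python
"""Added example: IPsec AH (RFC 2402 layout) built and verified by hand.
Illustration code written for this page, not from any IPsec stack.
Assumes IPv4 without options, transport mode, 96-bit truncated HMAC.
Key, addresses and payload below are constructed values."""
import hashlib
import hmac
import socket
import struct

AH_PROTO = 51          # IP protocol number of AH
ICV_LEN = 12           # 96-bit truncation of the HMAC output
AH_LEN = 12 + ICV_LEN  # fixed AH fields (12 bytes) plus the ICV


def ipv4_checksum(hdr: bytes) -> int:
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, total_len: int,
                ttl: int = 64, ident: int = 1) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, 0x4000,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def zero_mutable(ip_hdr: bytes) -> bytes:
    """AH covers the IP header, but fields routers legitimately change
    (TOS, flags/fragment offset, TTL, header checksum) are zeroed first."""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def ah_icv(key: bytes, ip_hdr: bytes, ah_fixed: bytes, payload: bytes,
           algo: str) -> bytes:
    """HMAC over immutable IP fields, AH with a zeroed ICV, and the payload."""
    msg = zero_mutable(ip_hdr) + ah_fixed + bytes(ICV_LEN) + payload
    return hmac.new(key, msg, getattr(hashlib, algo)).digest()[:ICV_LEN]


def ah_wrap(src: str, dst: str, next_hdr: int, payload: bytes,
            spi: int, seq: int, key: bytes, algo: str = "sha1") -> bytes:
    """Transport-mode AH packet: IP | AH | original payload. Nothing is
    encrypted; the payload is as readable as it was before."""
    total_len = 20 + AH_LEN + len(payload)
    ip_hdr = ipv4_header(src, dst, AH_PROTO, total_len)
    # next header, AH length in 32-bit words minus 2, reserved, SPI, sequence
    ah_fixed = struct.pack("!BBHII", next_hdr, AH_LEN // 4 - 2, 0, spi, seq)
    tag = ah_icv(key, ip_hdr, ah_fixed, payload, algo)
    return ip_hdr + ah_fixed + tag + payload


def ah_verify(packet: bytes, key: bytes, algo: str = "sha1") -> bool:
    """Recompute the ICV and compare it in constant time."""
    if (packet[0] & 0x0F) != 5 or packet[9] != AH_PROTO:
        return False
    ip_hdr, rest = packet[:20], packet[20:]
    if (rest[1] + 2) * 4 != AH_LEN:
        return False
    ah_fixed, tag, payload = rest[:12], rest[12:AH_LEN], rest[AH_LEN:]
    return hmac.compare_digest(tag, ah_icv(key, ip_hdr, ah_fixed, payload, algo))


class ReplayCheck:
    """Simplified anti-replay: accept a sequence number only if it is higher
    than any seen so far. Real stacks keep a sliding window so that modest
    reordering is tolerated; the principle is the same."""

    def __init__(self) -> None:
        self.highest = 0

    def accept(self, packet: bytes) -> bool:
        seq = struct.unpack("!I", packet[28:32])[0]  # after IP(20)+AH offset 8
        if seq <= self.highest:
            return False
        self.highest = seq
        return True
```

The mutable-field rule is why a hop-by-hop TTL decrement does not break AH, and it is also why AH does not survive NAT: the source and destination addresses are covered by the hash, so a translator that rewrites them invalidates every packet. ESP, which does not cover the outer IP header, is what NAT traversal deployments use.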
What Does All This Say?
For home and small business: The combination of SSID + MAC + WEP is most likely
an acceptable alternative for wireless security. That is, these measures stop
accidental and casual access, but a deliberate attacker with a sniffer can learn
the SSID, spoof an allowed MAC address and recover the WEP key given enough
captured traffic. Linksys products that utilize this level of security include:
BEFW11P1, BEFW11S4, WAP11, WDT11, WPC11 and WUSB11.
For medium and enterprise business: With centrally managed administration for a
large number of users and the ease of deployment and control, VPN is the best
choice for wireless security. That is, powerful methods are employed to ensure
that network access is strictly limited to users who can be authenticated and
that privacy of message traffic is ensured in the event of interception.