Mobility is one of the biggest challenges for information security professionals. Now we are in our offices with many customers that use wireless technology and not only laptops, but phones, tablets and other devices for corporate use. How can we provide access to the company's wireless network to devices that have staff members and third people?
We have to select a proper authentication and cypher mechanism for the wireless network. Known authentication schemes are:
1. PreShared Key (PSK): This is known as the standard "personal network" authentication scheme. The client must supply the PSK to gain association and connectivity to the wireless network.
2. Certificates | Username/password: This is known as the "Enterprise" authentication scheme. The client must supply valid credentials to log-in, including but not limited to username and password and certificates. RADIUS is mandatory for this type of authentication and it must include the appropiate dictionary to interact smoothly with the network equipment you have in your company. 802.1X is the best option you can use to enforce secure authentication to the wireless network. To determine which level of security you want to implement in the authentication level, there is a wide range of authentication protocols within the Extensible Authentication Protocol standard to choose from like:
How can we protect the WLAN traffic against eavesdropping? Known protection mechanisms are:
1. Wired Equivalent Privacy (WEP): It's a weak security algorithm that uses the RC4 stream cipher for confidentiality and the CRC-32 checksum for integrity. The vulnerability of this protocol lies in the stream cipher algorithm used, as the same key for encryption of traffic can not be used more than once. Because in practice there is no such scheme implemented for this protocol that allows different keys for each packet, you can get the encryption key for the network by monitoring wireless network packets. There are several documented attacks about this protocol and many tools as aircrack and kismet that implements them. This protection mechanism is deprecated and should not ever be used in production environments where unauthorized access is critical.
2. Wi-Fi Protected Access (WPA): This protocol is part of the IEEE 802.11i standard. The encryption key problem is solved by using Temporal Key Integrity Protocol (TKIP) generating 128-bit key per packet transmitted on the network. This protocol was deprecated by IEEE in January 2009.
3. Wi-Fi Protected Access 2 (WPA2): This protocol is also part of the IEEE 802.11i standard. As TKIP is insecure, WPA2 replaces it with Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP). It combines the Counter-Mode block cipher mode (CTR) for data confidentiality and Cipher Block Chaining Message Authentication Code (CBC-MAC).
Which combination of authentication and encryption scheme should you choose? It should be done according to the level of risk to which you are exposed. I always recommend Enteprise PEAP authentication with WPA2 because it is not difficult to implement and provide a good level of security with a broad level of interoperability for devices that want to connect to the network. If you are paranoic, you can always use enteprise authentication with EAP-TLS/EAP-TTLS with WPA2.
Please don't forget to review the quick wins list for this control. They are really helpful when developing a plan to implement a Wireless Device Control Architecture.
Manuel Humberto Santander Peláez
Manuel Humberto Santander Pelaacuteez
Oct 20th 2011
8 years ago
"...should not ever be used in production environments where unauthorized access is critical. "
Don't you mean:
"...should not ever be used in production environments where unauthorized access _protection_ is critical. "
Oct 21st 2011
8 years ago