Network Authentication Process

The process of a client associating and authenticating to an access point is standard. Should shared key authentication be selected at the client, additional packets are sent confirming the key's authenticity. The following describes EAP network authentication.

1. Client sends a probe to all access points
2. Access point sends an information frame with data rate, etc.
3. Client selects the nearest matching access point
4. Client scans the access point in order of 802.11a, 802.11b, then 802.11g
5. Data rate is selected
6. Client associates to the access point with the SSID
7. With EAP network authentication, the client authenticates with the RADIUS server

Open Authentication

This type of security assigns a string to an access point or several access points, defining a logically segmented wireless network known as a service set identifier (SSID). The client can't associate with an access point unless it is configured with that SSID. Associating with the network is as easy as determining the SSID from any client on the network. The access point can be configured not to broadcast the SSID, improving security somewhat. Most companies will implement static or dynamic keys to supplement the security of the SSID.

Static WEP keys

Configuring your client adapter with a static Wired Equivalent Privacy (WEP) key improves the security of your wireless transmissions. The access point is configured with the same 40-bit or 128-bit WEP key, and during association those encrypted keys are compared. The issue is that hackers can intercept wireless packets and decode your WEP key.

Dynamic WEP keys (WPA)

The deployment of dynamic encrypted WEP keys per session strengthens security with a hash algorithm that generates new key pairs at specific intervals, making spoofing much more difficult. The protocol standard includes 802.1x authentication methods with TKIP and MIC encryption. Authentication between the wireless client and the authenticating RADIUS server allows for dynamic administration of security. It should be mentioned that each authentication type will specify Windows platform support. An example is PEAP, which requires Windows XP with Service Pack 2, Windows 2000 with SP4 or Windows 2003 at each client.

The 802.1x standard is an authentication standard with per-user and per-session encryption and these supported EAP types: EAP-TLS, LEAP, PEAP, EAP-FAST, EAP-TTLS and EAP-SIM. User network authentication credentials have nothing to do with the client computer configuration, so loss of computer equipment doesn't affect security. The encryption process is handled with TKIP, an enhanced encryption standard improving WEP encryption with per-packet key hashing (PPK), message integrity checking (MIC) and broadcast key rotation. The protocol uses 128-bit keys for encrypting data and 64-bit keys for authentication. The transmitter adds some bytes, the MIC, to a packet before encrypting it, and the receiver decrypts the packet and verifies the MIC. Broadcast key rotation rotates unicast and broadcast keys at specific intervals. Fast reconnect is a WPA feature that allows employees to roam without having to re-authenticate with the RADIUS server should they change floors or rooms; the client username and password are cached at the RADIUS server for a specified period.

EAP-FAST
• Implements a symmetric key algorithm to build a secure tunnel
• Client and RADIUS server side mutual authentication
• Client sends username and password credentials in the secure tunnel

EAP-TLS
• SSL v3 builds an encrypted tunnel
• Client side and RADIUS server side assigned PKI certificates with mutual authentication
• Dynamic per-client, per-session keys used to encrypt data

Protected EAP (PEAP)
• Implemented at Windows clients with any EAP authentication method
• Server side RADIUS server authentication with a root CA digital certificate
• Client side authentication with the RADIUS server from a Microsoft MS-CHAP v2 client with username and password encrypted credentials

Wireless Client EAP Network Authentication Process

1. Client associates with the access point
2. Access point allows 802.1x traffic
3. Client authenticates the RADIUS server certificate
4. RADIUS server sends a username-with-password encrypted request to the client
5. Client sends the username with password, encrypted, to the RADIUS server
6. RADIUS server and client derive the WEP key; the RADIUS server sends the WEP key to the access point
7. Access point encrypts the 128-bit broadcast key with that dynamic session key and sends it to the client
8. Client and access point use the session key to encrypt and decrypt packets

WPA-PSK

WPA pre-shared keys use some features of static WEP keys and dynamic key protocols. Each client and access point is configured with a specific static passcode. The passcode generates the keys that TKIP uses to encrypt data per session. The passcode should be at least 27 characters to defend against dictionary attacks.

WPA2

The WPA2 standard implements the WPA authentication methods with the Advanced Encryption Standard (AES). This encryption method is deployed in government implementations and similar environments where the most stringent security must be implemented.

Application Layer Passcode

SSG uses a passcode at the application layer. Clients can't authenticate unless they know the passcode. SSG is implemented in public places such as hotels, where the client pays for the password allowing access to the network.

VLAN Assignments

As noted, companies will deploy access points with SSID assignments that define logical wireless networks. The access point SSID will then be mapped to a VLAN on the wired network that segments traffic from specific groups, as they would with the conventional wired network. Wireless deployments with multiple VLANs will then configure 802.1q or ISL trunking between the access point and the Ethernet switch.

Miscellaneous Settings
- Turn Microsoft File Sharing OFF
- Implement antivirus software and a firewall
- Install your company VPN client
- Turn OFF Auto Connect to any wireless network
- Never use Ad Hoc mode; this allows unknown laptops to connect
- Avoid signal overrun with a good site survey
- Use the minimal transmit power setting

Anti Theft Option

Some access points have an anti-theft option available using a padlock and cabling to secure equipment while deployed in public places. This is a key feature for public implementations where access points can be stolen, or where there is some reason they must be mounted below the ceiling.

Security Attacks
• Wireless packet sniffers capture, decode and analyze packets sent between the client computer and access points. The purpose is to decode security information.
• Dictionary attacks attempt to determine the decryption key configured on the wireless network using a list or dictionary with thousands of typical passcode phrases. The hacker captures information from the authentication process and scans each dictionary word against the password until a match is found.
• The specific mode assigned to each wireless client affects security. Ad Hoc mode is the least secure option, with no access point authentication. Each computer on the network can send information to an Ad Hoc neighbor computer. Select infrastructure mode where available.
• IP spoofing is a common network attack involving faking or replacing the source IP address of each packet. The network device thinks it's communicating with an approved computer.
• SNMP is sometimes a source of compromised security. Implement SNMP v3 with complex community strings.
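The WPA-PSK section and the dictionary-attack bullet above both come down to one point: the passcode is the only secret. As an added example (not code from the original page), the following provisioning-time check derives the PSK the way WPA/WPA2-Personal does it (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, per IEEE 802.11i) and enforces the page's 27-character minimum; the character-class rule and the small wordlist are constructed assumptions, not from the page.

```python
import hashlib
import secrets
import string

# WPA/WPA2-Personal derives the 256-bit PSK with PBKDF2-HMAC-SHA1, salted with
# the SSID and run for a fixed 4096 iterations. The SSID is broadcast and the
# iteration count cannot be raised, so once a handshake has been observed the
# passphrase's length and unpredictability are the only remaining defence.
PBKDF2_ITERATIONS = 4096
PSK_BYTES = 32
MIN_LENGTH = 27          # minimum recommended on this page
MIN_CHAR_CLASSES = 3     # assumed local policy, not from the page
ALPHABET = string.ascii_letters + string.digits + string.punctuation
# Constructed stand-in for a real dictionary; a deployment would load a wordlist.
COMMON_WORDS = {"password", "welcome1", "letmein", "wireless", "admin123"}


def psk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """Return the PSK a client or access point provisions for this passphrase/SSID."""
    if not 8 <= len(passphrase) <= 63 or any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA passphrase must be 8-63 printable ASCII characters")
    ssid_bytes = ssid.encode()
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1-32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid_bytes,
                               PBKDF2_ITERATIONS, PSK_BYTES)


def check_passphrase_policy(passphrase: str, ssid: str, wordlist=COMMON_WORDS) -> list:
    """Return policy violations for a candidate passphrase (empty list means accepted)."""
    findings = []
    if len(passphrase) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    lowered = passphrase.lower()
    # Catch the word itself and the common "word + digits" variant.
    if lowered in wordlist or lowered.rstrip(string.digits) in wordlist:
        findings.append("matches a dictionary word")
    if ssid.lower() in lowered:
        findings.append("contains the SSID")
    groups = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    classes = sum(any(c in group for c in passphrase) for group in groups)
    if classes < MIN_CHAR_CLASSES:
        findings.append(f"fewer than {MIN_CHAR_CLASSES} character classes")
    return findings


def generate_passphrase(ssid: str, length: int = MIN_LENGTH) -> str:
    """Generate a random passphrase that satisfies check_passphrase_policy."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_passphrase_policy(candidate, ssid):
            return candidate
```

The first assertion in a test can use the IEEE 802.11i test vector (passphrase "password", SSID "IEEE") to confirm the derivation matches what real supplicants compute.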