Hardening Wireless LAN Connections, Part 2 - Hardening WiFi Protected Access (WPA) (Page 3 of 8 ) WPA is a subset of the 802.11i standard and was created to address the vulnerabilities of WEP. 802.11i 802.11i is an emerging technology that is designed to address all the security flaws related to WEP and is the direction that wireless security is heading. 802.11i incorporates all the aspects of WPA, including 802.1x authentication, Temporal Key Integrity Protocol (TKIP), and Michael Message Integrity Check (MMIC). In addition, 802.11i addresses a number of issues that WPA does not. 802.11i uses stronger encryption than WPA through the implementation of Advanced Encryption Standard (AES). This presents one of the biggest hindrances to 802.11i, however, because the processing overhead of AES is significant enough to require hardware upgrades to support it in many cases. 802.11i will also support roaming, which allows users to move between WAPs without losing their connection when they switch from the old WAP to the new WAP. If you do not need wireless now, I recommend that you wait for 802.11i to be finalized and for 802.11i products to come out. |
In fact, the hardening procedure for WEP is simply to use WPA instead. WPA is actually a combination of a few different techniques that mitigate the problems that WEP exposes. The first is the use of 802.1x authentication to address authentication issues. The second is the use of Temporal Key Integrity Protocol (TKIP) to address encryption issues. The final is a Michael Message Integrity Check (MMIC) to address message integrity. WPA is forward compatible with 802.11i. 802.1x Authentication The 802.1x specification was originally defined for wired networks and provides a mechanism for allowing a client (known as a supplicant) to be authenticated by a network device such as a WAP (known as an authenticator) through the use of a RADIUS server (known as an authentication server). It is important to understand that the WAP does not perform the authentication; rather, it acts as a middleman by passing the client’s credentials to the RADIUS server and letting it handle the actual authentication of the client. 802.1x uses a combination of the Extensible Authentication Protocol (EAP) and RADIUS for authenticating clients and distributing keys. RADIUS is used primarily for carrying the authentication and configuration information between the authenticator and the RADIUS server. RADIUS does not have a mechanism for using anything other than password-based authentication. To address this, EAP is used to provide the means to support authentication, such as public key–based authentication (that is, shared secret). Essentially, the WAP uses EAP to communicate with the client and RADIUS to communicate with the RADIUS server, encapsulating the data as required. EAP utilizes three common authentication means: EAP-MD5, EAP-TLS, and EAP-TTLS. In addition, Cisco has a proprietary implementation known as Lightweight EAP (LEAP). However, LEAP uses a weaker authentication algorithm. This, combined with its proprietary nature, makes LEAP not a recommended solution. Finally, Microsoft has implemented Protected EAP (PEAP), which was designed to overcome some of the limitations and vulnerabilities of the other EAP methods. PEAP can use MS-CHAP-v2 authentication within the EAP-TTLS tunnel to actually authenticate the user based on Active Directory. Many vendors support PEAP, so much so that it is currently undergoing evaluation to become a standard.  This is from Hardening Network Infrastructure, by Wesely Noonan (McGraw-Hill/Osborne, ISBN 0072255021). Check it out at your favorite bookstore today. Buy this book now. |
 |
/ 12 
