What Level of Protection Do You Need?
Authentication and encryption are fundamental requirements of WLAN security. First, a sender must be authenticated, so you know the user is allowed on the network. Second, you must ensure message integrity, so you can prove that the message came from that user and prevent a man-in-the-middle attack in which a session is hijacked. Third, the data must be encrypted, so an intervening device cannot read it as cleartext.
The industry has rallied around 802.1X as the standard for strong authentication of users. As testament to the dominance of 802.1X, Microsoft has provided updates to its operating systems all the way back to the Windows 98 release to add support for 802.1X, marking the first time Microsoft has updated such dated releases to add a feature.
While 802.1X is widely accepted as the solution for authentication on a WLAN, multiple options remain for wireless encryption. They include dynamic Wired Equivalent Privacy (WEP) with rolling keys; Wi-Fi Protected Access (WPA) 1.0, which uses 802.1X and the Temporal Key Integrity Protocol (TKIP); WPA 2.0, which uses 802.1X and the Advanced Encryption Standard (AES); and IPsec virtual private networks (VPNs), which may be deployed as a standard VPN solution or as an ultra-secure Federal Information Processing Standard (FIPS) 140-2 Level 1 or Level 2 solution, particularly for government deployments. The IEEE is expected to finalize the 802.11i standard, which defines both TKIP and AES, in 2004.
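As an added illustration, not taken from the original article, the encryption options listed above are shown below as access-point configuration fragments in the format used by the open-source hostapd daemon. The interface name, SSID, RADIUS server address and shared secret are placeholders; only one of the four sections would be active on a real access point, and recent hostapd builds disable WEP support entirely unless it is compiled in, which is itself a signal of how the weaker tiers have aged.

```ini
# Common settings (placeholder interface and SSID)
interface=wlan0
driver=nl80211
ssid=EXAMPLE-CORP
hw_mode=g
channel=6

# --- Tier 1: static WEP ("key under the mat") ---
# One shared, never-changing key; anyone who recovers it reads all traffic.
auth_algs=1
wep_default_key=0
wep_key0=0123456789abcdef0123456789   # placeholder 104-bit key, hex

# --- Tier 2: 802.1X with dynamic WEP ("take the key with you") ---
# Keys are derived per user after EAP authentication and rotated periodically.
ieee8021x=1
wep_key_len_broadcast=13
wep_key_len_unicast=13
wep_rekey_period=300                  # seconds between broadcast-key rotations
auth_server_addr=192.0.2.10           # placeholder RADIUS server
auth_server_port=1812
auth_server_shared_secret=CHANGE-ME   # placeholder

# --- Tier 3: WPA 1.0 with TKIP ("turn on the alarm") ---
# TKIP adds per-packet keying and a message integrity check with countermeasures.
wpa=1
wpa_key_mgmt=WPA-EAP
wpa_pairwise=TKIP
ieee8021x=1
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=CHANGE-ME

# --- Tier 4: WPA 2.0 / 802.11i with AES ("build a safe room") ---
# AES-CCMP provides both confidentiality and integrity in one construction.
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=CHANGE-ME
```

When auditing an existing deployment, the `wpa`, `wpa_pairwise` and `rsn_pairwise` lines are the ones to check: a configuration that still lists `TKIP` as an allowed cipher, or that has `wep_key0` set at all, sits at a lower tier than the one the administrator may believe they are running.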
To determine the right level of encryption for your environment, think of securing your corporate facilities as if you were securing your house using the following options:
Lock your doors, leave the key under the mat. Static WEP is the equivalent of locking the corporate front door, but then leaving the key under the welcome mat. Anyone can—and will—find the key and get inside. Unless you’re securing the wireless connection to your printers, static WEP deserves its bad reputation.
Lock your doors, take the key with you. 802.1X with dynamic WEP is the equivalent of taking the key with you after you’ve locked the door. Given plenty of time, a lock can be picked, but the average thief won’t be able to enter the house. Most people find this level of security sufficient.
Lock your doors, turn on the alarm. For WLANs, this is the equivalent of deploying WPA 1.0 with TKIP encryption. If someone attempts to break into your house, the alarm system will alert you and the proper authorities. TKIP will do the same—upon detecting an attack, TKIP will invalidate the keying material to thwart admission to the network and alert the administrator that it has taken this countermeasure.
Build a safe room. The totally risk-averse homeowner can build a safe room in the basement. If this is you, then WPA 2.0 or 802.11i with AES, the strongest encryption possible for non-military use, is right for you. With AES, you can be absolutely confident in your security.
Sell the house and move. Head for the hills and build a subterranean bunker with reinforced concrete walls. Produce your own clean air and fresh water, and have a year’s supply of ready-to-eat meals. That’s the home security equivalent to IPsec VPNs with the super-secure FIPS 140-2 Level 2 or greater certification, which may be required to do business with some agencies in the U.S. and Canadian governments.
But let’s keep things in perspective. An attacker can show up at your door impersonating a deliveryman with a package in hand, and gain access to your facilities. Any of the above strategies can be defeated by an adversary who is intent on wrongdoing. There is no such thing as perfect security. Security is a system-wide issue, and there will always be weak links. The challenge is to strike a reasonable balance between protection and service.
For more information on Wireless security please contact us at info@primecaretech.com.