This tutorial presents the security principles that you should employ on your wireless network to protect yourself from nasty people on the internet. You will also discover the standards that are employed in wireless technology.
WiFi and security
- 1 - Introduction and Pre-requisites
- 2 - Different wireless network types – Part 1
- 3 - Different wireless network types – Part 2
- 4 - Basic principles for wireless network security – WEP Encryption – Part 1
- 5 - Basic security principles of a wireless network – WPA and WPA2 encryption – Part 2
- 6 - Auditing under Linux – Penetrating a wireless network – Part 1
- 7 - Auditing with Linux – Penetrating a WiFi network – Part 2
- 8 - Auditing with Windows – Penetrating a Wi-Fi network
- 9 - How to crack WPA keys under Linux
- 10 - Conclusion
WPA is a “reduced” version of the 802.11i protocol, composed of authentication protocols and a strong encryption algorithm: TKIP (Temporal Key Integrity Protocol). The TKIP protocol allows the random generation of keys and makes it possible to modify the encryption key several times per second, for more security.
On the other hand, if your network is for professional use then this solution is not sufficient, and other means are available to you to ensure a better level of security, by using WPA2.
2.3 WPA2 / 802.11i
802.11i was ratified on the 24th of June 2004, finally providing an advanced security solution for WiFi networks. It is based on the TKIP encryption algorithm, like WPA, but also supports AES (Advanced Encryption Standard), making it more secure. The WiFi Alliance thus created a new certification, named WPA2, for all equipment supporting the 802.11i standard. Unlike WPA, WPA2 allows you to secure both infrastructure and ad hoc wireless networks.
The IEEE 802.11i standard defines two operating modes:
- Personal WPA: the “personal WPA” mode makes it possible to implement a protected infrastructure based on WPA without also having to implement an authentication server. Personal WPA still uses a shared key, called PSK for Pre-Shared Key, that is configured in the access points as well as the client computers. Unlike WEP, it is not necessary to provide a key of a preset length. Indeed, WPA makes it possible to use a “pass phrase”, translated into the PSK by a hashing algorithm.
- Enterprise WPA: the enterprise version requires the use of an 802.1x authentication infrastructure based on an authentication server, generally a RADIUS (Remote Authentication Dial-In User Service) server, and a network controller (access point). This solution is currently the safest as there is no stronger authentication system available. But be careful: nothing should be taken for granted, and it is a sure bet that this solution won’t be safe from hackers for long.
NB. Not all equipment is WPA2 compatible; verify when you are purchasing your equipment that it has the options that you require.
MAC address filtering, yet another solution
Each network adaptor has a physical address that is unique to it (called a MAC address). This address is represented by a 12 digit hexadecimal number, grouped into pairs and separated by hyphens. The configuration interface of an access point generally lets you manage an access list (called an ACL) based on the MAC addresses of the equipment authorised to connect to the wireless network.
This precaution is restrictive, making it possible to limit access to the network to a certain number of machines. Be aware though that this will not resolve any confidentiality problems while exchanging data.
2.4 Securing Architecture
Beyond just choosing your algorithm, there remains the problem of choosing the location for your access point so that all the equipment you wish to connect to it will be within range. You should also be sure that your network is not overloaded right from the start of your installation. This precaution is essential, because the less your network range “overflows”, the more discreet your network is, making it less accessible from the outside world.