Understanding WLAN Security

Wireless LANs

ICND1 v1.03-1

Wireless LAN Security Threats

ICND1 v1.03-2

Mitigating the Threats

Control and Integrity Authentication Ensure that legitimate clients associate with trusted access points.

Privacy and Confidentiality Encryption Protect data as it is transmitted and received.

Protection and Availability Intrusion Prevention System (IPS) Track and mitigate unauthorized access and network attacks.

ICND1 v1.03-3

Evolution of Wireless LAN Security

1997 2001 2003 2004 to Present

WEP

802.1x EAP

WPA

802.11i / WPA2

Basic
encryption

No strong
authentication

Dynamic keys Improved

encryption

Standardized Improved
encryption

AES strong
encryption

Static,
breakable keys

User
authentication

Strong, user
authentication (such as, LEAP, PEAP, EAPFAST)

Authentication Dynamic key

management

Not scalable MAC filters and

SSID-cloaking also used to complement WEP

802.1X EAP
(LEAP, PEAP)

RADIUS

ICND1 v1.03-4

Wireless Client Association

Access points send out beacons Client scans all channels. Client listens for beacons and
strongest signal. announcing SSID, data rates, and other information.

Client associates to access point with Client will repeat scan if signal During association, SSID, MAC
becomes low to reassociate to another access point (roaming). address, and security settings are sent from the client to the access point and
ICND1 v1.03-5

responses from access points.

How 802.1X Works on the WLAN

ICND1 v1.03-6

WPA and WPA2 Modes

WPA
Enterprise mode (Business, education, Government) Authentication: IEEE 802.1X/EAP Encryption: TKIP/MIC

WPA2
Authentication: IEEE 802.1X/EAP Encryption: AES-CCMP

Personal mode
(SOHO, home and personal)

Authentication: PSK
Encryption: TKIP/MIC

Authentication: PSK
Encryption: AES-CCMP

ICND1 v1.03-7

Summary

It is inevitable that hackers will attack unsecured WLANs. The fundamental solution for wireless security is authentication

WLAN standards evolved to provide more security.

o WEP o 802.1x EAP o WPA o 802.11i/WPA2

and encryption to protect wireless data transmission.

Access points send out beacons announcing SSIDs, data rates,

and other information.

ICND1 v1.03-8

Summary (Cont.)

With 802.1X, the access point, acting as the authenticator at the

WPA provides authentication support via IEEE 802.1X and PSK.

o Enterprise mode is a term given to products that are tested to be interoperable in both PSK and IEEE 802.1x/EAP modes of operation for authentication. o Personal mode is a term given to products tested to be interoperable in the PSK-only mode of operation for authentication.

enterprise edge, allows the client to associate using open authentication.

ICND1 v1.03-9

ICND1 v1.03-10