aaa | Joe Rinehart's Blog

Archive for aaa

No Strings (Wires) Attached: Wireless LANs, Part IV

Posted in Cisco Certification with tags 2.4 GHZ, 5.0 GHZ, 640-802, 640-816, 640-822, 802.11, 802.11a, 802.11b, 802.11g, 802.11i, 802.11n, 802.1x, aaa, access point, address, airespace, aironet, analog, ap, authentication, autonomous, breach, broadcast, BSS, bssid, catalyst, ccdp, ccent, ccie, ccmp, ccna, ccna wireless, ccna_exam, CCNP, certification, channel, cisco, cisco_certification, csma/ca, DSSS, eap, eap-fast, eap-tls, education, ESS, exam_preparation, fcc, federal communications commission, FHSS, filter, flood, forward, forward delay, forwarding, frequencies, frequency, ghz, hello, IBSS, icnd, icnd1, icnd2, industrial scientific mechanical, internet, ism, jjrinehart, joe rinehart, joseph rinehart, LAN, layer 2, leap, learning, lesson, licensed frequencies, licensed frequency, lightweight, LinkedIn, listening, lwapp, material, materials, max age, mhz, mst, networking, OFDM, peap, preparation, radio, rc4, receiver, RF, rinehart, root, root port, rstp, seacug, seattle cisco users group, security, spanning-tree, SSID, storms, stp, switch, switches, switching, tech, technology, tkip, transmitter, unlicensed frequencies, unlicensed frequency, Virtual LAN, VLAN, WCS, wep, wi-fi, wifi, wired equivalent privacy, wireless, wireless lan, wlan, WLC, wpa, wpa2 on September 9, 2011 by jjrinehart

Up to NO Good!

When the 802.11 wireless standard first came out, security was seemingly an afterthought…one of the greatest criticisms of the technology in the “early days” was the fact that just about anyone could access the wireless medium with relative ease. Stories abounded of hackers with antenna arrays made out of Pringle’s cans not only getting access to a company’s network, but having access to restricted information resources as well. To combat these very real threats, the first security measure, called Wired Equivalent Privacy, or WEP, was released.

Any early adopter of technology will tell you that the first release of just about anything, now matter how cool, is going to have some significant problems. Most seasoned engineers or administrators will typically pass on the first release of a new product or version of code for that very reason (why make your job harder than it needs to be, right?) WEP was no exception to that rule, for several reasons. First, it used static preshared keys that were rarely, if ever, changed. I know of a large healthcare institution where an ex-employee, just out of curiosity, checked to see if the WEP keys one supposedly secure wireless network had been changed, after several years of being gone. Not only were the WEP keys the same, but so were most of the passwords on the servers and network! Had this individual had unhealthy motives, it could have resulted in a significant security breach resulting in RGE’s (resume generating events) for members of the network staff. To complicate the death knell for WEP, the keys were easily cracked and the methods for doing so were readily available to both the hacker community as well as publicized on the Internet. NOT a good start for wireless security.

The next generation of wireless security was advanced by the Wi-Fi Alliance, and titled WPA or Wi-Fi Protected Access. WPA introduced more thorough methods of authentication (that is, verification of the identity of legitimate users before granting access) as well as strong encryption. WPA was released prior to an actually IEEE standard, so not long after WPA2 was released, matched to the 802.11i standard, and made even stronger, particularly on the encryption front.

The final area of wireless security had nothing to do with technology, and everything to do with policy management: security policies. Many times the reasons networks have serious points of vulnerability have less to do with technology protection mechanisms and more to do with the foibles of internal users. A strong security policy can prevent either intentional or unintentional problems by regulating risky behavior. Next time, we will consider IP addressing and services…

– Joe