July 2008
www.moxa.com
FEATURED TOPIC

The Security of IEEE 802.11

Why do We Need WLAN Security?

If you're new to wireless, the first thing you should realize is that the signals you send and receive from a nearby access point are easily intercepted by anyone in the vicinity who has a wireless card and a computer. The purpose of WLAN security techniques is to render the connection unusable and the data unreadable by anyone but yourself and the person (or machine) you're communicating with.

Although most people do not need in-depth knowledge of WLAN security, understanding the basics can make it easier for you to find the right product for your application. For example, one of the most basic questions you can ask is whether or not a product supports WPA and/or WPA2. But why should you care? Whereas most wireless products available on the market today support WEP, we point out in the next section that WEP may protect your data from the casual passerby, but still leaves you vulnerable to attack from someone with some basic network knowledge and some time on their hands.

A Peek at the Technology

There are two basic aspects to wireless security: authentication and encryption. Simply put, a system uses authentication to check a user's credentials and determine if the user should be given access to the data and resources provided by the protected network. Encryption, on the other hand, encodes the data so that anyone who does not have the secret "key" will not be able to read the data.

Authentication
The 802.1x standard dictates how authentication on wired and wireless LANs is carried out. 802.1x authentication uses port-based access control, which means that the various entities involved in the authentication process gain access to each other's resources by connecting through "ports." In effect, the authentication procedure involves placing a "guard" at each port to prevent unauthorized users from gaining access to protected data.

The 802.1x authentication procedure involves three basic players:

  1. The supplicant is the client (PC or laptop computer, for example) who would like to gain access to network resources through the wireless network.
  2. The authenticator, which for a wireless network is usually an access point (AP), plays the role of gatekeeper.
  3. The authentication server, which connects to the AP over a wired network, handles the authentication procedure. More often than not a RADIUS server is used.



In effect, the authenticator and authentication server work as a team to verify the identity of the supplicant. The authentication server also takes responsibility for computing the "keys" that the encryption algorithm will use. Although the details of authentication may be complex, the overall procedure is easy to describe:

STEP 1: The Authenticator relays authentication messages between the WLAN and the Ethernet.
STEP 2: The Authentication Server and Supplicant establish a secure tunnel that is used to pass encrypted messages.
STEP 3: The Authenticator performs the authentication check based on the agreed-upon method (TLS, PEAP-MSCHAP-V2, TTLS-PAP, etc.).

Encryption
The science of encryption, or in more down-to-earth terms the making and breaking of codes, is one of the most crucial aspects of WLAN technology. This is because the radio waves used to transmit data packets between your computer and the wireless access point can pass through walls, floors, and other barriers. People who use laptops that have a wireless LAN card will know this first-hand, since it is often possible to pick up signals from wireless access points located in nearby apartments. Using a password to restrict entry to your network may not provide enough protection, since a reasonably clever person can still intercept your data packets. In fact, if the person intercepting the wireless data is just a tad cleverer than "reasonably clever," he or she may also be able to download and read the contents of the packets.

As illustrated in the schematic below, wireless encryption has evolved from WEP, which was released in 1999, to the 802.11i standard, more commonly referred to as WPA2.


The Evolution of Wireless Encryption

  • WEP—Wired Equivalent Privacy (WEP) provides a basic level of security to prevent unauthorized access to the network and protect wireless data. Static shared keys (fixed length alphanumeric/hexadecimal strings) are used to encrypt data and are manually distributed to all wireless stations that want to use the wireless network. WEP has been found to have serious flaws and is not recommended for networks that require a high level of security. For more robust wireless security, most access points support Wi-Fi Protected Access (WPA or WPA2) for improved data encryption and user authentication.

  • 802.1x—802.1X is an authentication method that prevents unauthorized users from entering the network. It is used with WPA to form a complete WLAN security system. On many wireless systems, users either log into individual access points, or can freely enter the wireless network but cannot get further without additional authentication. 802.1X makes users authenticate to the wireless network itself, not to an individual AP, and not to some other level like VPN. This is more secure, as unauthorized traffic can be denied right at the AP.

  • WPA—Wi-Fi Protected Access (WPA) is a stronger security method that was created in response to the flaws discovered in WEP. It was intended as an intermediate measure until further 802.11i security measures were developed. When implemented with authentication methods such as RADIUS, WPA is considered secure enough for all but the most sensitive enterprise applications. For most home and small business use, an effective level of security can be obtained by using WPA with a pre-shared key (PSK) that is shared by all users.

  • WPA2—WPA2 is the second generation of WPA. The primary difference between WPA and WPA2 is the technology used for data encryption. WPA uses Temporal Key Integrity Protocol (TKIP) for data encryption, whereas WPA2 uses Advanced Encryption Standard (AES), a stronger encryption technology suitable for industries that require highly secure networks.
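As an added illustration (not code from the original article or from Moxa), the following shows how the pre-shared key (PSK) mentioned above is actually produced in WPA and WPA2 personal mode: the passphrase typed into the AP and each station is run through PBKDF2-HMAC-SHA1 with the SSID as salt, so the SSID is part of the key and a short passphrase is the weak point an administrator can fix. The helper names are assumptions for this example; the test vector is the one published in IEEE 802.11i Annex H.

```python
import hashlib
import re

PBKDF2_ITERATIONS = 4096   # fixed by IEEE 802.11i for the passphrase-to-PSK mapping
PSK_LEN = 32               # 256-bit PSK


def wpa_psk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """Map an ASCII passphrase to the WPA/WPA2 PSK (IEEE 802.11i Annex H).

    PBKDF2-HMAC-SHA1, salted with the SSID, 4096 iterations, 32 bytes out.
    Because the SSID is the salt, the same passphrase gives a different PSK
    on every network, so a table precomputed for one SSID is useless elsewhere.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 ASCII characters")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid_bytes, PBKDF2_ITERATIONS, dklen=PSK_LEN)


def configured_psk(value: str, ssid: str) -> bytes:
    """Resolve a WPA-PSK 'key' setting the way an AP or station does.

    A 64-character hex string is the raw 256-bit PSK and is used as-is;
    anything else is a passphrase (max 63 chars, so the two never collide).
    """
    if re.fullmatch(r"[0-9a-fA-F]{64}", value):
        return bytes.fromhex(value)
    return wpa_psk_from_passphrase(value, ssid)


def keys_match(station_key: str, ap_key: str, ssid: str) -> bool:
    """True if a station and an AP configured with these settings end up
    holding the same PSK (a hex key on one side, a passphrase on the other
    is a common and valid combination)."""
    return configured_psk(station_key, ssid) == configured_psk(ap_key, ssid)


if __name__ == "__main__":
    # Test vector from IEEE 802.11i-2004 Annex H.4.1: passphrase "password", SSID "IEEE"
    psk = wpa_psk_from_passphrase("password", "IEEE")
    print("PSK on SSID 'IEEE':  ", psk.hex())
    # Same passphrase, different SSID: a completely different PSK
    print("PSK on SSID 'IEEE2': ", wpa_psk_from_passphrase("password", "IEEE2").hex())
    # Raw hex key on the station, passphrase on the AP, same network: they agree
    print("station/AP keys match:", keys_match(psk.hex(), "password", "IEEE"))
```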

Using a Firewall as an Additional Safeguard
One of the most basic aspects of maintaining the security of your network involves using a firewall to filter out unwanted traffic. To protect a private LAN from unwanted traffic originating outside the LAN, firewall software often runs on a gateway that connects the LAN to the Internet. The firewall is configured to filter out traffic based on various characteristics of the incoming packets, such as IP address, MAC address, type of protocol, etc.

Even if your private LAN does not connect to a public network, once you allow access to the LAN through a wireless AP you open the network to possible attack from the fringes. As an added safeguard, some manufacturers include firewall software on the access point to filter out traffic entering the network through the AP. Moxa's AWK-3121, for example, in addition to supporting the latest encryption technology (WEP, WPA, WPA2), also allows system managers to filter traffic by MAC address or IP address, and offers TCP/UDP port filtering options.
