The next step to securing the wireless network (which is where most people start and often stop) is securing the actual wireless communications over the air between the client device and the wireless access point. There are two best practices to follow: authentication and encryption.
Authentication of wireless clients by the network ensures that only authorized devices are allowed to join the wireless network. The best practice for authentication is to implement EAP-FAST (Extensible Authentication Protocol - Flexible Authentication via Secure Tunneling). Using a set of credentials on the client device, the wireless network can authenticate the endpoint against the credentials stored in the corporate identity database. If a match is not achieved, access to the wireless network is denied. (Wired networks are implementing an equivalent technique via 802.1x.)
Just as important as the network authenticating a wireless client is the wireless client authenticating the network to which it is connecting. "Imposter" access points can be set up posing as legitimate corporate wireless network access points. If only the SSID is used to determine the network's authenticity, this is trivial to imitate. The wireless client needs to use additional factors and credentials to verify that the access point it is trying to connect to is really a corporate network access point. This mutual authentication is also part of the EAP-FAST authentication process.
Once an endpoint is authenticated, the next critical security measure is to encrypt all communications between the client and the access point. The best practice is to implement Wi-Fi Protected Access (WPA). Whereas previous encryption techniques including WEP have proven vulnerable to hacks, WPA is far more secure and implements specific measures to thwart all known attacks on WEP.
WPA was further improved by the addition of the Advanced Encryption Standard (AES), which when added to WPA is often called WPA2. It is highly recommended to use WPA2 if available, or if not then WPA at a minimum. Use of WEP is not recommended due to known vulnerabilities that allow its keys to be cracked in a matter of minutes. For simplicity, WPA and WPA2 are referred to collectively as WPA in the remainder of this article.
Two of the improvements incorporated into WPA are dynamic keys per session and periodic key changes. Each client negotiates a key for the duration of its session with the access point, and then at defined time intervals a new key is created between the two. Even if it were possible to crack a session key in an hour, the periodic key change renders the recovered key of no further value.
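Added example (not from the original article): a small Python audit of a constructed wpa_supplicant-style client configuration that flags the weaknesses discussed above: static WEP or open networks, profiles that never offer WPA2 (RSN), and EAP profiles in which the client has no way to verify the network side (no `ca_cert` for PEAP/TLS/TTLS-style methods, no `pac_file` for EAP-FAST). The sample networks, file paths and the assumed wpa_supplicant defaults are constructed for illustration, not taken from the page.

```python
import re

# Constructed wpa_supplicant-style config (not from the article): one network per case.
SAMPLE_CONF = """
network={
    ssid="legacy-lab"
    key_mgmt=NONE
    wep_key0=0123456789
}
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    pairwise=CCMP
    eap=FAST
    pac_file="/etc/wpa_supplicant/corp.pac"
}
network={
    ssid="guest-eap"
    key_mgmt=WPA-EAP
    eap=PEAP
}
"""

def parse_networks(conf_text):
    # Return [(ssid, {key: value})] for each network={...} block; quotes stripped.
    nets = []
    for body in re.findall(r"network=\{(.*?)\}", conf_text, re.S):
        net = {k: v.strip().strip('"') for k, v in re.findall(r"^\s*(\w+)=(.*)$", body, re.M)}
        nets.append((net.get("ssid", "?"), net))
    return nets

def audit(conf_text):
    # Map each SSID to its list of weaknesses (empty list = passes every check).
    findings = {}
    for ssid, net in parse_networks(conf_text):
        issues = []
        key_mgmt = net.get("key_mgmt", "NONE")
        if key_mgmt == "NONE":
            # No WPA at all: a static WEP key (crackable in minutes) or an open network.
            issues.append("WEP" if any(k.startswith("wep_key") for k in net) else "OPEN")
        else:
            # Assumed wpa_supplicant default when proto is omitted: proto="WPA RSN".
            if "RSN" not in net.get("proto", "WPA RSN").split():
                issues.append("NO-WPA2")        # WPA2 (RSN, AES-CCMP) never offered
            if key_mgmt == "WPA-EAP":
                # Mutual authentication: the client must be able to verify the network side.
                if net.get("eap") == "FAST" and "pac_file" not in net:
                    issues.append("NO-PAC")      # EAP-FAST relies on a provisioned PAC
                elif net.get("eap") != "FAST" and "ca_cert" not in net:
                    issues.append("NO-SERVER-AUTH")  # client would accept any RADIUS cert
        findings[ssid] = issues
    return findings
```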
Tune in for part 3...