Chapter 7: Security and Wireless LANs

Cisco Press

1 2 3 4 5 Page 3
Page 3 of 5
  1. Bind Pair-Wise Master Key (PMK) to STA and AP.

  2. Confirm that both AP and STA possess a PMK.

  3. Generate new Pairwise Transmit Key (PTK).

  4. Prove each peer is live.

  5. Synchronize PTK use.

EAP Types

The Extensible Authentication Protocol (EAP) is a framework for sending authentication information and encryption keys from the authentication server (AS) to the client (STA) and AP (Auth). The authentication methodology—password-based, public key infrastructure (PKI), or certificate—is set by the organization.

The EAP session thus adopts the following event sequence:

  1. A wireless client associates with an access point, which prohibits the client from gaining access to anything (except the authentication server) on the network until it has logged in and authenticated.

  2. The client (STA) and AP (Auth) perform a mutual authentication (handshake). The AP receives an authentication request from the client and sends back a challenge. The client then completes this challenge. The AP then forwards the information to the authentication server (AS), using the client's and AP's credentials.

  3. When successful, the client and authentication server derive an encryption key. The key can be derived in several ways, and each EAP type defines the specifics. Additionally, during the process, the client and server also derive a broadcast key. All data is subsequently encrypted using this key pair.

  4. As a further measure to maintain integrity, the key pairs can be changed at regular intervals. The AAA server manages this function.

The following list describes different EAP types. Note that this is not a comprehensive catalog of all EAP types. However, it does include all the mainstream versions:

  • EAP-TLS (Transport Layer Security)—Developed by Microsoft as a LAN-based authentication type.

  • EAP-LEAP (Lightweight Extensible Authentication Protocol)— The Cisco version that was developed exclusively for WLAN security. It is also known as Cisco-EAP.

  • EAP-PEAP (Protected Extensible Authentication Protocol)—Developed by Microsoft, Cisco, and RSA Security.

  • EAP-FAST (Flexible Authentication via Secure Tunneling)—Second-generation WLAN security EAP type from Cisco.

  • EAP-TTLS (Tunneled Transport Layer Security)—Developed by Funk Software and Certicom.

Table 7-3 summarizes the features of different EAP types.

Table 7-3: EAP Type Features

Security TypeUser AuthDevice AuthTunneledCertificate Based ServerCertificate Based ClientTKIP / MIC
WEP X    
Cisco-EAP (LEAP)X    X

Building a Secure WLAN

This section provides guidelines for building a secure WLAN. These recommended practices are offered as tried and tested methodologies for addressing this challenging topic. Every enterprise comes with its own unique environment, infrastructure, and security challenges, but by following these suggestions and tailoring them to your specific needs, you can be sure that you have addressed the most common security issues encountered today.

Trusted Versus Untrusted Wireless Networks

One of your first decisions is whether your wireless network will be trusted or untrusted. This is an architectural issue, but it has a fundamental impact upon the security model you adopt. In the trusted model, you consider your WLAN to be an integral part of your intranet. The WLAN lies inside your secured fortress. In the untrusted model, you regard your WLAN as an extranet. The WLAN lies outside the secured perimeter of the organization. As such, you should make this decision very early in the planning or design phase of the PPDIOO lifecycle.

Trusted WLANs

Trusted wireless networks are fully integrated into the existing enterprise network. It is assumed that the integrity of the network is implicitly protected. WLAN security is placed at the network edge, where the clients or devices authenticate and the traffic is encrypted. From a security perspective, trusted wireless networks are the preferred type of deployment today.

The advantages of a trusted WLAN include

  • Ease of use

  • Variety of EAP mechanisms

  • Possibility of single sign-on

  • Capability to roam across Layer 2 and Layer 3

  • Ability to support wireless voice and multicast traffic multicast traffic

Untrusted WLANs

In an untrusted wireless network, the assumption is that the network integrity is easily compromised. This assumption indicates that security does not exist or is incapable of providing necessary protection. Data in an untrusted WLAN is therefore considered "open," and hence there is the need to be explicit about security.

The advantages of an untrusted WLAN include:

  • No differentation among traffic as all traffic is considered suspect.

  • Isolation of WLAN attacks as the WLAN is separate from the enterprise network.

  • No additional infrastructure is needed to support WLAN security.

Define a Clear Security Posture

A security posture is a framework of terms, protocols, standards, and policies that relate to protecting your wireless environment. It should at a minimum provide guidelines for

  • The particular encryption protocols you choose

  • The authentication method and standards adopted

  • Your password policy

  • A user access policy

  • A list of the devices and clients your WLAN will support

The critical steps of selecting an authentication mechanism and encryption strategy for your WLAN are discussed next.

Note - A common mistake when developing a security plan is to confuse authentication with encryption. Authentication is the process of validating an end user or device, whereas encryption is the function of hiding the original text in a cipher.

Define Your Authentication Mechanism

Earlier in this chapter, you learned about the two authentication types: user-based and machine-based. The most commonly adopted and recommended authentication mechanism is EAP. An added advantage of EAP is that it supports both types of authentication. Your choice of EAP type is impacted by many factors, including the following:

  • The client devices you intend to support

  • Your existing security policy

  • Your existing security infrastructure

  • The capabilities of your security system to support different authentication methods, especially different ones, simultaneously

Some EAP mechanisms make it extremely difficult to compromise a WLAN; however, they are correspondingly difficult to set up and maintain in large deployments. If security is of the utmost importance, this additional operational overhead is probably acceptable. On the other hand, some EAP mechanisms offer less protection and should not be seriously considered for an enterprise-class deployment. Carefully consider the tradeoffs between robustness of the authentication scheme, ease of management, and computational requirements on the client's end. Unavailability of appropriate software on clients typically limit the type of EAP you can practically use. Supporting a wide range of devices adds more analysis of the EAP type selection process. Refer to the section "EAP Types" for more information.

The impact that clients have on your EAP selection are directly related to the following questions:

  • Does your enterprise certificate require a Certificate Authority (CA)?

  • Do you use shared keys, which require a public key infrastructure (PKI)?

  • What client platforms will you support?

  • What client authentication systems are you already using?

Different EAP types strike a different balance between complexity and security. Figure 7-4 depicts the trade-off for common EAP types.

Figure 7-4

Figure 7-4

The Difficulty, Complexity, and Level of Security for EAP Types

Select Your Encryption/Data Integrity Type

Another significant decision for wireless security is choosing an appropriate encryption type for your environment. Although you might be inclined to choose the most secure option available, this choice might not be practical for your environment. Complexity, computational power, and user convenience are also key considerations. Yet again, a balance is required.

Currently, the most popular standard is 802.11i using the Advanced Encryption Standard (AES). AES's benefit of robustness comes at the expense of increased computational overhead. Devices that intend to use AES should be foreseen of sufficient computing power so that they can process encryption transparently without negatively impacting other tasks of the device. Therefore, the more practical issue you need to consider is determining the most secure method that all your approved devices can handle given their existing compulational horsepower. An alternative strategy is to deploy multiple security types in function of the capabilities of the devices you support.

Establish a Password Policy

In any networked enterprise, it is important to have a password policy, and it is highly likely that you have already defined yours.

In some enterprise deployments, a completely separate set of user credentials is used to provide access to the wireless network. One-time passwords (OTPs) are a good example. Users do not enter their "native" credentials to access the WLAN; instead, they use a randomly generated OTP provided by a smart card or by software on the client device.

Just like any of the other security decisions you make, the password policy must take into account conflicting goals such as ease of use, deployment, and support (for users and devices).

Here are some considerations:

  • OTPs:

    • Select a smart card vendor or manufacturer if you have not already.

    • Consider the back-end infrastructure to support the OTP system.

    • Consider the operational overhead and support impact of deploying OTP software or physical smart cards to every user.

  • Native user credentials:

    • Implement a strong password policy that requires complex passwords: a mixture of uppercase, lowercase, and extended characters.

    • Require passwords that are longer than the usual eight characters.

  • Wireless-only alternate user credentials:

    • Consider the overhead of maintaining a set of alternate user credentials.

    • Consider the impact of users having to remember another set of credentials.

    • Alternatively, if you choose to store or cache the credentials on the device, you must assess the risk of them being compromised.

Note - There is an added risk concerning the protection of authentication credentials when they are cached on a device. Sometimes, however, this does not outweigh the benefits of caching credentials. For example, hospitals often store user IDs and passwords on devices so that doctors are not troubled with entering them.

Define a Clear WLAN Security Policy

Defining a clear and consistent security policy is an essential part of securing your WLAN. This WLAN security policy should provide quidelines for

  • Who has "ownership" of the RF airspace within the enterprise?

  • Who can install access points or WLANs?

  • What operating systems are supported?

  • What client devices are supported?

Note - A security policy is a collection of practices and guidelines that set a standard for behavior and use on the network. A security policy is different from a security posture in that a security posture represents a collection of actions that are used to provide a level of protection for the network.

Secure Your APs

Policies and procedures only set guidelines. As such, specific measures must be in place to reduce risk. Configuring your access points correctly is a critical step in securing your WLAN._ We recommend that you specifically address the following parameters of access points.


As described in Chapter 1, "Introduction to Wireless LAN Technologies," the Service Set Identifier (SSID) is analogous to a network name. It is used only to identify your network to client devices. Hence, it is not a true security measure. SSIDs are part of operational recommended practices. They are the first step toward compromising your network. Any default setting is an open invitation for malicious attack and therefore should be changed. An added security measure is not allowing your SSID to be broadcast openly. This measure helps to eliminate any accidental discovery of the SSID. If broadcasting the SSID is necessary (such as guest networks), it should be put into a separate network space, such as VLANs.

Implement a Secure Management Policy for APs

To secure your WLAN, you must also implement a policy to manage your APs so that standards can be updated and enforced. The following list outlines the essential steps:

1 2 3 4 5 Page 3
Page 3 of 5
IT Salary Survey: The results are in