Network Authentication Process
The process by which a client associates and authenticates to an access point is standard. If shared key authentication is selected on the client, additional packets are sent to confirm the authenticity of the key.
The following describes EAP authentication to the network.
1. Client sends a probe to all access points
2. Access points send information frames with data rates etc.
3. Client selects the nearest suitable access point
4. Client scans access points in the order 802.11a, 802.11b, then 802.11g
5. Data rate is selected
6. Client associates with the access point using the SSID
7. With EAP network authentication, the client authenticates with the RADIUS server
Open Authentication
This type of security assigns a string to an access point or to multiple access points that defines a logical segmentation of the wireless network, known as the Service Set Identifier (SSID). A client cannot connect to an access point unless it is configured with the SSID. Joining the network is as simple as determining the SSID from any client on the network. The access point can be configured not to broadcast the SSID, which improves security somewhat. Most companies supplement the SSID with static or dynamic keys to implement security.
Static WEP Key
Configuring the client adapter with a static wired equivalent privacy (WEP) key increases the security of your wireless transmissions. The access point is configured with the same 40-bit or 128-bit WEP key, and the encrypted key is compared during association. The problem is that wireless hackers can intercept packets and decrypt your WEP key.
Dynamic WEP key (WPA)
Using dynamic WEP keys that are unique to each session protects the encryption: with a hash algorithm, new key pairs are generated at certain intervals, which makes spoofing more difficult. The protocol includes the standard 802.1x authentication methods, with TKIP encryption and MIC. Authentication between the wireless client and the RADIUS authentication server enables dynamic security management. It should be mentioned that each authentication method has its own Windows platform support. For example, PEAP requires Windows XP with Service Pack 2, Windows 2000 with SP4 or Windows 2003 on each client.
The 802.1x standard is an authentication standard with per-user, per-session encryption, and supports these EAP types: EAP-TLS, LEAP, PEAP, EAP-FAST, EAP-TTLS and EAP-SIM. Network user authentication credentials are independent of the client computer configuration, so the loss of computer equipment has no impact on security. Encryption is improved with TKIP, which extends standard WEP encryption with Per-Packet Key Hashing (PPK), Message Integrity Check (MIC) and broadcast key rotation. The protocol uses 128-bit keys for data encryption and 64-bit keys for authentication. The transmitter adds a few bytes, the MIC, to a packet before encryption; the recipient decrypts the packet and verifies the MIC. Broadcast key rotation rotates the unicast and broadcast keys at specific time intervals. Rapid Link is an EAP function that, where available, allows employees to roam without re-authenticating with the RADIUS server when they change rooms or floors. The client's user name and password are cached on the RADIUS server for a specified period.
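The paragraph above names three TKIP additions to WEP: a per-packet key, a MIC appended before encryption and verified after decryption, and key rotation. The following is an added toy model of the first two (plus sequence-counter replay rejection); it is not code from the page or from the Cisco design guide. Its primitives are hypothetical stand-ins chosen so it runs on the Python standard library: HMAC-SHA256 acts as the key mixer, the MIC and the keystream generator, whereas real TKIP uses RC4 and the Michael MIC, so nothing here is TKIP's wire format. The key sizes follow the page (128-bit data key, 64-bit MIC key) and the sample keys and frames are constructed.

```python
import hashlib
import hmac
import struct

MIC_LEN = 8      # bytes of MIC appended to every packet
SEQ_LEN = 8      # sequence counter sent in the clear, like a per-packet IV


def per_packet_key(session_key: bytes, sender: bytes, seq: int) -> bytes:
    """Mix the session key with the sender address and sequence counter (the
    per-packet key hashing idea), so no two packets use the same key."""
    return hmac.new(session_key, sender + struct.pack(">Q", seq), hashlib.sha256).digest()


def keystream(packet_key: bytes, length: int) -> bytes:
    """Counter-mode keystream from the per-packet key (stand-in for the stream cipher)."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(packet_key, struct.pack(">I", counter), hashlib.sha256).digest()
    return out[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def compute_mic(mic_key: bytes, sender: bytes, seq: int, payload: bytes) -> bytes:
    """MIC over sender address, sequence counter and plaintext payload."""
    msg = sender + struct.pack(">Q", seq) + payload
    return hmac.new(mic_key, msg, hashlib.sha256).digest()[:MIC_LEN]


def protect(session_key: bytes, mic_key: bytes, sender: bytes, seq: int, payload: bytes) -> bytes:
    """Transmitter side: append the MIC to the plaintext, then encrypt plaintext||MIC."""
    plain = payload + compute_mic(mic_key, sender, seq, payload)
    body = xor_bytes(plain, keystream(per_packet_key(session_key, sender, seq), len(plain)))
    return struct.pack(">Q", seq) + body


class Receiver:
    """Receiver side: decrypt, verify the MIC, and enforce increasing sequence counters."""

    def __init__(self, session_key: bytes, mic_key: bytes, sender: bytes):
        self.session_key, self.mic_key, self.sender = session_key, mic_key, sender
        self.last_seq = -1

    def unprotect(self, frame: bytes) -> bytes:
        seq = struct.unpack(">Q", frame[:SEQ_LEN])[0]
        if seq <= self.last_seq:
            raise ValueError("replayed or out-of-order packet")
        body = frame[SEQ_LEN:]
        plain = xor_bytes(body, keystream(per_packet_key(self.session_key, self.sender, seq), len(body)))
        payload, mic = plain[:-MIC_LEN], plain[-MIC_LEN:]
        if not hmac.compare_digest(mic, compute_mic(self.mic_key, self.sender, seq, payload)):
            raise ValueError("MIC check failed: packet modified in transit")
        self.last_seq = seq          # advance the replay window only after the MIC verifies
        return payload


def verdict(rx: Receiver, frame: bytes) -> str:
    """Convenience wrapper: the decoded payload, or the reason the frame was dropped."""
    try:
        return "ok:" + rx.unprotect(frame).decode()
    except ValueError as err:
        return "dropped:" + str(err)


# Constructed sample keys and sender address.
SESSION_KEY = bytes(range(16))
MIC_KEY = bytes(range(8))
SENDER = bytes.fromhex("001122334455")


def demo() -> str:
    rx = Receiver(SESSION_KEY, MIC_KEY, SENDER)
    return verdict(rx, protect(SESSION_KEY, MIC_KEY, SENDER, 1, b"hello over the air"))
```

Because the MIC covers the plaintext and the sequence counter, a bit flipped in the ciphertext or a captured frame replayed later is dropped before the receiver advances its window; that ordering of checks is the point worth copying into any real design.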
EAP-FAST
• Uses a symmetric key algorithm to build secure tunnels
• Mutual authentication between the RADIUS client side and server side
• Client sends username and password credentials inside the secure tunnel
EAP-TLS
• SSL v3 builds an encrypted tunnel
• Mutual authentication of the RADIUS client side and server side with PKI certificates
• Per-client, per-session keys are used to encrypt data
Protected EAP (PEAP)
• Implemented on Windows clients with an EAP authentication method
• Server-side authentication with the RADIUS server's root CA digital certificate
• Client authentication to the RADIUS server with Microsoft MS-CHAP v2, using encrypted username and password credentials
Wireless Client Network EAP Authentication Process
1. Client connects to the access point
2. Access point allows 802.1x traffic
3. Client authenticates the RADIUS server certificate
4. RADIUS server sends the encrypted username and password request to the client
5. Client sends the encrypted username and password to the RADIUS server
6. RADIUS server and client derive the WEP key. RADIUS server sends the WEP key to the access point
7. Access point encrypts the dynamic session key with the 128-bit key and sends it to the client
8. Client and access point use the session key to encrypt/decrypt packets
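To make the eight steps above concrete, here is an added simulation of the three parties (client, access point as 802.1x authenticator, RADIUS server) exchanging messages in that order. It is not code from the page or from Cisco, and it deliberately simplifies: the "certificate check" of step 3 is a pinned fingerprint, the username/password exchange of steps 4-5 is a hashed challenge-response rather than MS-CHAP v2, the derived key of step 6 is a 128-bit key-encryption key, and keys are wrapped with a one-time HMAC pad instead of the real RADIUS or EAP encodings. The credential store, shared secret and fingerprint are constructed sample values.

```python
import hashlib
import hmac
import os

# Constructed sample data (hypothetical values, not from the page).
USER_DB = {"alice": hashlib.sha256(b"correct horse battery").digest()}   # user -> password hash
RADIUS_SHARED_SECRET = b"ap-to-radius-shared-secret"                    # protects AP <-> RADIUS
SERVER_CERT_FINGERPRINT = hashlib.sha256(b"demo-server-cert").digest()  # stand-in for the cert


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wrap_key(kek: bytes, key: bytes):
    """Encrypt a 16-byte key under a key-encryption key with a one-time HMAC pad.
    Toy construction: fresh nonce per call, no integrity protection."""
    nonce = os.urandom(16)
    return nonce, xor_bytes(key, hmac.new(kek, nonce, hashlib.sha256).digest())


def unwrap_key(kek: bytes, nonce: bytes, wrapped: bytes) -> bytes:
    return xor_bytes(wrapped, hmac.new(kek, nonce, hashlib.sha256).digest())


class RadiusServer:
    def __init__(self):
        self.fingerprint = SERVER_CERT_FINGERPRINT
        self.nonce = os.urandom(16)            # step 4: the challenge sent to the client

    def check_response(self, user: str, client_nonce: bytes, response: bytes) -> bool:
        # Step 5: verify the client's response without the password ever crossing the air.
        pw_hash = USER_DB.get(user)
        if pw_hash is None:
            return False
        expected = hmac.new(pw_hash, self.nonce + client_nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

    def derive_kek(self, user: str, client_nonce: bytes) -> bytes:
        # Step 6: both ends derive the same 128-bit key from the password hash and both nonces.
        return hmac.new(USER_DB[user], b"kek" + self.nonce + client_nonce, hashlib.sha256).digest()[:16]

    def key_for_access_point(self, user: str, client_nonce: bytes):
        # Step 6: hand the derived key to the AP, protected by the RADIUS shared secret.
        return wrap_key(RADIUS_SHARED_SECRET, self.derive_kek(user, client_nonce))


class Client:
    def __init__(self, user: str, password: str):
        self.user = user
        self.pw_hash = hashlib.sha256(password.encode()).digest()
        self.nonce = os.urandom(16)
        self.session_key = None

    def verify_server(self, fingerprint: bytes) -> bool:
        # Step 3: a pinned fingerprint stands in for certificate validation.
        return hmac.compare_digest(fingerprint, SERVER_CERT_FINGERPRINT)

    def respond(self, server_nonce: bytes) -> bytes:
        return hmac.new(self.pw_hash, server_nonce + self.nonce, hashlib.sha256).digest()

    def derive_kek(self, server_nonce: bytes) -> bytes:
        return hmac.new(self.pw_hash, b"kek" + server_nonce + self.nonce, hashlib.sha256).digest()[:16]

    def install_session_key(self, server_nonce: bytes, nonce: bytes, wrapped: bytes) -> None:
        # Step 7 (client side): unwrap the AP's session key with the derived key.
        self.session_key = unwrap_key(self.derive_kek(server_nonce), nonce, wrapped)


class AccessPoint:
    def __init__(self):
        self.authorized = False
        self.session_key = None

    def admits(self, frame_type: str) -> bool:
        # Step 2: until the port is authorized only 802.1x (EAPOL) frames pass.
        return self.authorized or frame_type == "eapol"

    def deliver_session_key(self, nonce: bytes, wrapped_kek: bytes):
        # Step 7 (AP side): pick a fresh session key and send it wrapped under the derived key.
        kek = unwrap_key(RADIUS_SHARED_SECRET, nonce, wrapped_kek)
        self.session_key = os.urandom(16)
        self.authorized = True
        return wrap_key(kek, self.session_key)


def run_exchange(user: str, password: str) -> bool:
    """Run steps 1-8; True when the client ends up holding the AP's session key (step 8)."""
    client, ap, server = Client(user, password), AccessPoint(), RadiusServer()
    if not client.verify_server(server.fingerprint):
        return False
    response = client.respond(server.nonce)
    if not server.check_response(user, client.nonce, response):
        return False                                   # port stays closed to data frames
    nonce, wrapped_kek = server.key_for_access_point(user, client.nonce)
    key_nonce, wrapped_session = ap.deliver_session_key(nonce, wrapped_kek)
    client.install_session_key(server.nonce, key_nonce, wrapped_session)
    return ap.admits("data") and client.session_key == ap.session_key
```

The structural point the simulation preserves is the one that matters for the design: the access point never learns the user's password, it only receives per-session keying material from the server after a successful authentication, and it forwards nothing but 802.1x traffic until then.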
WPA-PSK
WPA Pre-Shared Keys use some features of both the static and dynamic WEP key protocols. Each client and access point is configured with a specific static passcode. A key is generated from the passcode, which TKIP uses to encrypt data per session. The passcode should be at least 27 characters to defend against dictionary attacks.
WPA2
The WPA2 standard implements the WPA authentication methods with the Advanced Encryption Standard (AES). This encryption method is used in government implementations and elsewhere when the highest security requirements must be met.
Application Layer passcode
SSG uses a passcode at the application level. Clients cannot authenticate unless they know the passcode. SSG is implemented in public places like hotels, where the customer pays for the passcode to access the network.
VLAN Assignments
Companies use access points with SSID assignments that define the logical wireless networks. Each access point SSID is then assigned to a VLAN on the wired network, which segments the traffic for specific groups just as on a traditional wired network. Wireless installations with multiple VLANs then configure ISL or 802.1q trunking between the access point and the Ethernet switch.
Miscellaneous Settings
Turn OFF Microsoft File Sharing
Implement antivirus software and firewall
Install your company's VPN client
Turn off auto-connect to any wireless network
Never use ad hoc mode; this allows laptops to connect to unknown computers
Avoid overlapping signals by doing a good site survey
Use minimum power setting
Anti TheftOptions
Some access points offer an anti-theft option, a padlock and secured cabling that lock the equipment down while it is in a public space. This is an essential feature for implementations where public access points could be stolen or where there is a reason to mount them below the ceiling.
Security Attacks
• Wireless packet sniffers detect, decode and analyze packets between the client and access points. The purpose is to decrypt security information.
• Dictionary attacks attempt to identify the decryption key configured for the wireless network using a list, or dictionary, of thousands of typical passcodes. The hacker gathers information from the authentication and tests each dictionary word against the passcode until a match is found.
• The mode assigned to each wireless client has security implications. Ad hoc mode is the least secure option, with no access point authentication. Every computer on the network can send information to a neighbouring ad hoc computer. Select infrastructure mode if available.
• IP spoofing is a common network attack involving forging or replacing the source IP address of each packet. The network device then stops communicating with the authorized computer.
• SNMP is sometimes a source of security risk. Implement SNMP v3 with complex community strings.
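The WPA-PSK section above says the passcode should be at least 27 characters to defend against dictionary attacks, and the dictionary-attack bullet above describes the threat: the passcode is the only secret, so its strength decides the outcome. The following added example (not code from the page or from Cisco) shows the actual WPA/WPA2 key derivation, PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations and a 32-byte output as specified in IEEE 802.11i, and a passphrase policy check a defender can run before deploying a network. The 27-character minimum is the page's figure; the tiny common-passcode list is a constructed stand-in for a real wordlist, and the character-class entropy estimate is a simple upper bound of my own choosing.

```python
import hashlib
import math
import string

MIN_PASSPHRASE_LEN = 27          # minimum recommended on this page
# Constructed stand-in for a dictionary of common passcodes; a real check would
# consult a large wordlist of leaked and default passwords.
COMMON_PASSCODES = {"password", "letmein", "wireless", "admin123", "12345678"}


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA/WPA2 pre-shared key from an ASCII passphrase.
    IEEE 802.11i: PBKDF2-HMAC-SHA1, salt = SSID, 4096 iterations, 32 bytes.
    Because the SSID is the salt, the same passphrase gives a different key on
    every network name, so precomputed tables must be built per SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32)


def charset_bits(passphrase: str) -> float:
    """Bits per character, counting only the character classes actually used."""
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation + " ", 33),
    ]
    size = sum(n for chars, n in classes if any(c in chars for c in passphrase))
    return math.log2(size) if size else 0.0


def guess_space_bits(passphrase: str) -> float:
    """Upper bound on brute-force work in bits. A dictionary attack succeeds far
    below this bound whenever the passphrase is a word or a known passcode."""
    return len(passphrase) * charset_bits(passphrase)


def check_passphrase(passphrase: str) -> list:
    """Policy problems with a candidate WPA-PSK passphrase (empty list when it passes)."""
    problems = []
    if not 8 <= len(passphrase) <= 63 or not all(32 <= ord(c) <= 126 for c in passphrase):
        problems.append("must be 8 to 63 printable ASCII characters")
    if len(passphrase) < MIN_PASSPHRASE_LEN:
        problems.append("shorter than the %d-character minimum" % MIN_PASSPHRASE_LEN)
    if passphrase.lower() in COMMON_PASSCODES:
        problems.append("appears in the common-passcode list; a dictionary attack finds it immediately")
    return problems
```

The known test vector from the 802.11i annex (passphrase "password", SSID "IEEE") is a convenient self-check that a PSK derivation routine is correct; the policy function is what belongs in the provisioning workflow, since a long passphrase that is still a dictionary phrase gains nothing from the 4096 PBKDF2 iterations.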
The book Cisco Wireless Network Design Guide is available at amazon.com