888-ALLORA8

Security of WiFi networks

Details

Created on Wednesday, 27 June 2012 03:44

Security of Wi-Fi networks is based almost solely on the encryption of data traffic. Here are the most common types:

WEP

This encryption protocol uses a fairly solid RC4 algorithm with conjunction of non-static keys. There are 64 -, 128 -, 256 - and 512-bit WEP encryption strengths. The more bits  - the better the security. A part of the WEP key is static (for instance 40-bit of 64-bit encryption), and the other part (24 bits) - dynamic which varies in time. The main vulnerability of the WEP protocol is that the initialization vector is repeated after a period of time, and an intruder only needs to collect and evaluate these repetitions to learn the static part of the key. In order to increase the level of network security one could add encryption using 802.1x or VPN protocols.

WPA

It is certainly a stronger encryption protocol than wep although it uses the same algorithm RC4. Increased level of security is achieved through the use of protocols TKIP and MIC.

- TKIP (Temporal Key Integrity Protocol).  Dynamic keys last only minutes. Each device has a dedicated key that is also changing.

- MIC (Message Integrity Check). This integrity protocol protects against packet sniffing.

Just like in case with WEP it is also feasible to use 802.1x or VPN.

There are two sub-types of WPA:

- WPA-PSK (Pre-shared key). This is quite suitable for a WiFi network at home or small office. Each wireless device encrypts the network traffic with a 256 bit key which can be entered as a key-phrase in ASCII characters

- WPA-802.1x. Logging on to the WiFi network via an authentication server. It is geared towards usage in a corporate environment.

WPA2

Naturally it is an upgraded WPA protocol. Unlike the WPA it uses a strong encryption algorithm AES. As in case with its predecessor WPA2 is also divided into two types: WPA2-PSK and WPA2-802.1x.

802.1X

It is a golden standard for WiFi Network Security which includes several protocols:

- EAP (Extensible Authentication Protocol) used in conjunction with a RADIUS server in large networks.

- TLS (Transport Layer Security). This protocol ensures the integrity and encryption of data transferred between a server and a client, and their mutual authentication preventing interception and spoofing messages.

- RADIUS (Remote Authentication Dial-In User Server ). Server authentication using logins and passwords.

VPN

VPN (Virtual Private Network) - Virtual Private Network. This protocol was designed to securely connect remote clients to a local network via a public network, such as the Internet. The purpose of VPN is creating a "tunnel" from a user to the site or a server. Although VPN was developed long before the Wi-Fi networks, it can be used with any type of a network. The encryption of VPN is commonly performed by IPSec as it provides a high level of security. Currently there are no known case of breaking in through IPSec / VPN. It's a natural choice for corporate networks.

Additional methods of protection

MAC address filtering.

MAC address - the unique device identifier (NIC), "wired" into a network device by a manufacturer. It's possible to restrict access to WiFi networks based on pre-defined MAC addresses. This creates an additional barrier for an attacker although not very serious - MAC addresses can be forged.

Hiding the SSID.

SSID - an identifier for your wireless network. Most wireless access points allow hiding it. So that a laptop scanning for wi-fi networks won't detect it. Yet again, it's not a serious obstacle if an attacker uses a more advanced scanner than a standard utility for Windows.

It is always a good idea to deny access to the settings of a wireless access point through its wireless network. By activating this function, one prevents access to the settings but does not protect from eavesdropping or using the network.

Now it's time to summarize how strong these layers of network security are and what's the best way to protect a WiFi network: