Wireless Services

Secured Wifi Networks

It is vital that corporate data is kept secure. In the past, Wifi networks have attracted much negative publicity over potential security risks, and Cedar Bay will help you ensure you don’t open your network to the world. Many of our corporate clients already have policies in place for secure wifi networking solutions, in which case we use these as part of the design input into our wireless network planning process. If not, we can provide recommendations based on the environment and the sensitivity of the data within the network.

There are many factors to consider in the design of secure wifi networks. At Cedar Bay we see this as just one step in the whole process for wireless network planning. The next few sections describe the options to achieve a secure wifi networking solution.

Secured wifi networks - background information

Wireless security is a vital component of any Wifi deployment because radio waves don’t respect boundaries. An access point antenna will potentially transmit radio energy for relatively large distances. This opens up the prospect of connectivity to the Wifi beyond the boundary of a customer’s site, which emphasizes the importance of adequate wireless security.

Early WLANs had limited security options and were often ‘open’ due to a lack of knowledge at the time of the potential threat of ‘would be’ attackers. It was also considered advisable to change the ESS-ID (network name) from the widely known ‘factory default’ value and to configure the access points (where possible) to ‘hide’ this ESS-ID. These two measures are no longer effective because wireless clients are more sophisticated and can easily derive the ESS-ID regardless of whether it is changed or ‘hidden’. The only real means to secure the data at the time was to use a data encryption technique called WEP (Wired Equivalent Privacy). WEP encryption is now considered to be flawed in that it is possible for Wifi hackers to decipher the WEP encryption key and hence gain access to any WEP encrypted network.

Current Security Techniques for secured wifi networks

Cedar Bay’s wifi security services provide the expertise and tools to assess, architect, implement and manage the security needs and demands of any business expanding into the wireless network world. The security options that we recommend are detailed below:

WPA & WPA2

The WPA and WPA2 standards were created by the Wi-Fi Alliance, the industry group that promotes interoperability and security for the wireless LAN industry. The Wi-Fi Alliance WPA and WPA2 standards closely mirror the work of the official IEEE 802.11i wireless LAN security standards group but incorporate additional EAP (Extensible Authentication Protocol) standards that the Wi-Fi Alliance considers secure.

Cedar Bay recommends using WPA or WPA2 as a minimum security requirement. The simpler way to adopt WPA is called PSK (Pre Shared Key), which enables a WPA passphrase to be configured on the access points and wireless clients. WPA and WPA2 can also be used in conjunction with an 802.1X authentication server.

802.1X


802.1X is a security protocol that provides port-based authentication, involving communications between a supplicant, an authenticator, and an authentication server. The supplicant is often software on a client device, such as a laptop. The authenticator is a wired Ethernet switch or wireless access point, and the authentication server is generally a RADIUS database. The authenticator acts like a security guard to a secured wifi network. The supplicant (client device) is not allowed access through the authenticator to the protected side of the network until the supplicant’s identity is authorized. An analogy to this is providing a valid passport at an airport before being allowed to pass through security to the terminal.

This form of security can be very confusing because an increasing number of variations now exist. Cedar Bay is able to offer guidance on which variation is most appropriate, as a wireless client device can only connect if it supports the method of EAP deployed.

ACL

Cedar Bay considers this form of secure wifi networking solution to be a ‘belt and braces’ approach. It can be used in addition to the other forms of security already described. It works by configuring each access point with the unique radio MAC address of each wireless client device you wish to allow access to the network. It has the added benefit of enabling the access point to log any attempts by ‘non-allowed’ clients to an audit log file.
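The allow-list check and audit log described above can be sketched as follows. This is an added example, not Cedar Bay’s or any access point vendor’s code; the MAC addresses, event tuples and function names are constructed for illustration. It shows a practical pitfall: the same radio MAC can be written in several notations, so both the allow-list and the reported client address need normalizing before comparison.

```python
import re
from collections import Counter

# Constructed allow-list in the mixed notations a site inventory often contains.
ALLOWED = ["00:1A:2B:3C:4D:5E", "001a.2b3c.4d60", "00-1a-2b-3c-4d-61"]

# Constructed association attempts: (timestamp, client radio MAC as reported).
EVENTS = [
    ("2024-01-10T09:00:01", "001a.2b3c.4d5e"),
    ("2024-01-10T09:00:07", "00:1a:2b:3c:4d:99"),
    ("2024-01-10T09:01:12", "00-1A-2B-3C-4D-60"),
    ("2024-01-10T09:02:30", "00:1A:2B:3C:4D:99"),
    ("2024-01-10T09:03:02", "not-a-mac"),
]

def normalize_mac(text):
    """Return 12 lowercase hex digits, or None if text is not a MAC address."""
    digits = re.sub(r"[.:\-]", "", text.strip().lower())
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def build_acl(entries):
    """Normalize each allow-list entry; fail loudly on a malformed one."""
    acl = set()
    for entry in entries:
        mac = normalize_mac(entry)
        if mac is None:
            raise ValueError(f"bad allow-list entry: {entry!r}")
        acl.add(mac)
    return acl

def audit(events, acl):
    """Return (allowed MACs, audit-log lines for every denied attempt)."""
    allowed, denied_log = [], []
    for ts, raw in events:
        mac = normalize_mac(raw)
        if mac is not None and mac in acl:
            allowed.append(mac)
        else:
            denied_log.append(f"{ts} DENY client={mac or 'malformed:' + raw}")
    return allowed, denied_log

def repeated_denials(denied_log, threshold=2):
    """Clients denied at least `threshold` times, worth a closer look."""
    counts = Counter(line.split("client=", 1)[1] for line in denied_log)
    return {client: n for client, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    allowed, denied = audit(EVENTS, build_acl(ALLOWED))
    print("\n".join(denied))
    print(repeated_denials(denied))
```

Reviewing the repeated denials regularly is what turns the audit log into a useful signal rather than a file nobody reads.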

Cisco Wireless Control System (WCS)

Cedar Bay recommends the WCS for customers who need to pro-actively manage their WLAN. The WCS is a powerful graphical tool that includes a key feature to monitor the WLAN for unwanted intruders such as ‘rogue’ access points and clients.