One way to secure access to a wireless network is to instruct access points to pass only those packets originating from a list of known addresses. Of course, Media Access Control (MAC) addresses can be easily spoofed, but an attacker would have to learn the address of an authorized user’s Ethernet card before spoofing would be successful. Unfortunately, many wireless cards have the MAC address printed right on the face. Even if you can secure the card address, you still have to compile, maintain, and distribute a list of valid MAC addresses to each access point.
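As an added illustration of the allowlist mechanism described above (example code written for this page, not from any vendor's access-point firmware), the following script models what an access point does when it is told to pass only frames from known MAC addresses, and also the two administrative chores the text points out: the list must be compiled in one canonical form before it is distributed, and it must fit within the entry limit of each access point. The allowlist, the sample frames and the per-AP limit are constructed values, and the limit of four entries is an assumption, since the real figure varies by product.

```python
import re

# Constructed allowlist of authorized client MAC addresses (sample values, not real hardware).
# Administrators type MACs in several spellings; the filter must treat them as one address.
AUTHORIZED_MACS = [
    "00:11:22:33:44:55",   # colon-separated, lowercase
    "00-11-22-33-44-66",   # dash-separated
    "0011.2233.4477",      # dotted (Cisco-style) notation
]

# Assumed per-access-point capacity for allowlist entries; vendors differ (assumption).
MAX_ENTRIES_PER_AP = 4

# Constructed sample of (source MAC, payload description) frames arriving at the AP.
SAMPLE_FRAMES = [
    ("00:11:22:33:44:55", "dhcp discover"),   # authorized
    ("00:11:22:33:44:66", "arp request"),     # authorized; listed above with dashes
    ("aa:bb:cc:dd:ee:ff", "probe"),           # not on the list
    ("not-a-mac", "garbage"),                 # malformed source field
]

_TWELVE_HEX = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Canonicalize the common MAC spellings to lowercase, colon-separated form.

    Raises ValueError for anything that is not 12 hexadecimal digits once
    separators are removed, so malformed input cannot slip into the list.
    """
    hex_only = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not _TWELVE_HEX.match(hex_only):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hex_only[i:i + 2] for i in range(0, 12, 2))


def build_allowlist(macs) -> frozenset:
    """Compile the list that would be distributed to every access point.

    Duplicates written in different notations collapse to one entry.
    """
    return frozenset(normalize_mac(m) for m in macs)


def fits_access_point(allowlist, limit: int = MAX_ENTRIES_PER_AP) -> bool:
    """True if the compiled list fits within one AP's entry limit."""
    return len(allowlist) <= limit


def filter_frames(allowlist, frames):
    """Pass frames whose source MAC is on the list; return (accepted, rejected).

    A malformed source address is rejected rather than raising, because a
    filter that crashes on odd input is itself a denial-of-service risk.
    """
    accepted, rejected = [], []
    for src, payload in frames:
        try:
            allowed = normalize_mac(src) in allowlist
        except ValueError:
            allowed = False
        (accepted if allowed else rejected).append((src, payload))
    return accepted, rejected


if __name__ == "__main__":
    allowlist = build_allowlist(AUTHORIZED_MACS)
    print("compiled allowlist:", sorted(allowlist))
    print("fits on AP:", fits_access_point(allowlist))
    accepted, rejected = filter_frames(allowlist, SAMPLE_FRAMES)
    print("accepted:", accepted)
    print("rejected:", rejected)
```

Note that the filter only checks the claimed source address; it has no way to tell a frame from the real card apart from one sent by a device that copied the address off the card's label, which is the weakness the paragraph above describes.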
This method of security is not feasible in many public wireless LAN networks, such as those found in airports, hotels, and conferences, because you do not know your user community in advance (Finneran, 2004). Additionally, each brand of access point has a limit on the number of addresses allowed. Some access points do not even allow MAC address filtering.

SSID

Another setting on the access point that can be used to restrict access is the network name, also known as the Service Set ID (SSID).
You can configure an access point to enable any client to connect to it or to require that a client specifically request the access point by name. Even though this process was not intended primarily to be a security feature, setting the access point to require the SSID can let the ID act as a shared group password. As with any password scheme, however, the more people who know the password, the higher the probability that an unauthorized user will misuse it. The SSID can be changed periodically, but each user must be notified of the new ID and must reconfigure his or her wireless NIC.
Additionally, most access points are set by default to broadcast the SSID in the clear, even when Wired Equivalent Privacy (WEP) is enabled. This makes the wireless network easy to find. Your access points should be set not to broadcast (Mier et al., 2004).

Authenticating

Authenticating wireless LAN users is a major problem for many organizations. Some vendors offer proprietary solutions to the authentication and scalability problem. The wireless client requests authorization from the access point, which forwards the request to a Remote Authentication Dial-in User Server (RADIUS).
Upon authorization, the server sends a unique encryption key for the current session to the access point, which transmits it to the client. Although this standard offers a solution to the shared key problem, it currently requires you to buy all your equipment from one vendor. Other vendors use public-key cryptography to generate per-session keys (Passmore, 2003). This authentication solution resembles pre-standard implementations of the pending IEEE 802.1x standard, which will eventually solve this problem in a vendor-interoperable manner.
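The three-party flow just described (client asks the access point, the access point forwards to the authentication server, the server returns a key for this session only, and the access point hands it to the client) is easier to reason about as a small model. The script below is an added example written for this page; it is not any vendor's product, nor the RADIUS or EAP wire format. The user database, salt and passwords are constructed, the 128-bit key length is an assumption, and the model deliberately omits how the key is protected on the wireless hop between access point and client, which a real protocol must handle.

```python
import hashlib
import hmac
import secrets

# Constructed credential store: username -> PBKDF2 hash of the password.
# Sample values only; the salt, iteration count and password are not from any real system.
_SALT = b"constructed-demo-salt"
_ITERS = 50_000


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERS)


USER_DB = {"alice": _hash_password("correct horse battery")}


class AuthServer:
    """Stands in for the authentication server (the RADIUS server in the text).

    Verifies the credentials forwarded by the access point and, on success,
    issues a fresh key that is valid for this session only.
    """

    def __init__(self, user_db):
        self.user_db = user_db
        self.sessions = {}  # session id -> key, kept so sessions can be audited or revoked

    def authorize(self, username: str, password: str):
        expected = self.user_db.get(username)
        # Constant-time comparison of the hashes; unknown user and bad password look the same.
        if expected is None or not hmac.compare_digest(_hash_password(password), expected):
            return None
        session_id = secrets.token_hex(8)
        key = secrets.token_bytes(16)  # per-session key; 128 bits is an assumption for the model
        self.sessions[session_id] = key
        return session_id, key


class AccessPoint:
    """Forwards the client's request to the server, keeps the returned key
    for the session and passes it on to the client. It never sees a password
    database of its own and holds no long-lived shared key."""

    def __init__(self, server: AuthServer):
        self.server = server
        self.sessions = {}  # session id -> key in use on this AP

    def associate(self, username: str, password: str):
        result = self.server.authorize(username, password)
        if result is None:
            return None
        session_id, key = result
        self.sessions[session_id] = key
        return session_id, key


class Client:
    """The wireless client: presents credentials, receives a session key."""

    def __init__(self, username: str, password: str):
        self.username, self.password = username, password
        self.session_id = self.key = None

    def connect(self, ap: AccessPoint) -> bool:
        result = ap.associate(self.username, self.password)
        if result is None:
            return False
        self.session_id, self.key = result
        return True


def run_demo() -> dict:
    """Two successful logins and one failed one; reports what each party holds afterwards."""
    server = AuthServer(USER_DB)
    ap = AccessPoint(server)
    first = Client("alice", "correct horse battery")
    second = Client("alice", "correct horse battery")
    intruder = Client("alice", "wrong password")
    return {
        "first_connected": first.connect(ap),
        "second_connected": second.connect(ap),
        "intruder_connected": intruder.connect(ap),
        # The same user gets a different key each session; nothing is shared between sessions.
        "keys_differ": first.key != second.key,
        "ap_holds_both": ap.sessions.get(first.session_id) == first.key
        and ap.sessions.get(second.session_id) == second.key,
        "server_sessions": len(server.sessions),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The point of the model is the contrast with a single shared WEP key or an SSID used as a group password: here a user who leaves, or a key that leaks, affects one session, and nothing has to be redistributed to everyone else.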
The 802.1x standard is being developed as a general-purpose, access-control mechanism for the entire range of 802 technologies. The authentication mechanism is based on the Extensible Authentication Protocol (EAP) in RADIUS. EAP lets a client negotiate authentication protocols with the authentication server. Additionally, the 802.1x standard allows encryption keys for the connection to be exchanged (Vance, 2003).

Other solutions

Several products are available to help you secure your wireless LANs.
For example, NetMotion Mobility requires a user login that is authenticated through a Microsoft Windows domain. It uses better encryption (3DES and Twofish) than WEP and offers management features such as the ability to remotely disable a wireless network card's connection (http://www.netmotionwireless.com). The main problems with this solution are that the server currently must run on Windows NT and that client support is provided only for Windows-based devices.