Guidelines For Designing Security For 802.11! (wpa) Networks

By Author: iris
Total Articles: 286
Comment this article

The IEEE 802. Hi proposed standard (ratification due at the end of 2003) includes MCTS: Windows Vista security improvements to the 802.11 standard. An interim standard, WiFi Protected Access (WPA), has been implemented in some -wireless devices. This standard improves security by using several techniques and the capabilities of existing wireless devices. An upgrade that provides Windows XP Professional WPA capabilities can be downloaded from the Microsoft Web site.
WPA security includes WPA authentication. If a RADIUS server is available, WPA sup?ports EAP. If a RADIUS server is not available, a preshared key can be used. Encryption is required. Rekeying of unicast and global encryption keys is required by the standard. The Temporal Key Integrity Protocol (TKIP) changes the key for every frame. Key changes are synchronized between the client and the AP. The global encryption key is advertised to connected wireless clients by the AP. A technique called Michael provides integrity. Its 8-byte message integrity code (MIC) is encrypted with the Vista cert ...
... data and the integrity check value of 802.11. The use of the Advanced Encryption Standard (AES) is optional, as some existing equipment might not be able to support the addition of the AES protocol.
Filter MAC addresses. 802.lib wireless networks can provide some security if you specify the MAC addresses of authorized clients. This might not be practical on a large or dynamic network because the access points must be manually configured.
It also is not foolproof security. The MAC address is transmitted in the clear and therefore can be sniffed. With proper tools, an intruder can configure her wireless computer to spoof an approved MAC address.
Search for rogue wireless access points and remove them. Access points can be searched for by searching for SNMP agents. Web and telnet interfaces also might
have banner strings that can identify an access point. Matching this information to authorized access point information helps to identify rogue APs. APs might also have a unique TCP/IP fingerprint that can be used to identify them. A wireless sniffer can also identify the presence of an AP by sniffing for 802.11 packets in the air. Checking the IP address of the packets can help you determine a+ certification what networks they are on.