Wireless Network Security
Wireless network security is a critical step in designing an RF system for your facility. While a wireless system offers convenience and increased efficiency, it must be secured to prevent theft, disclosure of proprietary information or other intrusion onto your digital networks. Proper wireless network security can also ensure that your transmissions are not intercepted, subjected to insider abuse, or disrupted by third-party conflicts.
The System ID Tech Team can help you plan for a secure network from the earliest stages of your project. We can help you develop a security protocol that fits your needs and keeps your network running smoothly.
Why should I be concerned about Wireless Security?
Unsecured wireless networks are vulnerable to many types of problems, including:
- Theft or disclosure of proprietary information
- Corruption or modification of digital assets
- Interception of communications and/or transactions
- Fraud or insider abuse of network resources/assets
- Disruption or loss of service availability (DOS)
Setting up a secure wireless network means implementing a framework of authentication protocols, encryption protocols and key management protocols. Authentication is the process of verifying that a device attempting to log in to your network should be allowed on it. Encryption and key management are the processes used to scramble data so that an unauthorized device that receives the data cannot understand it.
Making choices about your wireless security can be daunting. System ID offers expert advice at all stages of your wireless network setup. We will ensure you have the most stable, secure, efficient and cost-effective solution available.
System ID can help you develop your wireless network security using the following encryption, authentication and key management protocols:
Encryption Protocols:
- WEP (Wired Equivalency Protocol): WEP data encryption is defined by the 802.11 standard to prevent access to the network by "intruders" using similar wireless LAN equipment and to prevent the capture of wireless LAN traffic through eavesdropping. This is used in addition to the security provided by the SSID.
- TKIP (Temporal Key Integrity Protocol): TKIP is a security protocol defined in the IEEE 802.11i specification for WiFi networks to replace WEP. TKIP was designed to replace WEP without replacing legacy hardware. This was necessary because the breaking of WEP left WiFi networks without viable link-layer security, and the solution could not wait for the replacement of deployed hardware. For this reason, TKIP (pronounced "tee-kip"), like WEP, uses a key scheme based on RC4, but unlike WEP it encrypts every data packet sent with its own unique encryption key.
- AES (Advanced Encryption Standard): AES, also known as Rijndael, is a block cipher adopted as an encryption standard by the US government, and is expected to be used worldwide and analyzed extensively, as was the case with its predecessor, the Data Encryption Standard (DES). It was adopted by the National Institute of Standards and Technology (NIST) as US FIPS PUB 197 in November 2001 after a 5-year standardization process.
Authentication Protocols:
- RADIUS (Remote Authentication Dial In User Service): RADIUS is an Authentication, Authorization and Accounting (AAA) protocol for applications such as network access or IP mobility. It is intended to work in both local and roaming situations.
- EAP (Extensible Authentication Protocol): An IETF standard that establishes an authentication protocol for network access. Many authentication methods, including passwords, certificates, and smart cards, work within this framework.
- EAP-TLS (Transport Layer Security): An authentication method using EAP and a security protocol called Transport Layer Security (TLS). EAP-TLS uses certificates rather than passwords. EAP-TLS authentication supports dynamic WEP key management.
- EAP-TTLS (Tunneled Transport Layer Security): An authentication method using EAP and Tunneled Transport Layer Security (TTLS). EAP-TTLS uses a combination of certificates and another method, such as passwords. It is more secure than MD5 authentication, which uses passwords, and less secure than EAP-TLS authentication, which exclusively uses certificates. EAP-TTLS authentication supports dynamic WEP key management.
- EAP-PEAP (Protected Extensible Authentication Protocol): Developed by Microsoft, RSA and Cisco, PEAP is a method to securely transmit authentication information, including passwords, over wireless networks. It is an IETF open standard. PEAP uses only server-side public key certificates, authenticating clients by creating an encrypted SSL/TLS tunnel between the client and the authentication server that protects the ensuing exchange of authentication information from casual inspection.
- EAP-FAST (Flexible Authentication via Secure Tunneling): EAP-FAST, like EAP-TTLS and PEAP, uses tunneling to protect traffic. The main difference is that EAP-FAST does not use certificates to authenticate.
Key Management Protocols:
- IKE (Internet Key Exchange): IKE uses a Diffie-Hellman key exchange to set up a shared session secret, from which cryptographic keys are derived. Public key techniques or, alternatively, a pre-shared key (also called a pre-shared secret) are used to mutually authenticate the communicating parties.
- DH (Diffie-Hellman key exchange): DH is a cryptographic protocol which allows two parties to agree on a secret key over an insecure communications channel. This key can then be used to encrypt subsequent communications using a symmetric key cipher.
- TLS (Transport Layer Security): TLS provides endpoint authentication and communications privacy over a network using cryptography. In typical use, only the server is authenticated (i.e. its identity is ensured) while the client remains unauthenticated; mutual authentication requires PKI deployment to clients. The protocol allows client/server applications to communicate in a way designed to prevent eavesdropping, tampering, and message forgery.
- TTLS (Tunneled Transport Layer Security): TTLS uses the TLS channel to exchange "attribute-value pairs" (AVPs). The general encoding of information allows a TTLS server to validate AVPs against any type of authentication mechanism. TTLS implementations today support all methods defined by EAP; additionally, TTLS can easily be extended to work with new protocols by defining new attributes for them.
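As an added illustration of the IKE and DH items above (this is not code from the original page or from System ID), the following Python runs a Diffie-Hellman exchange over a constructed toy group, derives a symmetric key from the shared secret, and authenticates the exchange with a pre-shared key in the way IKE does. The group parameters P and G, the HMAC tag format and all function names are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Constructed toy group for legibility: the Mersenne prime 2**127 - 1 and
# generator 5. Real IKE uses much larger standardized MODP groups.
P = 2**127 - 1
G = 5
WIDTH = 16  # bytes needed to encode any value below P


def dh_keypair(private=None):
    """Return (private, public) with public = G**private mod P."""
    if private is None:
        private = secrets.randbelow(P - 2) + 1
    return private, pow(G, private, P)


def dh_shared_secret(private, peer_public):
    """Compute the shared secret; reject degenerate peer values (0, 1, P-1)."""
    if not 1 < peer_public < P - 1:
        raise ValueError("invalid peer public value")
    return pow(peer_public, private, P)


def derive_key(shared, transcript):
    """Turn the raw DH secret plus both public values into a cipher key."""
    return hashlib.sha256(shared.to_bytes(WIDTH, "big") + transcript).digest()


def psk_auth_tag(psk, transcript):
    """Pre-shared-key authentication of the exchange transcript (IKE-style)."""
    return hmac.new(psk, transcript, hashlib.sha256).digest()


def run_exchange(psk_a, psk_b, a_priv=None, b_priv=None):
    """Run one exchange between A and B; return (key_a, key_b, authenticated)."""
    a_priv, a_pub = dh_keypair(a_priv)
    b_priv, b_pub = dh_keypair(b_priv)
    transcript = a_pub.to_bytes(WIDTH, "big") + b_pub.to_bytes(WIDTH, "big")
    # Each side derives the session key from its own private value only.
    key_a = derive_key(dh_shared_secret(a_priv, b_pub), transcript)
    key_b = derive_key(dh_shared_secret(b_priv, a_pub), transcript)
    # Each side proves knowledge of the PSK over the transcript it saw; a
    # mismatch means the peer (or someone in the middle) is not trusted.
    authenticated = hmac.compare_digest(psk_auth_tag(psk_a, transcript),
                                        psk_auth_tag(psk_b, transcript))
    return key_a, key_b, authenticated
```

Without the PSK step the two sides still agree on a key, which is why the page notes that IKE adds public-key or pre-shared-key authentication on top of plain DH.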