
WiNG How-To Guide 802.11i - Overview

The IEEE 802.11i standard, ratified in 2004, provides enhanced security for WLANs and supersedes the original 802.11 security mechanism, Wired Equivalent Privacy (WEP), which was shown to have severe security weaknesses. 802.11i improves WLAN security by specifying the Temporal Key Integrity Protocol (TKIP) and the Advanced Encryption Standard (AES) for encryption and data integrity. In addition, 802.11i amends the original 802.11 standard by mandating authentication, using either 802.1X or pre-shared keys.
The Wi-Fi Alliance is the organization that created the “Wi-Fi” brand. It promotes and certifies the interoperability of WLAN products and promotes them as the global WLAN standard across all market segments. The Wi-Fi Alliance has instituted a test suite that defines how member products are tested to certify that they are interoperable with other Wi-Fi Certified products.
During ratification of the 802.11i standard the Wi-Fi Alliance introduced Wi-Fi Protected Access (WPA) as an interim solution to address the WEP vulnerabilities. WPA uses TKIP for encryption and dynamic encryption key generation. WPA was also designed to run on existing WLAN infrastructure without requiring hardware upgrades.
Wi-Fi Protected Access 2 (WPA2) is the next generation of Wi-Fi security, based on the final 802.11i standard and supporting AES. The AES encryption mechanism introduced in 802.11i generally requires a hardware upgrade from earlier generations of WLAN clients and APs; however, all currently shipping Motorola RF Switches and Access Ports / Access Points support WPA2.

Applications:
802.11i with AES should be considered for all new WLAN deployments, as it represents the strongest encryption scheme available today for data privacy. 802.11i with AES encryption is supported by all new WLAN client devices, including workstations, handhelds and voice handsets. For legacy deployments that include devices which cannot support AES, it is recommended that TKIP with 802.1X or pre-shared keys be used. TKIP is supported by most (but not all) legacy devices via a software update from the device manufacturer. For legacy devices that can support neither AES nor TKIP, dynamic WEP or a VPN should be considered. Static WEP should only be considered when no other encryption option is available, and should be augmented with firewalls to reduce the attack footprint.

Restrictions:
WPA/802.11i provides support for pre-shared keys as an alternative to 802.1X. A pre-shared key is typically entered as an 8 to 63 character passphrase on the WLAN infrastructure, which the client must know before being permitted access to the WLAN. WPA and 802.11i pre-shared key implementations are potentially susceptible to dictionary attacks when short or weak passphrases are used. This vulnerability is not a fault of WPA/802.11i itself and can be thwarted by using strong passphrases of 20 or more random alphanumeric and special characters. Random passphrase generators are available on the World Wide Web that can generate strong random passphrases of varying complexity.
Attacks can also be thwarted by enabling Mobile Unit Intrusion Detection on the RF Switch, which can alert administrators to excessive authentication failures and provide automatic mitigation against attacking devices.
Finally, as a general best practice, it is also recommended to refresh passphrases regularly. The refresh frequency will depend on each specific environment, as the passphrases must also be updated on the client devices.
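The passphrase guidance above, as an added example (not part of the WiNG guide): a generator that draws a passphrase from a CSPRNG within the 8 to 63 printable-ASCII limit, a validator that flags passphrases shorter than the recommended 20 characters or containing dictionary words, and an entropy estimate; the 20-character floor is the guide's recommendation, the small wordlist is constructed for the demo, and the function names are assumptions.

```python
import math
import secrets
import string

# Constraints of the 802.11i passphrase-to-PSK mapping: 8 to 63 printable
# ASCII characters (0x20 to 0x7E). The 20-character floor is this guide's
# recommendation, not a requirement of the standard.
PSK_MIN_LEN = 8
PSK_MAX_LEN = 63
RECOMMENDED_MIN_LEN = 20

# Generation alphabet: printable ASCII without the space character, which is
# legal but easy to drop or duplicate when typed into a client.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed sample wordlist standing in for a real dictionary-attack list.
WEAK_WORDS = frozenset({"password", "wireless", "admin", "motorola", "wing"})


def generate_passphrase(length: int = RECOMMENDED_MIN_LEN) -> str:
    """Draw each character independently from a CSPRNG (secrets module)."""
    if not PSK_MIN_LEN <= length <= PSK_MAX_LEN:
        raise ValueError(f"length must be {PSK_MIN_LEN}-{PSK_MAX_LEN}, got {length}")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(passphrase: str, alphabet_size: int = len(ALPHABET)) -> float:
    """Upper bound on entropy, valid only if every character was chosen uniformly."""
    return len(passphrase) * math.log2(alphabet_size)


def check_passphrase(passphrase: str) -> list[str]:
    """Return the reasons a candidate passphrase is unacceptable ([] means it passes)."""
    problems = []
    if any(not 0x20 <= ord(c) <= 0x7E for c in passphrase):
        problems.append("contains characters outside printable ASCII")
    if not PSK_MIN_LEN <= len(passphrase) <= PSK_MAX_LEN:
        problems.append(f"length {len(passphrase)} outside {PSK_MIN_LEN}-{PSK_MAX_LEN}")
    elif len(passphrase) < RECOMMENDED_MIN_LEN:
        problems.append(f"shorter than the recommended {RECOMMENDED_MIN_LEN} characters")
    lowered = passphrase.lower()
    hits = sorted(w for w in WEAK_WORDS if w in lowered)
    if hits:
        problems.append(f"contains dictionary words: {', '.join(hits)}")
    return problems


if __name__ == "__main__":
    candidate = generate_passphrase()
    print(candidate, f"{entropy_bits(candidate):.0f} bits", check_passphrase(candidate))
    print(check_passphrase("password123"))
```

A 20-character passphrase from this 94-symbol alphabet carries about 131 bits of entropy, well beyond what a dictionary or brute-force search can cover.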

