Wireless security choices
Communications News, June, 2004 by Bill Nelson
Currently available wireless networking technologies provide many benefits for enterprises--chief of which is increased productivity from the anytime and anywhere access to information. Security risks, however, go hand in hand with the ubiquitous access to information.
To properly secure the wireless network, a multilayer approach should be taken. This approach should encompass all areas of network security vulnerability, including: architectural security, device security, link-level security and network-layer security.
The network administrator will generally want to impose more restrictive access policies on wireless users, due to the open nature of wireless LANs (WLANs). The WLAN must be treated as a network with a lower level of trust than the wired LAN. Wireless access points (WAPs) should therefore be concentrated behind a firewall or other network access-control point, so that the only path from the WLAN into the wired network runs through that control point.
Device security addresses the specific vulnerabilities of the access devices, and includes password security, data security and device identity. Secure access to wireless devices must be ensured, as they can be located anywhere and move with the user. Basic access to the device must be protected by a password, and any passwords or keys stored on the device must be kept encrypted, so that a lost device yields no reusable credentials.
Effective device security must ensure that the device itself is authenticated and authorized to access the network. Definitive device identification is essential, and X.509 PKI certificates suit this purpose well. A certificate provides a unique identity for the device, allowing it to be authenticated by a centralized authentication, authorization and accounting (AAA) mechanism. Some systems allow sophisticated access-control policies, with restrictions such as time of day, domain accessed, destination and application, to be written and enforced. Certificates can be revoked if a device is lost or stolen, although revocation only helps if the AAA server actually checks the revocation list (CRL or OCSP) on each authentication rather than admitting any certificate that chains to the corporate CA.
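As an added illustration of the device-identity step just described (example code, not the article's or Permeo's): a small Go program that plays the enterprise device CA and the AAA server's admission check. The CA name, organization, asset tag and serial numbers are constructed for the example, and revocation is kept in an in-memory set standing in for a published CRL or an OCSP responder.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// deviceCA stands in for the enterprise PKI that issues per-device certificates
// and for the revocation data the AAA server consults. The CA name, organization,
// asset tags and serial numbers are constructed for this example.
type deviceCA struct {
	cert    *x509.Certificate
	key     *ecdsa.PrivateKey
	revoked map[string]bool // serial numbers of devices reported lost or stolen
}

func newDeviceCA() (*deviceCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Corp Device CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &deviceCA{cert: cert, key: key, revoked: map[string]bool{}}, nil
}

// issueDevice mints a client-authentication certificate whose common name is the
// device's asset tag. Only the public key reaches the CA; the private key is
// generated on, and never leaves, the device.
func (ca *deviceCA) issueDevice(assetTag string, serial int64) (*x509.Certificate, error) {
	devKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: assetTag, Organization: []string{"Example Corp"}},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.cert, &devKey.PublicKey, ca.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// revoke records a lost or stolen device. A production CA publishes this as a CRL
// or through OCSP; either way the AAA server must look it up on every attempt.
func (ca *deviceCA) revoke(c *x509.Certificate) {
	ca.revoked[c.SerialNumber.String()] = true
}

// admit is the AAA server's decision when a device presents its certificate: it
// must chain to the enterprise CA, be within its validity period, carry the
// client-auth usage, and not appear on the revocation list.
func (ca *deviceCA) admit(c *x509.Certificate) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(ca.cert)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := c.Verify(opts); err != nil {
		return "", fmt.Errorf("certificate not issued by the device CA: %w", err)
	}
	if ca.revoked[c.SerialNumber.String()] {
		return "", errors.New("certificate revoked: device reported lost or stolen")
	}
	return c.Subject.CommonName, nil
}

func main() {
	ca, _ := newDeviceCA()
	laptop, _ := ca.issueDevice("LAPTOP-0042", 1001)
	fmt.Println(ca.admit(laptop)) // admitted as LAPTOP-0042
	ca.revoke(laptop)
	fmt.Println(ca.admit(laptop)) // rejected: revoked
}
```

The point of the three checks in `admit` is that a certificate with the right name is not enough: one issued by any other CA (even one that copies the corporate CA's name) fails the chain check, and a genuine certificate from a stolen laptop fails the revocation check, which is the step that is easy to leave out of a deployment.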
Link-level security provides communications privacy and access protection at Layer 2. Several standards exist and are in use today. Wired Equivalent Privacy (WEP) is the oldest, and 802.11i is one of the newer standards to enter the scene. Both are supported by commercially available wireless access point (WAP) equipment, and both aim to keep unwelcome devices off the network and to deny eavesdroppers the traffic. They are not equivalent, however: WEP keys RC4 with a 24-bit initialization vector sent in the clear, its weaknesses were published in 2001, and a patient eavesdropper can recover the shared key from captured traffic, so WEP should be regarded as a deterrent rather than a control. 802.11i (certified by the Wi-Fi Alliance as WPA2) replaces it with per-session keys derived through 802.1X/EAP and AES-CCMP encryption.
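Why the WEP caveat matters, as an added example in Go (not code from the article or from any vendor): WEP seeds RC4 with the 24-bit cleartext IV prepended to the shared key, so two frames sent under the same IV are XORed with the same keystream. The program models that keying and shows an eavesdropper recovering one frame from another without ever learning the key. The key, IV and frame contents are constructed, and WEP's CRC-32 integrity value is omitted because it plays no part in this weakness.

```go
package main

import (
	"bytes"
	"crypto/rc4"
	"fmt"
)

// wepEncrypt models WEP's per-frame keying: the 24-bit IV, which travels in the
// clear in the frame header, is prepended to the shared 40- or 104-bit key and
// the result seeds RC4. (Real WEP also appends a CRC-32 ICV; omitted here.)
func wepEncrypt(sharedKey, iv, frame []byte) []byte {
	perFrameKey := append(append([]byte{}, iv...), sharedKey...)
	c, err := rc4.NewCipher(perFrameKey)
	if err != nil {
		panic(err) // RC4 keys are 1..256 bytes; WEP uses 5 or 13 plus the 3-byte IV
	}
	out := make([]byte, len(frame))
	c.XORKeyStream(out, frame)
	return out
}

// xorBytes returns a XOR b over the shorter of the two lengths.
func xorBytes(a, b []byte) []byte {
	n := len(a)
	if len(b) < n {
		n = len(b)
	}
	out := make([]byte, n)
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// llcSnapIP is the header every IPv4 frame on an 802.11 LAN begins with, so an
// eavesdropper knows these eight plaintext bytes of every captured data frame.
var llcSnapIP = []byte{0xAA, 0xAA, 0x03, 0x00, 0x00, 0x00, 0x08, 0x00}

// recoverFromIVReuse is the attack. Two frames under one IV share one RC4
// keystream, so c1 XOR c2 = p1 XOR p2. Every byte of frame 1's plaintext the
// attacker knows exposes a keystream byte, and with it the same byte of frame 2.
func recoverFromIVReuse(c1, knownP1, c2 []byte) []byte {
	keystream := xorBytes(c1, knownP1)
	return xorBytes(c2, keystream)
}

func main() {
	key := []byte("wepK5")         // constructed 40-bit shared key
	iv := []byte{0x10, 0x20, 0x30} // the IV both frames happen to use
	p1 := append(append([]byte{}, llcSnapIP...), []byte("GET /intranet/ HTTP/1.0")...)
	p2 := append(append([]byte{}, llcSnapIP...), []byte("user=jdoe&pass=hunter2")...)
	c1, c2 := wepEncrypt(key, iv, p1), wepEncrypt(key, iv, p2)
	recovered := recoverFromIVReuse(c1, p1, c2)
	fmt.Printf("recovered frame 2: %q (matches: %v)\n", recovered, bytes.Equal(recovered, p2))
}
```

With 2^24 possible IVs, a busy access point exhausts the space in hours, and many cards restart the IV at zero on power-up, so reuse is routine rather than hypothetical; the separate key-recovery attack published in 2001 needs no reuse at all, only enough captured frames. 802.11i's CCMP uses a 48-bit packet number and a per-session key, which is what removes this class of problem.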
Layer 2 security can be augmented by IPsec, which provides access control and privacy at Layer 3. Each end station must authenticate with its own credential, a pre-shared key or a certificate, and the keys that actually protect traffic are negotiated per session through IKE, so strong encryption algorithms can be used and no long-lived shared traffic key exists to be recovered. Tunnels are point to point: other members of the wireless network see only ESP packets and their outer addresses, not the traffic inside them.
Ensure also that the operator of the device is authenticated and authorized per defined access policies. Among the many methods commonly in use today are Microsoft Active Directory, LDAP, RADIUS and TACACS+. Each of these requires the end user requesting access to the wireless network to answer an identity challenge with a username and password, which is then validated and authorized for access. Because the challenge crosses the WLAN, the credentials should travel only inside an encrypted channel (an EAP method, IPsec or SSL), never in the clear. User identification and authorization can be further strengthened with identity tokens or one-time passwords, such as RSA's SecurID.
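The identity challenge described above, carried between the access point and the authentication server as a RADIUS exchange (RFC 2865), as an added example in Go that is not the article's or Permeo's code. The access point builds an Access-Request with the user's password hidden under the shared secret, the server checks it against a toy user table and answers Access-Accept or Access-Reject, and the access point validates the Response Authenticator before trusting the answer. The shared secret, user name and password are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/md5"
	"crypto/rand"
	"crypto/subtle"
	"errors"
)

// Packet codes and attribute types from RFC 2865.
const codeAccessRequest, codeAccessAccept, codeAccessReject byte = 1, 2, 3
const attrUserName, attrUserPassword byte = 1, 2

type packet struct {
	Code, ID      byte
	Authenticator [16]byte // random on a request; MD5 over the reply on a response
	Attrs         []byte   // Type-Length-Value attributes; Length counts its own 2 header bytes
}

func attr(t byte, v []byte) []byte { return append([]byte{t, byte(2 + len(v))}, v...) }

// findAttr returns the value of the first attribute of type t, refusing to read
// past the buffer (or loop forever) when a Length byte is malformed.
func findAttr(attrs []byte, t byte) []byte {
	for a := attrs; len(a) >= 2; a = a[int(a[1]):] {
		l := int(a[1])
		if l < 2 || l > len(a) {
			return nil // malformed length
		}
		if a[0] == t {
			return a[2:l]
		}
	}
	return nil
}

// xorChain is the RFC 2865 section 5.2 password keystream: block i is XORed with
// MD5(secret || previous block), seeded by the Request Authenticator. The chain
// runs over ciphertext blocks, so when revealing, "previous" comes from the input.
func xorChain(secret, reqAuth, in []byte, decrypt bool) []byte {
	out := make([]byte, len(in))
	prev := reqAuth
	for i := 0; i+16 <= len(in); i += 16 {
		b := md5.Sum(append(append([]byte{}, secret...), prev...))
		for j := range b {
			out[i+j] = in[i+j] ^ b[j]
		}
		prev = out[i : i+16]
		if decrypt {
			prev = in[i : i+16]
		}
	}
	return out
}

// hidePassword NUL-pads to a 16-byte multiple before chaining. The hiding is only
// as strong as the shared secret, which must therefore be long and unique per NAS.
func hidePassword(secret, reqAuth, password []byte) []byte {
	padded := make([]byte, (len(password)+15)/16*16)
	copy(padded, password)
	return xorChain(secret, reqAuth, padded, false)
}

func revealPassword(secret, reqAuth, hidden []byte) []byte {
	if len(hidden)%16 != 0 {
		return nil // malformed attribute
	}
	return bytes.TrimRight(xorChain(secret, reqAuth, hidden, true), "\x00")
}

// responseAuthenticator = MD5(Code || ID || Length || RequestAuth || Attributes || Secret).
func responseAuthenticator(code, id byte, reqAuth, attrs, secret []byte) [16]byte {
	length := 20 + len(attrs)
	msg := append([]byte{code, id, byte(length >> 8), byte(length)}, reqAuth...)
	return md5.Sum(append(append(msg, attrs...), secret...))
}

// accessRequest is what the access point sends once the user answers the challenge.
func accessRequest(secret []byte, id byte, user, password string) *packet {
	p := &packet{Code: codeAccessRequest, ID: id}
	rand.Read(p.Authenticator[:]) // fresh Request Authenticator for every request
	p.Attrs = append(attr(attrUserName, []byte(user)),
		attr(attrUserPassword, hidePassword(secret, p.Authenticator[:], []byte(password)))...)
	return p
}

// serve is the RADIUS server: reveal the password, check it against the user store
// (a map here; a real server asks LDAP, Active Directory or a hash store) and reply
// with an Accept or Reject that only a holder of the shared secret could produce.
func serve(secret []byte, users map[string]string, req *packet) *packet {
	user := string(findAttr(req.Attrs, attrUserName))
	got := revealPassword(secret, req.Authenticator[:], findAttr(req.Attrs, attrUserPassword))
	code := codeAccessReject
	if want, ok := users[user]; ok && subtle.ConstantTimeCompare(got, []byte(want)) == 1 {
		code = codeAccessAccept
	}
	resp := &packet{Code: code, ID: req.ID}
	resp.Authenticator = responseAuthenticator(code, req.ID, req.Authenticator[:], nil, secret)
	return resp
}

// verifyResponse is the access point's check that the reply answers its own request
// and was produced with the shared secret, so a spoofed Access-Accept is ignored.
func verifyResponse(secret []byte, req, resp *packet) error {
	want := responseAuthenticator(resp.Code, resp.ID, req.Authenticator[:], resp.Attrs, secret)
	if resp.ID != req.ID || subtle.ConstantTimeCompare(want[:], resp.Authenticator[:]) != 1 {
		return errors.New("reply does not match the request or was not made with the shared secret")
	}
	return nil
}
```

Note what the password hiding does and does not give: an eavesdropper on the access-point-to-server segment cannot read the password without the shared secret, but the scheme is only as strong as that secret, and on the wireless leg the user's password is still whatever the station sent to the access point, so it must be protected there by an EAP method, IPsec or SSL rather than by RADIUS.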
An alternate solution is an SSL VPN, which eliminates the need to deploy, configure and maintain many of the pieces of the traditional layered approach.
An SSL VPN can segregate WLAN users into their own isolated subnet, simplifying the work required to secure access from the wireless network. This architecture effectively puts would-be wireless users on an island that can be assigned class-of-access policies and policed. The physical network design for this is implemented by ensuring that all corporate WAPs reach the network through a single point of entry: the uplink from the Ethernet switch serving the WAPs connects to the control point, which provides security and enforces policy.
Moving access security to the application layer removes the dependence on link-layer and network-layer security for the services reached through the gateway. Any mobile user can use an existing SSL-enabled Web browser to access those services across the WLAN, and security is maintained through AAA policy enforcement at the access-control point. Credentials can be verified against RSA ACE/Server, RADIUS, LDAP, Active Directory, Windows domain or TACACS+ directories. The caveat is that only traffic terminated at the SSL gateway is protected; the stations themselves, and anything they send outside the tunnel, sit on an otherwise open WLAN, so the isolated subnet must permit nothing but the path to the gateway, and the device security described above still applies.
For more information from Permeo Technologies: www.rsleads.com/406cn-258
This article was provided by Bill Nelson, director of product management at Permeo Technologies, Irving, Texas.
COPYRIGHT 2004 Nelson Publishing
COPYRIGHT 2008 Gale, Cengage Learning