Securing 802.11 wireless LANs
Wireless LANs often propagate data to areas outside the physical control of an
organization. Radio waves penetrate building walls and can be received in the office
next door, a facility's parking lot, and possibly a couple blocks away. Do you worry
that someone could retrieve your company's sensitive information by lurking nearby with
a PC equipped with the wireless network interface card your organization uses?
Relax -- it's not that easy.
An IEEE 802.11 wireless station will not process data over the wireless network
unless its network ID, also called a Basic Service Set Identification, is the same as
other stations on the network. Sent in every 802.11 data packet, the network ID is a
six-byte code word that distinguishes one wireless LAN from another. Access points
check the network ID when each station initiates a connection to the network. If the ID
doesn't match the one stored in the access point, then the station cannot establish a
connection to the wireless LAN. Thus, an intruder must obtain the network ID necessary
to join the network. This should be difficult, assuming you keep the network ID codes
confidential.
With the correct network ID, someone could configure a portable computer with an
appropriate radio card and gain access to your wireless LAN. The trespasser shouldn't
get very far, however, if your servers and applications require a username and
password. Always invoke security mechanisms when giving users access to sensitive
applications and data.
You can provide another level of security by using 802.11's Wireless Equivalent
Privacy (WEP) protocol. Most
wireless LAN vendors offer WEP as an option for their
standard radio cards and access points.
One WEP feature, shared key authentication, ensures that only authorized stations
can access the wireless LAN. Shared key authentication operates as follows:
- A station requesting 802.11 service sends an authentication frame to another
station. - When a station receives an initial authentication frame, the station replies with
an authentication frame containing 128 octets of challenge text. - The requesting station copies the challenge text into an authentication frame,
encrypts it with a shared key using the WEP service, and sends the frame to the
responding station. - The receiving station decrypts the challenge text using the same shared key and
compares it to the challenge text sent earlier. If they match, the receiving station
replies with an authentication acknowledgement. If not, the station sends a negative
authentication notice.
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
jfruh
Apple syncing patent can't come soon enough
pasmith
New Twitter features borrow from 3rd party clients
Esther Schindler
Open Source Changes the Software Acquisition Process
mikelgan
How to set up continuous podcast play on the new iTunes
David Strom
Five important Windows 7 mobility features
sjvn
Guard your Wi-Fi for your own sake
Sandra Henry-Stocker
Grepping on Whole Words
Sidekick: The Good News & the Bad News
Either way you look at it Microsoft Data Center management did not follow standards or best practices in this failure. In which case it makes me wonder more about the outsourcing of corporate data much less personal data.
- mburton325
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
