December 12, 2000, 3:49 PM — Wireless LANs often propagate data to areas outside the physical control of an
organization. Radio waves penetrate building walls and can be received in the office
next door, a facility's parking lot, and possibly a couple blocks away. Do you worry
that someone could retrieve your company's sensitive information by lurking nearby with
a PC equipped with the wireless network interface card your organization uses?
Relax -- it's not that easy.
An IEEE 802.11 wireless station will not process data over the wireless network
unless its network ID, also called a Basic Service Set Identification, is the same as
other stations on the network. Sent in every 802.11 data packet, the network ID is a
six-byte code word that distinguishes one wireless LAN from another. Access points
check the network ID when each station initiates a connection to the network. If the ID
doesn't match the one stored in the access point, then the station cannot establish a
connection to the wireless LAN. Thus, an intruder must obtain the network ID necessary
to join the network. This should be difficult, assuming you keep the network ID codes
With the correct network ID, someone could configure a portable computer with an
appropriate radio card and gain access to your wireless LAN. The trespasser shouldn't
get very far, however, if your servers and applications require a username and
password. Always invoke security mechanisms when giving users access to sensitive
applications and data.
You can provide another level of security by using 802.11's Wireless Equivalent
Privacy (WEP) protocol. Most
wireless LAN vendors offer WEP as an option for their
standard radio cards and access points.
One WEP feature, shared key authentication, ensures that only authorized stations
can access the wireless LAN. Shared key authentication operates as follows:
- A station requesting 802.11 service sends an authentication frame to another
- When a station receives an initial authentication frame, the station replies with
an authentication frame containing 128 octets of challenge text.
- The requesting station copies the challenge text into an authentication frame,
encrypts it with a shared key using the WEP service, and sends the frame to the
- The receiving station decrypts the challenge text using the same shared key and
compares it to the challenge text sent earlier. If they match, the receiving station
replies with an authentication acknowledgement. If not, the station sends a negative