Wi-Fi is a Passion


Overview - Security

Security nowadays is a hot topic. Ransomware is in the news, and even commercials on the Dutch radios are talking about protecting your company against ransomware. Your network is as strong as the weakest link. If you use WEP as your wireless protection, you might as well remove all your security in your company. You need to design the wireless network with security in your mind. Also keep in mind, for what are you making this design? For example, for military purposes, there needs to be higher security features than for example a hotel. For hotels you need to keep in mind what kind of devices are connecting—legacy devices or not? Do all the devices support WPA2?

Four organizations that work with security within the wireless networking are International Organization for Standardizations (ISO), Institute of Electrical and Electronics Engineers (IEEE), Internet Engineering Task Force (IETF) and the last one is the Wi-Fi Alliance. ISO created the OSI model. IEEE creates and maintains 802.11 standards, also the security standards that are used in Wi-Fi (802.11i and 802.1X). IETF creates and maintains Request for Comments (RFCs). Extensible Authentication Protocol (EAP) is defined in RFC 3748 and all the different EAP types, which will be discussed in other blogs. The last organization is the Wi-Fi Alliance. The Wi-Fi Alliance creates certifications for products that are tested by the organization, but also defined by the WPA and WPA2 standards.

WPA and WPA2 standards were not created by IEEE, the organization that normally creates the standards. WEP was the first security algorithm that was defined in the original 802.11 standard. This algorithm was not really secure and easy to crack. The Wi-Fi Alliance created WPA, since it took too long for a better security standard by the IEEE. IEEE came later with the security amendment 802.11i. The Wi-Fi Alliance introduced WPA2 and IEEE revised the 802.11i amendment in 2007, 2012, and 2016.

Other Wi-Fi Alliance certified also:
Wi-Fi Multimedia (WMM) based on 802.11e (QoS)
WMM-PowerSave (WMM-PS) is for battery power converse that is helpful for wireless devices like Wi-Fi phones.
WMM Admission Control allows Wi-Fi networks to manage traffic based on conditions from the channel, the load of the traffic, and the type of the traffic.
Wi-Fi Protected Setup (WPS) that is used to simplify the configuration for WPA and WPA2 in SOHO environments. It uses a PIN or a button for security protection.
Wi-Fi Direct is for devices that can connect to Wi-Fi without an access point. This is easy, for example printing, sharing and synchronizing with mobile devices. Miracast, also certified by the Wi-Fi Alliance, uses 802.11n performance with WPA2 through Wi-Fi Direct.
Passpoint is a new design for connecting to Wi-Fi hotspots. It allows SIM and non-SIM devices to connect automatically with a Wi-Fi network.
Wi-Fi Aware is a discovery mechanism that discovers real-time other Wi-Fi devices in range. This mechanism is energy efficient.

Security Basics

There are five components that help with securing a wireless network. Those five components are listed below:

Data Privacy
Wireless is transmitting in the open air and without encryption all the data is plain text and able to be read by everybody with the right tools. There are some terminologies that are used for data encryption that need to be explained.
Cipher: This is an algorithm that is used for encryption.
Encryption: The process to convert plain text into cipher text.
Decryption: The process to convert cipher text into plain text.
Cipher text: The text that is encrypted.
Plain text: The text that is not encrypted.
Code: Representing information in another way.
Cryptology: This is a technique that is needed to encrypt and decrypt the information.
Cryptography: This is the science of concealing the plain text and revealing the cipher text.
Cryptanalysis: This is the science of decrypting without knowing the cipher that is used.

Morse code is for example not encrypted data but is rather information written in a different way.

Authentication, Authorization, and Accounting (AAA)
AAA is used for protecting the resources.
Authentication: Is the user who he said he is?
Authorization: Is the user allowed to access those resources?
Accounting: Tracking what the user is doing on the network.

In a school students don’t have the same rights on the network as teachers. The network needs to be segmented for those two groups. Data segmentation is possible in different ways. You can use firewalls and VLANs for segmentation within the network.

To keep the network secure for intruders, monitoring is important. There are two ways of monitoring: detection or prevention. Detection detects malicious activity on the wireless network and prevention prevents any malicious activity on the wireless network. The tools are named Wireless Intrusion Detection System (WIDS) and Wireless Intrusion Prevention System (WIPS).

It is important to have a security policy. In the policy are the security requirements defined. For example, how do you deal with rogue access points?