Introduction

Security on a wireless network is often a network manager’s top priority. With the growing number and type of devices using the district’s wireless network, it is smart to be concerned with how to authenticate those clients and prevent unwanted devices from accessing or attacking the network. Researchers and manufacturers realize that this is a top priority and have developed mechanisms that, if implemented correctly, can ensure that any wireless network is secure.

What you will learn:

  • Wireless security and authentication basics
  • How to handle guest access
  • Affordable security features to consider

Authentication

Wireless authentication can be broken down into three general categories:

  • Pre-shared Key (PSK) - Pre-shared Key can be used to authenticate a client by prompting for a password before allowing the client to access the wireless network. PSK is not recommended for school environments because passwords can easily be shared with friends and family. Instead, per-user/EAP authentication is preferred.

  • Extensible Authentication Protocol (EAP) - Extensible Authentication Protocol is an authentication framework used by 802.1X. It allows the wireless system to authenticate per-user rather than per-device or with a shared password. If a wireless network requires per-user authentication, EAP is typically the mechanism used to authenticate the user via an Authentication Server. There are several varieties of EAP, with varying levels of security and encryption, allowing the user to authenticate using passwords and/or certificates.

  • Captive Portal - When guests try to access the wireless network, it is common for them to be presented with a captive portal, either asking them to pay for access, enter a username/password, or accept the Internet use terms. This captive portal can be a function of the wireless network or other network devices. Typically if the wireless network is providing the captive portal, guests will join a guest SSID and all traffic on that SSID will be funneled through the captive portal. A captive portal is usually not used in conjunction with a PSK or EAP.

Wireless Security/Encryption

  • WEP/RC4 - Wireless Equivalency Privacy uses the RC4 stream cipher as a software encryption mechanism. WEP has many vulnerabilities and is not a secure way to authenticate/encrypt data. WEP uses a PSK for authentication.

  • WPA/TKIP - Wi-Fi Protected Access uses Temporal Key Integrity Protocol is a stop-gap software encryption mechanism between WEP/RC4 and AES (explained below). Once vulnerabilities in WEP were exploited, TKIP was established as a more secure encryption mechanism but did not require clients to have new hardware to perform the AES encryption. Older devices, specifically those manufactured prior to 2005, do not have the hardware required for AES so you must always allow TKIP authentication on the wireless network to ensure backwards compatibility. Many WPA implementations use a PSK, commonly referred to as WPA Personal, while WPA Enterprise uses an authentication server for authentication.

  • WPA2/AES - Wi-Fi Protected Access 2 uses Advanced Encryption Standard as an encryption mechanism used to encrypt data, including data traveling between a client and its AP. AES is the most secure encryption mechanism available at this time. It is also considered the fastest encryption because the encryption happens in hardware rather than software so it does not use up CPU cycles. Like WPA, many WPA2 implementations use a PSK commonly referred to as WPA2 Personal, while WPA2 Enterprise uses an authentication server for authentication.

Guest Access

When guests access the wireless network, there are many best practice security techniques that should be applied to ensure that the rest of the network is safe. The most common of these best practices include:

  • Guest SSID - A dedicated wireless network for guest users separate from internal users
  • Guest VLAN - A dedicated network to keep guest traffic separate from internal traffic
  • Captive Portal to accept Internet Use Terms and Conditions
  • Time limits before re-authentication
  • Access Control Lists (ACL) preventing guest VLAN from accessing internal network (essentially tunnel to the Internet)

In general, it is recommended to implement all of these items on the guest network, however, the captive portal is not always delivered by the wireless system. There are other third party or integrated captive portals that are very effective so captive portals are not always a requirement for a wireless solution.

Off Channel Scanning

Many sources of interference or security threats may be off channel. Off channel interference is interference that is present on a channel outside of a radio’s current operation. For instance, if an AP’s radio is operating on channel 1, any device (like a microwave) creating interference on channel 6 is generating off channel interference.

It can be useful for the AP to occasionally scan off channel to detect and remove these potential threats to the network or to avoid a channel with high interference. Sometimes this scanning can be performed by a dedicated radio, while other times it is done by the client servicing radio slicing off fractions of a second to scan off channel between client transmissions.

WIDS/WIPS

The primary purpose of a Wireless Intrusion Detection System (WIDS) is to monitor the RF spectrum and detect the presence of unauthorized APs or wireless attacks. Wireless Intrusion Protection Systems (WIPS) take WIDS one step further and actually takes countermeasures to prevent unauthorized network access.

  • With overlay- There are many WIDS/WIPS solutions on the market. Some of them require an additional "overlay" AP or radio to be deployed in addition to the APs that are servicing clients. This additional overlay device (sometimes built into an AP as a third radio) usually drives the cost of the network up significantly.
  • Without overlay- A solution that provides WIDS/WIPS without an overlay network allows the APs to dedicate a certain amount of their time and effort into scanning the RF spectrum and analyzing any activity to detect potentially malicious behavior. This approach is much more cost effective than overlay WIPS, but since the AP has to dedicate a certain percentage of its time to scanning rather than servicing clients, AP performance decreases slightly.

Some manufacturers require an additional security appliance to enable this functionality, increasing the overall cost of the solution. If security is a very high priority for your district you may want to ask your manufacturer about this solution, otherwise, rogue detection which is typically included as part of WIDS may be sufficient for your district on a tight budget.

Rogue Detection/Containment

On-network rogue access points (APs that are plugged into the network but not managed by the district) create security and performance threats to the district network. Rogue detection and containment features can be very effective in alleviating rogues. Different manufacturer solutions handle rogue detection and containment differently, some have the functionality built into their client-serving APs, others require an overlay network, while others build rogue detection solutions into the WIDS/WIPS functionality.

  • With overlay - An overlay rogue mitigation system requires that rogue detecting APs are installed in addition to the client-servicing APs (sometimes built into an AP as a third radio). This means that there are two overlapping networks. The rogue detecting APs do not have to be placed as densely as client-servicing APs, but the additional number of APs can be cost prohibitive.
  • Without overlay - A rogue mitigation solution without overlay means that the client-servicing APs occasionally slice fractions of a second to go "off channel" and scan for rogues. While not as effective as an overlay design, this approach is usually satisfactory and much more cost effective. Performance of the AP decreases slightly but is typically not noticeable to the end user.
Manufacturer Technology: Rogue Detection Without Overlay
AerohiveRogue Detection
Aruba (HP)*RAPIDS via AirWave
Cisco*WIDS/WIPS and CleanAir
ExtremeRogue AP Detection
HPRogue Detection/IDS
Cisco MerakiRogue Detection via AirMarshal
Meru (Fortinet)Wireless Intrusion Prevention
Zebra (Motorola)*Rogue Detection via AirDefense (requires overlay)
Ruckus (Brocade)Rogue Detection
UbiquitiRogue AP Detection
XirrusRogue Detection
* Additional hardware, software, or license required

802.11w (Management Frame Protection)

Management Frame Protection, 802.11w, is a security standard that protects Management Frames in a Wi-Fi network. Common wireless attacks take advantage of insecure management frames, 802.11w was created to remove that vulnerability. A wireless network with 802.11w enabled requires 802.11w support on the client side as well as the AP side. Client support for this feature is not yet ubiquitous so be cautious when prioritizing or enabling this feature.


Continue to Management