Security is a very important issue and particularly a major concern for businesses. Moreover, security is also the reason companies hesitate to set up wireless local area networks (WLAN). They are worried about security in WEP (Wired Equivalent Privacy) and are interested in newer, safer security solutions.
IEEE and the Wi-Fi Alliance have developed a more secure solution: Wi-Fi Protected Access (WPA) and IEEE 802.11i (also known as “WPA2 Certified” according to the Wi-Fi Alliance), along with another solution called VPN Fix, which also helps enhance wireless network security.
According to Webtorial, WPA and 802.11i are used at rates of 29% and 22%, respectively, while 42% rely on other “temporary solutions”, such as securing the wireless local area network with a Virtual Private Network (VPN).
So, which security solution should we choose for wireless networks?
WEP: Inadequate Security
WEP (Wired Equivalent Privacy) means wireless security equivalent to that of a wired network. In fact, WEP combines user authentication and data safety in a single insecure method. WEP uses a static encryption key of either 64 bits or 128 bits (subtracting 24 bits used for the initialization vector, leaving effective key lengths of 40 bits or 104 bits) to authenticate devices allowed to access the network and to encrypt data transmission.
These encryption keys are easily “cracked” through brute-force algorithms and trial-and-error attacks. Free software like Airsnort or WEPCrack allows hackers to break encryption keys if they collect enough packets, typically between 5 and 10 million, on a wireless network. Keys of 128 bits are not much better since 24 bits are again used for initialization, leaving 104 bits for encryption, which is similarly vulnerable to attacks. Additionally, weaknesses in the initialization vectors allow hackers to find passwords more quickly with significantly fewer packets.
Even if the flaws in the encryption key itself are not addressed, WEP could be improved by using an authentication protocol that provides a new encryption key for each session. The encryption key would change for each session, making it more difficult for hackers to gather enough data packets needed to break the security key.
Temporary Solution: VPN Fix
Recognizing the weaknesses in WEP, enterprise users have discovered an effective way to protect their WLANs, called VPN Fix. The basic idea of this approach is to treat WLAN users like remote access service users.
In this configuration, all WLAN access points and computers connected to these access points are defined within a virtual LAN (VLAN). In this security infrastructure, these devices are treated as “untrusted”. Before any WLAN device connects, it must be authorized by the LAN’s security component. Data and connections from these devices must pass through an authentication server like RADIUS. Then, the connection will be established through a secure, encrypted tunnel using a security protocol such as IPSec, similar to remote access services over the Internet.
However, this solution is not perfect. VPN Fix requires greater VPN traffic for firewalls and necessitates creating initialization procedures for each user. Furthermore, IPSec does not support multifunction devices such as handhelds and barcode scanners. Finally, from a network architecture perspective, the VPN configuration is merely a temporary solution rather than an integration with WLAN.
Security Solution via Authentication
Once the security flaws in wireless LANs were discovered, the industry invested significant effort into resolving this issue. One key point to remember is that we must address two issues: authentication and information security. Authentication ensures that legitimate users can access the network, while security keeps data transmissions safe from interception.
One advance in authentication is IEEE 802.1x, which uses the Extensible Authentication Protocol (EAP). EAP serves as a solid foundation for authentication and can be used with various other authentication protocols, including MD5, Transport Layer Security (TLS), Tunneled TLS (TTLS), Protected EAP (PEAP), and Cisco’s Lightweight EAP (LEAP).
Fortunately, choosing an authentication protocol comes down to only a few basic factors. First, the mechanism should provide two-way authentication, known as mutual authentication, meaning that the network authenticates the user and the user also authenticates the network. This is critical for WLANs, as hackers could insert unauthorized access points between network devices and legitimate access points (a man-in-the-middle attack) to intercept and alter data packets. Methods like MD5 do not provide mutual authentication and are therefore discouraged for WLAN use.
802.11i Standard or WPA2
A long-term solution is to adopt 802.11i, equivalent to WPA2, which is certified by the Wi-Fi Alliance. This standard uses a strong encryption algorithm known as the Advanced Encryption Standard (AES). AES employs a symmetric block encryption algorithm called Rijndael, using block sizes of 128 bits, and can also utilize 192-bit or 256-bit keys.
To evaluate this encryption standard, the U.S. National Institute of Standards and Technology (NIST) has approved this symmetric algorithm. This encryption standard is used by U.S. government agencies to protect sensitive information. For more details on how the Rijndael algorithm works, you can visit http://en.wikipedia.org/wiki/Rijndael.
AES is considered significantly more secure than WEP’s 128-bit or 168-bit DES (Digital Encryption Standard). For performance assurance, encryption must be executed in hardware, such as being integrated into chips. However, very few WLAN network cards or access points currently support hardware-based encryption. Furthermore, most Wi-Fi handheld devices and barcode scanners are not compatible with the 802.11i standard.
WPA (Wi-Fi Protected Access)
Recognizing the challenges of upgrading to 802.11i, the Wi-Fi Alliance introduced another solution called Wi-Fi Protected Access (WPA). One of the most significant improvements of WPA is the use of the Temporal Key Integrity Protocol (TKIP) for key rotation. WPA also utilizes the RC4 algorithm as WEP does, but with full 128-bit encryption. Another distinguishing feature is that WPA changes keys for each packet. Tools that collect packets for key cracking cannot operate effectively with WPA. Because WPA continuously rotates keys, hackers can never collect enough sample data to determine the password. Additionally, WPA includes a Message Integrity Check to ensure that data cannot be altered during transmission.
One of WPA’s most appealing aspects is that it does not require hardware upgrades. Free software upgrades for most network cards and access points using WPA are readily available and easy to implement. However, WPA also does not support handheld devices and barcode scanners. According to the Wi-Fi Alliance, around 200 devices have been certified for WPA compatibility.
WPA offers two options: WPA Personal and WPA Enterprise. Both options use the TKIP protocol, with the only difference being the initial encryption key. WPA Personal is suitable for home and small office networks, where the initialization key is used at access points and workstation devices. In contrast, WPA for enterprises requires an authentication server and 802.1x to provide initialization keys for each session.
While the Wi-Fi Alliance has implemented WPA and considers it to eliminate all vulnerabilities exploited in WEP, users still do not fully trust WPA. There is a vulnerability in WPA that occurs exclusively with WPA Personal. When the TKIP key rotation function is used to generate encryption keys, if a hacker can guess the initialization key or part of the password, they may determine the entire password, thereby decrypting the data. However, this vulnerability can be mitigated by using initialization keys that are difficult to guess (avoid using simple words like “PASSWORD”).
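As an added example (not from the original article), the check below audits a WPA Personal passphrase before it is deployed and shows how the key is derived from it. The derivation (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 256-bit output) comes from the 802.11i standard rather than from this page; the denylist, the 80-bit threshold, the SSID and the sample passphrases are assumptions made for the example.

```python
import hashlib
import math
import string

def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """256-bit WPA Personal key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)

# Constructed denylist for the example; a real audit would load a much larger one.
COMMON = {"password", "12345678", "qwertyui", "letmein1", "admin123"}
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation + " ")

def estimated_bits(passphrase: str) -> float:
    """Upper bound on guessing effort: length * log2(size of character pool used)."""
    pool = sum(len(c) for c in CLASSES if any(ch in c for ch in passphrase))
    return len(passphrase) * math.log2(pool) if pool else 0.0

def audit_passphrase(passphrase: str, ssid: str, min_bits: float = 80.0) -> list:
    """Return the reasons a passphrase should be rejected (empty list = accept)."""
    problems = []
    if not 8 <= len(passphrase) <= 63:
        problems.append("length must be 8 to 63 characters")
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        problems.append("only printable ASCII is allowed")
    if passphrase.lower() in COMMON:
        problems.append("on the common-passphrase denylist")
    if ssid and ssid.lower() in passphrase.lower():
        problems.append("contains the SSID")
    if estimated_bits(passphrase) < min_bits:
        problems.append("estimated strength below %d bits" % min_bits)
    return problems

if __name__ == "__main__":
    for candidate in ("PASSWORD", "OfficeNet2024", "v7#Kq2!mZp9$Lx4&Tn"):
        print(candidate, audit_passphrase(candidate, "OfficeNet"))
    print(wpa_psk("v7#Kq2!mZp9$Lx4&Tn", "OfficeNet").hex())
```

Because the SSID is the salt, the same passphrase yields a different key on every network name, but nothing in the derivation compensates for a passphrase that is easy to guess.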
This also means that WPA’s TKIP technique is merely a temporary solution, not providing the highest security method. WPA is suitable for companies that do not transmit “sensitive” commercial data or sensitive information. It is also suitable for everyday activities and technology testing.
Conclusion
Using VPN Fix over WLAN connections may be a good idea and a step in the right direction. However, the inconvenience, cost, and increased network traffic are barriers that need to be overcome. Transitioning to 802.11i and AES encryption provides the highest security. Yet, organizations are still using thousands of WLAN network cards that do not support this standard. Moreover, AES does not support handheld devices, barcode scanners, or other devices, which are limitations when choosing 802.11i.
The transition to WPA remains challenging. Although there are still security vulnerabilities and potentially new vulnerabilities may be discovered, at this moment, WPA is the best option.
Minh Phúc