中文网站
  Advanced Search
Read the latest Blogs from IT professionals in the field. Read and write community created documents. Need IT help? Ask our staff. Connect with your peers. Check our Tech Shop for posters, books and software tools. Home
HomeWireless and Mobile Networking TechnologiesWireless LAN

Wi-Fi Wireless LAN Security Problems and Solutions

While the wireless LAN provides many conveniences in today’s communication world, it also introduces unique security challenges, compare with the traditional wired network.  The early version of the Wi-Fi technology, IEEE 802.11b, tried to overcome the security issue by devising a user authentication and data encryption system known as Wired Equivalent Privacy, or WEP. Unfortunately, some compromises that were made in developing WEP have resulted in it being much less secure than intended. Newer technologies, such as 802.11i, have been developed to address the security problems.

Network and information security is a complicated subject, and the solutions could be very expensive. Depends on the nature of the network and the level of risk tolerance, proper solutions should be deployed. In the following table, the security problems in a wireless LAN, as well as possible solutions, are listed:

Security problems

  • The spread spectrum modulation technique used in 802.11 and 802.11b is not secure because the code is open to the public.
  • Service Set Identifier (SSID) is very easy to break because anyone with a sniffing tool can detect it.
  • DHCP hurts security in a WLAN because it allows anyone to get a legitimate IP address in the network and access to the shared resources.
  • Wired Equivalent Privacy (WEP) is a very weak encryption to break.
  • Man-in-the-middle attacks by using a wireless analyzer.
  • Denial of Service (DoS) attacks: using a wireless client to insert bogus packets into the wireless LAN to cause access point malfunction, or using a high power signal generator to produce RF interference to block other radio NICs from accessing the medium.

Security solutions

  • Use the latest Wi-Fi technologies such as 802.11g and 802.11n that have more advanced modulation methods.
  • Use encryption technologies such as 802.1x, EAP, TLS, RADIUS, to protect SSID and other user identities.
  • Use 802.11i (WPA 2) with AES technologies for strong encryption.
  • Encrypt wireless traffic using a VPN (Virtual Private Network), such as IPSEC or other VPN solutions.
  • Use encryption for all applications over the wireless network, e.g., use SSH and TLS/HTTPS.
  • Use a proxy with access control for outgoing requests (web proxy, and others).
  • Regularly test the security of wireless network.
  • Enable strict logging on all devices, and check  wireless log files regularly to see if security policy is still adequate.

The following are some basic steps that are recommended to be taken to secure a wireless network; in order of importance:

  • Turn on encryption. WPA2 encryption should be used if possible. WPA encryption is the next best alternative, and WEP is better than nothing.

Change the default password needed to access a wireless device — Default passwords are set by the manufacturer and are known by

  1. crackers. By changing the password you can prevent crackers from accessing and changing your network settings.
  2. Change the default SSID, or network name — Crackers know the default names of the different brands of equipment, and use of a default name suggests that the network has not been secured. Change it to something that will make it easier for users to find the correct network. You may wish to use a name that will not be associated with the owner in order to avoid being specifically targeted.
  3. Disable file and print sharing if it is not needed — this can limit a cracker's ability to steal data or commandeer resources in the event that they get past the encryption.
  4. Access points should be arranged to provide radio coverage only to the desired area if possible. Any wireless signal that spills outside of the desired area could provide an opportunity for a cracker to access the network without entering the premises. Directional antennas should be used, if possible, at the perimeter directing their broadcasting inward. Some access points allow the signal strength to be reduced in order to minimise such signal leakage.
  5. Divide the wired and wireless portions of the network into different segments, with a firewall in between. This can prevent a cracker from accessing a wired network by breaking into the wireless network.
  6. Implement an overlay Wireless intrusion prevention system to monitor the wireless spectrum 24x7 against active attacks and unauthorized devices such as Rogue Access Points. These systems can detect and stop the most subtle or brute force methods of wireless attacks, and provide you with deep visibility into the use and performance of the WLAN.

Here are some often-recommended security steps that are not usually of any benefit against experienced crackers (they will however prevent the larger group of inexperienced users from gaining access to your network easily, should they find your password). These are:

Disabling the SSID broadcast option — Theoretically, hiding the SSID will prevent unauthorized users from finding the network. In fact, while it will prevent opportunistic users from finding the network, any serious cracker can simply scan your other network traffic to find the SSID. It will also make it harder for legitimate users to connect to the network, since they must know the SSID in advance and type it in to their equipment. Hiding the SSID will not prevent anyone from readingthe data that is transmitted, only encryption will do that.

Enabling MAC address filtering — MAC address filtering will prevent casual users from connecting to your network by maintaining a list of MAC addresses that are allowed access, (or not) but a serious cracker will simply scan your network traffic to find a MAC address that is allowed access, then change their equipment to use that address. Any new equipment will require another MAC address to be added to the list before it can be connected. Again, enabling MAC address filtering will not prevent anyone from reading the data that is transmitted without encryption.

Related Terms:Wi-Fi, Wireless LAN, WLAN, WLAN Security, Wi-Fi Security

Reference Links:http://www.javvin.com/wlan-wifi-guide.html:WLAN (Wi-Fi) Quick Guide

http://www.javvin.com/wirelessmap.html : Wireless Communication Technology Map

‹ Wi-Fi Wireless LAN Frequency, Bands and ChannelsupWi-Fi: Wireless Fidelity and Wi-Fi Network ›