Effective Practices in Wireless Security for Higher Ed
Speaker notes
  • WAP – Wireless Application Protocol.
  • Bluetooth, HomeRF and IEEE 802.11 all compete for the same 2.4 GHz band and will interfere with each other (a security/availability problem). Bluetooth and HomeRF are PANs.
  • Bluetooth – will be 802.15; 30 foot range; 1 megabit/sec; originally a replacement for cables; 7 simultaneous connections; partial security; no roaming; buggy interoperability (to be fixed in v1.1); RF interference with IEEE 802.11b in the 2.4 GHz band. IEEE 802.15 is being finalized for PANs (piconets). Lacks the security features of 802.11* (it is not a LAN).
  • 802.11b – AKA "Wi-Fi" or wireless Ethernet; 11 megabits/sec.
  • HiperLAN2 and 802.11a both reach 54 megabits/sec and use 5 GHz. HiperLAN1: 23.5 Mbps, no hardware shipped; shares GSM radio technology.
  • HomeRF – based on the original 802.11 FHSS. Cheap.
  • Jini – Sun Java middleware to run on a piconet/PAN.
  • Transcript

    • 1. Effective Practices in Wireless Security for Higher Ed H. Morrow Long, CISSP, CISM Director - Information Security Yale University EDUCAUSE 2004 Annual Conference Wednesday Oct 20, 2004, 2:15p-3:05p - Track 3 Session Meeting Room 605 - Denver Colorado Convention Center Effective Practices Working Group
    • 2. Copyright Notice
      • Copyright H. Morrow Long 2004. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
    • 3. The Problem?
    • 4. Yahoo Map! Of Yale
    • 5. Yale Central & Science Campus Wireless Map
    • 6. http://www.wifimaps.com/
    • 7. Yale Medical Campus Wireless Map
    • 8. http://www.intel.com/ca/personal/do_more/wireless/stories/bondar.htm With more than 50 speaking engagements a year throughout North America and a career as a photographer that takes her around the world, Bondar, who was chosen to participate in the prestigious Women of Influence speakers series, carries her notebook PC, equipped with Intel® Centrino™ mobile technology+, everywhere she goes. On a recent visit to Yale University in Connecticut, Bondar says, " I used it on hospital rounds with neurosurgery residents ." This is not your father's notebook, distinguished solely by portability. The built-in wireless technology allows unprecedented freedom.+ Among its attributes are mobility, of course, enhanced by a thin profile and lightweight components, longer battery life and uncompromised performance. A user within range of a wireless local area network (WLAN), or hotspot, has immediate high-speed access to the Internet and e-mail and can download or send text, data and graphics with ease. "Even five years ago," says Bondar, "wireless technology would have made a huge difference to my life."
    • 9. WLAN Network Security Terminology Definitions
      • VPN
      • Supranet
      • Internet
      • internet
      • intranet
      • extranet
      • ISP
      • Firewall
      • WEP
      • SSL / TLS
      • Access Point
      • NAT Router
      • Bridge
      • Encryption
      • Authentication
      • PKI
      • LDAP
      • “Certificate”
    • 10. Wireless Data – Terminology Definition
      • IEEE 802.11a
      • IEEE 802.11b
      • IEEE 802.1x
      • IEEE 802.11e
      • IEEE 802.11g
      • IEEE 802.11i
      • Bluetooth
      • HomeRF
      • Jini
      • EAP
      • LEAP
      • PEAP
      • EAP over TLS
      • TTLS
      • WiFi
      • WPA
    • 11. 802.11 Wireless Standards
      • 802.11 – 1 to 2 megabits/second.
      • 802.11b – From 1 up to 11 megabits/second.
      • Conflicts with the frequency band used by Bluetooth.
      • 802.11a – 5 GHz band; data rates of 6, 9, 12, 18, 24, 36, 48 and 54 Mbps (6, 12 and 24 Mbps are mandatory).
      • 802.11e – multimedia & QoS improvements, security?
      • 802.11g – 2.4 GHz band; rates up to 54 Mbps (same OFDM rate set as 802.11a), backward compatible with 802.11b.
      • 802.1X – Authentication & port-based access control for all 802 LANs.
      • WPA – 802.1X + EAP + TKIP + MIC
      • 802.11i – WPA plus AES (Advanced Encryption Standard, used in CCMP mode).
    • 12. 802.11 Generic MAC layer - IBSS
      • IBSS (Independent Basic Service Set) - AKA “Ad-hoc” network.
      • Stations associate directly with each other without an AP.
      • No relaying, only direct (peer to peer).
    • 13. 802.11 Generic MAC layer - BSS
      • BSS (Basic Service Set) - AP plus stations AKA “Infrastructure” network.
      • Stations need AP to communicate w/each other and/or to relay packets out to internet.
      • SSID may be broadcast via beacon frames.
      • “Association” Request sent by client station to AP. Handshake to set up association may involve authentication.
      • “Disassociate” Request may be sent at end of session (or may not be sent at all if station shuts down or moves out of range).
    • 14. 802.11 Generic MAC layer - ESS
      • ESS (Extended Service Set) - Multiple APs (each with multiple stations) connected (via wireless or wired LAN). AKA Extended “Infrastructure” network.
      • ESS == Set of BSSs connected via a distribution system (DS). Shared SSID.
      • APs communicate among themselves.
      • Entire WLAN is a single MAC layer 2 net.
      • Station mobility within ESS. AP handoff.
    • 15. 802.11 PHY Specs (802.11 PHY – Modulation – Frequency – Max Data Rate)
      • 802.11 – FHSS/DSSS & IR – 2.4 GHz – 2 Mb/s
      • 802.11b – DSSS – 2.4 GHz – 11 Mb/s
      • 802.11g – OFDM – 2.4 GHz – 22-54 Mb/s
      • Super-G – OFDM – 2.4 GHz – 108 Mb/s (proprietary)
      • 802.11a – OFDM – 5 GHz – 54 Mb/s
    • 16. 802.11b (WECA -> WiFi)
      • Most popular wireless LAN (WLAN).
      • 11 Separate Channels in 2.4Ghz -- overlapping bands of frequencies.
      • Channels 1, 6 and 11 are commonly used as this allows three non-overlapping channels.
    • 17. 802.11b (WECA -> WiFi) & g (same points as slide 16, applied to 802.11g as well)
    • 18. 802.11a
      • Less popular wireless LAN (WLAN).
      • 8 Non-overlapping Channels in the 5Ghz frequency range.
      • Was the only 54Mb/s WLAN until 802.11g, which reaches the same rate while using the 802.11b frequency range and hardware/APs that stay compatible with 802.11b.
    • 19. Wireless Data Risks and Threats – What are we worried about?
      • Controlling Access to our Network
        • Preventing intruders and disallowing anonymous access.
        • Identifying and authenticating “trusted” users and devices.
        • Authorization and network access control
      • Confidentiality
        • Preventing eavesdropping and decryption to ensure privacy.
      • Integrity
        • Preventing tampering and session hijacking.
      • Availability
        • Ensuring quality of service, preventing denial of service.
    • 20. Wireless Security Problems
      • Default Passwords
      • Open Broadcast of SSIDs
      • No or weak encryption.
      • Lack of authentication.
      • Accidental & Malicious association w/rogue APs (M-I-T-M tampering possible).
      • Sniffing
      • Spoofing
      • Denial of Service (DoS) Attacks
      • Attacks from outside: Spammers & Worms
    • 21. Default SSID (Service Set Identifier)
      • Cisco ‘tsunami’
      • Linksys APs ‘linksys’
      • Sent in beacon frames
    • 22. Wireless Security Problems
      • Network Attacks (Spoofing and Denial of Service (DoS) Attacks) -- Layers 1 thru 3.
      • Layer 1: Malicious AP overpowering a valid AP
      • Layer 2: Spanning Tree packet (802.1D) attacks. Broadcasts causing loops in redundant LANs.
      • Layer 2: Attacks on EAP endpoints (spoofed start/logoff commands, bogus connect/failure msgs)
      • Layer 3: ARP Cache Poisoning. Sending spoofed unsolicited ARP replies to computers to have them divert packets.
    • 23. SSID Security Guidelines
      • Change the SSID from the vendor default.
      • Do not set the SSID to a secret (e.g. a password in use elsewhere) nor to anything which provides information to outsiders (e.g. company name).
      • Configure AP settings to not broadcast the SSID in beacon frames. (Caveat: this only hides the network from casual scanning; the SSID is still sent in the clear in probe responses and association requests, so it is not an access control.)
    • 24. WLAN Security Guidelines
      • Use WEP to deter casual eavesdropping & trespassing.
      • Use a VLAN & private IP subnet range outside of the corporate intranet.
      • Firewall the WLAN from the corporate intranet.
      • Require and use VPNs from stations to enter the corporate intranet.
    • 25. 802.11b Wireless Security Flaws
      • Confidentiality - Interception / drive-by snooping
        • WEP – Wired Equiv Privacy
        • VPNs and App Level Crypto (SSL/TLS, SSH)
      • Integrity - Impersonation
        • ARP cache poisoning (spoofing wired/wireless)
        • Session Hijacking
      • Availability - Denial of service (DoS)
        • Easy to jam with broad spectrum interference
        • Some protection against electric appliances
    • 26. 802.11b Wireless Security Flaws
      • Authentication
        • MAC/Hardware Address Control
        • DHCP using registered MAC/HW addresses
        • Firewall plus VPN approach
        • Proprietary
          • Cisco Aironet 350, Cisco driver and RADIUS
          • Web-based authentication
      • Authorization - Appropriate Access Control
        • Access Point filters, NAT routers and Firewalls
      • Accounting - Public 802.11b ISPs! Credit Cards.
    • 27. 802.11b Wireless Security Flaws
      • WEP has been criticized by UC Berkeley ISAAC group researchers as flawed: http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html
      • At least one public domain program is now available on the Internet which passively sniffs WEP traffic and recovers the static key in use (from weak-IV packets; no brute force of the key is needed).
      • Therefore WEP by itself is no longer considered adequate to protect 802.11b traffic.
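Two of the WEP design flaws behind the ISAAC findings can be shown without any key-recovery tooling. The block below is an added example, not code from the presentation: it implements WEP's framing (a 24-bit IV sent in the clear, RC4 keyed with IV || shared secret, a CRC-32 ICV) and then shows (a) that an attacker can flip chosen plaintext bits in a captured frame and patch the encrypted ICV so the receiver still accepts it, because CRC-32 is affine, and (b) that two frames under the same IV leak the XOR of their plaintexts. The key, IV and message contents are constructed for the demo.

```python
import os
import struct
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA then PRGA). WEP seeds it with key = IV || shared secret."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def crc32(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF


def wep_encrypt(secret: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body as WEP sends it: 3-byte IV in the clear, then RC4(IV||secret, plaintext || ICV).
    The ICV is a little-endian CRC-32 of the plaintext."""
    assert len(iv) == 3 and len(secret) in (5, 13)   # 40-bit or 104-bit shared key
    icv = struct.pack("<I", crc32(plaintext))
    return iv + rc4(iv + secret, plaintext + icv)


def wep_decrypt(secret: bytes, frame: bytes):
    """Returns (plaintext, icv_ok). A receiver accepts the frame only when icv_ok is True."""
    iv, body = frame[:3], frame[3:]
    dec = rc4(iv + secret, body)
    plaintext, icv = dec[:-4], dec[-4:]
    return plaintext, struct.unpack("<I", icv)[0] == crc32(plaintext)


def flip_bits(frame: bytes, delta: bytes) -> bytes:
    """Integrity flaw: modify an encrypted frame without the key.
    XOR `delta` (same length as the plaintext) into the ciphertext. CRC-32 is affine,
    crc(p ^ d) == crc(p) ^ crc(d) ^ crc(zeros), so the encrypted ICV can be patched to match."""
    iv, body = frame[:3], frame[3:]
    n = len(body) - 4
    assert len(delta) == n
    icv_delta = struct.pack("<I", crc32(delta) ^ crc32(bytes(n)))
    patched = bytes(c ^ d for c, d in zip(body, delta + icv_delta))
    return iv + patched


def keystream_reuse(frame_a: bytes, frame_b: bytes) -> bytes:
    """Confidentiality flaw: two frames under the same IV use the same RC4 keystream,
    so XOR-ing the ciphertexts cancels the keystream and leaves P_a ^ P_b."""
    assert frame_a[:3] == frame_b[:3], "IV collision needed (24-bit IVs repeat within hours)"
    return bytes(a ^ b for a, b in zip(frame_a[3:], frame_b[3:]))


def demo() -> dict:
    """Constructed frames: the attacker sees only ciphertext and never learns `secret`."""
    secret = os.urandom(5)              # constructed 40-bit key, kept from the attacker
    iv = b"\x00\x00\x01"
    p1 = b"TO=alice@example.edu"        # constructed plaintext
    p2 = b"TO=bob@example.edu  "        # constructed, same length, sent under the same IV
    f1 = wep_encrypt(secret, iv, p1)
    f2 = wep_encrypt(secret, iv, p2)
    # Attacker rewrites "alice" -> "mallo" at offset 3 and patches the ICV, key unknown.
    delta = bytes(3) + bytes(x ^ y for x, y in zip(b"alice", b"mallo")) + bytes(len(p1) - 8)
    forged = flip_bits(f1, delta)
    forged_plain, accepted = wep_decrypt(secret, forged)
    return {
        "forged_plaintext": forged_plain,
        "forged_accepted": accepted,
        "xor_of_plaintexts": keystream_reuse(f1, f2)[: len(p1)],
    }


if __name__ == "__main__":
    print(demo())
```

The forged frame decrypts to the attacker's text with a valid ICV, which is why the slides recommend WEP only "to deter casual eavesdropping" and rely on VPN or application-layer crypto for real integrity.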
    • 28. 802.11b Wireless Security Flaws
      • 802.11b Access Points and networks were demonstrated as vulnerable to ARP cache poisoning by Cigital, Inc. in September 2001.
      • Wireless PCs can be impersonated/traffic redirected.
      • SSH and SSL sessions can be hijacked.
      • Wired hosts can be impersonated and have their traffic redirected if the access point is attached to a wired LAN.
      • Other wireless LANs attached to the same wired LAN are also susceptible to ARP cache poisoning.
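The ARP cache poisoning that slides 22 and 28 describe has a recognizable signature on the wire: replies that nobody requested, and a known IP (especially the gateway) suddenly answering from a different MAC. The following detector is an added example, not part of the presentation; it replays a constructed ARP capture (the kind of fields tcpdump or a span port would give you) and raises alerts on those patterns, which is the monitoring counterpart to the "network access control" mitigations on slide 33.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpPacket:
    ts: float          # seconds since capture start
    op: str            # "request" or "reply"
    sender_mac: str
    sender_ip: str
    target_ip: str


def detect_arp_poisoning(packets, protected_ips, reply_window=2.0):
    """Replays ARP traffic in time order and returns (ts, alert, detail) tuples.
    Flags: replies nobody asked for within `reply_window` seconds, an IP changing its MAC
    (severity raised for gateways in `protected_ips`), and one MAC claiming several IPs
    including a protected one (the classic two-sided man-in-the-middle)."""
    alerts = []
    bindings = {}                   # ip -> mac as first learned (the trusted view)
    last_request = {}               # ip asked about -> timestamp of the latest request
    ips_per_mac = defaultdict(set)
    flagged_macs = set()
    protected = set(protected_ips)

    for p in sorted(packets, key=lambda x: x.ts):
        if p.op == "request":
            last_request[p.target_ip] = p.ts
            continue
        if p.op != "reply":
            continue
        asked = last_request.get(p.sender_ip)
        if asked is None or p.ts - asked > reply_window:
            alerts.append((p.ts, "unsolicited-reply",
                           f"{p.sender_mac} claims {p.sender_ip} without a recent request"))
        known = bindings.get(p.sender_ip)
        if known is None:
            bindings[p.sender_ip] = p.sender_mac
        elif known != p.sender_mac:
            sev = "gateway/critical" if p.sender_ip in protected else "host"
            alerts.append((p.ts, "binding-change",
                           f"{p.sender_ip} moved {known} -> {p.sender_mac} ({sev})"))
        claimed = ips_per_mac[p.sender_mac]
        claimed.add(p.sender_ip)
        if len(claimed) > 1 and claimed & protected and p.sender_mac not in flagged_macs:
            flagged_macs.add(p.sender_mac)
            alerts.append((p.ts, "mac-claims-multiple-ips",
                           f"{p.sender_mac} now claims {sorted(claimed)}"))
    return alerts


# Constructed capture: gateway 10.0.0.1 (aa:..), wireless client 10.0.0.20 (bb:..),
# attacker cc:.. poisons both sides 30 s later with unsolicited replies.
SAMPLE = [
    ArpPacket(0.0, "request", "bb:bb:bb:bb:bb:bb", "10.0.0.20", "10.0.0.1"),
    ArpPacket(0.1, "reply",   "aa:aa:aa:aa:aa:aa", "10.0.0.1",  "10.0.0.20"),
    ArpPacket(0.2, "request", "aa:aa:aa:aa:aa:aa", "10.0.0.1",  "10.0.0.20"),
    ArpPacket(0.3, "reply",   "bb:bb:bb:bb:bb:bb", "10.0.0.20", "10.0.0.1"),
    ArpPacket(30.0, "reply",  "cc:cc:cc:cc:cc:cc", "10.0.0.1",  "10.0.0.20"),   # poison client
    ArpPacket(30.1, "reply",  "cc:cc:cc:cc:cc:cc", "10.0.0.20", "10.0.0.1"),    # poison gateway
]


if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE, {"10.0.0.1"}):
        print(alert)
```

On a real network the first-seen binding should come from DHCP leases or a static inventory rather than from whichever reply arrives first; the "binding-change" rule is only as good as that baseline.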
    • 29. 802.11b Wireless Security Flaws – Denial of Service
      • 802.11b bandwidth degrades as signal strength decreases (from 11 Mb/s down to 1 Mb/s in steps).
      • The 802.11b frequency band conflicts with Bluetooth, wireless microphones, microwave ovens, etc.
      • 802.11b supports multiple channels – can be used for noise/conflict avoidance, but not really useful for security (by obscurity).
      • Signal can be boosted at the PC end by adding an antenna. Amplifying signal reception at the AP increases noise.
    • 30. 802.11b Wireless Security Flaws – Denial of Service
      • Yesterday’s CCA (Clear Channel Assessment) flaw/vulnerability in 802.11b. See the CERT announcement and http://www.computerworld.com/securitytopics/security/story/0,10801,93221p4,00.htm
    • 31. 802.11b + 802.1X Wireless Security Flaws
      • University of Maryland researchers Arbaugh and Mishra identified possible weaknesses:
        • Session hijacking
        • Man in the Middle (MitM) attacks
    • 32. 802.11b Confidentiality Solutions
      • WEP - To secure 802.11b using WEP (Wired Equivalent Privacy) you need to (most sites don’t do these):
      • Lock down MAC (physical Ethernet) addresses
      • Set a network name (non-blank & non-guessable).
      • Configure a static shared secret (or set of secrets).
        • Change frequently.
      • Purchase 64 or 128 bit cards & base units.
      • Non-WEP – Use appl. Level cryptography (SSL, etc.)
        • Use and/or require VPNs
    • 33. 802.11b Integrity Solutions: Best Practices
      • Network Access Control
      • (Protect against ARP cache poisoning)
      • Don’t connect Wireless Access Points to the wired network
      • Put Wireless Access Points outside corporate firewall
      • Firewalling/filtering/blocking WLANs
      • Use NAT Router / Firewall Wireless Access Points
      • Use VLANs between wired and wireless networks
      • Use of Wireless VLANs to segregate
    • 34. 802.11b Availability Solutions
      • Note that wireless networks are susceptible to DoS attacks and have very limited shared bandwidth -- THEREFORE THEY ARE NOT SUITABLE REPLACEMENTS FOR A WIRED NETWORK when you need high reliability (e.g. Patient or animal subject RT monitoring).
      • That said, they can be a useful part of a BCP, Disaster Recovery strategy (Sept. 11, 2001 WTC cases) in the event of a wired network failure, for Internet access.
      • Suitable shielding may protect internal 802.11b nets.
      • Intentional jamming may prevent 802.11b use…put outside external shielding.
      • Use directional rather than omni-directional antennas to limit the spread of the signal and the area of reception – particularly on point-to-point links.
    • 35. 802.11b Authentication / Authorization / Accounting Solutions
      • Use of VPNs over Wireless LANs
        • Virtual Private Networks – PPTP, L2TP, IPSEC
        • Username / Password, Hardware tokens, X.509 certificates.
      • Proprietary
        • Secure Authentication Enhancements
          • Cisco Aironet 350 enhances WEP with RADIUS user authentication instead of MAC address checks, and supports per-session dynamic WEP keys rather than a fixed set (one on Apple, four on Lucent).
        • Secure Web based authentication approaches
    • 36. 802.1X “Provides”
        • Authentication (various methods)
        • Port based access control
        • NOT confidentiality (uses WEP)
        • Can provide dynamic WEP key mgt
        • (CISCO uses EAP to provide this)
    • 37. 802.11b + 802.1X “Fixes”
        • Add a MAC (Message Authentication Code) to EAP and 802.11b management messages
        • Time-synchronize communications between PC and APs
    • 38. WPA (WiFi Protected Access)
      • Forward compatible with IEEE 802.11i draft standard (except 802.11i adds AES encryption).
      • EAP (Extensible Authentication Protocol)
      • TKIP (Temporal Key Integrity Protocol)
      • MIC (Message Integrity Check)
      • 802.1X (for auth and dynamic key exchange)
    • 39. WPA Operation
      • WPA derives per-session TKIP keys on both the PC and the AP (from the master key produced by 802.1X/EAP, or from the PSK) to secure the session.
      • In the absence of an authentication server (e.g. a home or small office network) WPA uses pre-shared key (PSK) mode: a manually configured fixed passphrase/key shared by every station.
      • Legacy operation (old gear).
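The key hierarchy behind the two WPA modes on this slide, as an added example that is not part of the presentation. In PSK mode the pairwise master key (PMK) is PBKDF2-HMAC-SHA1 of the passphrase salted with the SSID; in 802.1X mode the PMK comes from the EAP method instead. Either way the per-session pairwise transient key (PTK) is then expanded from the PMK, both MAC addresses and the two handshake nonces, which is what "dynamic keys" means in the WEP/WPA comparison on slide 41. The block also shows why a short PSK is a weakness: deriving candidate PMKs from a wordlist needs no further contact with the AP. SSID, passphrase, MACs, nonces and wordlist are all constructed.

```python
import hashlib
import hmac


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK (IEEE 802.11i): PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).
    Every station on the network derives the same PMK, so the passphrase is a shared group secret."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), ssid.encode("utf-8"), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || counter) blocks, concatenated and truncated."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """Pairwise Transient Key from the 4-way handshake inputs (AP MAC, station MAC, both nonces).
    512-bit TKIP layout: KCK(16) | KEK(16) | TK(16) | TX MIC key(8) | RX MIC key(8)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 64)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48],
            "mic_tx": ptk[48:56], "mic_rx": ptk[56:64]}


def offline_guess(target_pmk: bytes, ssid: str, candidates):
    """Why a weak passphrase fails: anyone who can test candidate PMKs (here against a known PMK;
    in practice against the MIC of a captured handshake) runs PBKDF2 over a wordlist with no
    interaction with the AP. The 4096 iterations slow this down but do not stop it."""
    for candidate in candidates:
        if hmac.compare_digest(derive_pmk(candidate, ssid), target_pmk):
            return candidate
    return None


def demo() -> dict:
    ssid = "CampusWiFi"                                   # constructed SSID
    pmk = derive_pmk("password", ssid)                    # constructed weak passphrase
    ptk = derive_ptk(pmk, bytes.fromhex("00112233aabb"), bytes.fromhex("66778899ccdd"),
                     bytes(range(32)), bytes(range(32, 64)))   # constructed MACs and nonces
    found = offline_guess(pmk, ssid, ["letmein", "welcome1", "password", "hunter2"])
    return {"pmk_hex": pmk.hex(), "tk_hex": ptk["tk"].hex(), "recovered": found}


if __name__ == "__main__":
    print(demo())
```

Because the SSID is the salt, precomputed PMK tables are per-SSID; a default SSID such as the ‘linksys’ or ‘tsunami’ on slide 21 makes such tables reusable across many networks, which is one more reason to change it.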
    • 40. Requirements for WPA
      • WPA AP w/TKIP & 802.1X
      • WPA Client w/TKIP, 802.1X & EAP “supplicant” supporting auth method/server
      • Authentication server on network (e.g. RADIUS) w/strong EAP:
          • TLS
          • TTLS
          • PEAP/LEAP
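The three requirements above, expressed as an added configuration example that is not from the presentation: two hostapd configuration fragments, the weak WPA/TKIP pre-shared-key setup a small office would use, beside the WPA2 (802.11i) setup that uses AES-CCMP and hands authentication to an external RADIUS server over 802.1X/EAP. The interface name, SSID, RADIUS address and secrets are placeholders; the two fragments are separate files, shown back to back.

```ini
# --- hostapd.conf (weak): WPA with TKIP and a shared passphrase, no 802.1X -----
interface=wlan0
ssid=CampusWiFi
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
wpa_passphrase=changeme          # one group secret for every user; offline-guessable

# --- hostapd.conf (corrected): WPA2/802.11i, AES-CCMP, 802.1X against RADIUS ----
interface=wlan0
ssid=CampusWiFi
ieee8021x=1                      # port-based access control; EAP relayed to RADIUS
wpa=2
wpa_key_mgmt=WPA-EAP             # per-user PMK from the EAP method (TLS/TTLS/PEAP)
rsn_pairwise=CCMP                # AES-CCMP, not TKIP
own_ip_addr=10.0.0.2             # placeholder NAS address reported to RADIUS
auth_server_addr=10.0.0.5        # placeholder RADIUS server
auth_server_port=1812
auth_server_shared_secret=replace-with-a-long-random-secret
```

The EAP method itself (EAP-TLS, TTLS or PEAP) is selected on the RADIUS server and the client supplicant, not in the AP; the AP only relays EAP and installs the keys the handshake produces.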
    • 41. Comparison of WEP & WPA
      • WEP
        • 40 bit static keys manually distributed
        • Flawed or no authentication
      • WPA
        • 128 bit dynamic keys automatically distributed w/ per user/session/packet keys
        • 802.1X and EAP authentication
      • WPA2
        • WPA2 is WPA plus AES (Advanced Encryption Standard). It is 802.11i compliant.
    • 42. Proprietary Wireless Security
      • Lucent (Orinoco) - Created first features:
      • 1. “closed network” - Don’t broadcast SSID (e.g. turn off AP broadcast ‘beacon frames’).
      • 2. 128 bit WEP (WEP Plus - 40bits -> 104bits)
      • Raised the WEP key brute-force crack time from days to 20 weeks (but other WEP flaws bring the time to effectively 0).
    • 43. Proprietary Wireless Security
      • CISCO (340/350/…) - features:
      • Dynamically Generated Short-lived (Broadcast) WEP keys
      • (in an early firmware release)
    • 44. Non-Proprietary Wireless Security
      • MAC Address Filtering
      • Description:
      • Register Physical Addresses of authorized devices
      • Flaws:
      • 1. Must be registered in list in AP or in a server (e.g. special RADIUS server).
      • 2. Physical Addresses can easily be spoofed.
    • 45. Non-Proprietary Wireless Security
      • VPN (with or without filtering/blocking of non-VPN traffic)
      • Description:
      • Tunnel all wireless traffic through VPN sessions. Require VPN connection to a specific VPN server. Provides confidentiality, integrity & authentication.
      • VPN (PPTP, L2TP, IPSEC) choice.
      • Potential Flaws:
      • 1. Redundant encryption (if also using WEP).
      • 2. Bandwidth hog / latency problem.
    • 46. Non-Proprietary Wireless Security
      • 802.1X -- port-based network access control that carries EAP (Extensible Authentication Protocol) over the LAN (EAPOL)
      • Designed for wired AND wireless LANs.
      • Can filter or enable ports and/or MAC addresses on switches and APs.
      • Not a cipher.
      • Not a single authentication method:
        • EAP-MD5
        • EAP-Cisco Wireless (aka LEAP)
        • EAP-TLS (Microsoft, RFC2716)
        • EAP-TTLS
        • PEAP (Microsoft and Cisco)
        • EAP-SIM proposal (use GSM SIM cards)
    • 47. Non-Proprietary Wireless Security
      • 802.1X -- EAP Authentication “bucket”
      • EAP-MD5
      • Description:
      • CHAP-style challenge/response: the client returns MD5(identifier || password || challenge) and the AP relays it to RADIUS for checking.
      • Flaws:
      • No key mgt -- uses static WEP keys.
      • No server (mutual) authentication, so a rogue AP can challenge the client itself, and a captured challenge/response pair is open to offline dictionary guessing of the password.
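The EAP-MD5 exchange and its missing server authentication, as an added example that is not part of the presentation. It models the three parties (supplicant, the AP as authenticator that only relays, and a RADIUS server with a constructed user store), runs a legitimate login, and then shows the man-in-the-middle from slide 31: a rogue AP obtains a real challenge from the server, hands it to the victim, relays the answer, and is accepted as the victim, because nothing in EAP-MD5 ties the response to the authenticator the user believes it is talking to. Identities, passwords and the attacker's fixed challenge are constructed.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class Challenge:
    identifier: int      # EAP Identifier byte, echoed in the response
    value: bytes         # random challenge chosen by whoever sent the request


@dataclass(frozen=True)
class Response:
    identifier: int
    identity: str
    digest: bytes


def chap_md5(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """EAP-MD5 reuses CHAP: MD5(Identifier || secret || challenge) (RFC 3748 s5.4, RFC 1994)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


class Supplicant:
    """Client side. It answers ANY challenge it is handed: EAP-MD5 gives it no way to tell
    the real authentication server from a rogue AP."""

    def __init__(self, identity: str, password: str):
        self.identity, self.password = identity, password.encode()

    def respond(self, ch: Challenge) -> Response:
        return Response(ch.identifier, self.identity,
                        chap_md5(ch.identifier, self.password, ch.value))


class RadiusServer:
    """Server side with a constructed user store; remembers the challenge issued per identifier."""

    def __init__(self, users: dict):
        self.users = users          # identity -> cleartext password (EAP-MD5 needs it)
        self.pending = {}

    def new_challenge(self) -> Challenge:
        ident = os.urandom(1)[0]
        ch = Challenge(ident, os.urandom(16))
        self.pending[ident] = ch.value
        return ch

    def verify(self, resp: Response) -> bool:
        challenge = self.pending.pop(resp.identifier, None)
        password = self.users.get(resp.identity)
        if challenge is None or password is None:
            return False
        expected = chap_md5(resp.identifier, password.encode(), challenge)
        return hmac.compare_digest(expected, resp.digest)


def legitimate_login(server: RadiusServer, supp: Supplicant) -> bool:
    """The AP (authenticator) just relays EAP between supplicant and RADIUS."""
    return server.verify(supp.respond(server.new_challenge()))


def rogue_ap_relay(server: RadiusServer, victim: Supplicant) -> bool:
    """Man-in-the-middle: the rogue AP acts as an authenticator toward the real server and as
    an AP toward the victim. Relaying one challenge/response gets the rogue AP's port opened
    as the victim; the victim never learns it was not talking to the campus network."""
    ch = server.new_challenge()
    answer = victim.respond(ch)
    return server.verify(answer)


def harvest(victim: Supplicant):
    """Alternatively the rogue AP picks its own challenge and collects (challenge, response)
    pairs; with the MD5 input known except for the password, these are open to offline guessing."""
    ch = Challenge(7, b"\x00" * 16)     # attacker-chosen, constructed
    return ch, victim.respond(ch)


if __name__ == "__main__":
    srv = RadiusServer({"alice": "s3cret"})
    print("legit:", legitimate_login(srv, Supplicant("alice", "s3cret")))
    print("rogue relay accepted:", rogue_ap_relay(srv, Supplicant("alice", "s3cret")))
```

Methods that run inside a server-authenticated TLS tunnel (EAP-TLS, EAP-TTLS, PEAP, slides 49 and 50) close this gap only if the supplicant actually validates the server certificate; a client configured to skip that check is back in the EAP-MD5 position.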
    • 48. Non-Proprietary Wireless Security
      • 802.1X -- EAP Authentication “bucket”
      • EAP-CISCO WIRELESS (LEAP)
      • Description:
      • Username/ password credentials -- passed to RADIUS
      • Benefits
      • generates one-time WEP keys for each session
      • can use RADIUS timeout features to nullify current WEP attacks,
      • prevents rogue AP association attacks(by mutual auth requirement)
      • Flaws or Drawbacks:
      • Needs special 802.11b driver to support LEAP
      • (Caveat: LEAP’s MS-CHAP-style challenge/response exposes the user password to offline dictionary attack; compare the move from LEAP to PEAP or EAP-TLS noted on slide 71.)
    • 49. Non-Proprietary Wireless Security
      • 802.1X -- EAP Authentication “bucket”
      • EAP-TLS (Microsoft, RFC2716)
      • Description:
      • uses X.509 certs for auth,
      • uses SSL/TLS to pass the PKI info
      • Benefits
      • generates one-time WEP keys for each session ala LEAP.
      • Flaws or Drawbacks:
      • Needs special 802.11b driver (clients).
        • special clients are available for some Linux distros and all non-CE Windows.
      • Drawback -- requires a PKI & certs.
        • Microsoft Certificate Server and AD LDAP server can be used in an Active Directory Environment.
    • 50. Non-Proprietary Wireless Security
      • 802.1X -- EAP Authentication “bucket”
      • PEAP (Microsoft and Cisco)
      • Description:
      • Similar to EAP-TLS, but only the server presents a certificate; the TLS tunnel it sets up then carries a username/password inner authentication rather than a client cert.
      • uses SSL/TLS to pass the credentials
      • Benefits
      • generates one-time WEP keys for each session ala LEAP.
      • A client-side PKI / user certificate is not required (the authentication server still needs a certificate, and clients should validate it).
      • Flaws or Drawbacks:
      • Needs special 802.11b driver (clients).
        • special clients are available -- particularly for Windows XP SP1.
    • 51. Proprietary Wireless Security Systems
      • Aruba
      • BlueSocket
      • Ecutel
      • ReefEdge
      • Vernier
    • 52. Survey
      • Which WLAN security modes are you using (check all that apply):
      • None
      • MAC Address Filtering
      • Application Level (SSL)
      • VPN
      • Proprietary
      • WEP
      • WPA
      • 802.1x
      • 802.11i
      • EAP
      • EAP Modes:
      • EAP-MD5
      • LEAP (Cisco)
      • EAP-TLS (Microsoft, RFC2716 )
      • PEAP (Microsoft, Cisco)
      • Other EAP (EAP-SIM, TTLS)
    • 53. # of Respondents with WiFi Access?
    • 54. Publish Campus WiFi Information on Web?
    • 55. Campus WLAN Mode
    • 56. # WiFi WLAN Standards implemented
    • 57. WiFi Encryption / Authentication Modes
    • 58. 802.1X Authentication Protocols Implemented
    • 59. Commercial Secure WiFi Vendor Implementations
    • 60. WLAN / Campus Network Topology Independence
    • 61. Net Sec Access Control --Firewall between WLAN &
    • 62. VPN Session Required from WLAN to connect to:
    • 63. WLAN Data Link Layer Security Protections
    • 64. WLAN Security Counter-Measures
    • 65. WLAN Authentication 1
    • 66. WLAN Authentication 2
    • 67. WEP/WPA Encryption
    • 68. Encryption Requirement by WLAN Protocol Layer
    • 69. WLAN Policies 1
    • 70. WLAN Policies 2 - Allow WLANs outside IT?
    • 71. Interesting or Unique Practices and Findings
      • Not all devices support > 64 bit WEP so 40 bit must often be used.
      • A few campuses are moving from Cisco LEAP to PEAP or EAP-TLS.
      • Rutgers is using BlueSocket: http://ruwireless.rutgers.edu/
      • Dartmouth has widespread WiFi and VoIP over WiFi.
      • Several campuses use NoCat for both wired and wireless authentication (and thereby enable access).
    • 72. More Interesting/Unique Practices and Findings
      • Companies are marketing for-pay public WiFi access points which you can hang off of any high speed Internet connection. These boxes allow users passing by to associate and pay for access by credit card. Look for students to try to make $$$?
    • 73. Other Interesting/Unique Practices and Findings?
    • 74. Yale University - Unwritten Wireless Policy
      • Do no harm: Private Wireless Access Points which cause network disruption at Yale will be removed from the network (this includes causing interference by overlapping RF channels, etc). Use of WEP or WPA is encouraged.
      • Private Access Points should not use the Yale SSID.
      • WiFi users are encouraged to use the VPN to access critical apps or sensitive information.
      • Yale Administrative users should not use WiFi to replace wired LAN connections.
      • The above admin apps should already however be using application level security on wired networks.
    • 75. Yale School of Medicine Wireless Policy Points
      • All private WAPS need to be registered. The default SSID must be changed to something other than Yale’s and the default passwords must be changed.
      • The WAP must only allow WEP and should implement MAC address filtering.
      • It should be turned off if/when not used.
    • 76. Yale School of Medicine Wireless Policy Points
      • Official YSM WiFi Security :
      • ePHI should not be transferred unencrypted.
      • YSM ITS WLANs are changing from VPN (either PPTP or IPSEC) recommended to required. DHCP will vend an RFC 1918 private IP to the YSM WLAN. Users must authenticate to the VPN and use it to connect to any resources outside of the WLAN.
      • Clients w/o registered MAC addresses or valid VPN sessions attempting HTTP connections to addresses outside the WLAN VLAN are redirected to a web portal where documentation and software are available (but little else).
    • 77. Wireless Data Risks and Threats – What are we worried about? (repeat of slide 19)
    • 78. Wireless Security Problems
      • Default Passwords
      • Open Broadcast of SSIDs
      • No or weak encryption.
      • Lack of authentication.
      • Accidental & Malicious association w/rogue APs (M-I-T-M tampering possible).
      • Sniffing
      • Spoofing
      • Denial of Service (DoS) Attacks (Dis-association, Jamming)
      • Attacks from outside: Spammers & Worms
    • 79. Wireless Security Problems (repeat of slide 22)
    • 80. WiFi Security Pre-WPA/802.11i Guidelines for Enterprise IT
      • Disable SSID broadcasts & use non-obvious SSID
      • Use WEP.
      • Use a separate VLAN & private IP net for WLAN.
      • Firewall WLAN off from the corporate intranet.
      • Require use of a VPN to enter the corporate intranet.
      • Use MAC Address filtering -- block nonregistered
      • Force client association -- to known SSID
      • Monitor airspace -- war-walk/chalk/drive/run AND look into WiFi perimeter protection products and systems.
      • Use 802.1X Layer 2 Authentication with EAP & RADIUS
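"Monitor airspace" on the list above is the one guideline that needs tooling rather than configuration. The block below is an added example, not from the presentation: a minimal airspace monitor that walks 802.11 management frames captured by a sensor in monitor mode (fields as a capture tool would present them) and raises three of the alerts a campus would want: an evil twin (an unauthorized BSSID advertising one of our SSIDs, the rogue-AP problem on slide 20), any other AP beaconing in our space (the private APs the Yale policy slides want registered), and a deauthentication/disassociation flood (the DoS on slide 78; no WEP/WPA/802.11i setting protects these frames). The SSIDs, BSSIDs and frames are constructed.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class MgmtFrame:
    ts: float
    subtype: str      # "beacon", "probe-resp", "deauth", "disassoc", ...
    bssid: str
    src: str
    dst: str
    ssid: str = ""
    channel: int = 0


def monitor_airspace(frames, our_ssids, authorized_bssids, deauth_threshold=10, window=1.0):
    """Returns (ts, alert, detail) tuples:
      evil-twin    : beacon/probe-resp carrying one of OUR SSIDs from a BSSID not in the inventory
      unknown-ap   : any other AP beaconing in our airspace (reported once per BSSID)
      deauth-flood : more than `deauth_threshold` deauth/disassoc frames for one BSSID
                     inside `window` seconds (reported once per BSSID)"""
    alerts = []
    seen_aps = set()
    recent = defaultdict(deque)       # bssid -> timestamps of recent deauth/disassoc frames
    flood_reported = set()
    for f in sorted(frames, key=lambda x: x.ts):
        if f.subtype in ("beacon", "probe-resp"):
            if f.bssid in authorized_bssids or f.bssid in seen_aps:
                continue
            seen_aps.add(f.bssid)
            kind = "evil-twin" if f.ssid in our_ssids else "unknown-ap"
            alerts.append((f.ts, kind, f"{f.bssid} advertises '{f.ssid}' on channel {f.channel}"))
        elif f.subtype in ("deauth", "disassoc"):
            q = recent[f.bssid]
            q.append(f.ts)
            while q and f.ts - q[0] > window:
                q.popleft()
            if len(q) > deauth_threshold and f.bssid not in flood_reported:
                flood_reported.add(f.bssid)
                alerts.append((f.ts, "deauth-flood",
                               f"{len(q)} deauth/disassoc frames for {f.bssid} within {window}s"))
    return alerts


BCAST = "ff:ff:ff:ff:ff:ff"
# Constructed capture: our AP, an evil twin of our SSID, a private 'linksys' AP,
# then a burst of spoofed deauths "from" our AP to everyone.
SAMPLE = (
    [MgmtFrame(0.0, "beacon", "00:11:22:33:44:01", "00:11:22:33:44:01", BCAST, "CampusWiFi", 6)]
    + [MgmtFrame(0.5, "beacon", "de:ad:be:ef:00:01", "de:ad:be:ef:00:01", BCAST, "CampusWiFi", 6)]
    + [MgmtFrame(0.7, "beacon", "00:aa:bb:cc:dd:ee", "00:aa:bb:cc:dd:ee", BCAST, "linksys", 11)]
    + [MgmtFrame(10.0 + i * 0.02, "deauth", "00:11:22:33:44:01", "00:11:22:33:44:01", BCAST)
       for i in range(30)]
)


if __name__ == "__main__":
    for alert in monitor_airspace(SAMPLE, {"CampusWiFi"}, {"00:11:22:33:44:01"}):
        print(alert)
```

The authorized BSSID list is the inventory you already need for the "register private WAPs" policy on slide 75; without it, every evil-twin alert is indistinguishable from a newly installed campus AP.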
    • 81. WPA (WiFi Protected Access) (repeat of slide 38)
    • 82. What WPA and 802.11i Provide:
      • Strong integrity.
      • Strong encryption
        • Particularly AES vs. WEP encryption implementation
        • Dynamic Key Generation/Re-generation
      • Strong authentication capability (w/802.1X/EAP).
      • Increased DoS (Denial of Service) protection - particularly against Dis-association attacks. (Caveat: 802.11i does not authenticate management frames, so spoofed deauthentication/disassociation remained possible; that was addressed later by 802.11w.)
    • 83. What is WPA2?
      • WPA2 == 802.11i
      • WPA2 & 802.11i include AES
      • WPA2 is basically (WPA + AES).
      • WPA does not include AES; it uses TKIP (RC4 with per-packet keys and a MIC). WPA was still regarded as secure at the time of this talk.
      • AES is a FIPS-approved cipher (FIPS 197), needed for the FIPS 140-2 validated crypto required by some Gov’t agencies.
      • AES can require new hardware or hardware upgrades as it can require a new dedicated crypto chip.
      • Several WiFi vendors are now ‘WPA2’ compliant.
    • 84. Conclusions
      • Few using WEP, some are now starting to evaluate WPA (and wait for 802.11i).
      • Some use of commercial solutions (Vernier, Aruba, some ReefEdge and BlueSocket)?
      • Some interest is beginning in ‘network admissions’ programs (require both authentication and a network scan, à la UCONN’s NetReg modifications) for both wired and wireless LANs: Cisco, Perfigo, StillSecure and Bradford Campus Manager.
    • 85. Questions