Considering WLAN as an alternative access methodology, remember that the services
these WLAN users access are often the same as those accessed by the wired users.
WLANs potentially open many new attack vectors for hackers, and you should consider
the risks before deployment.
To enhance security, you can implement WLANs with IPsec VPN software, use the IEEE
802.1X-2001 port-based access control protocol, and use WPA.
IEEE 802.1X-2001 Port-Based Authentication
IEEE 802.1X-2001 is a port-based authentication standard for LANs. It authenticates a
user before allowing access to the network. You can use it on Ethernet, Fast Ethernet, and
WLAN networks.
With IEEE 802.1X-2001, client workstations run client software to request access to services. Clients use EAP to communicate with the LAN switch. The LAN switch verifies
client information with the authentication server and relays the response to the client.
LAN switches use a Remote Authentication Dial-In User Service (RADIUS) client to communicate with the server. The RADIUS authentication server validates the client's identity
and authorizes the client. But note that it does not provide encryption privacy. The server
uses RADIUS with EAP extensions to make the authorization.
Dynamic WEP Keys and LEAP
Cisco also offers dynamic per-user, per-session WEP keys to provide additional security
over statically configured WEP keys, which are not unique per user. For centralized user-
based authentication, Cisco developed LEAP. LEAP uses mutual authentication between
the client and the network server and uses IEEE 802.1X for 802.11 authentication messaging. LEAP can be used with the Temporal Key Integrity Protocol (TKIP) rather than
WEP to overcome the weaknesses of WEP. LEAP uses a RADIUS server to manage user
information.
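To make the three-party flow concrete (the 802.1X relay described in the previous section, and the per-user, per-session key that the server returns at the end of a successful exchange), here is a small Python model. It is an added illustration, not code from the book or from any Cisco product: the user database, the message names, the challenge/response step and the way the session key is generated are all simplified stand-ins for a real EAP method, chosen only to show who talks to whom and who makes the decision.

```python
"""Toy three-party model of the 802.1X / EAP / RADIUS exchange.

Supplicant (client) <-EAPOL-> Authenticator (switch or AP) <-RADIUS-> Auth server.
The authenticator never checks the credential; it relays EAP inside RADIUS
Access-Request messages and opens its controlled port only on Access-Accept,
at which point the server also hands it a fresh per-session key.
The challenge/response below is a stand-in, not a real EAP method.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

USER_DB = {"alice": "correct horse battery staple"}  # constructed sample users


@dataclass
class Message:
    sender: str     # "supplicant", "authenticator" or "radius"
    transport: str  # "EAPOL" (client <-> switch) or "RADIUS" (switch <-> server)
    kind: str       # e.g. "EAP-Response/Identity", "Access-Accept"
    payload: dict = field(default_factory=dict)


def _prove(password: str, challenge: bytes) -> str:
    """Stand-in for an EAP method's challenge/response (not a real method)."""
    return hmac.new(password.encode(), challenge, hashlib.sha256).hexdigest()


class RadiusServer:
    """Holds the user database and makes the accept/reject decision."""

    def __init__(self, users: dict):
        self.users = users
        self.pending = {}  # identity -> outstanding challenge

    def handle(self, req: Message) -> Message:
        eap = req.payload
        if eap["kind"] == "EAP-Response/Identity":
            challenge = secrets.token_bytes(16)
            self.pending[eap["identity"]] = challenge
            return Message("radius", "RADIUS", "Access-Challenge",
                           {"kind": "EAP-Request/Challenge", "challenge": challenge})
        if eap["kind"] == "EAP-Response/Challenge":
            identity, proof = eap["identity"], eap["proof"]
            challenge, password = self.pending.pop(identity, None), self.users.get(identity)
            if challenge and password and hmac.compare_digest(_prove(password, challenge), proof):
                # Per-user, per-session key handed to the authenticator (cf. dynamic WEP/TKIP keys).
                return Message("radius", "RADIUS", "Access-Accept",
                               {"kind": "EAP-Success", "session_key": secrets.token_hex(16)})
        return Message("radius", "RADIUS", "Access-Reject", {"kind": "EAP-Failure"})


class Supplicant:
    """Client software that answers EAP requests relayed by the authenticator."""

    def __init__(self, identity: str, password: str):
        self.identity, self.password = identity, password

    def respond(self, eap_req: dict) -> dict:
        if eap_req["kind"] == "EAP-Request/Identity":
            return {"kind": "EAP-Response/Identity", "identity": self.identity}
        if eap_req["kind"] == "EAP-Request/Challenge":
            return {"kind": "EAP-Response/Challenge", "identity": self.identity,
                    "proof": _prove(self.password, eap_req["challenge"])}
        raise ValueError(f"unexpected EAP request {eap_req['kind']}")


class Authenticator:
    """LAN switch or AP: owns the controlled port, relays EAP, checks nothing itself."""

    def __init__(self, server: RadiusServer):
        self.server = server
        self.port_authorized = False
        self.session_key = None
        self.transcript = []

    def authenticate(self, client: Supplicant) -> bool:
        self.port_authorized, self.session_key, self.transcript = False, None, []
        self.transcript.append(Message("supplicant", "EAPOL", "EAPOL-Start"))
        eap_req = {"kind": "EAP-Request/Identity"}
        self.transcript.append(Message("authenticator", "EAPOL", eap_req["kind"], eap_req))
        while True:
            eap_resp = client.respond(eap_req)
            self.transcript.append(Message("supplicant", "EAPOL", eap_resp["kind"], eap_resp))
            # Relay: the EAP response rides inside a RADIUS Access-Request to the server.
            radius_req = Message("authenticator", "RADIUS", "Access-Request", eap_resp)
            radius_resp = self.server.handle(radius_req)
            self.transcript += [radius_req, radius_resp]
            eap = radius_resp.payload
            if radius_resp.kind == "Access-Accept":
                self.session_key = eap["session_key"]
                self.port_authorized = True  # controlled port opens only here
            # Forward the EAP part only; the session key never leaves the wired side.
            eap_req = {k: v for k, v in eap.items() if k != "session_key"}
            self.transcript.append(Message("authenticator", "EAPOL", eap_req["kind"], eap_req))
            if radius_resp.kind != "Access-Challenge":
                return self.port_authorized


def run_session(identity: str, password: str, users: dict = USER_DB):
    """Run one 802.1X session; returns (authorized, session_key, transcript)."""
    auth = Authenticator(RadiusServer(users))
    ok = auth.authenticate(Supplicant(identity, password))
    return ok, auth.session_key, auth.transcript


def identities_visible_on_air(transcript) -> list:
    """Identity strings carried unprotected on the EAPOL leg (802.1X adds no privacy)."""
    return [m.payload["identity"] for m in transcript
            if m.transport == "EAPOL" and "identity" in m.payload]


if __name__ == "__main__":
    for user, pw in [("alice", "correct horse battery staple"), ("alice", "wrong"), ("mallory", "x")]:
        ok, key, log = run_session(user, pw)
        print(f"{user}: authorized={ok} key={'set' if key else None} msgs={len(log)}")
```

Two points the model makes visible: the switch or access point only changes its port state on the server's verdict, which is why the WLAN depends on reachable RADIUS and DHCP servers; and the identity travels over the EAPOL leg unprotected, which is the "no encryption privacy" caveat above and the reason a separate key (here the per-session key returned in Access-Accept) is needed for confidentiality.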
LEAP is a combination of 802.1X and EAP. It combines the capability to authenticate to
various servers such as RADIUS with forcing the WLAN user to log on to an access point
that compares the logon information to RADIUS. This solution is more scalable than
MAC address filtering.
Because the WLAN access depends on receiving an address, using Dynamic Host
Configuration Protocol (DHCP), and the authentication of the user using RADIUS,
the WLAN needs constant access to these back-end servers. In addition, LEAP does
not support one-time passwords (OTP), so you must use good password-security
practices. The password issue and maintenance practice are a basic component of
corporate security policy.
Controlling WLAN Access to Servers
In the same way you place Domain Name System (DNS) servers accessible via the Internet
on a demilitarized zone (DMZ) segment, you should apply a similar strategy to the RADIUS and DHCP servers accessible to the WLAN. These servers should be secondary