Standard Interoperable Security

With the ever increasing reliance on information systems, information security has become one of the key requirements regardless of the application. The classic definition of information security includes confidentiality, integrity and availability (CIA). Confidentiality ensures that only authorized parties can access information, integrity provides protection against data modification, and availability guarantees that the data is available when and where needed. Besides CIA, system administrator authentication, user access, data storage, and encryption are other aspects that must be addressed to provide a comprehensive solution to network security.

Security in Wireless Networks

Wireless networks are more vulnerable than wired networks because, among other things, their physical boundary cannot be easily controlled and they can also act as a means of access to the wired network. Hence, understanding and implementing the right level of security is paramount to protecting sensitive information. Although the emphasis here is on wireless LANs, the concepts discussed apply to any wireless network. Since wireless networks provide open access, access control is a key component of wireless security.

In the early years of WLAN deployment a security algorithm called Wired Equivalent Privacy (WEP) was defined. WEP emphasized data encryption with either no authentication or authentication based on a pre-shared key. WEP proved to be vulnerable to intrusion and is no longer a recommended security mechanism. Enhancements to WEP led to Wi-Fi Protected Access (WPA), which improves the authentication and encryption mechanisms. The first version of WPA used TKIP (Temporal Key Integrity Protocol). Although it addressed some of the weaknesses of WEP through features such as a message integrity check, per-packet key hashing, broadcast key rotation, a sequence counter, and a key mixing function that prevents key recovery, it still had vulnerabilities because it used the same underlying encryption algorithm as WEP (the RC4 stream cipher). A more robust encryption algorithm based on AES (Advanced Encryption Standard), AES-CCMP, led to WPA2. WPA2 may be used in combination with a pre-shared key or the more robust EAP (Extensible Authentication Protocol) for authentication and key agreement. EAP-TLS (Transport Layer Security) makes use of digital certificates and offers the highest protection compared to other EAP methods.

Levels of Security

Wireless networks implement security to prevent unauthorized access to information and provide one level of protection against intrusion. Wired networks have also evolved with various security solutions applied at different layers of the seven-layer OSI model. The wireless security discussed so far (WPA2) operates at layer 2 of the OSI model. A very popular security protocol at layer 3 (for IP) is IPsec (Internet Protocol Security). IPsec is a rich protocol suite that provides authentication, data confidentiality and data integrity for IP traffic. The combination of integrity and authentication provides non-repudiation. IPsec authenticates endpoints as well as each IP packet, and also prevents replay attacks. End-to-end encryption mechanisms that operate at layer 7 (Application) of the OSI model provide further protection against man-in-the-middle attacks. Some commonly used protocols at this layer are SSH and TLS/SSL. HTTPS is HTTP over TLS/SSL.

Security Infrastructure

A complete security solution requires certain key infrastructure components for issuing and maintaining certificates and for authentication. Public Key Infrastructure (PKI) enables the use of public networks, including the Internet, to exchange information securely and privately through the use of digital certificates. PKI defines the set of policies, procedures, hardware/software and organization needed to issue, use, store, and revoke digital certificates. A digital certificate uses an electronic signature to bind a public key to an identity (name, address, organization, and other identity parameters) and serves as a verification of an end user's identity. Certificates are issued by a Certificate Authority (CA), which vouches for the certificate's authenticity. Wireless LAN clients, such as laptop computers and mobile devices, must request and install certificates on the device and present them when requesting access to the WLAN.

AAA servers authenticate an end user (the supplicant) when a request for access to the network is received by the authenticator. If the user is allowed access, the AAA server (authentication server) authorizes the appropriate level of access (that is, allowed IP address, priority, VLAN parameters, and so on) and performs the accounting function to measure and record the activity of the user. RADIUS (Remote Authentication Dial In User Service) is a networking protocol used to provide a centralized AAA service.

Security Standards

Security standards are maintained by standards bodies according to their technology affiliations. The WLAN suite of standards is primarily defined by the IEEE (Institute of Electrical and Electronics Engineers) as the 802.11 suite. The 802.11 standard specifies the 802.11i extension for data confidentiality. The 802.11i extension details the encryption algorithms for WLAN use and mandates the use of WPA2. For authentication, 802.11 calls for use of the 802.1X standard, which defines the roles in the authentication process: the supplicant, the authenticator, and the authentication server. In this model the authenticator acts as an agent that authenticates a supplicant's access request with an authentication server before granting (or denying) access.

The IPsec suite is standardized and maintained by the IETF (Internet Engineering Task Force). The IPsec suite is defined by a set of RFCs (Requests for Comments) that specify the architecture, the ESP (Encapsulating Security Payload) protocol, the AH (Authentication Header) protocol, the encryption algorithms, the authentication algorithms and the key management mechanisms. There are several other security standards, but these two are the most relevant for WLAN networks.

What Is Important

When evaluating a product or solution that must meet the security needs of a wireless network, there are several factors to consider. Performance is one of the key aspects of availability of information. Wireless networking technologies strive to meet high bandwidth demands, so it is important that the security implementation does not become a bottleneck. Most software-based security solutions are feature rich but fail to meet the required performance standards, especially under high traffic conditions. Hardware cryptographic implementations not only provide superior and consistent performance, they also offer a higher grade of security through features such as True Random Number Generation (TRNG) and tamper-proof algorithms.

Wireless security solutions need to comply with security standards and be accredited by organizations such as the National Institute of Standards and Technology (NIST, FIPS 140 accreditation), the NSA and the Wi-Fi Alliance. Compliance with standards not only provides the required level of assurance but also ensures that products are interoperable with other standard products. Interoperability among network elements and with security infrastructure equipment is vital to ensure that the security goals are met through diversity and the ability to procure commercial off-the-shelf systems. Interoperability among network elements must be verified at every OSI layer that the network elements support. For example, for layer 2 WLAN security it is important to check the 802.11i and 802.1X implementations, for layer 3 it is necessary to verify IPsec interoperability, and for layer 7 it is necessary to verify the TLS/SSL and SSH protocols. The ability to work with various Certificate Authorities, RADIUS server implementations, secure clients, Internet browsers and third-party management software is also an essential aspect to consider. Advanced encryption algorithms that are approved under, and meet the goals of, the cryptographic interoperability strategy specified by the National Security Agency (NSA) are essential for certain key applications. The NSA approves the use of Suite B cryptography to protect classified information up to the SECRET level.

Fortress's Security

Fortress products support one of the most advanced security implementations in the industry. All Fortress products support the following security features:

Hardware crypto implementation using a Fortress-designed FPGA
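The certificate binding described in the Security Infrastructure section above, as an added Go example that is not part of the original page or of any Fortress product: a CA issues a client certificate that binds a public key to a client identity, and the authentication server's check (the one an EAP-TLS authentication server performs on a supplicant's certificate) accepts that certificate but rejects one issued by a CA it does not trust. The names "WLAN Root CA", "Rogue CA" and "laptop-01", the P-256 keys and the one-day validity period are constructed for the example.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // key generation or certificate encoding failing is fatal in this demo
	}
	return v
}

// template is a one-day certificate for cn: CertSign usage makes it a CA, ClientAuth a WLAN client (EAP-TLS).
func template(cn string, usage x509.KeyUsage, ext ...x509.ExtKeyUsage) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: usage&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true, KeyUsage: usage, ExtKeyUsage: ext}
}

// issue generates a key pair for t and has parent sign the binding of that public key to t's identity.
func issue(t, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parentKey == nil { // self-signed root CA: the subject signs with its own new key
		parent, parentKey = t, key
	}
	der := must(x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// verifyClient is the authentication server's check: chain to the trusted root, validity period, client-auth usage.
func verifyClient(client, root *x509.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := client.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// demo returns nil for a client certificate from the trusted CA and an error for one from a rogue CA (constructed names).
func demo() (trustedErr, rogueErr error) {
	root, rootKey := issue(template("WLAN Root CA", x509.KeyUsageCertSign), nil, nil)
	rogue, rogueKey := issue(template("Rogue CA", x509.KeyUsageCertSign), nil, nil)
	good, _ := issue(template("laptop-01", x509.KeyUsageDigitalSignature, x509.ExtKeyUsageClientAuth), root, rootKey)
	bad, _ := issue(template("laptop-01", x509.KeyUsageDigitalSignature, x509.ExtKeyUsageClientAuth), rogue, rogueKey)
	return verifyClient(good, root), verifyClient(bad, root)
}
```

In a deployment the trusted root comes from the authentication server's certificate store rather than being generated in-process, and the server additionally checks the CA's revocation data (CRL or OCSP) before granting access.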