Overview of Wireless LAN Technologies

Minimum specification for the Secure Deployment of Wireless Local Area Networks (WLANs) on the dawn2 Network
Version: Draft Version Q3.7
Status: Final – Awaiting approval by NADB
Lead Author: C. Lloyd-Jones
Date: 10th January 2007
Page 1 of 17
Reviewers:
This document has been reviewed by the following (Name / Date):
  WLAN Security Standards Group
  Heads of IM&T Group
Approvers:
This document has been approved by the following (Name / Date):
  National Architecture Design Board
Forecast changes (Anticipated Change / Date):
  Annual Review / January 2008
Contents
1 Introduction ..... 4
1.1 Assumed reader knowledge ..... 4
1.2 Background ..... 4
1.3 Disclaimer ..... 4
2 Overview of Wireless LAN Technologies ..... 5
3 General Security Principles for Wireless LANs ..... 6
3.1 Physical considerations ..... 6
3.2 Technological considerations ..... 6
3.2.1 Wireless encryption ..... 6
3.2.2 Wireless network authentication ..... 7
3.2.3 Identifying authorised devices ..... 8
4 Practical Steps for Securing Wireless LANs ..... 9
4.1 Encryption ..... 9
4.2 Authentication ..... 9
4.2.1 EAP protocols ..... 9
4.3 Device authentication ..... 12
4.4 Access control lists / Firewalls ..... 12
4.5 Intrusion detection ..... 12
4.6 Virtual Private Networks ..... 12
4.7 Auditing ..... 13
4.8 Penetration testing ..... 13
5 General Deployment Guidelines ..... 14
5.1 Site surveys ..... 14
5.2 High availability ..... 14
5.3 Access Point security ..... 14
5.4 Hardware ..... 15
5.5 Policies ..... 15
Glossary ..... 16
1 Introduction
This document describes security measures that must be followed when deploying Wireless
LANs within sites connected to dawn2 (NHS Wales’ Network). It does not cover public
access wireless networks, or site to site (including building to building) wireless links. You
will find guidance on:
• The minimum standards for Wireless Local Area Networks (WLANs) deployed within
  dawn2 connected networks.
• The procedures and mechanisms for the control of Wireless Local Area Networks in
  an NHS Wales environment.
This document is based on the following two documents:
• Connecting for Health’s “Wireless Local Area Network (WLAN) Technologies: Good
  Practice Guidelines”,
• Informing HealthCare’s “Guidance for the Secure Implementation of Wireless
  Networking”
1.1 Assumed reader knowledge
A general familiarity with the possibilities of wireless LAN technologies and I.T. security
principles is assumed.
1.2 Background
dawn2 is a private network. Connection is therefore strictly limited to authorised endpoints.
All organisations wishing to make a new connection to dawn2 are responsible for ensuring
that their connection to dawn2 does not compromise the security measures already in place.
Trust Chief Executives have signed up to a “Code of Connection” agreement which is
designed to ensure the on-going integrity of dawn2. Information is often unencrypted when
transmitted over the network, so the confidentiality of sensitive information within dawn2
cannot automatically be assumed. It is therefore imperative that Wireless LANs are deployed
in a manner that does not compromise the integrity and availability of dawn2.
1.3 Disclaimer
Reference to any specific commercial product, process or service by trade name, trademark
manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation,
or favouring by Informing HealthCare. The views and opinions of authors expressed within
this document shall not be used for advertising or product endorsement purposes. Informing
HealthCare shall also accept no responsibility for any errors or omissions contained within
this document. In particular, Informing HealthCare shall not be liable for any loss or damage
whatsoever, arising from the usage of information contained in this document.
2 Overview of Wireless LAN Technologies
IEEE 802.11 or Wireless Fidelity (Wi-Fi) denotes a set of Wireless LAN (WLAN) standards,
covering six over-the-air modulation techniques, plus a series of enhancements. The most
popular and widespread standards are those defined by the (a), (b), and (g) amendments.
IEEE 802.11b and 802.11g utilise the unlicensed 2.4GHz band, originally reserved for
industrial, scientific and medical (ISM) use. As such, the 2.4GHz band is slightly more
susceptible to interference than the 5GHz band used by 802.11a.
The 802.11(a), (b) or (g) set of standards offer various levels of network performance and
coverage. The following table details the currently available standards. The typical indoor
range is based on using omni-directional aerials. Coverage can be extended by using
alternative aerials from the various WLAN hardware manufacturers.
IEEE Standard | Operating Frequency | Available Data Rates (Mbps) | Number of channels in UK | Number of non-overlapping channels | Typical Indoor Range¹
802.11a | 5 GHz | (OFDM) 54, 48, 36, 24, 18, 12, 9, 6 | 12 (8 for indoor and 4 point-to-point) | 12 (8 for indoor) | 21m at 54 Mbps
802.11b | 2.4 GHz | (DSSS) 11, 5.5, 2, 1 | 13 | 3 | 30m at 11 Mbps
802.11g | 2.4 GHz | (OFDM) 54, 48, 36, 24, 18, 12, 9, 6; (DSSS) 11, 5.5, 2, 1 | 13 | 3 | 27m at 54 Mbps
802.11i is an amendment to the 802.11 standard and specifies security mechanisms for
Wireless Networks. WPA and WPA2 are trademarks of the Wi-Fi Alliance. All products that
are Wi-Fi CERTIFIED™ for WPA2 are based on the IEEE 802.11i standard. WPA is based
on a sub-set of an 802.11i draft amendment.
802.11n is a proposed standard and is currently estimated to be approved in July 2007. This
uses Multiple-Input Multiple-Output (MIMO) technology for increasing data throughput and
range.
¹ Figures from www.cisco.com. These are typical operating distances. Eavesdropping can be achieved from much further
away.
3 General Security Principles for Wireless LANs
3.1 Physical considerations
It is important to deploy wireless networks with the same care and diligence as would be
given to setting up a wired network infrastructure. Although precise implementation details
vary between manufacturers, the following are common steps that, when taken, assist in the
proper installation and operation of wireless equipment:
• Consider signal dispersion issues when choosing access points. Seek advice from
  equipment vendors on suitable positioning, suitable antennae and signal
  configuration parameters.
• Reduce the radiation of signals outside the building perimeter by using a higher
  number of access points at moderate power levels. This is preferable to configuring
  access points with high power to obtain maximum coverage from fewer devices.
• Ensure that the connection of wireless access points to the wired network
  infrastructure is via individual switched Ethernet network ports - not by connection to
  an Ethernet hub. This will help to prevent the propagation of unnecessary data onto
  the wireless network from the wired network.
• Consider the physical security of the WLAN access points and clients. Steps should
  be taken to ensure that they are not easily stolen or damaged.
3.2 Technological considerations
Wireless LAN technologies, while offering significant benefits, present unique security
challenges compared to their wired counterparts. Organisations should be aware that
operating and maintaining a secure wireless network is an ongoing process which potentially
requires greater effort than that required for other networks and systems. When deploying
wireless technologies, it is important that organisations assess risks more frequently as well
as testing and evaluating system security controls.
All wireless networks should utilise both encryption and authentication in order to
mitigate the risks of unauthorised access and network eavesdropping. Wireless LAN
standards incorporate support for security functionality which needs configuring
when deploying wireless devices.
A number of factors determine the level of support for each method of encryption or
authentication: hardware vendor, firmware or software level, operating system vendor and
operating system version. However, such issues are outside the scope of this guide; please
refer to your selected hardware and software support organisations for further information.
3.2.1 Wireless encryption
By nature of design, wireless networks broadcast messages using radio technology. This
makes them more susceptible to eavesdropping than wired networks. It is important to use
network-level encryption to secure all traffic sent across radio-based network mediums such
as Wireless LANs. Several encryption standards are available as enhancements to the
802.11 standards. The most popular are Wired Equivalent Privacy (WEP), Wi-Fi Protected
Access (WPA) and WPA2.
The WEP encryption method has a number of well publicised vulnerabilities. As such
its use is prohibited as it does not provide a sufficient level of wireless LAN
encryption. Any existing devices using WEP should be disconnected from the
network, or upgraded to WPA or WPA2.
WPA addresses many of the weaknesses found in WEP, while also adding further features
to enhance security across wireless networks. WPA offers support for strong encryption and
various authentication mechanisms, offering protection from unauthorised access. WPA
uses the Temporal Key Integrity Protocol (TKIP) for encryption and employs IEEE 802.1X
authentication with one of the standard Extensible Authentication Protocol (EAP) types
currently available.
The newer Wi-Fi Protected Access 2 (WPA2) standard uses the same 802.1X/EAP
authentication framework as WPA. It replaces TKIP and its Michael message integrity code
with an encryption scheme based on the Advanced Encryption Standard (AES-CCMP), which
provides both confidentiality and message integrity. Enterprises running the existing WPA
encryption will be able to upgrade to WPA2 in a secure and gradual manner, using the WPA2
mixed-mode functionality available within the protocol.
IT Managers should ensure that WPA2 is available for all new purchases of wireless
equipment. Please seek assistance from hardware vendors regarding existing installations
as many manufacturers offer updated firmware to add WPA and WPA2 support to existing
equipment.
3.2.2 Wireless network authentication
The use of EAP with 802.1X, with an EAP method that authenticates both parties (the
TLS-based methods in Section 4.2.1), creates a mutual-authentication framework in which
clients are challenged to authenticate against an authentication server, and vice-versa. This
ensures that only authorised users can access the network, and that clients do not
inadvertently connect to a ‘rogue access point’² (provided the client is configured to validate
the authentication server’s certificate rather than accept any certificate presented to it).
Below is a basic description of the process that occurs before a WLAN client is allowed to
communicate with the wired network:
• The WLAN client (known in 802.1X terms as the Supplicant) associates with the
  access point (the Authenticator). Until authentication completes, the access point
  forwards only EAP traffic from the client.
• The access point challenges the WLAN client for authentication credentials.
• The access point passes the credentials to an Authentication Server. This is
  usually a RADIUS server.
• The client authenticates the Authentication Server using a similar process.
• If both sides accept the credentials, the client and the Authentication Server derive a
  master key; the server passes it to the access point, and the access point and client
  then derive fresh session keys from it.
• Data sent between the access point and the client is encrypted using the session keys.
  These keys are automatically changed periodically.
This process protects the confidentiality and integrity of traffic on the wireless network and
keeps unauthorised devices off it.
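The key-derivation steps described above, worked through in Python as an added example (it is not part of the original guidance and is not code from any vendor named on this page). It implements the IEEE 802.11i key hierarchy: the PRF that expands the Pairwise Master Key (PMK) and the two handshake nonces into the Pairwise Transient Key (PTK), and the HMAC-SHA1 integrity check on EAPOL-Key messages by which the access point confirms the client holds the same key. Running both sides in one process shows that the same PMK yields different traffic keys for every association and that a handshake message modified in flight is rejected. The PSK derivation is included only to illustrate why Section 4.2 prohibits pre-shared keys: every device on the SSID holds the identical PMK. The MAC addresses, nonces and frame contents are constructed; in an 802.1X deployment the PMK comes from the EAP exchange, not from a passphrase.

```python
"""WPA2/IEEE 802.11i key derivation and EAPOL-Key MIC check (added example)."""
import hashlib
import hmac
import os


def pmk_from_psk(passphrase: str, ssid: str) -> bytes:
    """WPA-Personal only: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32 bytes).
    Every device on the SSID derives the identical PMK, so one lost device
    exposes the key protecting everyone (the reason Section 4.2 prohibits PSK).
    With 802.1X/EAP the PMK instead comes from the EAP master session key."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """IEEE 802.11i PRF-n: HMAC-SHA1(K, A || 0x00 || B || i) for i = 0, 1, ...
    concatenated and truncated to n bits."""
    out, i = b"", 0
    while len(out) * 8 < nbits:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[: nbits // 8]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK = PRF-384(PMK, "Pairwise key expansion",
                     Min(AA,SPA) || Max(AA,SPA) || Min(ANonce,SNonce) || Max(ANonce,SNonce))
    for CCMP, split into KCK (EAPOL MIC key), KEK (wraps the group key) and TK (data key)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 384)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


# EAPOL-Key field offsets: 4-byte EAPOL header, then descriptor type (1), key info (2),
# key length (2), replay counter (8), nonce (32), IV (16), RSC (8), key ID (8), MIC (16).
NONCE_OFF = 4 + 1 + 2 + 2 + 8
MIC_OFF = NONCE_OFF + 32 + 16 + 8 + 8


def build_msg2(snonce: bytes, key_data: bytes) -> bytes:
    """Handshake message 2 (supplicant -> authenticator) with the MIC field still zero.
    Field values other than the layout are constructed for the example."""
    body = (b"\x02"                            # Key Descriptor Type: RSN
            + (0x010A).to_bytes(2, "big")      # Key Info: descriptor version 2, Pairwise, MIC present
            + (0).to_bytes(2, "big")           # Key Length (0 in message 2)
            + (1).to_bytes(8, "big")           # Key Replay Counter
            + snonce                           # Key Nonce = SNonce
            + bytes(16) + bytes(8) + bytes(8)  # Key IV, Key RSC, Key ID (unused here)
            + bytes(16)                        # Key MIC, filled in by sign_frame()
            + len(key_data).to_bytes(2, "big") + key_data)
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body  # EAPOL v2, type Key


def eapol_key_mic(kck: bytes, frame: bytes) -> bytes:
    """Descriptor version 2 (AES-CCMP): HMAC-SHA1 over the frame with the MIC
    field zeroed, truncated to 16 bytes."""
    zeroed = frame[:MIC_OFF] + bytes(16) + frame[MIC_OFF + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def sign_frame(kck: bytes, frame: bytes) -> bytes:
    return frame[:MIC_OFF] + eapol_key_mic(kck, frame) + frame[MIC_OFF + 16:]


def verify_frame(kck: bytes, frame: bytes) -> bool:
    # constant-time compare so a MIC oracle does not leak byte by byte
    return hmac.compare_digest(eapol_key_mic(kck, frame), frame[MIC_OFF:MIC_OFF + 16])


def four_way_handshake(pmk: bytes, aa: bytes, spa: bytes, tamper: bool = False) -> dict:
    """Run supplicant and authenticator in one process and report whether the
    authenticator accepts message 2.  Returns the authenticator's view of the keys."""
    anonce, snonce = os.urandom(32), os.urandom(32)  # message 1 carries ANonce to the client
    rsn_ie = bytes.fromhex("30140100000fac040100000fac040100000fac010000")  # CCMP/CCMP/802.1X
    sta = derive_ptk(pmk, aa, spa, anonce, snonce)
    msg2 = sign_frame(sta["kck"], build_msg2(snonce, rsn_ie))
    if tamper:  # flip one bit of the SNonce in flight
        msg2 = msg2[:NONCE_OFF] + bytes([msg2[NONCE_OFF] ^ 0x01]) + msg2[NONCE_OFF + 1:]
    # The authenticator derives its PTK from the SNonce it actually received, then checks the MIC.
    rx_snonce = msg2[NONCE_OFF:NONCE_OFF + 32]
    ap = derive_ptk(pmk, aa, spa, anonce, rx_snonce)
    return {"accepted": verify_frame(ap["kck"], msg2), "tk": ap["tk"]}


if __name__ == "__main__":
    pmk = os.urandom(32)  # stands in for the EAP-derived PMK
    aa, spa = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    print("genuine message 2 accepted:", four_way_handshake(pmk, aa, spa)["accepted"])
    print("tampered message 2 accepted:", four_way_handshake(pmk, aa, spa, tamper=True)["accepted"])
```

Two points the code makes concrete: the Min/Max ordering of addresses and nonces is what lets both sides arrive at the same PTK without agreeing who goes first, and the traffic key (TK) differs on every association even when the PMK does not, which is the "key is automatically changed" property the list above refers to.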
² A ‘rogue’ access point is one that has been installed by an employee without approval from the I.T.
department, or one that has been installed with malicious intent (e.g. by a hacker).
Essentially, a WLAN connection can be regarded as a ‘dial-up’ connection to dawn2.
Normally, this type of connection requires two-factor authentication, such as a PIN in
conjunction with a One Time Password (OTP) generator, e.g. a SecurID token. This control
has been considered for WLANs, but the challenge is to make it slick enough to be used in
those areas where a single WLAN connected device is in constant use by several members
of staff.
The NHS in Wales has agreed to the principle of two-factor authentication for access to
medical/clinical information systems. Implementation models for this are currently being
worked on by IHC. When implemented, it is intended that this two-factor authentication
service will also be used to authenticate users to the WLAN.
In the meantime, existing user credentials held in the user accounts database (e.g. Active
Directory) should be used to authenticate users onto the network infrastructure. It is
therefore important to maintain good username and password policies which include factors
such as strong passwords and time-based password aging.
The confidentiality and integrity of a wireless network is only as strong as the access
credentials used to authenticate.
3.2.3 Identifying authorised devices
It is important to ensure that only devices which have been authorised by the I.T. department
are allowed to connect to the Wireless LAN. This can be achieved in one of two ways:
• By using the Media Access Control (MAC) address. Every wireless network device
  will have a unique MAC address. As such, filters can be applied which will only allow
  approved MAC addresses to connect to the WLAN. The MAC address is sent in
  clear text over the Wireless Network and therefore approved MAC addresses can be
  obtained by a potential hacker. Additionally, it is possible to ‘spoof’ a MAC address,
  and therefore a hacker could use this technique to overcome MAC address security.
  As such, while MAC address security provides an additional layer of protection, it
  should only be used in conjunction with an additional authentication method as
  described in Section 3.2.2.
• By using an authentication method that relies on having a certificate (or equivalent)
  stored on the Wireless LAN client device, e.g. using EAP-TLS as described in
  Section 4.2.1.1.
4 Practical Steps for Securing Wireless LANs
Wireless LANs can offer extensive benefits, particularly where members of staff need
constant access to information from a number of locations within a campus area. Wireless
networking offers a great deal of flexibility to the user. However, this flexibility requires
balancing against strong security which protects the infrastructure. The steps detailed below
describe practical measures that should be used when deploying Wireless LANs within sites
connected to dawn2.
4.1 Encryption
WPA2/802.11i should be used for encryption as it uses AES as the encryption algorithm. If
this is not practical, WPA can be used. A vendor’s proprietary equivalent of WPA may also
be used while migration to WPA2 is undertaken.
WEP must not be used, due to extensive security issues within the protocol. Most enterprise
grade network equipment vendors should offer upgraded firmware or software to allow the
use of WPA/WPA2 in replacement of the insecure WEP protocol.
Key management should be done using 802.1X and EAP.
4.2 Authentication
Implementing WPA/WPA2 will need a deployment of an 802.1X based authentication
infrastructure. A suitable installation will include the following:
• The selection of an EAP method from the list of recommended types below.
• The selection and deployment of a suitable authentication server, typically a RADIUS
  server.
Smaller environments, such as GP surgeries, may lack both the budget and qualified IT staff
to support and administer a RADIUS based authentication platform. In these cases, a
central/regional organisation (e.g. the LHBs/BSCs or HSW) may wish to host a WLAN
authentication service which can be shared by a number of smaller organisations. The use
of WPA/WPA2 Pre Shared Keys (PSK) is not permitted due to the risk of inappropriate
access to the WLAN from devices that have been lost or stolen.
Typically, an existing directory service (e.g. Microsoft Active Directory or Novell e-Directory)
will be used to store the authentication details. In order to reduce the risk of unauthorised
access to the WLAN, access should only be given to users that need the WLAN
functionality. Measures should be taken to ensure that strong passwords are forced onto
those users’ accounts.
4.2.1 EAP protocols
Below is a list of various EAP protocols that can be used:
4.2.1.1 EAP - Transport Layer Security (EAP-TLS)
The EAP-TLS authentication standard is widely supported among wireless vendors. It offers
a particularly strong method of authentication. The use of EAP-TLS requires the deployment
of a public key infrastructure (PKI), which although offering increased security may persuade
organisations against its deployment. However if a PKI exists, the level of
security and integrity provided is considered one of the most secure authentication
mechanisms available and offers universal support across wireless systems.
The use of EAP-TLS relies not only on server-side certificates, but also on the presence of
a client-side certificate which is how the standard gains particular strength over other
mechanisms. A compromised password is not enough to access a properly secured
infrastructure using EAP-TLS for authentication. For instance, if the client certificate was
stored on a smartcard it could only be stolen if the card itself was stolen, thus allowing
administrators to quickly revoke individual access rights in response to a theft or other
security issue. This process is clearly much more problematic if the employment of other
less robust authentication systems (such as those based on single passwords or network
keys) is standard.
The security offered by EAP-TLS is high. However, PKI deployment and management can
be unduly complex for some organisations. For those with a PKI already in place, this is
currently the most secure mechanism available.
4.2.1.2 Protected EAP (PEAP)
PEAP is a joint proposal by Cisco Systems, Microsoft and RSA Security as an open
standard. There are two versions of PEAP.
PEAPv0 (EAP-MSCHAPv2)
PEAPv0 is the most common version of PEAP. It is supported on the Client and Server side
by various vendors, including Microsoft and Cisco. PEAP creates an encrypted SSL/TLS
channel between the client and the authentication server, and the channel then protects the
subsequent user authentication exchange.
To create the secure channel between client and authentication server, the PEAP client first
authenticates the PEAP authentication server using digital certificate authentication. This
technique is widely used to protect Web transactions (using SSL) and requires only the
server to own a digital certificate. The protection depends on the client actually checking that
certificate: a client configured to accept any server certificate will build its tunnel to an
attacker’s access point and authentication server and hand over its MS-CHAP v2 exchange,
so clients must be configured with the trusted certificate authority and the expected server
name.
Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2) is used to
perform user authentication. This information is sent through the secure channel.
PEAPv1 (EAP-GTC)
PEAPv1/EAP-GTC was created by Cisco as an alternative to PEAPv0. It allows the use of
an inner authentication protocol other than Microsoft’s MSCHAPv2. Even though Microsoft
co-invented the PEAP standard, Microsoft never added support for PEAPv1 in general,
which means PEAPv1/EAP-GTC has no native Windows OS support.
4.2.1.3 EAP Tunneled Transport Layer Security (EAP-TTLS)
EAP-TTLS was developed by Funk Software and Certicom and combines server-side
certificates with other authentication such as tokens or passwords. It is similar to PEAP in
that a secure TLS channel is first created between the client and the authentication
server. During the second phase of authentication, TTLS uses the TLS channel to exchange
attribute-value pairs, much like RADIUS. Current implementations of TTLS offer support for
all defined EAP methods, plus older methods such as Challenge Handshake Authentication
Protocol (CHAP), Microsoft Challenge Handshake Authentication Protocol Version 1 and 2
(MS-CHAPv1 and v2). The same requirement to validate the server certificate applies as for
PEAP.
By defining new attributes to support them it is easy to extend TTLS to work with new
protocols. EAP-TTLS offers support across multiple vendors, and has a good foothold in the
marketplace with interoperability across different platforms.
4.2.1.4 EAP Fast Authentication via Secure Tunnelling (EAP-FAST)
Cisco Systems created the EAP-FAST authentication protocol to help bridge the gap
between security and usability. The protocol aims to utilise the same secure encrypted
channel (which, as with PEAP, protects user credentials during the authentication session)
without the need for any PKI on either the client or server side of the connection.
The EAP-FAST protocol follows some of the characteristics of the PEAP authentication
protocol and in common with PEAP has two phases. Phase one creates a secure encrypted
channel, while the second phase creates an MS-CHAPv2 session to verify the client with the
authentication server. MSCHAPv2 has well known weaknesses, particularly against
dictionary-based attacks (See Section 4.2.1.5 - LEAP), therefore the encrypted channels
created in phase one create a safer environment for the MS-CHAPv2 authentication
process.
Instead of using digital certificates (as is done by PEAP and EAP-TTLS), a Protected
Access Credential (PAC) file is utilised by EAP-FAST as the shared secret for phase one of
the process. Each PAC file is a unique entity; therefore the creation and provision of a PAC
file is required for each user. Two deployment alternatives are available to distribute the
individual PAC files, automatic and manual:
• Automatic (in-band) provisioning using ‘Anonymous Phase 0’ authentication is
  possible. However, the provisioning tunnel is anonymous (it does not authenticate the
  server), so an attacker impersonating the authentication server can capture the
  user’s MS-CHAPv2 exchange inside it; this creates a security risk.
• The manual provisioning of PAC files onto devices can be utilised to mitigate this
  risk, so this process should be followed for deployment onto devices which require
  access via EAP-FAST. This process will inevitably incur an extra administrative
  overhead for larger networks.
The EAP-FAST protocol has proven useful in certain environments for Voice over Internet
Protocol (VoIP) phones and other latency sensitive devices which require roaming ability and
thus low latency authentication. When using a Cisco WLAN infrastructure, the EAP-FAST
protocol should help to ensure that devices re-authenticate in the fastest possible manner
whilst roaming between wireless access points within a campus.
Given the manual PAC file provisioning process, and the fact that EAP-FAST is proprietary,
it is recommended that EAP-FAST be used only for devices which require the specific
benefits of the protocol, and that alternatives be sought for deployment on other systems.
4.2.1.5 Lightweight EAP (LEAP)
LEAP is an older Cisco proprietary EAP protocol, which was popular in early deployments of
Cisco WLAN infrastructures. This protocol has significant security weaknesses, including:
• The username is sent ‘in the clear’ over the WLAN.
• An MS-CHAP challenge/response derived from the password hash is sent over the
  WLAN and can be ‘sniffed’. Passwords, particularly weak ones, can then be recovered
  by off-line brute force or dictionary attacks against the captured exchange.
As such, LEAP should only be used when supporting legacy hardware (e.g. VoIP WLAN
phones) and should be deployed as follows:
• A dedicated logical network segment is used on the wired LAN (e.g. a VLAN). Traffic
  from users authenticated using LEAP must be restricted to this dedicated network
  and this network must be segmented from the rest of the hospital network using an
  EAL4 certified firewall.
• A dedicated authentication server is used. Usernames and passwords should be
  different to those used for any other applications, including general WLAN access.
• Strong passwords are used (containing uppercase, lowercase, numbers and
  symbols).
Due to the significant security weaknesses within the protocol the use of LEAP to
connect any devices onto data networks is extremely unsafe and not recommended.
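As an added example (not from the original guidance), the requirements of Sections 4.1, 4.2 and 4.2.1 turned into a check that can be run over client configurations before a device is allowed onto the WLAN. It reads wpa_supplicant-style network blocks (the configuration format of the open source wpa_supplicant client on Linux; the option names are wpa_supplicant's own) and reports WEP, pre-shared keys, LEAP, TLS-based EAP methods that do not name a trusted CA certificate, EAP-FAST anonymous provisioning and TKIP-only settings. The SSIDs, file paths and credentials in the sample configuration are constructed.

```python
"""Policy check for wpa_supplicant network blocks against Sections 4.1 to 4.2.1 (added example)."""
import re

NETWORK_RE = re.compile(r"network\s*=\s*\{(.*?)\}", re.S)
# wpa_supplicant's own defaults when the option is omitted
DEFAULT_KEY_MGMT = "WPA-PSK WPA-EAP"
DEFAULT_PROTO = "WPA RSN"


def parse_networks(conf: str) -> list:
    """One dict of option -> value per network={...} block; quotes stripped,
    full-line comments ignored."""
    nets = []
    for block in NETWORK_RE.finditer(conf):
        net = {}
        for line in block.group(1).splitlines():
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = line.split("=", 1)
            net[key.strip()] = value.strip().strip('"')
        nets.append(net)
    return nets


def check_network(net: dict) -> list:
    """Findings for one block: 'FAIL' violates the specification, 'WARN' is permitted
    but should be tightened."""
    findings = []
    key_mgmt = set(net.get("key_mgmt", DEFAULT_KEY_MGMT).split())
    proto = set(net.get("proto", DEFAULT_PROTO).split())
    eap = net.get("eap", "")
    if "NONE" in key_mgmt and any(k.startswith("wep_key") for k in net):
        findings.append("FAIL: WEP keys configured; WEP is prohibited (Section 4.1)")
    if "WPA-PSK" in key_mgmt:
        findings.append("FAIL: WPA/WPA2 pre-shared key; PSK is not permitted (Section 4.2)")
    if "RSN" not in proto or net.get("pairwise", "CCMP TKIP").split() == ["TKIP"]:
        findings.append("WARN: WPA/TKIP only; migrate to WPA2 (RSN) with AES-CCMP (Section 4.1)")
    if "WPA-EAP" in key_mgmt:
        if eap == "LEAP":
            findings.append("FAIL: LEAP; legacy devices only, on a dedicated segment (Section 4.2.1.5)")
        if eap in ("TLS", "PEAP", "TTLS") and "ca_cert" not in net:
            # Without a trusted CA the supplicant builds its TLS tunnel to whoever answers.
            findings.append("FAIL: %s without ca_cert; the authentication server is never validated, "
                            "so a rogue AP can terminate the tunnel and collect credentials" % eap)
        if eap in ("TLS", "PEAP", "TTLS") and "ca_cert" in net and not any(
                k in net for k in ("subject_match", "altsubject_match", "domain_suffix_match")):
            findings.append("WARN: any certificate under the CA is accepted; pin the RADIUS server name")
        if eap == "TLS" and not ("client_cert" in net and "private_key" in net):
            findings.append("FAIL: EAP-TLS without a client certificate and key (Section 4.2.1.1)")
        if eap == "FAST":
            prov = re.search(r"fast_provisioning=(\d)", net.get("phase1", ""))
            if prov and prov.group(1) in ("1", "3"):  # 1 = anonymous, 3 = anonymous or authenticated
                findings.append("FAIL: EAP-FAST anonymous (unauthenticated) PAC provisioning (Section 4.2.1.4)")
            elif "pac_file" not in net:
                findings.append("WARN: EAP-FAST without a provisioned PAC file")
    return findings


def audit(conf: str) -> list:
    """(ssid, findings) for every network block in the configuration text."""
    return [(net.get("ssid", "<no ssid>"), check_network(net)) for net in parse_networks(conf)]


# Constructed sample: four network blocks a device might carry.
SAMPLE_CONF = """
ctrl_interface=/var/run/wpa_supplicant
network={
    ssid="ward-legacy"
    key_mgmt=NONE
    wep_key0=0102030405
    wep_tx_keyidx=0
}
network={
    ssid="clinic-guest"
    key_mgmt=WPA-PSK
    proto=RSN
    psk="not-a-real-passphrase"
}
network={
    ssid="nhs-staff"
    key_mgmt=WPA-EAP
    proto=RSN
    pairwise=CCMP
    eap=PEAP
    identity="jdoe"
    password="constructed-password"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="nhs-staff"
    key_mgmt=WPA-EAP
    proto=RSN
    pairwise=CCMP
    eap=TLS
    identity="laptop-0042@example.org"
    ca_cert="/etc/ssl/certs/wlan-ca.pem"
    client_cert="/etc/ssl/certs/laptop-0042.pem"
    private_key="/etc/ssl/private/laptop-0042.key"
    domain_suffix_match="radius.example.org"
}
"""

if __name__ == "__main__":
    for ssid, findings in audit(SAMPLE_CONF):
        print(ssid, "->", findings or ["OK"])
```

Only the last block passes: it names the CA, pins the RADIUS server's name, and carries a client certificate, so a stolen password alone is not enough and a rogue access point cannot impersonate the authentication server. The PEAP block is the common real-world failure: it looks like WPA2-Enterprise but, with no ca_cert, its MS-CHAP v2 credentials can be harvested by any access point that answers to the SSID.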
4.3 Device authentication
In order to prevent unauthorised devices connecting to the wireless LAN, device
authentication must be implemented. One of the easiest ways of achieving this is with MAC
address authentication, bearing in mind (Section 3.2.3) that MAC addresses can be spoofed,
so this must supplement 802.1X user authentication rather than replace it. The list of
approved MAC addresses should be held on a central authentication server, and not on any
individual access points. Lost or stolen devices can then easily be disabled. An alternative
approach is to use certificates stored on the wireless LAN client device.
4.4 Access control lists / Firewalls
For all WLAN deployments, access to devices on the wired LAN should be restricted to
those services that need to be accessed from mobile devices. This can be achieved by
applying Access Control Lists on routers or firewalls that sit between the WLAN and the
wired network.
4.5 Intrusion detection
Intrusion Detection should be deployed on the WLAN traffic so that any breaches to the
WLAN security can be detected as early as possible. Automatic notification of detected
attacks should be deployed in conjunction with regular checking of the IDS logs.
4.6 Virtual Private Networks
An alternative to using WPA/WPA2 for authentication and encryption is to use IPsec
Virtual Private Networks (VPN). This technology is typically used for allowing secure access
to corporate networks over the internet. If this option is to be used, the following steps must
be adopted:
• The WLAN access point can be configured to accept Open Authentication, but MAC
  address authentication should still be used to control which devices can access the
  WLAN.
• The WLAN access points must be configured such that WLAN devices cannot
  communicate with other WLAN devices prior to the VPN tunnel being established.
• A dedicated logical network segment must be used on the wired LAN (e.g. a VLAN).
  When the VPN is not established, all traffic from the WLAN users must be restricted
  to this dedicated network and this network must be segmented from the rest of the
  hospital network using an EAL4 certified firewall.
• Access-lists will need to be applied on the EAL4 firewall to ensure that traffic from the
  devices on the WLAN can only communicate with a VPN device such as a VPN
  concentrator or firewall.
• VPN client software will need to be installed and configured on all client devices.
• The VPN device will need to be configured to perform Extended Authentication
  (XAUTH). This will challenge the users for authentication credentials when
  establishing the VPN tunnel.
• AES must be used as the encryption algorithm.
• VPN clients must be configured so that all traffic is sent down the VPN tunnel, i.e.
  split tunnelling must be disabled.
• Access-lists must be applied to the traffic emerging from the VPN device, as
  described in Section 4.4.
[Figure 1 - VPN Option: Client → Access Point → Dedicated Network Segment → EAL4 Firewall → VPN Device → Firewall/Router → Main Hospital Network. IPsec VPN tunnel created from Client to VPN Device.]
4.7 Auditing
• A log of access to the WLAN infrastructure must be kept, and this should also
  include access attempts. These logs should be checked regularly to see if any
  unauthorised access is being attempted. Logs need to be kept for a minimum period
  of 2 years.
• Where possible, WLAN access points should be configured to report any unknown
  access points. This will increase the probability of a ‘rogue’ access point being
  detected.
• In addition to the above, regular manual WLAN ‘sweeps’ of all sites should be
  undertaken to highlight any ‘rogue’ access points.
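An added example (not part of the original guidance) of the two checks this section asks for, in Python: a pass over authentication-server log lines that flags repeated failures against one account and successful logins from client MACs absent from the central inventory of Section 4.3, and a comparison of the BSSIDs seen during a sweep (or reported by the access points) against the authorised access point inventory, treating an unknown BSSID that broadcasts one of our own SSIDs as the most serious case. The log lines follow the layout of FreeRADIUS's radius.log but are constructed, as are the MAC addresses, BSSIDs and SSIDs; LOG_RE must be adjusted to the real server's format.

```python
"""Auditing helpers: authentication log review and rogue AP detection (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# FreeRADIUS-style radius.log line (constructed layout; adapt to the real server's format)
LOG_RE = re.compile(
    r"^(?P<ts>.+?) : Auth: (?P<result>Login OK|Login incorrect)(?: \((?P<reason>[^)]*)\))?: "
    r"\[(?P<user>[^\]]*)\] \(from client (?P<nas>\S+) port (?P<port>\d+) cli (?P<mac>\S+)\)$")


def norm_mac(mac: str) -> str:
    """00-11-22-33-44-AA, 0011.2233.44aa and 001122334455 all become 00:11:22:33:44:aa."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_auth_log(lines) -> list:
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # in production, count and report unparseable lines as well
        ts = datetime.strptime(" ".join(m["ts"].split()), "%a %b %d %H:%M:%S %Y")
        events.append({"ts": ts, "ok": m["result"] == "Login OK", "user": m["user"],
                       "nas": m["nas"], "mac": norm_mac(m["mac"])})
    return events


def password_guessing(events, threshold: int = 5, window: timedelta = timedelta(minutes=10)) -> dict:
    """Accounts with >= threshold failures inside a sliding window -> failures in that window."""
    fails = defaultdict(list)
    for e in events:
        if not e["ok"]:
            fails[e["user"]].append(e["ts"])
    flagged = {}
    for user, times in fails.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):
            while times[hi] - times[lo] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                flagged[user] = hi - lo + 1
    return flagged


def unknown_clients(events, authorised_macs) -> list:
    """Successful logins from MACs that are not in the central device inventory (Section 4.3)."""
    authorised = {norm_mac(m) for m in authorised_macs}
    return sorted({e["mac"] for e in events if e["ok"] and e["mac"] not in authorised})


def rogue_access_points(observed, authorised) -> list:
    """observed: (bssid, ssid) pairs from a sweep; authorised: {bssid: ssid} inventory.
    Returns (bssid, ssid, severity) for every BSSID not in the inventory."""
    inventory = {norm_mac(b): s for b, s in authorised.items()}
    our_ssids = set(inventory.values())
    rogues = []
    for bssid, ssid in observed:
        bssid = norm_mac(bssid)
        if bssid in inventory:
            continue
        severity = ("HIGH: our SSID from an unknown BSSID (possible evil twin)" if ssid in our_ssids
                    else "MEDIUM: unknown access point in range")
        rogues.append((bssid, ssid, severity))
    return rogues


# Constructed sample data
SAMPLE_LOG = """\
Tue Jan  9 10:15:02 2007 : Auth: Login OK: [nurse.a] (from client ap-ward3 port 13 cli 00-11-22-33-44-AA)
Tue Jan  9 10:15:40 2007 : Auth: Login incorrect (mschap: MS-CHAP2-Response is incorrect): [dr.smith] (from client ap-ward3 port 13 cli 00-11-22-33-44-BB)
Tue Jan  9 10:16:05 2007 : Auth: Login incorrect (mschap: MS-CHAP2-Response is incorrect): [dr.smith] (from client ap-ward3 port 13 cli 00-11-22-33-44-BB)
Tue Jan  9 10:16:31 2007 : Auth: Login incorrect (mschap: MS-CHAP2-Response is incorrect): [dr.smith] (from client ap-ward3 port 13 cli 00-11-22-33-44-BB)
Tue Jan  9 10:17:02 2007 : Auth: Login incorrect (mschap: MS-CHAP2-Response is incorrect): [dr.smith] (from client ap-ward3 port 13 cli 00-11-22-33-44-BB)
Tue Jan  9 10:17:45 2007 : Auth: Login incorrect (mschap: MS-CHAP2-Response is incorrect): [dr.smith] (from client ap-ward3 port 13 cli 00-11-22-33-44-BB)
Tue Jan  9 10:18:20 2007 : Auth: Login incorrect (mschap: MS-CHAP2-Response is incorrect): [porter.j] (from client ap-lobby port 2 cli 00-11-22-33-44-CC)
Tue Jan  9 10:19:10 2007 : Auth: Login OK: [visitor] (from client ap-lobby port 2 cli 00-DE-AD-BE-EF-01)
""".splitlines()
AUTHORISED_MACS = {"00:11:22:33:44:aa", "00:11:22:33:44:bb", "00:11:22:33:44:cc"}
AUTHORISED_APS = {"00:1a:2b:3c:4d:01": "nhs-staff", "00:1a:2b:3c:4d:02": "nhs-staff"}
SWEEP = [("00:1a:2b:3c:4d:01", "nhs-staff"), ("00:1a:2b:3c:4d:99", "nhs-staff"), ("00:aa:bb:cc:dd:ee", "linksys")]

if __name__ == "__main__":
    ev = parse_auth_log(SAMPLE_LOG)
    print("password guessing:", password_guessing(ev))
    print("unknown clients:", unknown_clients(ev, AUTHORISED_MACS))
    for rogue in rogue_access_points(SWEEP, AUTHORISED_APS):
        print("rogue:", rogue)
```

Run against the sample, the log pass reports five failures for one account within three minutes and a successful login from a MAC that the inventory does not know, and the sweep comparison separates an unknown BSSID advertising the staff SSID (the case that warrants an immediate site visit) from an unrelated neighbouring network. Scheduling this against the retained logs gives the "regular checking" the first bullet requires something concrete to act on.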
4.8 Penetration testing
It is advisable to perform penetration testing on the WLAN deployment, to ensure that it is
secure. Feedback from the test should be acted upon without delay. This should be
repeated on a regular basis (e.g. 3 months) and additionally when any changes to the
security model are made.
5 General Deployment Guidelines
This section highlights some ‘best practice’ guidelines which should be considered when
deploying a WLAN infrastructure.
5.1 Site surveys
Thorough site surveys should be undertaken to ensure the following:
• A strong signal is maintained in the areas that need to be covered.
• The spread of the signals outside of the required areas is minimised.
• Appropriate channels and power ratings are selected to reduce the risk of
  interference with other radio sources.
5.2 High availability
In areas where the WLAN is necessary to support clinical care, the following should be
considered:
• Signals from access points are ‘overlapped’ to ensure that service is maintained in
  the event of a failure of a single access point.
• Access points should be connected to different switches to ensure that some WLAN
  coverage is maintained, even in the event of a switch failure.
• Access points should be powered over Ethernet from managed switches.
• Network switches that support the WLAN should be connected to Uninterruptible
  Power Supplies (UPS).
• All underlying systems that support the WLAN (e.g. DHCP servers, authentication
  and authorisation servers, etc.) should be installed in a resilient manner. Failure of
  any single component should not result in a total outage of the WLAN.
5.3 Access Point security
• Where possible, access points and aerials should be installed where they cannot be
seen (e.g. above false ceilings). This reduces the chances of them being stolen.
• Access points should be secured so that they cannot easily be removed (e.g. using
padlocks).
• Access points should be set up to load their configuration over the network. This
ensures that no ‘sensitive’ information (e.g. IP addressing schemes, secret keys, etc.)
is divulged if access points are lost or stolen. Several modern WLAN solutions are
based around ‘thin’ access points which are controlled from a central controller. With
most of these systems, no configuration data is stored on the access point.
• Usernames and passwords (including those used to manage the access points)
should not be stored on the device itself, but rather on a secured
authentication/authorisation server. Typically, a ‘fallback’ username/password
combination will be stored on the access point so that it can still be managed if the
authentication server fails. This should not be the same as any username/password
stored on the authentication/authorisation servers.
5.4 Hardware
Any equipment that is purchased should support multiple SSIDs (with different EAP methods
for each SSID). This will allow for a future National WLAN Authentication method to be used
in parallel with existing local implementations.
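The access point controls in sections 5.3 and 5.4 can be expressed as a configuration audit. The following is an added example, not part of the original document or any vendor tool; the record layout (config_source, max_ssids, local_accounts, ssids) and the sample access points are constructed for illustration.

```python
"""Audit access-point configuration records against sections 5.3 and 5.4:
configuration loaded over the network, a single fallback account that does not
duplicate a credential on the authentication server, multi-SSID hardware, and
no WEP or open SSIDs (WEP is not acceptable on dawn2, see glossary)."""
from dataclasses import dataclass, field


@dataclass
class Ssid:
    name: str
    security: str           # "WPA2-EAP", "WPA-EAP", "WEP" or "OPEN"
    eap_method: str = ""    # e.g. "EAP-TLS", "PEAP"; empty when not EAP-based


@dataclass
class AccessPoint:
    hostname: str
    config_source: str      # "controller" or "network" (loaded at boot), or "local-flash"
    max_ssids: int          # number of SSIDs the hardware can serve at once
    local_accounts: dict    # management accounts stored on the device (user -> password)
    ssids: list = field(default_factory=list)


def audit_access_point(ap, server_accounts):
    """Return the list of guideline violations for one access point (empty = compliant).

    server_accounts: management credentials held on the authentication/authorisation
    server (user -> password), used to detect fallback credential reuse."""
    findings = []
    if ap.config_source == "local-flash":
        findings.append("configuration held on the device instead of loaded over the network")
    if ap.max_ssids < 2:
        findings.append("hardware does not support multiple SSIDs")
    if len(ap.local_accounts) > 1:
        findings.append("more than one management account stored locally (one fallback expected)")
    for user, password in ap.local_accounts.items():
        if server_accounts.get(user) == password:
            findings.append(f"fallback account '{user}' duplicates a credential on the auth server")
    for s in ap.ssids:
        if s.security in ("WEP", "OPEN"):
            findings.append(f"SSID '{s.name}' uses {s.security}, which is not acceptable on dawn2")
    return findings


# Constructed sample data: one compliant and one non-compliant access point.
SERVER_ACCOUNTS = {"wlan-admin": "S3rv3r-0nly!"}
COMPLIANT_AP = AccessPoint("ap-ward-01", "controller", 4, {"fallback": "L0cal-F4llback"},
                           [Ssid("clinical", "WPA2-EAP", "EAP-TLS")])
NONCOMPLIANT_AP = AccessPoint("ap-store-02", "local-flash", 1,
                              {"wlan-admin": "S3rv3r-0nly!", "guest": "guest"},
                              [Ssid("legacy", "WEP")])

if __name__ == "__main__":
    for ap in (COMPLIANT_AP, NONCOMPLIANT_AP):
        print(ap.hostname, audit_access_point(ap, SERVER_ACCOUNTS) or "compliant")
```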
5.5 Policies
A WLAN security policy is required in each organisation covering who may install the
technology, the standards for user access control, encryption and other security controls. It
should also include the responsibilities of both the IM&T department and the users of this
technology. See the “Guidance for the Secure Implementation of Wireless Networking”
document for further information.
Glossary
802.1x
IEEE 802.1X is an IEEE standard for port-based network access control.
It is used for both wired and wireless LANs.
802.11
A set of standards defined by IEEE for Wireless LANs. The original 802.11
standard supported speeds of 1 and 2 Mbps and operated in the 2.4 GHz
frequency range.
802.11a
Amendment to the 802.11 standard that defines a wireless LAN that
operates in the 5 GHz frequency range and supports transmission speeds
up to 54 Mbps.
802.11b
Amendment to the 802.11 standard that defines a wireless LAN that
operates in the 2.4 GHz frequency range and supports transmission
speeds up to 11 Mbps.
802.11g
Amendment to the 802.11 standard that defines a wireless LAN that
operates in the 2.4 GHz frequency range and supports transmission
speeds up to 54 Mbps. 802.11g is backwards compatible with 802.11b.
802.11i
Amendment to the 802.11 standard specifying security mechanisms for
wireless LANs. Also known as WPA2.
802.11n
Currently a draft amendment to the 802.11 standard supporting higher
speeds and greater transmission distances than available with
802.11a/b/g. Uses MIMO technology, where multiple transmitters and
receivers are used.
AES
Advanced Encryption Standard. An encryption standard used with
802.11i/WPA2.
Authentication Server
A server that holds user credentials and is used for authenticating users as
part of 802.1x.
Authenticator
In 802.1x terms, the authenticator is the network device that challenges
the supplicant for authentication. With wireless LANs, this is typically the
wireless access-point.
Certificate
An electronic document that verifies the owner of a public key, issued by a
certificate authority.
dawn2
Digital All Wales Network. The private network that connects NHS Wales’
organisations.
DSSS
Direct Sequence Spread Spectrum is a type of spread-spectrum radio
transmission that spreads its signal continuously over a wide frequency
band.
EAP
Extensible Authentication Protocol (EAP) is a general authentication
protocol that supports multiple authentication methods and is used in
wireless LANs.
IEEE
Institute of Electrical and Electronics Engineers.
MAC address
MAC (Media Access Control) addresses are unique addresses assigned to
network cards.
MIMO
Multiple-Input Multiple-Output. See 802.11n.
OFDM
Orthogonal Frequency Division Multiplexing is used for carrier modulation
in digital transmissions. A spread spectrum technique, it combines good
noise resistance, immunity to reflections and efficient use of the spectrum.
OTP
One-Time Password. A password that is valid for one use only. Typically a
OTP is generated using a hardware token or key card.
PKI
The comprehensive system required to provide public-key encryption and
digital signature services is known as a Public-Key Infrastructure (PKI).
The purpose of a public-key infrastructure is to manage keys and
certificates. By managing keys and certificates through a PKI, an
organization establishes and maintains a trustworthy networking
environment. A PKI enables the use of encryption and digital signature
services across a wide variety of applications.
(Taken from http://www.entrust.com)
RADIUS
Remote Authentication Dial In User Service (RADIUS) is an
authentication, authorisation and accounting protocol used with
802.1x.
Rogue Access Point
A ‘rogue’ access point is one that has been installed by an employee
without approval from the I.T. department, or one that has been installed
with malicious intent (e.g. by a hacker).
SSL
Secure Sockets Layer. A predecessor to TLS.
Supplicant
In 802.1x terms this is the client device (i.e. the device attempting to
authenticate to a wireless network).
TKIP
The Temporal Key Integrity Protocol (TKIP) is part of the 802.11i
encryption standard for wireless LANs. TKIP provides per-packet key
mixing, a Message Integrity Check (MIC) and a re-keying mechanism, to
overcome the weaknesses of WEP.
TLS
Transport Layer Security. The TLS protocol allows client/server applications to
communicate in a way designed to prevent eavesdropping, tampering, and message forgery.
WEP
Wired Equivalent Privacy (WEP) is a security protocol used on wireless
LANs. WEP has several known vulnerabilities and is not suitable for use
on dawn2.
Wi-Fi
Wi-Fi is a brand name originally licensed by the Wi-Fi Alliance to describe
the underlying technology of wireless LANs based on the 802.11
specifications.
Wi-Fi Alliance
The Wi-Fi Alliance® is a trade group that owns the trademark to Wi-Fi.
WLAN
Wireless Local Area Network.
WPA
Wi-Fi Protected Access (WPA) is a set of security mechanisms, created by
the Wi-Fi Alliance, for protecting wireless LANs. It is based on a subset of
the 802.11i standard.
WPA2
WPA2 is the Wi-Fi Alliance’s term for the full implementation of the
802.11i standard.