Minimum specification for the Secure Deployment of Wireless Local Area Networks (WLANs) on the dawn2 Network Version: Draft Version Q3.7 Status: Final – Awaiting approval by NADB Lead Author: C. Lloyd-Jones Date: 10th January 2007 Page 1 of 17 Reviewers: This document has been reviewed by the following. Name Date WLAN Security Standards Group Heads of IM&T Group Approvers: This document has been approved by the following: Name Date National Architecture Design Board Forecast changes: Anticipated Change Date Annual Review January 2008 Page 2 of 17 Contents 1 Introduction .................................................................................................................... 4 1.1 Assumed reader knowledge................................................................................... 4 1.2 Background............................................................................................................ 4 1.3 Disclaimer .............................................................................................................. 4 2 Overview of Wireless LAN Technologies ........................................................................ 5 3 General Security Principles for Wireless LANs ............................................................... 6 4 3.1 Physical considerations ......................................................................................... 6 3.2 Technological considerations ................................................................................. 6 3.2.1 Wireless encryption ............................................................................................ 6 3.2.2 Wireless network authentication ......................................................................... 7 3.2.3 Identifying authorised devices ............................................................................ 8 Practical Steps for Securing Wireless LANs ................................................................... 9 4.1 Encryption .............................................................................................................. 9 4.2 Authentication ........................................................................................................ 9 4.2.1 5 EAP protocols .................................................................................................... 9 4.3 Device authentication........................................................................................... 12 4.4 Access control lists / Firewalls ............................................................................. 12 4.5 Intrusion detection................................................................................................ 12 4.6 Virtual Private Networks ....................................................................................... 12 4.7 Auditing................................................................................................................ 13 4.8 Penetration testing ............................................................................................... 13 General Deployment Guidelines ................................................................................... 14 5.1 Site surveys ......................................................................................................... 14 5.2 High availability .................................................................................................... 14 5.3 Access Point security ........................................................................................... 14 5.4 Hardware ............................................................................................................. 15 5.5 Policies ................................................................................................................ 15 Glossary .............................................................................................................................. 16 Page 3 of 17 1 Introduction This document describes security measures that must be followed when deploying Wireless LANs within sites connected to dawn2 (NHS Wales’ Network). It does not cover public access wireless networks, or site to site (including building to building) wireless links. You will find guidance on: The minimum standards for Wireless Local Area Networks (WLANs) deployed within dawn2 connected networks. The procedures and mechanisms for the control of Wireless Local Area Networks in an NHS Wales environment. This document is based on the following two documents: Connecting for Health’s “Wireless Local Area Network (WLAN) Technologies: Good Practice Guidelines”, Informing HealthCare’s “Guidance for the Secure Implementation of Wireless Networking” 1.1 Assumed reader knowledge A general familiarity with the possibilities of wireless LAN technologies and I.T. security principles is assumed. 1.2 Background dawn2 is a private Network. Connection is therefore strictly limited to authorised endpoints. All organisations wishing to make a new connection to dawn2 are responsible for ensuring that their connection to dawn2 does not compromise the security measures already in place. Trust Chief Executives have signed up to a “Code of Connection” agreement which is designed to ensure the on-going integrity of dawn2. Information is often unencrypted when transmitted over the network therefore confidentiality of sensitive information within dawn2 cannot automatically be assumed. It is therefore imperative that Wireless LANs are deployed in such a manner that does not comprise the integrity and availability of dawn2. 1.3 Disclaimer Reference to any specific commercial product, process or service by trade name, trademark manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favouring by Informing HealthCare. The views and opinions of authors expressed within this document shall not be used for advertising or product endorsement purposes. Informing HealthCare shall also accept no responsibility for any errors or omissions contained within this document. In particular, Informing HealthCare shall not be liable for any loss or damage whatsoever, arising from the usage of information contained in this document. Page 4 of 17 2 Overview of Wireless LAN Technologies IEEE 802.11 or Wireless Fidelity (Wi-Fi) denotes a set of Wireless LAN (WLAN) standards, covering six over-the-air modulation techniques, plus a series of enhancements The most popular and widespread standards are those defined by the (a), (b), and (g) amendments. IEEE 802.11b and 802.11g utilise the unlicensed 2.4GHz band, originally reserved for industrial, scientific and medical (ISM) use. As such, the 2.4GHz band is slightly more susceptible to interference than the 802.11a standard which uses the 5GHz band. The 802.11(a), (b) or (g) set of standards offer various levels of network performance and coverage. The following table details the currently available standards. The typical indoor range is based on using omni-directional aerials. Coverage can be extended by using alternative aerials from the various WLAN hardware manufacturers. IEEE Standard Operating Frequency Available Data Rates (Mbps) 802.11a 5 GHz (OFDM) 54, 48, 36, 24, 18, 12, 9, 6 802.11b 2.4 GHz (DSSS) 11, 5.5, 2,1 802.11g 2.4 GHz (OFDM) 54, 48, 36, 24, 18, 12, 9, 6 (DSSS) 11, 5.5, 2,1 Number of channels in UK 12 (8 for indoor and 4 point-topoint) 13 Number of nonoverlapping channels 12 (8 for indoor) Typical Indoor Range1 21m at 54 Mbps 3 13 3 30m at 11 Mbps 27m at 54 Mbps 802.11i is an amendment to the 802.11 standard and specifies security mechanisms for Wireless Networks. WPA and WPA2 are trademarks of the Wi-Fi Alliance. All products that are Wi-Fi CERTIFIED™ for WPA2 are based on the IEEE 802.11i standard. WPA is based on a sub-set of an 802.11i draft amendment. 802.11n is a proposed standard and is currently estimated to be approved in July 2007. This uses Multiple-Input Multiple-Output (MIMO) technology for increasing data throughput and range. 1 Figures from www.cisco.com. These are typical operating distances. Eavesdropping can be achieved from much further away. Page 5 of 17 3 General Security Principles for Wireless LANs 3.1 Physical considerations It is important to deploy wireless networks with the same care and diligence as would be given to setting up a wired network infrastructure. Although precise implementation details vary between manufacturers, the following provide some common steps, that when taken assist in the proper installation and operation of wireless equipment: Consider signal dispersion issues when choosing access points. Seek advice from equipment vendors on suitable positioning, suitable antennae and signal configuration parameters. Reduce the radiation of signals outside the building perimeter by using a higher number of access points at moderate power levels. This is preferable to configuring access points with high power to obtain maximum coverage from fewer devices. Ensure that the connection of wireless access points to the wired network infrastructure is via individual switched Ethernet network ports - not by connection to an Ethernet hub. This will help to prevent the propagation of unnecessary data onto the wireless network from the wired network. Consider the physical security of the WLAN access points and clients. Steps should be taken to ensure that they are not easily stolen or damaged. 3.2 Technological considerations Wireless LAN technologies, while offering significant benefits, present unique security challenges compared to their wired counterparts. Organisations should be aware that operating and maintaining a secure wireless network is an ongoing process which potentially requires greater effort than that required for other networks and systems. When deploying wireless technologies, it is important that organisations assess risks more frequently as well as testing and evaluating system security controls. All wireless networks should utilise both encryption and authentication in order to mitigate the risks of unauthorised access and network eavesdropping. Wireless LAN standards incorporate support for security functionality which needs configuring when deploying wireless devices. A number of factors determine the level of support for each method of encryption or authentication: hardware vendor, firmware or software level, operating system vendor and operating system version. However, such issues are outside the scope of this guide; please refer to your selected hardware and software support organisations for further information. 3.2.1 Wireless encryption By nature of design, wireless networks broadcast messages using radio technology. This makes them more susceptible to eavesdropping than wired networks. It is important to use network-level encryption to secure all traffic sent across radio-based network mediums such as Wireless LANs. Several encryption standards are available as enhancements to the 802.11 standards. The most popular are Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA) and WPA2 Page 6 of 17 The WEP encryption method has a number of well publicised vulnerabilities. As such its use is prohibited as it does not provide a sufficient level of wireless LAN Encryption. Any existing devices using WEP should be disconnected from the network, or upgraded to WPA or WPA2. WPA addresses many of the weaknesses found in WEP, while also adding further features to enhance security across wireless networks. WPA offers support for strong encryption and various authentication mechanisms, offering protection from unauthorised access. WPA uses the Temporal Key Integrity Protocol (TKIP) for encryption and employs IEEE 802.1X authentication with one of the standard Extensible Authentication Protocol (EAP) types currently available. The newer Wi-Fi Protected Access 2 (WPA2) standard offers the same authentication and message integrity features as WPA. It also adds a new encryption scheme using the Advanced Encryption Standard (AES). Enterprises running the existing WPA encryption will be able to upgrade to WPA2 in a secure and gradual manner, using the WPA2 mixedmode functionality available within the protocol. IT Managers should ensure that WPA2 is available for all new purchases of wireless equipment. Please seek assistance from hardware vendors regarding existing installations as many manufacturers offer updated firmware to add WPA and WPA2 support to existing equipment. 3.2.2 Wireless network authentication The use of EAP with 802.1X creates a mutual-authentication framework in which clients are challenged to authenticate against an authentication server, and vice-versa. This ensures that only authorised users can access the network, and clients do not inadvertently connect to a ‘rogue access point’. 2 Below is a basic description of the process that occurs before a WLAN client is allowed to communicate with the wired network: The WLAN client (known in 802.1x terms as the Supplicant), associates with the access-point (the Authenticator) The access-point challenges the WLAN client for authentication credentials. The access point passes the credentials to an Authentication Server. This is usually a RADIUS server. The client authenticates the Authentication Server using a similar process. If both sides accept the credentials, a key is created and passed to the access-point and client. Data sent between the access-point and the client is encrypted using the key. The key is automatically changed periodically. This process helps to ensure the confidentiality, integrity and availability of the wireless network. A ‘rogue’ access point is one that has been installed by an employee without approval from the I.T. department, or one that has been installed with malicious intent (e.g. by a hacker) 2 Page 7 of 17 Essentially, a WLAN connection can be regarded as a ‘dial-up’ connection to dawn2. Normally, this type of connection requires two-factor authentication, such as a PIN in conjunction with a One Time Password (OTP) generator, e.g. a SecurID token. This control has been considered for WLANs, but the challenge is to make it slick enough to be used in those areas where a single WLAN connected device is in constant use by several members of staff. The NHS in Wales has agreed to the principle of two-factor authentication for access to medical/clinical information systems. Implementation models for this are currently being worked on by IHC. When implemented, it is intended that this two-factor authentication service will also be used to authenticate users to the WLAN. In the meantime, existing user credentials within user accounts database (e.g. active directory) should be used to authenticate devices onto the network infrastructure. It is therefore important to maintain good username and password policies which include factors such as strong passwords and time-based password aging. The confidentiality and integrity of a wireless network is only as strong as the access credentials used to authenticate. 3.2.3 Identifying authorised devices It is important to ensure that only devices which have been authorised by the I.T. department are allowed to connect to the Wireless LAN. This can be achieved in one of two ways: By using the Media Access Control (MAC) address. Every wireless network device will have a unique MAC address. As such, filters can be applied which will only allow approved MAC addresses to connect to the WLAN. The MAC address is sent in clear text over the Wireless Network and therefore approved MAC addresses can be obtained by a potential hacker. Additionally, it is possible to ‘spoof’ a MAC address, and therefore a hacker could use this technique to overcome MAC address security. As such, while MAC address security provides an additional layer of protection, it should only be used in conjunction with an additional authentication method as described in Section 3.2.2. By using an authentication method that relies on having a certificate (or equivalent) stored on the Wireless LAN client device, e.g. using EAP-TLS as described in Section 4.2.1.1. Page 8 of 17 4 Practical Steps for Securing Wireless LANs Wireless LANs can offer extensive benefits, particularly where members of staff need constant access to information from a number of locations within a campus area. Wireless networking offers a great deal of flexibility to the user. However, this flexibility requires balancing against strong security which protects the infrastructure. The steps detailed below describe practical measures that should be used when deploying Wireless LANs within sites connected to dawn2. 4.1 Encryption WPA2/802.11i should be used for encryption as it uses AES as the encryption algorithm. If this is not practical, WPA can be used. A vendor’s proprietary equivalent of WPA may also be used while migration to WPA2 is undertaken. WEP must not be used, due to extensive security issues within the protocol. Most enterprise grade network equipment vendors should offer upgraded firmware or software to allow the use of WPA/WPA2 in replacement of the insecure WEP protocol. Key management should be done using 802.1X and EAP. 4.2 Authentication Implementing WPA/WPA2 will need a deployment of an 802.1X based authentication infrastructure. A suitable installation will include the following: The selection of an EAP from the list of recommended types below. The selection and deployment of a suitable authentication server, typically a RADIUS server. Smaller environments, such as GP surgeries, may lack both the budget and qualified IT staff to support and administer a RADIUS based authentication platform. In these cases, a central/regional organisation (e.g. the LHBs/BSCs or HSW) may wish to host a WLAN authentication service which can be shared by a number of smaller organisations. The use of WPA/WPA2 Pre Shared Keys (PSK) is not permitted due to the risk of inappropriate access to the WLAN from devices that have been lost or stolen. Typically, an existing directory service (e.g. Microsoft Active Directory or Novell e-Directory) will be used to store the authentication details. In order to reduce the risk of unauthorised access to the WLAN, access should only be given to users that need the WLAN functionality. Measures should be taken to ensure that strong passwords are forced onto those users’ accounts. 4.2.1 EAP protocols Below is a list of various EAP protocols that can be used: 4.2.1.1 EAP - Transport Layer Security (EAP-TLS) The EAP-TLS authentication standard is widely supported among wireless vendors. It offers a particularly strong method of authentication. The use of EAP-TLS requires the deployment of a PKI infrastructure, which although offering increased security may persuade organisations against its deployment. However if a PKI infrastructure exists, the level of Page 9 of 17 security and integrity provided is considered one of the most secure authentication mechanisms available and offers universal support across wireless systems. The use of EAP-TLS relies not only on server-side certificates, but also on the presence of a client-side certificate which is how the standard gains particular strength over other mechanisms. A compromised password is not enough to access a properly secured infrastructure using EAP-TLS for authentication. For instance, if the client certificate was stored on a smartcard it could only be stolen if the card itself was stolen, thus allowing administrators to quickly revoke individual access rights in response to a theft or other security issue. This process is clearly much more problematic if the employment of other less robust authentication systems (such as those based on single passwords or network keys) is standard. The security offered by EAP-TLS is high. However, PKI deployment and management can be unduly complex for some organisations. For those with a PKI already in place, this is the currently the most secure mechanism available. 4.2.1.2 Protected EAP (PEAP) PEAP is a joint proposal by Cisco Systems, Microsoft and RSA Security as an open standard. There are two versions of PEAP. PEAPv0 (EAP-MSCHAPv2) PEAPv0 is the most common version of PEAP. It is supported on the Client and Server side by various vendors, including Microsoft and Cisco. PEAP creates an encrypted SSL/TLS channel between the client and the authentication server, and the channel then protects the subsequent user authentication exchange. To create the secure channel between client and authentication server, the PEAP client first authenticates the PEAP authentication server using digital certificate authentication. This technique is widely used to protect Web transactions (using SSL) and requires only the server to own a digital certificate. Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2) is used to perform user authentication. This information is sent through the secure channel. PEAPv1 (EAP-GTC) PEAPv1/EAP-GTC was created by Cisco as an alternative to PEAPv0. It allows the use of an inner authentication protocol other than Microsoft’s MSCHAPv2. Even though Microsoft co-invented the PEAP standard, Microsoft never added support for PEAPv1 in general, which means PEAPv1/EAP-GTC has no native Windows OS support. 4.2.1.3 EAP Tunneled Transport Layer Security (EAP-TTLS) EAP-TTLS was developed by Funk Software and Certicom and combines network-based certificates with other authentication such as tokens or passwords. It is similar to PEAP in the fact that a secure TLS channel is first created between the client and the authentication server. During the second phase of authentication, TTLS uses the TLS channel to exchange attribute-value pairs, much like RADIUS. Current implementations of TTLS offer support for all defined EAP methods, plus older methods such as Challenge Handshake Authentication Protocol (CHAP), Microsoft Challenge Handshake Authentication Protocol Version 1 and 2 (MS-CHAPv1 and v2). Page 10 of 17 By defining new attributes to support them it is easy to extend TTLS to work with new protocols. EAP-TTLS offers support across multiple vendors, and has a good foothold in the marketplace with interoperability across different platforms. 4.2.1.4 EAP Fast Authentication via Secure Tunnelling (EAP-FAST) Cisco Systems created the EAP-FAST authentication protocol to help bridge the gap between security and usability. The protocol aims to utilise the same secure encrypted channel (which, as with PEAP, protects user credentials during the authentication session) without the need for any PKI on either the client or server side of the connection. The EAP-FAST protocol follows some of the characteristics of the PEAP authentication protocol and in common with PEAP has two phases. Phase one creates a secure encrypted channel, while the second phase creates an MS-CHAPv2 session to verify the client with the authentication server. MSCHAPv2 has well known weaknesses, particularly against dictionary-based attacks (See Section 4.2.1.5 - LEAP), therefore the encrypted channels created in phase one create a safer environment for the MS-CHAPv2 authentication process. Instead of using digital certificates (as is done by PEAP and EAP-TTLS), a Protected Access Credentials (PAC) file is utilised by EAP-FAST as the shared secret for phase one of the process. Each PAC file is a unique entity; therefore the creation and provision of a PAC file is required for each user. Two deployment alternatives are available to distribute the individual PAC files, automatic and manual: Achieving automatic provisioning using ‘Anonymous Phase 0’ authentication is possible. However, this exposes authentication information in the clear during early stages of communication and thus creates a security risk. The manual provisioning of PAC files onto devices can be utilised to mitigate this risk, so this process should be followed for deployment onto devices which require access via EAP-FAST. This process will inevitably incur an extra administrative overhead for larger networks. The EAP-FAST protocol has proven useful in certain environments for Voice over Internet Protocol (VoIP) phones and other latency sensitive devices which require roaming ability and thus low latency authentication. When using a Cisco WLAN infrastructure, the EAP-FAST protocol should help to ensure that devices re-authenticate in the fastest possible manner whilst roaming between wireless access points within a campus. When considering the manual PAC file provisioning process, in addition to the fact that EAPFAST is proprietary, it is recommended that EAP-FAST be used only for devices which require the specific benefits of the protocol and seek alternatives for deployment on other systems. 4.2.1.5 Lightweight EAP (LEAP) LEAP is an older Cisco Proprietary EAP protocol, which was popular in early deployments of Cisco WLAN infrastructures. This protocol has significant security weakness, including: Username is sent ‘in the clear’ over the WLAN. A hash of the password is sent over the WLAN and this hash can be ‘sniffed’. In some cases, the passwords can be recovered by performing off-line brute force attacks (e.g. dictionary attack). Page 11 of 17 As such, LEAP should only be used when supporting legacy hardware (e.g. VoIP WLAN phones) and should be deployed as follows: A dedicated logical network segment is used on the wired LAN (e.g. a VLAN). Traffic from users authenticated using LEAP must be restricted to this dedicated network and this network must be segmented from the rest of hospital network using an EAL4 certified firewall. A dedicated authentication server is used. Usernames and passwords should be different to those used for any other applications, including general WLAN access. Strong passwords are used (containing uppercase, lowercase, numbers and symbols). Due to the significant security weaknesses within the protocol the use of LEAP to connect any devices onto data networks is extremely unsafe and not recommended. 4.3 Device authentication In order to prevent unauthorised devices connecting to the wireless LAN, device authentication must be implemented. One of the easiest ways of achieving this is with MAC address authentication. This list of approved MAC addresses should be held on a central authentication server, and not on any individual access points. Lost or stolen devices can then easily be disabled. An alternative approach is to use certificates stored on the wireless LAN client device. 4.4 Access control lists / Firewalls For all WLAN deployments, access to devices on the wired LAN should be restricted to those services that need to be accessed from mobile devices. This can be achieved by applying Access Control Lists on routers or firewalls that sit between the WLAN and the wired network. 4.5 Intrusion detection Intrusion Detection should be deployed on the WLAN traffic so that any breaches to the WLAN security can be detected as early as possible. Automatic notification of detected attacks should be deployed in conjunction with regular checking of the IDS logs. 4.6 Virtual Private Networks An alternative to using WPA/WPA2 for authentication and encryption is to use IP-SEC Virtual Private Networks (VPN). This technology is typically used for allowing secure access to corporate networks over the internet. If this option is to be used, the following steps must be adopted: The WLAN access point can be configured to accept Open Authentication, but MAC address authentication should still be used to control which devices can access the WLAN. The WLAN access points must be configured such that WLAN devices cannot communicate with other WLAN devices prior to the VPN tunnel being established. A dedicated logical network segment must be used on the wired LAN (e.g. a VLAN). When the VPN is not established, all traffic from the WLAN users must be restricted Page 12 of 17 to this dedicated network and this network must be segmented from the rest of hospital network using an EAL4 certified firewall. Access-lists will need to be applied on the EAL4 firewall to ensure that traffic from the devices on the WLAN can only communicate with a VPN device such as a VPN concentrator or Firewall. VPN client software will need to be installed and configured on all client devices. The VPN device will need to be configured to perform Extended Authentication (XAUTH). This will challenge the users for authentication credentials when establishing the VPN tunnel. AES must be used as the encryption protocol VPN clients must be configured so that all traffic is sent down the VPN tunnel. I.e. split tunnelling must be disabled. Access-lists must be applied to the traffic emerging from the VPN device, as described in Section 4.4. Main Hospital Network Dedicated Network Segement Client Access Point EAL4 Firewall VPN Device Firewall/Router IP-SEC VPN Tunnel created from Client to VPN Device Figure 1 - VPN Option 4.7 Auditing A log of access to the WLAN infrastructure must be kept, and this should also include access attempts. These logs should be checked regularly to see if any unauthorised access is being attempted. Logs need to be kept for a minimum period of 2 years. Where possible, WLAN access points should be configured to report any unknown access points. This will increase the probability of a ‘rogue’ access point being detected. In addition to the above, regular manual WLAN ‘sweeps’ of all sites should be undertaken to highlight any ‘rogue’ access points 4.8 Penetration testing It is advisable to perform penetration testing on the WLAN deployment, to ensure that it is secure. Feedback from the test should be acted upon without delay. This should be repeated on a regular basis (e.g. 3 months) and additionally when any changes to the security model are made. Page 13 of 17 5 General Deployment Guidelines This sections highlights some ‘best practice’ guidelines which should be considered when deploying a WLAN infrastructure. 5.1 Site surveys Thorough site surveys should be undertaken to ensure the following: A strong signal is maintained in the areas that need to be covered. Minimising the spread of the signals outside of the required areas. Appropriate channels and power ratings are selected to reduce the risk of interference with other radio sources. 5.2 High availability In areas where the WLAN is necessary to support clinical care, the following should be considered: Signals from access points are ‘overlapped’ ‘to ensure that service is maintained in the event of a failure of a single access point. Access points should be connected to different switches to ensure that some WLAN coverage is maintained, even in the event of a switch failure. Access points should be powered from managed Ethernet Switches. Network switches that support the WLAN should be connected to Un-interruptible Power Sources. All underlying systems that support the WLAN (e.g. DHCP servers, authentication and authorisation servers, etc) should be installed in a resilient manner. Failure of any single component should not result in a total outage of the WLAN. 5.3 Access Point security Where possible, access points and aerials should be installed where they cannot be seen (e.g. above false ceilings). This is to reduce the chances of them being stolen. Access Points should be secured so that they cannot easily be removed (e.g. using padlocks). Access points should be set-up to load their configuration over the network. This will ensure that no ‘sensitive’ information (e.g. IP addressing schemes, secret keys, etc) will be divulged if access-points are lost or stolen. Several modern WLAN solutions are based around ‘thin’ access-points which are controlled from a central controller. With most of these systems, no configuration data is stored on the access-point. Usernames and passwords (including those used to manage the access points) should not be stored on the device itself, but rather on a secured authentication/authorisation server. Typically, a ‘fallback’ username/password combination will be stored on the access point such that it can still be managed if the authentication server fails. This should not be the same as any usernames/passwords stored on the authentication/authorisation servers. Page 14 of 17 5.4 Hardware Any equipment that is purchased should support multiple SSIDs (with different EAP methods for each SSID). This will allow for a future National WLAN Authentication method to be used in parallel with existing local implementations. 5.5 Policies A WLAN security policy is required in each organisation covering who may install the technology, the standards for user access control, encryption and other security controls. It should also include the responsibilities of both the IM&T department and the users of this technology. See the “Guidance for the Secure Implementation of Wireless Networking” document for further information. Page 15 of 17 Glossary 802.1x IEEE 802.1X is an IEEE standard for port-based Network Access Control. It is used for both wired and wireless LAN networks. 802.11 A set of standards defined by IEEE for Wireless LANs. The original 802.11 standard supported speeds of 1 and 2 Mbps and operated in the 2.4 GHz frequency range. 802.11a Amendment to the 802.11 standard that defines a wireless LAN that operates in the 5 GHz frequency range and supports transmission speeds up to 54 Mbps. 802.11b Amendment to the 802.11 standard that defines a wireless LAN that operates in the 2.4 GHz frequency range and supports transmission speeds up to 11 Mbps. 802.11g Amendment to the 802.11 standard that defines a wireless LAN that operates in the 2.4 GHz frequency range and supports transmission speeds up to 54 Mbps. 802.11g is backwards compatible with 802.11b. 802.11i Amendment to the 802.11 standard specifying security mechanisms for wireless LANs. Also known as WPA2. 802.11n Currently a draft amendment to the 802.11 standard supporting higher speeds and greater transmission distances than available with 802.11a/b/g. Uses MIMO technology, where multiple transmitters and receivers are used. AES Advanced Encryption Standard. An encryption standard used with 802.11i/WPA2. Authentication Server A server that holds user credentials and is used for authenticating users as part of 802.1x. Authenticator In 802.1x terms, the authenticator is the network device that challenges the supplicant for authentication. With wireless LANs, this is typically the wireless access-point. Certificate An electronic document that verifies the owner of a public key, issued by a certificate authority. dawn2 Digital All Wales Network. The private network that connects NHS Wales’ organisations. DSSS Direct Sequence Spread Spectrum is a type of spread-spectrum radio transmission that spreads its signal continuously over a wide frequency band. EAP Extensible Authentication Protocol (EAP) is a general authentication protocol that supports multiple authentication methods and is used in wireless LANs. IEEE Institute of Electrical and Electronics Engineers. MAC address MAC (Media Access Control) addresses are unique addresses assigned to network cards. MIMO Multiple-Inputs-Multiple-Outputs. See 802.11n Page 16 of 17 OFDM Orthogonal Frequency Division Multiplexing is used for carrier modulation in digital transmissions. A spread spectrum technique, it combines good noise resistance, immunity to reflections and efficient use of the spectrum. OTP One-Time Password. A password that is valid for one use only. Typically a OTP is generated using a hardware token or key card. The comprehensive system required to provide public-key encryption and digital signature services is known as a Public-Key Infrastructure (PKI). PKI The purpose of a public-key infrastructure is to manage keys and certificates. By managing keys and certificates through a PKI, an organization establishes and maintains a trustworthy networking environment. A PKI enables the use of encryption and digital signature services across a wide variety of applications. (Taken from http://www.entrust.com) RADIUS Remote Authentication Dial In User Service (RADIUS) is an authentication, authorisation and accounting protocol used with the 802.1x. Rogue Access Point A ‘rogue’ access point is one that has been installed by an employee without approval from the I.T. department, or one that has been installed with malicious intent (e.g. by a hacker) SSL A predecessor to SSL. Supplicant In 802.1x terms this is the client device (i.e. the device attempting to authenticate to a wireless network). TKIP The Temporal Key Integrity Protocol, (TKIP) is part of the 802.11i encryption standard for wireless LANs. TKIP provides per-packet key mixing, a Message Integrity Check (MIC) and a re-keying mechanism, to overcome the weaknesses of WEP. TLS The TLS protocols allow client/server applications to communicate in a way designed to prevent eavesdropping, tampering, and message forgery. WEP Wired Equivalency Privacy (WEP) is a security protocol used on wireless LANs. WEP has several known vulnerabilities and is not suitable for use on dawn2. Wi-Fi Wi-Fi is a brand name originally licensed by the Wi-Fi Alliance to describe the underlying technology of wireless LANs based on the 802.11 specifications. Wi-Fi Alliance The Wi-Fi Alliance® is a trade group that owns the trademark to Wi-Fi WLAN Wireless Local Area Network. WPA Wi-Fi Protected Access (WPA) is a set of security mechanisms, created by the Wi-Fi Alliance, for protecting wireless LANs. It is based on a subset of the 802.11i standard. WPA2 WPA2 is the Wi-Fi Alliance’s term for the full implementation of the 802.11i standard. Page 17 of 17