Here are some useful wireless and security terms that you may have come across, each with a brief definition.
- IEEE 802.11: The Institute of Electrical and Electronics Engineers (IEEE) family of standards for wireless LANs, which was first introduced in 1997. 802.11b is a standard that is endorsed and branded as Wi-Fi* by the Wi-Fi Alliance.
- IEEE 802.1X: A security standard featuring a port-based authentication framework and dynamic distribution of session keys for WEP encryption. A RADIUS server is required.
- IEEE 802.11i: An upcoming security standard currently being developed by the IEEE that features 802.1X authentication protections and adds the Advanced Encryption Standard (AES) for encryption protection, along with other enhancements.
- NAT: Network address translation is a type of firewall that hides internal IP addresses from the internet. The software keeps track of your data packets and maps each one to a port number on the NAT device’s own IP address.
- WPA: Wi-Fi Protected Access* is a Wi-Fi Alliance security standard that solves the encryption issues of WEP by utilizing TKIP, which wraps around WEP and closes its security holes. WPA also includes the authentication benefits of 802.1X.
- EAP: Extensible authentication protocol (EAP) is a point-to-point protocol that supports multiple authentication methods. Which EAP types are supported depends on the operating system in use.
- TKIP: Temporal key integrity protocol is utilized by the 802.1X and WPA standards for authentication. Designed by top cryptographers, it provides a wrapper around WEP that closes the security holes of WEP.
- WEP: Wired equivalent privacy is the original 802.11 security protocol for wireless networks.
- VPN: Virtual private network technology offers additional WLAN protection, which is important for critical data. This protects a WLAN by creating a tunnel that shields the data from the outside world.
- RADIUS: Remote authentication dial-in user service is a back-end server that performs the authentication using EAP. It is required by the IEEE 802.1X security standard.
Security Conclusion
Just as the safest computer is locked in a keyless safe and not plugged in, the safest wireless network is the one that isn’t turned on. Next to that, combining several of the steps documented on this site should lead to a very secure network. Using WPA with EAP-TTLS probably provides the best authentication possible at this time, but it may not be practical for a number of reasons.
Many of the measures proposed here are totally insufficient by themselves to secure a wireless network, but combining them according to the particular environment where the wireless network is deployed may begin to provide secure access.
It’s important not to differentiate between kinds of traffic when you’re considering the security implications on your wireless network. For example, imagine you had availed yourself of a free trial of BBC iPlayer to stream abroad. You might consider that there’s no point in encrypting this traffic as it’s only video; however, it can be difficult to protect individual settings, and if you try, it’s likely mistakes will be made. This is often the case with people using VPNs who turn them off to watch something like the BBC stream above in order to reduce the encryption overhead, then forget to re-enable them after the stream has completed, leaving their connection vulnerable.
If neither WEP nor WPA is available, the wireless network should at a minimum operate in its own subnet with a tightly configured firewall separating it from the wired network and the use of a VPN tunnel should be encouraged. SSID broadcast and MAC address filtering should respectively be disabled and enabled on the access point, while all clients should be configured with their own static IP address in order to eliminate the need for a DHCP server on the wireless network.
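As an added example (not code from the original site), here is a POSIX shell function that emits an nftables ruleset implementing the segmentation just described: the wireless subnet sits behind a default-deny forward policy, only the VPN endpoint on the wired side is reachable from it, and DHCP requests from wireless clients are refused. The interface names, subnets, VPN address and port are assumed placeholders, not values from the page.

```shell
#!/bin/sh
# Added example: build an nftables ruleset that keeps the wireless segment in
# its own subnet and lets only VPN traffic cross into the wired network.
# All names and addresses below are assumptions; override them via environment.
WLAN_IF="${WLAN_IF:-wlan0}"               # interface facing the wireless segment
LAN_IF="${LAN_IF:-eth0}"                  # interface facing the wired network
WLAN_NET="${WLAN_NET:-192.168.50.0/24}"   # wireless subnet (assumed)
VPN_GW="${VPN_GW:-192.168.1.10}"          # VPN concentrator on the wired side (assumed)
VPN_PORT="${VPN_PORT:-1194}"              # VPN UDP port, e.g. OpenVPN (assumed)

# Print the ruleset to stdout; review it, then apply with: gen_wlan_ruleset | nft -f -
gen_wlan_ruleset() {
  cat <<EOF
table inet wlan_guard {
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
    # Only the VPN endpoint is reachable from the wireless subnet.
    iifname "$WLAN_IF" oifname "$LAN_IF" ip saddr $WLAN_NET ip daddr $VPN_GW udp dport $VPN_PORT accept
    # Anything else from wireless to wired is logged and dropped.
    iifname "$WLAN_IF" oifname "$LAN_IF" log prefix "wlan-blocked: " drop
  }
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    iifname "lo" accept
    # No DHCP service on the wireless side: clients use static addresses.
    iifname "$WLAN_IF" udp dport 67 drop
    iifname "$LAN_IF" accept
  }
}
EOF
}

gen_wlan_ruleset
```

The `log prefix` rule gives the firewall's own record of every blocked wireless-to-wired attempt, which is worth watching for repeated probes.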
Most of these steps are easily bypassed by a determined hacker, but it is hoped that their accumulation will frustrate most would-be attackers into looking for an easier target to compromise, like your home wireless network.
Despite their weaknesses, WEP or WPA with LEAP should still be used if they are available, but their presence should be complemented by other measures such as, again, a tightly configured firewall or a security device from BlueSocket or Vernier Networks.
Irrespective of any other measure used, the location and configuration of all antennas should be carefully calculated to maximize coverage where it is necessary and minimize it where it is not wanted.
If a wireless home network can contain its wireless signal as much as possible within its physical borders, it becomes that much less likely that an attacker will be sitting in a car in the parking lot attempting to defeat or bypass whatever security measure is in place.