Wireless Access Security - User and Link
The following information only briefly touches upon access and
wireless link security. The document was written to inform the
reader about several methods of securing WiFi system access and
should not be taken as the final word on the subject.
There are actually several layers or methods of securing a
wireless communications link; each has its strengths and
weaknesses, and some are just totally useless. I will attempt to
describe several of the methods you can use to protect your
login and information from the curious (or malicious). We are
looking at both the user's access to the system and the
protection of the information passing over the wireless link (if
implemented).
Normally there are two kinds of WiFi access: one does not
require any authentication to link to the network, whereas the
other does require some form of authentication by the user. A
free "open" or "public" WiFi system normally would not require
any authentication on the part of the user, since it freely
allows anyone to use the system. On the other hand, there may be
a valid reason for a user to authenticate themselves on the
system before they can use it. It is the latter user we are
discussing here.
The second side of wireless access security deals with the
actual information passing across the wireless link. One very
big reason you might want to protect the information is that
anyone with a wireless "sniffer" program running on a laptop
able to intercept the wireless radio signals can "see"
everything you're sending across the wireless link. This
includes email, the web site information you are viewing (unless
it is an SSL-encrypted website), files you are transferring and
so on. Protecting this information requires encrypting the
wireless link between your laptop/PDA and the wireless access
point you are connecting to.
User Authentication
User name / Password Security:
Most systems in use for WiFi access that require a user to
authenticate with the system use some form of a
Username:Password scheme for authentication. The authentication
scheme may require a user name and password combination (the
most common method) or a 'token' to access the system. A
'token' based system would use a "key" string, such as a ticket
value, entered into the login screen displayed to the user
through a web page. A 'token' based system is usually found in
hotels or restaurants, where the token is given to patrons of
the business to access the WiFi system provided.
This is fine as long as the information is sent in a secure
manner to the server providing the authentication. This is
usually accomplished by using a web server running SSL, so the
information passes from the user's browser to the
authentication web server in encrypted form.
Automatic Laptop/PDA based access:
A second form of authentication involves using some unique
feature of the laptop or PDA device a person is using to access
the WiFi system: either a "token" value sent to the
authentication server by the laptop/PDA when it is within range
of the wireless system, or the MAC address of the wireless
adapter contained within the laptop or PDA. The use of the MAC
address seems to be the main method used, since it does not
require any additional programs to be running on the laptop or
PDA device in order to authenticate with the authentication
server of the wireless system.
RADIUS Access Security:
RADIUS is an acronym which stands for 'Remote Authentication
Dial-In User Service' and was originally developed for dial-up
internet access. RADIUS has gone through numerous changes and
enhancements over the years to become a very good method of
authentication. This article only touches upon the capabilities
of RADIUS, so if you want to learn more about this
authentication method I would strongly suggest you "google" the
word RADIUS!
RADIUS uses a username:password combination to authenticate a
user, and the username:password information can be held in
several different storage backends: LDAP, Active Directory, SQL,
a regular file and so on. You can have multiple RADIUS servers
that communicate with each other to determine whether the user
has the right to access the wireless network, and you can even
control the individual download/upload speed and the time the
user can be on the wireless network if you have the correct
wireless access point installed. One feature of RADIUS is the
capability of creating a wireless network system that
establishes an encrypted link between the user's laptop and the
wireless access point. Of course the user will need software
running on the laptop to allow this functionality, and the
wireless access point must be able to handle the encryption for
its end of the link, but the capability does exist!
WiFi Radio Link Security
WEP (Wired Equivalent Privacy) Security:
WEP was the first security protocol for wireless networks and
does have some major problems! In the design of the protocol
the original designers made the mistake of limiting the method
used to create the encryption keys for the encrypted
communications, and also made the error of using an encryption
method that was not "random" in its operation. In layman's
terms, you can collect enough information from the encrypted
communications to "break" the encryption and see the actual
information that was encrypted! Please do NOT rely on WEP to
protect your wireless network; you will not have a secure
system, just a false sense of security!
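As an added example not taken from the original article, the following Python shows the concrete form of the key-generation limit described above: WEP prefixes only a 24-bit per-frame IV to the shared key, so the same keystream comes around again after a few thousand frames. It computes that birthday bound and checks a capture for repeated IVs, which is what a monitor on your own WEP network could do to demonstrate the problem; the frame layout, BSSID and payloads are constructed test values.

```python
import math
import struct
from collections import defaultdict

WEP_IV_BITS = 24        # WEP prefixes a 24-bit IV to the shared key for every frame
PROTECTED_FLAG = 0x40   # "Protected Frame" bit in the second Frame Control byte

def frames_until_iv_collision(iv_bits=WEP_IV_BITS, probability=0.5):
    """Birthday bound: frames after which an IV repeat is at least this probable."""
    space = 2 ** iv_bits
    return math.ceil(math.sqrt(2 * space * math.log(1 / (1 - probability))))

def make_wep_frame(bssid, iv, body):
    """Constructed 802.11 data frame (FromDS, protected) carrying a WEP IV; test data only."""
    frame_control = struct.pack("<BB", 0x08, 0x02 | PROTECTED_FLAG)
    header = frame_control + b"\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    return header + iv + b"\x00" + body   # 3-byte IV, key-index byte, then the RC4 payload

def wep_iv(frame):
    """Return (bssid, iv) for a protected data frame, or None for anything else."""
    if len(frame) < 28 or not frame[1] & PROTECTED_FLAG:
        return None
    return frame[10:16], frame[24:27]        # Addr2 is the BSSID when FromDS=1

def find_iv_reuse(frames):
    """Defender's check: every (bssid, iv) pair that appears more than once in a capture."""
    counts = defaultdict(int)
    for frame in frames:
        key = wep_iv(frame)
        if key is not None:
            counts[key] += 1
    return sorted(key for key, n in counts.items() if n > 1)

AP = b"\x00\x11\x22\x33\x44\x55"            # constructed BSSID
SAMPLE_FRAMES = [                           # constructed capture: the third frame reuses an IV
    make_wep_frame(AP, b"\x01\x02\x03", b"hello"),
    make_wep_frame(AP, b"\x01\x02\x04", b"world"),
    make_wep_frame(AP, b"\x01\x02\x03", b"again"),
    b"\x08\x02" + b"\x00" * 26,             # unprotected frame: ignored
]
```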
WPA/WPA2 (Wi-Fi Protected Access) Security:
To correct the weaknesses of WEP, WPA (Wi-Fi Protected Access)
and WPA version 2 were created. The difference between WPA and
WPA2 has to do with the encryption strength and the
establishment of the actual encrypted link. Of the two, WPA2 is
the 'stronger' version but requires a little more work to
implement properly. WPA does not suffer from the problems of
WEP and is a much better choice to secure the wireless link
between two wireless devices.