Security

802.1X Security Overview 98

HJ Franzen writes "Ars Technica have what they call a wireless security blackpaper posted that's well worth a read. I wish this was available when I was spec'ing wireless VPN solutions for my campus. The article is pretty detailed and discusses the many ways in which companies are trying to address the fatal flaws in WEP."
This discussion has been archived. No new comments can be posted.

  • by Anonymous Coward on Friday July 19, 2002 @09:07AM (#3915899)
    ... unless it's encrypted. Even then, your signal will be able to be recorded and broken 10 years later when computers are faster.
  • SSID Security (Score:2, Insightful)

    by jamesbernsen ( 121493 ) on Friday July 19, 2002 @09:14AM (#3915930) Homepage
    From the article:

    The SSID should be created with the same rules as any strong password (long, non-meaningful strings of characters including letters, numbers and symbols).

    By default the Access Point broadcasts the SSID every few seconds in what are known as 'Beacon Frames'. While this makes it easy for authorized users to find the correct network, it also makes it easy for unauthorized users to find the network name.

    Can someone then explain to me what is the reason for choosing a secure SSID?

  • by Oculus Habent ( 562837 ) <oculus.habent@gma i l . c om> on Friday July 19, 2002 @09:39AM (#3916077) Journal
    You want wireless you're gonna have to accept the freeloaders on your service.

    I haven't played with any wireless base stations other than my AirPort, but I can limit MAC Addresses, as well. Sure, this doesn't work in an environment where many friends/clients will be accessing your network unexpectedly, but in a home/school where the number of new users is extremely limited or well-controlled, this can improve security quite substantially.

    Sure, they can still sniff packets, and they can still break encryption, but it will be a sight harder for them to access your wired network/Internet connection.

  • by WolfWithoutAClause ( 162946 ) on Friday July 19, 2002 @09:45AM (#3916117) Homepage
    what's the difference between an encrypted ack packet and a non enc'd one from a sniffing point of view not a one..

    any key you could possibly be using will get exposed through these very well documented and standardized packets.

    short of non-reversible encs like md5 it is basically impossible to protect data if you know the before enc and after enc data on a common packet.

    Nope. The best encryption techniques are proof against a 'known plaintext attack'; which is what you are talking about here. The code is not resolvable from the plaintext or the encrypted text or both together. Well, theoretically it is resolvable, but the amount of processing necessary to do it is completely beyond computational reach.

    At best you might be able to guess from the context that it was an ack packet, but that's about it.

  • by flatulus ( 260854 ) on Friday July 19, 2002 @12:50PM (#3917457)
    You are correct that 802.1X is the "Port Based Network Access Control" standard. That standard has hooks to permit it to be used in 802.11 networks as well as in switches.

    802.1X is becoming widely adopted as a security adjunct to 802.11 WLAN infrastructures. In fact, the 802.11 Task Group "i" is developing its enhanced security additions to 802.11 on the basis of 802.1X. With "i", 802.11 and 802.1X become joined at the hip.

    While your criticism is somewhat accurate, the use of 802.1X in the title is actually quite relevant to the discussion of evolving 802.11 security.
