Copyright Goodheart-Willcox Co., Inc. 449 Chapter 14 Wireless Network Security

Wi-Fi Protected Access II (WPA2)

Wi-Fi Protected Access II (WPA2) is the second generation of WPA. It provides stronger cryptographic protection and better control over who is admitted to the network. WPA2 took the security mechanisms of WPA and strengthened them, particularly encryption and authentication. The WPA2 cryptographic protocol replaced the RC4 stream cipher with AES encryption and added Counter Mode with Cipher Block Chaining Message Authentication Code Protocol. Advanced Encryption Standard (AES), the standardized form of the Rijndael cipher, is a symmetric block cipher that works on 128-bit blocks with 128-, 192-, or 256-bit keys; CCMP uses AES with a 128-bit key. Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) is the AES-based encryption protocol that IEEE 802.11i defines for wireless LANs. Despite the name, it is not a single chaining mode: the frame payload is encrypted in counter (CTR) mode, and a separate CBC-MAC is computed over the frame header and payload. The biggest difference between CCMP and traditional Cipher Block Chaining (CBC) encryption is that CBC-MAC transmits none of its chained blocks; when the chain reaches its last block, that block is truncated to 64 bits and appended to the frame as a message integrity code (MIC), so the receiver detects any change to the header or payload and discards the frame. Not all devices support CCMP, however. In those situations, WPA2 with TKIP can be employed as a fallback, with the caveat that TKIP still relies on RC4 and carries the weaknesses of the original WPA, and a mixed-mode network is only as strong as the weakest cipher it accepts; TKIP should be disabled once the legacy clients are gone. WPA2 is currently the most widely used security option for WLANs. WPA2 provides multiple authentication techniques, including the following.

802.1X

Businesses often use the IEEE 802.1X standard for authenticating users wirelessly. IEEE 802.1X, known in the Wi-Fi context as enterprise Wi-Fi, is a port-based network access control standard; it is not specific to wireless and is also used on wired switch ports. It provides more security than a shared passphrase because the port through which a client would reach the network stays closed until the user's identity has been confirmed; only then is the port opened. It is not always convenient or safe to use the standard connection option of providing users with the passphrase for WLAN access, because a passphrase can be easily shared with those who should not be accessing the network.
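The CCMP construction described in the WPA2 section above, as an added example that is not from the book: a Go implementation of AES-CCM with the 802.11i parameters (AES-128, 8-octet MIC, 2-octet length field, 13-octet nonce built from priority, transmitter address and packet number) using only the Go standard library. The key, transmitter address, header and payload are constructed values; the frame header is stood in for by an arbitrary byte string rather than the real masked 802.11 MAC header, and the packet-number replay check a real receiver performs is not modelled.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/subtle"
	"errors"
	"fmt"
)

// CCM parameters IEEE 802.11i fixes for CCMP: AES-128, 8-octet MIC (M = 8), 2-octet length field (L = 2), 13-octet nonce.
const micLen, lenField, nonceLen = 8, 2, 13

// ccmpNonce builds priority || transmitter address A2 || 48-bit packet number (PN). The PN must never
// repeat under one key; receivers also use it to drop replayed frames (replay check not modelled here).
func ccmpNonce(priority byte, a2 [6]byte, pn uint64) [nonceLen]byte {
	n := [nonceLen]byte{priority}
	copy(n[1:7], a2[:])
	for i := 0; i < 6; i++ { // PN big-endian in the last six octets
		n[12-i] = byte(pn >> (8 * i))
	}
	return n
}

// counterBlock is A_i = (L-1) || nonce || i (big-endian); A_0 is reserved for masking the MIC.
func counterBlock(nonce []byte, i uint16) []byte {
	return append(append([]byte{lenField - 1}, nonce...), byte(i>>8), byte(i))
}

// cbcMac chains AES over B_0 || AAD || plaintext as RFC 3610 lays them out. Unlike CBC encryption,
// no chained block is transmitted: only the first micLen octets of the last block become the MIC.
func cbcMac(block cipher.Block, nonce, aad, plaintext []byte) []byte {
	// B_0 = flags || nonce || len(plaintext); flags = Adata | ((M-2)/2)<<3 | (L-1). CCMP always has header AAD.
	data := append([]byte{0x40 | byte((micLen-2)/2)<<3 | (lenField - 1)}, nonce...)
	data = append(data, byte(len(plaintext)>>8), byte(len(plaintext)))
	data = append(append(data, byte(len(aad)>>8), byte(len(aad))), aad...) // 2-octet length prefix (AAD < 2^16-2^8)
	data = append(data, make([]byte, -len(data)&15)...)                   // zero-pad to a block boundary
	data = append(data, plaintext...)
	data = append(data, make([]byte, -len(data)&15)...)
	x := make([]byte, aes.BlockSize) // X_0 = 0; X_{i+1} = E(K, X_i XOR B_i)
	for off := 0; off < len(data); off += aes.BlockSize {
		for j := range x {
			x[j] ^= data[off+j]
		}
		block.Encrypt(x, x)
	}
	return x[:micLen]
}

// maskedMic is CBC-MAC XOR S_0 with S_0 = E(K, A_0), so the raw tag never goes on the air.
func maskedMic(block cipher.Block, nonce, aad, pt []byte) []byte {
	mic := cbcMac(block, nonce, aad, pt)
	s0 := make([]byte, aes.BlockSize)
	block.Encrypt(s0, counterBlock(nonce, 0))
	for i := range mic {
		mic[i] ^= s0[i]
	}
	return mic
}

func newBlock(key, nonce []byte) (cipher.Block, error) {
	if len(key) != 16 || len(nonce) != nonceLen {
		return nil, errors.New("CCMP needs a 128-bit key and a 13-octet nonce")
	}
	return aes.NewCipher(key)
}

// ccmpEncrypt returns ciphertext || MIC; aad is the MAC header, integrity-protected but sent in clear.
func ccmpEncrypt(key, nonce, aad, plaintext []byte) ([]byte, error) {
	block, err := newBlock(key, nonce)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(plaintext), len(plaintext)+micLen)
	cipher.NewCTR(block, counterBlock(nonce, 1)).XORKeyStream(out, plaintext) // keystream S_1, S_2, ...
	return append(out, maskedMic(block, nonce, aad, plaintext)...), nil
}

// ccmpDecrypt returns the plaintext only if the MIC verifies; a modified header or payload is rejected.
func ccmpDecrypt(key, nonce, aad, sealed []byte) ([]byte, error) {
	block, err := newBlock(key, nonce)
	if err != nil || len(sealed) < micLen {
		return nil, errors.New("bad key, nonce or frame length")
	}
	ct, mic := sealed[:len(sealed)-micLen], sealed[len(sealed)-micLen:]
	pt := make([]byte, len(ct))
	cipher.NewCTR(block, counterBlock(nonce, 1)).XORKeyStream(pt, ct)
	if subtle.ConstantTimeCompare(maskedMic(block, nonce, aad, pt), mic) != 1 {
		return nil, errors.New("MIC mismatch: frame modified, wrong key or wrong nonce")
	}
	return pt, nil
}

func main() {
	nonce := ccmpNonce(0, [6]byte{0, 0x11, 0x22, 0x33, 0x44, 0x55}, 1) // constructed A2, PN = 1
	sealed, _ := ccmpEncrypt([]byte("0123456789abcdef"), nonce[:], []byte("hdr"), []byte("hello, WPA2")) // constructed
	fmt.Printf("ciphertext||MIC: %x\n", sealed)
}
```

The decryption path is where the difference from a bare CBC chain shows: the plaintext is released only after the recomputed CBC-MAC, masked with S_0, matches the received MIC in a constant-time comparison, so a flipped ciphertext bit or a spoofed header is rejected rather than silently accepted, and encrypting the same frame under the next packet number yields different ciphertext because the nonce changes. The B_0, AAD and counter encodings follow RFC 3610, whose test vectors can be used to check them.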
Additionally, as employees join and leave the company, the security of the passphrase becomes weaker: every departed employee still knows it, and the only remedy is to change it on every device. With enterprise Wi-Fi, users do not need to be given a passphrase specifically for wireless access. Instead, they are authenticated through their network login names and passwords, so disabling an account revokes that user's wireless access as well.

With the 802.1X standard, Extensible Authentication Protocol (EAP) messages are carried in data frames (EAP over LAN, or EAPOL) and used to provide authentication. In this process, the access point takes the role of a security guard. It passes the credentials and information between the client and the authenticating server without interpreting them itself. In 802.1X, the client is known as the supplicant, and the AP is considered the authenticator. The 802.1X process is depicted in Figure 14-2.

1. The client (supplicant) sends a request packet for access.
2. The authenticator (AP) requests identity information from the client.
3. The authenticator (AP) forwards this information to the authentication server, typically a RADIUS server.
4. The RADIUS server sends a challenge to the authenticator, which relays it to the client.
5. The client responds to the challenge, and the authenticator relays the response to the RADIUS server.
6. If the RADIUS server accepts the response, the client is granted access; otherwise the port stays closed.

Enterprise Wi-Fi, sometimes referred to as WPA2 Enterprise, provides security by implementing port-based authentication: the controlled port for a client passes only EAPOL frames until authentication succeeds, and only then is it opened for normal network traffic. It uses an authentication server called a RADIUS server to confirm the user's identity. A Remote Authentication Dial-In User Service (RADIUS) server is an identity and access authentication server that functions on both wired and wireless networks.
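The six-step exchange above, as an added example that is not from the book or from any 802.1X implementation: a Go model of supplicant, authenticator and RADIUS server. The user store, MAC addresses, credentials and the keyed-hash challenge/response are constructed assumptions standing in for a real directory and a real EAP method; what the model keeps faithful is the division of roles, in which the access point relays EAP without ever learning the password and its controlled port drops data frames until the server returns Access-Accept.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// radiusServer holds the identity store. The users map is constructed for this example; a real
// RADIUS server consults the directory (Active Directory/LDAP), so disabling an account there
// revokes Wi-Fi access without touching a single access point.
type radiusServer struct {
	users map[string]string // identity -> password (hypothetical store)
}

// Access-Request carrying EAP-Response/Identity: answer a known identity with a fresh random
// challenge (Access-Challenge), or reject an unknown one.
func (s *radiusServer) accessRequestIdentity(identity string) ([]byte, bool) {
	if _, known := s.users[identity]; !known {
		return nil, false
	}
	challenge := make([]byte, 16)
	if _, err := rand.Read(challenge); err != nil {
		panic(err)
	}
	return challenge, true
}

// Access-Request carrying the supplicant's answer: Access-Accept only if it matches.
func (s *radiusServer) accessRequestResponse(identity string, challenge, response []byte) bool {
	pw, known := s.users[identity]
	if !known {
		return false
	}
	return subtle.ConstantTimeCompare(challengeResponse(pw, challenge), response) == 1
}

// challengeResponse is a toy keyed-hash challenge/response (an assumption of this example)
// standing in for a real EAP method such as PEAP-MSCHAPv2 or EAP-TLS. Real methods also
// authenticate the server to the client and derive the session keys WPA2 needs.
func challengeResponse(password string, challenge []byte) []byte {
	m := hmac.New(sha256.New, []byte(password))
	m.Write(challenge)
	return m.Sum(nil)
}

// authenticator is the access point. It never learns the password; it relays EAP between the
// supplicant and the RADIUS server and opens a client's controlled port only on Access-Accept.
type authenticator struct {
	server     *radiusServer
	authorized map[string]bool // controlled-port state, keyed by client MAC
}

func newAuthenticator(srv *radiusServer) *authenticator {
	return &authenticator{server: srv, authorized: map[string]bool{}}
}

// forwardDataFrame models the controlled port: before authorization only EAPOL passes, so any
// ordinary data frame from the client is dropped.
func (ap *authenticator) forwardDataFrame(clientMAC string) bool {
	return ap.authorized[clientMAC]
}

// supplicant uses its normal network login; there is no wireless-specific passphrase.
type supplicant struct {
	mac, identity, password string
}

// runEAPExchange walks the six steps of Figure 14-2 and returns the message transcript together
// with the final state of the client's controlled port.
func runEAPExchange(sup supplicant, ap *authenticator) ([]string, bool) {
	var t []string
	t = append(t, "1 supplicant -> authenticator: EAPOL-Start (request for access)")
	t = append(t, "2 authenticator -> supplicant: EAP-Request/Identity")
	t = append(t, "  supplicant -> authenticator: EAP-Response/Identity "+sup.identity)
	t = append(t, "3 authenticator -> RADIUS: Access-Request (EAP-Response/Identity)")
	challenge, known := ap.server.accessRequestIdentity(sup.identity)
	if !known {
		t = append(t, "  RADIUS -> authenticator: Access-Reject (unknown identity); port stays blocked")
		return t, false
	}
	t = append(t, "4 RADIUS -> authenticator -> supplicant: Access-Challenge / EAP-Request (challenge)")
	response := challengeResponse(sup.password, challenge) // proves the password without sending it
	t = append(t, "5 supplicant -> authenticator -> RADIUS: EAP-Response / Access-Request (response)")
	if ap.server.accessRequestResponse(sup.identity, challenge, response) {
		ap.authorized[sup.mac] = true
		t = append(t, "6 RADIUS -> authenticator: Access-Accept; controlled port for "+sup.mac+" opened")
		return t, true
	}
	t = append(t, "6 RADIUS -> authenticator: Access-Reject; controlled port for "+sup.mac+" stays blocked")
	return t, false
}

func main() {
	srv := &radiusServer{users: map[string]string{"alice": "correct horse battery"}} // constructed
	ap := newAuthenticator(srv)
	for _, sup := range []supplicant{
		{"aa:bb:cc:00:00:01", "alice", "correct horse battery"},
		{"aa:bb:cc:00:00:02", "alice", "wrong password"},
		{"aa:bb:cc:00:00:03", "mallory", "anything"},
	} {
		fmt.Println("data frame forwarded before 802.1X:", ap.forwardDataFrame(sup.mac))
		transcript, ok := runEAPExchange(sup, ap)
		for _, line := range transcript {
			fmt.Println(line)
		}
		fmt.Println("port authorized:", ok, "| data frame forwarded now:", ap.forwardDataFrame(sup.mac))
	}
}
```

Running it prints the three transcripts: the valid user ends with Access-Accept and an open port, the wrong password and the unknown identity both end with Access-Reject and a port that still drops data frames. Two things the model leaves out matter in production: the authenticator and RADIUS server share a secret that protects the RADIUS leg, and the EAP method must be one that authenticates the server to the client, or a rogue access point can harvest the challenge/response.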