Page 207 - StudyBook.pdf

Communication Security: Wireless • Chapter 4  191


                   Head of the Class…
                   So What Exactly are 802.1x and 802.11x?
                   Wireless provides convenience and mobility, but also poses massive
                   security challenges for network administrators, engineers, and security
                   administrators. Security for 802.11 networks can be broken down into
                   three distinct components:


                         ■ The authentication mechanism
                         ■ The authentication algorithm
                         ■ Data frame encryption

                   Current authentication in the IEEE 802.11 standard is focused more on
                   wireless LAN connectivity than on verifying user or station identity.
                   Because a wireless network can scale to a very large number of possible
                   users, it is important to consider a centralized way to authenticate
                   users. This is where the IEEE 802.1x standard comes into play.

                 User Identification and Strong Authentication

                 With the addition of the 802.1x standard, clients are identified by username, not by
                 the MAC addresses of the devices. This design not only enhances security, but also
                 streamlines the process of authentication, authorization, and accountability (AAA)
                 for the network. 802.1x was designed to support extended forms of authentication
                 using password methods (such as one-time passwords, or GSS_API mechanisms like
                 Kerberos) and non-password methods (such as biometrics, Internet Key Exchange
                 [IKE], and Smart Cards).

                 Dynamic Key Derivation
                 The IEEE 802.1x standard allows for the creation of per-user session keys. WEP
                 keys do not have to be kept at the client device or at the AP when using 802.1x.
                 These WEP keys are dynamically created at the client for every session, which
                 makes the network more secure. The global key, like a broadcast WEP key, can be
                 encrypted using a unicast session key, and then sent from the AP to the client in
                 a much more secure manner.
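
A simplified model of the key delivery described above, as an added Python example (not code from the book or from the 802.1x standard). The function names, the message layout and the HMAC-based split of the session secret are assumptions made for illustration; it shows the AP wrapping one global key under a client's unicast session keys and the client rejecting forged or replayed key messages.

```python
import hashlib
import hmac
import os

def rc4(key, data):
    """RC4, the stream cipher WEP is built on; encrypting and decrypting are the same."""
    s, j = list(range(256)), 0
    for i in range(256):                          # key scheduling
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:                             # keystream XOR
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)

def session_keys(eap_secret):
    """Assumed key split: one per-session secret -> (encryption key, signing key)."""
    enc = hmac.new(eap_secret, b"unicast-enc", hashlib.sha256).digest()[:16]
    sig = hmac.new(eap_secret, b"unicast-sig", hashlib.sha256).digest()[:16]
    return enc, sig

def ap_wrap_global_key(global_key, enc_key, sig_key, counter):
    """AP side: encrypt the global key under this client's session key and sign it."""
    iv = os.urandom(16)                           # fresh IV per key message
    body = counter.to_bytes(8, "big") + iv + rc4(iv + enc_key, global_key)
    return body + hmac.new(sig_key, body, hashlib.md5).digest()

def client_unwrap_global_key(msg, enc_key, sig_key, last_counter):
    """Client side: verify signature and freshness, then recover the global key."""
    body, tag = msg[:-16], msg[-16:]
    expected = hmac.new(sig_key, body, hashlib.md5).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("signature mismatch: wrong session or altered message")
    counter = int.from_bytes(body[:8], "big")
    if counter <= last_counter:
        raise ValueError("replayed key message")
    iv, wrapped = body[8:24], body[24:]
    return rc4(iv + enc_key, wrapped), counter

if __name__ == "__main__":
    enc, sig = session_keys(os.urandom(32))       # constructed stand-in for an EAP session secret
    msg = ap_wrap_global_key(os.urandom(13), enc, sig, counter=1)
    print(client_unwrap_global_key(msg, enc, sig, last_counter=0)[0].hex())
```

A second client holding different session keys fails the signature check on this message, so the same global key can be delivered to every client without any of them learning another client's unicast keys.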

                 Mutual Authentication

                 802.1x and EAP provide for a mutual authentication capability. This makes the
                 clients and the authentication servers mutually authenticating end points, and assists
                 in the mitigation of attacks from man-in-the-middle (MITM) types of devices. Any
                 of the following EAP methods provide for mutual authentication:





                                                                              www.syngress.com