WLAN's convenient installation, ease of use, high access rate and mobility have won it wide adoption among companies, governments, individuals and carriers. But because WLAN data is carried by radio waves that radiate through the air, and radio waves penetrate ceilings, floors and walls, the transmitted data may travel farther than intended: to other floors, or even to a receiver outside the building. Data security has therefore become the most important issue.
Problem one: easy intrusion
A wireless LAN is very easy to find. So that users can discover the network, the AP must broadcast beacon frames carrying specific network parameters, and those frames hand an attacker the network information needed. An intruder can attack the network from the roadside, a neighbouring building or anywhere else with a high-gain antenna, without any physical intrusion.
Solution: strengthen network access control
Easily reachable does not have to mean vulnerable. One extreme is to prevent radio leakage with an electromagnetically shielded enclosure; more practically, strong network access control reduces the risk of the wireless network configuration. If the AP is placed outside the firewall or other network security devices, it is preferable to connect it to the backbone network through VPN technology; a better approach is a new generation of wireless products based on IEEE 802.1X. IEEE 802.1X defines a new frame type for user-level authentication, so the enterprise can reuse its existing user database: 802.1X authentication on the front-end wireless network is converted to RADIUS authentication on the back-end wired network.
Problem two: rogue APs
The simple configuration and easy access of wireless LANs give network administrators and security officers a headache, because anyone can buy an AP and connect their own computer to the network through it without authorization. Many departments build their own wireless LANs without authorization from the company's IT center, and users reaching the network through such rogue APs bring great security risk.
Solution: regular site surveys
Like any other network, a wireless network has security management requirements. Unauthorized networks should be found, by receiving antenna, before intruders use them, so the physical site should be monitored as often as possible: frequent monitoring raises the probability of discovering an illegally configured site, but it takes a lot of time and walking. The compromise is small hand-held detection equipment, with which an administrator can check the network at any time and from any location.
Problem three: unauthorized use of service
More than half of users make only a few changes to the AP's default configuration. Almost all APs ship with open access by default, or encrypt with the default WEP key supplied with the product. Because the wireless LAN is open, unauthorized use of network resources not only increases bandwidth costs but may also lead to legal disputes; and since unauthorized users need not comply with the service provider's terms of service, the ISP may interrupt service.
Solution: strengthen authentication
The best defense is to prevent unauthenticated users from accessing the network at all. Because access privileges are based on user identity, an encrypted authentication process is a prerequisite for authentication, and VPN technology can effectively protect the network traffic sent over radio.
Once the network is configured, a strict authentication type and policy are crucial. The wireless network also needs to be tested regularly to ensure that network equipment uses a secure authentication mechanism and that network devices are configured correctly.
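The site survey of problem two and the configuration review of problem three come down to the same check: compare what a hand-held detector sees against the IT center's inventory, and flag any BSSID that is not authorized, any authorized AP still running open or WEP, and any unknown AP advertising a corporate SSID (the fake-AP case of problem five). The following Python script is an added example, not code from the article; the inventory, the scan results and their field names are constructed assumptions rather than the output of any particular scanner.

```python
"""Rogue-AP and weak-configuration audit of a wireless site scan (added example).

Constructed sample data throughout: the authorized inventory, the scan
results and the field names are assumptions, not the output of any
particular hand-held scanner.
"""
from dataclasses import dataclass

# Authorized access points as the IT center records them:
# BSSID -> (expected SSID, expected security mode). Constructed sample inventory.
AUTHORIZED = {
    "00:11:22:33:44:01": ("corp-wlan", "WPA2-EAP"),
    "00:11:22:33:44:02": ("corp-wlan", "WPA2-EAP"),
    "00:11:22:33:44:03": ("guest-wlan", "WPA2-PSK"),
}

# Modes that amount to "still on the vendor default": open or WEP.
WEAK_SECURITY = {"OPEN", "WEP"}

# One pass of a hand-held detector (constructed sample scan).
SCAN = [
    {"bssid": "00:11:22:33:44:01", "ssid": "corp-wlan",  "channel": 1,  "security": "WPA2-EAP"},
    {"bssid": "00:11:22:33:44:02", "ssid": "corp-wlan",  "channel": 6,  "security": "WEP"},
    {"bssid": "00:11:22:33:44:03", "ssid": "guest-wlan", "channel": 11, "security": "WPA2-PSK"},
    {"bssid": "AA:BB:CC:DD:EE:FF", "ssid": "linksys",    "channel": 6,  "security": "OPEN"},
    {"bssid": "aa:bb:cc:dd:ee:01", "ssid": "corp-wlan",  "channel": 1,  "security": "OPEN"},
]


@dataclass(frozen=True)
class Finding:
    bssid: str
    kind: str      # "rogue", "impersonation", "ssid-mismatch" or "weak-config"
    detail: str


def audit_scan(scan, authorized=AUTHORIZED):
    """Compare one scan against the authorized inventory and return findings."""
    findings = []
    known_ssids = {ssid for ssid, _ in authorized.values()}
    for ap in scan:
        bssid = ap["bssid"].lower()
        where = f"SSID {ap['ssid']!r}, channel {ap['channel']}, {ap['security']}"
        if bssid not in authorized:
            # Unknown BSSID: a rogue AP, or an impersonation of the
            # corporate SSID if it advertises a name the company owns.
            kind = "impersonation" if ap["ssid"] in known_ssids else "rogue"
            findings.append(Finding(bssid, kind, f"unknown BSSID ({where})"))
            continue
        expected_ssid, expected_security = authorized[bssid]
        if ap["ssid"] != expected_ssid:
            findings.append(Finding(bssid, "ssid-mismatch",
                                    f"expected {expected_ssid!r} ({where})"))
        if ap["security"] in WEAK_SECURITY or ap["security"] != expected_security:
            findings.append(Finding(bssid, "weak-config",
                                    f"expected {expected_security} ({where})"))
    return findings


if __name__ == "__main__":
    for f in audit_scan(SCAN):
        print(f"{f.bssid}  {f.kind:14s} {f.detail}")
```

Run against the constructed scan it reports the second corporate AP as misconfigured (WEP where WPA2-EAP is expected), the "linksys" AP as rogue, and the unknown BSSID advertising "corp-wlan" as an impersonation; the inventory comparison is keyed on BSSID rather than SSID precisely because an SSID is trivially copied.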
Problem four: service and performance limitations
Wireless LAN transmission bandwidth is limited. Because of physical-layer overhead, the actual maximum effective throughput of a wireless LAN is only about half of the nominal standard rate, and that bandwidth is shared by all users of the AP.
Wireless bandwidth can be swallowed in several ways. Wired network traffic far exceeds wireless network bandwidth, so if an attacker sends a large volume of ping traffic from Fast Ethernet, the AP's limited bandwidth is easily swallowed; broadcast traffic blocks several APs at once; an attacker can transmit on the same radio channel as the wireless network, so that the CSMA/CA mechanism, adapting automatically to the interfering signal, degrades the network's transmission; and transferring large data files or running complex client/server systems also generates a lot of network traffic.
Solution: network monitoring
Locating performance problems and faults should start with the statistics that many APs report via SNMP, but that information is very limited and does not reflect users' practical problems. A wireless network tester can accurately reflect the health of the network and the signal quality at the current position, and can identify network rate and frame types to help locate the fault.
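The two bandwidth-exhaustion cases above that a monitor can see in traffic, a ping flood from the wired side and a broadcast storm, are both rate anomalies per source. The following Python script is an added example, not code from the article: it buckets a frame capture into one-second windows per source MAC and raises an alert when the ICMP echo or broadcast rate crosses a threshold. The frame records and the thresholds are constructed assumptions; a real deployment would feed it from the tester or a capture on the AP's wired side and tune the thresholds to the cell's normal load.

```python
"""Per-source rate detection for ping floods and broadcast storms (added example).

Constructed sample data: the frame records are made up, and the thresholds
are assumptions to be tuned per site, not values from the article.
"""
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"


def make_sample_frames():
    """Constructed capture: background chatter, a ping flood and a broadcast burst.
    Each record is (timestamp_seconds, src_mac, dst_mac, protocol)."""
    frames = []
    # Background: two stations sending three TCP frames per second for 30 s.
    for t in range(30):
        for i in range(3):
            frames.append((t + i * 0.3, "00:aa:00:00:00:01", "00:bb:00:00:00:01", "tcp"))
            frames.append((t + i * 0.3, "00:aa:00:00:00:02", "00:bb:00:00:00:01", "tcp"))
    # A wired host pushing 400 ICMP echo requests through the AP in second 10.
    for i in range(400):
        frames.append((10 + i / 400, "00:cc:00:00:00:99", "00:aa:00:00:00:01", "icmp-echo"))
    # A burst of 150 broadcast ARP frames in second 20.
    for i in range(150):
        frames.append((20 + i / 150, "00:cc:00:00:00:77", BROADCAST, "arp"))
    return frames


def detect_floods(frames, icmp_threshold=100, broadcast_threshold=50):
    """Count frames per (one-second bucket, source MAC) and flag rates above
    threshold. Returns a sorted list of (second, kind, src_mac, count)."""
    icmp = defaultdict(int)
    bcast = defaultdict(int)
    for ts, src, dst, proto in frames:
        bucket = int(ts)
        if proto == "icmp-echo":
            icmp[(bucket, src)] += 1
        if dst.lower() == BROADCAST:
            bcast[(bucket, src)] += 1
    alerts = []
    for (sec, src), n in icmp.items():
        if n >= icmp_threshold:
            alerts.append((sec, "icmp-flood", src, n))
    for (sec, src), n in bcast.items():
        if n >= broadcast_threshold:
            alerts.append((sec, "broadcast-storm", src, n))
    return sorted(alerts)


if __name__ == "__main__":
    for sec, kind, src, n in detect_floods(make_sample_frames()):
        print(f"t={sec:3d}s  {kind:16s} {src}  {n} frames/s")
```

The counters are keyed by source so that one host exhausting the cell stands out from the aggregate, which is exactly what the per-AP SNMP byte counters do not show.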
Problem five: address spoofing and session hijacking
Because 802.11 wireless LAN data frames are not authenticated, an attacker can redirect a data stream with spoofed frames and corrupt ARP tables. By a very simple method, an attacker can obtain the MAC address of a station on the network, and that address can then be used maliciously.
Besides spoofing attacks with forged frames, the attacker can exploit flaws in the AP's authentication session by intercepting it, having discovered the AP by monitoring the broadcast frames it sends. Because 802.11 does not require an AP to prove that it really is an AP, the attacker can easily pose as one, and through that fake AP obtain further information for authenticating to the network. Without the per-frame 802.11 MAC authentication that 802.11i implements, network intrusion by session hijacking cannot be avoided.
Solution: network isolation is equally critical
Until 802.11i is formally approved, the threat of MAC address spoofing to wireless networks remains. Network administrators must isolate the vulnerable, open wireless network from the core network.
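While the network stays isolated, the two spoofing symptoms described above can at least be detected from a monitor capture: an IP address answered by more than one MAC in ARP replies, and a single MAC address whose 802.11 sequence numbers jump backwards, which is what two radios sharing one address look like, since a single transmitter increments its 12-bit sequence number by one per frame. The following Python script is an added example, not code from the article; the ARP records, the frame records and the back-step threshold are constructed assumptions, and the sequence-number check is a heuristic that will miss a careful impostor.

```python
"""ARP-conflict and MAC-spoofing indicators from a monitor capture (added example).

Constructed sample data: the ARP replies and 802.11 frames are made up,
and the back-step threshold is an assumption to tune per site.
"""
from collections import defaultdict

SEQ_MODULUS = 4096  # 802.11 sequence numbers are 12 bits wide


def arp_conflicts(arp_replies):
    """arp_replies: iterable of (timestamp, ip, mac) taken from observed ARP replies.
    Returns {ip: [mac, ...]} for every IP claimed by more than one MAC."""
    seen = defaultdict(list)
    for _, ip, mac in arp_replies:
        mac = mac.lower()
        if mac not in seen[ip]:
            seen[ip].append(mac)
    return {ip: macs for ip, macs in seen.items() if len(macs) > 1}


def sequence_anomalies(frames, max_backstep=64):
    """frames: iterable of (timestamp, src_mac, seq) in capture order.
    Flags (src_mac, previous_seq, seq) whenever a source's sequence number
    steps backwards by more than max_backstep. Retransmissions repeat the
    same number, and the 4095 -> 0 wrap is a forward step of one, so neither
    is flagged; a second radio using the same MAC pulls the number back
    by hundreds or thousands."""
    last = {}
    anomalies = []
    for _, src, seq in frames:
        src = src.lower()
        if src in last:
            # Signed difference in the range [-2048, 2047], modulo 4096.
            delta = (seq - last[src] + SEQ_MODULUS // 2) % SEQ_MODULUS - SEQ_MODULUS // 2
            if delta < -max_backstep:
                anomalies.append((src, last[src], seq))
        last[src] = seq
    return anomalies


def make_sample_arp():
    """Constructed ARP replies: 10.0.0.1 is later also claimed by a second MAC."""
    return [
        (0.0, "10.0.0.1", "00:bb:00:00:00:01"),
        (1.0, "10.0.0.2", "00:aa:00:00:00:02"),
        (5.0, "10.0.0.1", "00:cc:00:00:00:99"),
        (6.0, "10.0.0.1", "00:BB:00:00:00:01"),
    ]


def make_sample_frames():
    """Constructed 802.11 frames: a legitimate station at seq 100..109, a second
    transmitter using the same MAC at seq 2000+, and a station that wraps 4095 -> 0."""
    legit = "00:aa:00:00:00:01"
    other = "00:aa:00:00:00:02"
    frames = [(float(t), legit, 100 + t) for t in range(10)]
    frames += [(10.0, legit, 2000), (11.0, legit, 110), (12.0, legit, 2001)]
    frames += [(20.0, other, 4094), (21.0, other, 4095), (22.0, other, 0), (23.0, other, 1)]
    return frames


if __name__ == "__main__":
    for ip, macs in arp_conflicts(make_sample_arp()).items():
        print(f"ARP conflict: {ip} claimed by {', '.join(macs)}")
    for src, prev, seq in sequence_anomalies(make_sample_frames()):
        print(f"sequence anomaly: {src} went from seq {prev} back to {seq}")
```

Only backward steps are flagged: a large forward gap can simply be frames the monitor did not hear, so the impostor's first frame passes unnoticed and the alert fires when the legitimate station's next frame arrives.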
Problem six: traffic analysis and eavesdropping
802.11 cannot prevent an attacker from passively monitoring network traffic, and any wireless network analyzer can intercept unencrypted traffic without hindrance. WEP currently has vulnerabilities that attackers can exploit: it only protects the initial user data and network communications, while management and control frames cannot be WEP-encrypted or authenticated, which gives an attacker the opportunity to spoof frames and abort network traffic. Early on, WEP was easily decrypted by tools such as AirSnort and WEPCrack, but later many manufacturers released firmware that avoided these known attacks. As an extension of that protection, the latest wireless LAN products go a step further and use a key management protocol to change the WEP key every 15 minutes. Even the busiest network does not generate enough data in such a short time for an attacker to confirm a cracked key.
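The 15-minute rotation claim is easy to put numbers on. The following Python script is an added example, not part of the article: it computes how many frames one key protects in a rotation window at full load, what fraction of WEP's 24-bit IV space that consumes, and the birthday-bound probability that two frames under the same key reuse an IV. The 5.5 Mbit/s throughput (half of 802.11b's 11 Mbit/s nominal rate, following the performance section above) and the 1500-byte frame size are assumptions; the 24-bit IV is part of the WEP design. The calculation also shows the caveat a practitioner wants: rotation bounds how much traffic each key exposes, but IV reuse under a single key is still practically certain within the window, which is why the next section's advice to layer a stronger protocol on top of WEP matters.

```python
"""What a WEP key rotation interval does and does not buy (added example).

Assumed figures, not values from the article: 5.5 Mbit/s effective
throughput (half of the 11 Mbit/s nominal 802.11b rate) and 1500-byte
frames. The 24-bit IV width is part of the WEP design.
"""
import math

IV_BITS = 24                 # WEP initialization vector width
IV_SPACE = 2 ** IV_BITS      # 16,777,216 possible IVs per key


def frames_in_window(throughput_bps, frame_bytes, window_s):
    """Frames one key protects in a rotation window at full load.
    Integer arithmetic so the result is exact for integer inputs."""
    return throughput_bps * window_s // (8 * frame_bytes)


def iv_space_fraction(n_frames, iv_bits=IV_BITS):
    """Fraction of the IV space consumed if every frame uses a fresh IV."""
    return n_frames / 2 ** iv_bits


def iv_reuse_probability(n_frames, iv_bits=IV_BITS):
    """Birthday bound: probability that at least two of n frames under the
    same key share an IV when IVs are drawn uniformly at random,
    1 - exp(-n(n-1) / (2 * 2^iv_bits))."""
    space = 2 ** iv_bits
    return 1.0 - math.exp(-n_frames * (n_frames - 1) / (2.0 * space))


if __name__ == "__main__":
    n = frames_in_window(5_500_000, 1500, 15 * 60)
    print(f"frames per 15-minute key:        {n}")
    print(f"IV space used by those frames:   {iv_space_fraction(n):.1%}")
    print(f"P(IV reuse within the window):   {iv_reuse_probability(n):.6f}")
    print(f"P(IV reuse after 1000 frames):   {iv_reuse_probability(1000):.4f}")
```

Under these assumptions a key sees about 412,500 frames before rotation, roughly 2.5% of the IV space, yet the chance that two of them share an IV is already a few percent after a thousand frames and indistinguishable from 1 by the end of the window.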
Solution: encrypt with a reliable protocol
If the user's wireless network carries sensitive data, WEP encryption alone is not enough; further technologies such as SSH, SSL and IPsec encryption are needed to enhance data security.
Problem seven: advanced intrusion
Once an attacker gets into the wireless network, it becomes the starting point for further intrusion into other systems. Many networks carefully deploy security devices as an outer shell to fend off illegal attacks, but inside that shell the network is very fragile and vulnerable. A wireless network with a simple configuration can quickly reach the network backbone, but that exposes the network to the attacker. Even a network with some border security equipment is still exposed to attack in this way.
Solution: isolate the wireless network from the core network
Because the wireless network is vulnerable, it is treated as an untrusted network. Many companies place wireless networks in public areas such as lounges and training classrooms as a way to provide access to guests. The wireless network should be placed outside the protective shell of the core network, for example outside the firewall, with access to the core network through VPN.