
How to protect an enterprise wireless local area network

In recent years wireless local area networks (WLANs) have developed rapidly. They offer high access speeds, flexible networking and a unique advantage in carrying data for mobile users. As WLAN deployments have grown, however, their security problems have attracted more and more attention. On a wired network you can identify exactly which computer is plugged in. A wireless network is different: in principle, any computer within radio range can listen to the traffic and attempt to join the network. If an enterprise's internal security measures are not strict enough, an outsider can eavesdrop on, read or even tamper with e-mail. Wireless network security therefore matters a great deal: authorized computers must be able to reach the network, while unauthorized users must not be able to intercept its communications.

★ Two basic security mechanisms

How can data be protected in an environment where every new defence is soon met by a new attack? Equipment manufacturers and the Wi-Fi Alliance, the industry body promoting WLAN, have proposed new methods to harden WLANs so that they can be used more widely. On 24 June 2004 the IEEE ratified 802.11i, which secures WLANs with 802.1X-based authentication and AES encryption and gives WLANs a much broader range of applications.

Security consists mainly of access control and encryption. Access control ensures that only authorized users can reach sensitive data; encryption ensures that only the intended recipients can read it. The most widely deployed standard at present, IEEE 802.11b, provides two mechanisms for securing a WLAN: the SSID (Service Set Identifier) and WEP (Wired Equivalent Privacy). The SSID provides only a very low level of access control, since it is a network name that is broadcast rather than a secret. WEP is an optional encryption scheme based on the RC4 algorithm: stations without the correct WEP key cannot join the network, and only stations holding the correct key can encrypt and decrypt traffic. Both mechanisms can be implemented in software or hardware.

In addition, 802.11b defines two authentication methods: open system and shared key. In the default open-system method a station can associate with the access point even without the correct WEP key (though it still cannot decrypt traffic without it). In the shared-key method the station must prove possession of the correct WEP key to authenticate. Counter-intuitively, shared-key authentication is the weaker choice: the access point sends a plaintext challenge and the station returns it WEP-encrypted, so anyone listening obtains a plaintext/ciphertext pair and hence the RC4 keystream for that IV, which can then be replayed to forge a successful authentication.

★ Three levels of security for different users

Obviously, basic security mechanisms provide only basic security. Different users need different levels of protection. Liu Haijian, technical consultant at Avaya, pointed out that Avaya provides three levels of security for its WLAN devices. The first is link-layer security, that is, standard WEP encryption. The second is user-authentication security, typically using 802.1X. The third is VPN-based security. Liu Haijian believes that these three levels suit users with different requirements, and that the VPN approach is the most secure. In practice, however, plain WEP is still the most widely used at present.

★ WEP defects and solutions

WEP encryption has inherent defects. Its key is static and its initialization vector (IV) is only 24 bits long, so IVs are soon reused and the effective strength of the cipher is low; this is a genuine security vulnerability. Researchers at AT&T first released a program that recovers WEP keys, after which WEP came under wide scrutiny and further study of its flaws. Today dedicated WEP-cracking programs are freely available, notably WEPCrack and AirSnort.
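To make the IV problem concrete, here is an added worked example; it is not code from the article or from any vendor it mentions. It implements RC4 and WEP-style framing with a constructed 40-bit key, shows that two frames sent under the same IV cancel each other's keystream so that one known plaintext decrypts the other, and computes how many frames a 24-bit IV space allows before a repeat becomes likely. The key, IVs and frame contents are constructed sample values, and the WEP ICV is omitted.

```python
"""
Added example (not from the article, Cisco, Avaya or Intel): why a static
WEP key with a 24-bit IV leaks data. All keys, IVs and frames here are
constructed sample values, not captured traffic. The WEP ICV (CRC-32) is
omitted because it plays no part in the keystream-reuse problem.
"""
import math


def rc4(key: bytes, length: int) -> bytes:
    """RC4 keystream (KSA + PRGA). WEP keys RC4 with IV || static_key."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                    # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(static_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: the 3-byte IV is sent in the clear, followed by
    plaintext XOR RC4(IV || static_key)."""
    assert len(iv) == 3
    return iv + xor(plaintext, rc4(iv + static_key, len(plaintext)))


def wep_decrypt(static_key: bytes, frame: bytes) -> bytes:
    iv, body = frame[:3], frame[3:]
    return xor(body, rc4(iv + static_key, len(body)))


def recover_keystream(frame: bytes, known_plaintext: bytes) -> bytes:
    """Knowing one frame's plaintext yields the keystream for its IV,
    without ever learning the key."""
    return xor(frame[3:], known_plaintext)


def frames_until_iv_repeat(iv_bits: int = 24, prob: float = 0.5) -> int:
    """Birthday bound: frames with random IVs before a repeat occurs with
    probability `prob`. For 24 bits this is under 5,000 frames, i.e. seconds
    on a busy network; a sequential IV counter wraps after 2**24 frames."""
    n = 2 ** iv_bits
    return math.ceil(math.sqrt(2 * n * math.log(1.0 / (1.0 - prob))))


def demo_keystream_reuse() -> bool:
    """Two frames under one IV: the attacker sees c1, c2 and the IV only."""
    key = bytes.fromhex("0102030405")          # constructed 40-bit WEP key
    iv = bytes.fromhex("000001")               # IV the attacker sees twice
    # Every 802.11 data frame starts with the fixed LLC/SNAP header
    # AA AA 03 00 00 00 followed by the EtherType (08 00 for IPv4), so the
    # first plaintext bytes are predictable; the rest is constructed payload.
    snap = bytes.fromhex("aaaa030000000800")
    p1 = snap + b"GET /idx"
    p2 = snap + b"pw=hunt2"
    c1 = wep_encrypt(key, iv, p1)
    c2 = wep_encrypt(key, iv, p2)
    # 1. Same IV, same keystream: XORing the ciphertexts cancels RC4 entirely.
    keystream_cancels = xor(c1[3:], c2[3:]) == xor(p1, p2)
    # 2. With p1 known (or guessed), the keystream for this IV decrypts c2.
    ks = recover_keystream(c1, p1)
    recovered = xor(c2[3:], ks)
    return keystream_cancels and recovered == p2


if __name__ == "__main__":
    print("keystream reuse demonstrated:", demo_keystream_reuse())
    print("frames for 50% IV collision:", frames_until_iv_repeat())
```

The point is that nothing here attacks RC4 itself: the static key plus the short IV guarantees keystream reuse, and the fixed LLC/SNAP header gives the attacker the known plaintext needed to exploit it.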

Zhao Weiming of Intel's communications division pointed out that the WEP encryption method itself is not the problem; the problem lies in how keys are transmitted, since the key itself is easy to intercept. To address this, WPA (Wi-Fi Protected Access), a de facto industry standard, changed the way keys are handled. The IEEE 802.11 Task Group i (TGi) developed the Temporal Key Integrity Protocol, TKIP. TKIP still uses RC4 like WEP, but it refreshes keys rapidly: it mixes a temporal key with the transmitter address and a 48-bit per-packet sequence counter to produce a fresh RC4 key for every frame, and adds the Michael message integrity check. WPA uses TKIP for this per-packet keying. Because TKIP runs on existing RC4 hardware, the TKIP firmware patches that various manufacturers plan to release protect users' investment in WLAN equipment. For example, Enterasys recently announced WPA support: it will add WPA to its RoamAbout series of indoor and outdoor WLAN products by updating the firmware and hardware of existing products.

Cisco's approach is as follows. The RADIUS server and the client perform mutual authentication. Once authentication succeeds, the RADIUS server and the client agree on a WEP key; this is not a static key tied to the client's hardware but a key generated dynamically by the authentication exchange. The RADIUS server then sends this session key to the AP over the wired network. The AP encrypts the broadcast key with the session key and sends the encrypted broadcast key to the client, which decrypts it with the session key. From then on the client and AP run WEP with these keys. Avaya's method is called WEPplus. It addresses the IV weakness by choosing initialization vectors so that the weak IVs exploited by WEPCrack and AirSnort are never used, so those programs cannot recover the WEP key. Note that this defeats the weak-IV attack those tools implement but does not enlarge the 24-bit IV space, so keystream reuse remains possible.
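The dynamic-key flow described above, as an added toy model that is not Cisco's or Avaya's code. The authentication method is an assumption (HMAC-SHA256 challenge/response on a per-user secret; the page does not name the EAP method), as is the cipher used to wrap the broadcast key (HMAC in counter mode). The session key never crosses the air: both sides derive it from the secret and the two challenges, the server hands it to the AP over the wire, and the AP uses it to wrap the broadcast key. The user secret and the broadcast key are constructed sample values.

```python
"""
Added example, not Cisco's or Avaya's code: a toy model of the dynamic-key
flow described above. Assumptions: HMAC-SHA256 challenge/response for
mutual authentication and HMAC-in-counter-mode for key wrapping; the real
deployment uses whatever the chosen EAP method specifies. The user secret
and broadcast key are constructed sample values.
"""
import hashlib
import hmac
import secrets

# Constructed RADIUS user database: username -> secret. A real credential
# must be high-entropy, because the challenge/response pairs are visible
# over the air and allow offline guessing of a weak password.
USER_DB = {"alice": bytes.fromhex("6f2b8c1e5a9d4477a0c3e1f9b2d6c84e")}


def prf(key: bytes, label: bytes, length: int = 16) -> bytes:
    """Keyed PRF used for responses and key derivation (assumption)."""
    return hmac.new(key, label, hashlib.sha256).digest()[:length]


def keystream(key: bytes, length: int) -> bytes:
    """HMAC in counter mode, used only to wrap the broadcast key (assumption)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def derive_session_key(secret: bytes, server_chal: bytes, client_chal: bytes) -> bytes:
    """Per-session WEP key: fresh at every login, never sent over the air."""
    return prf(secret, b"session-key" + server_chal + client_chal)


def run_exchange(username: str, client_secret: bytes, user_db=USER_DB):
    """Plays client, RADIUS server and AP in one process. Returns
    (session keys agree, client unwrapped the broadcast key), or None if
    either side rejects the other."""
    # --- RADIUS server: challenge the client ---------------------------------
    server_secret = user_db.get(username)
    if server_secret is None:
        return None
    server_chal = secrets.token_bytes(16)
    # --- client: answer and issue its own challenge (both over the air) ------
    client_resp = prf(client_secret, b"client-response" + server_chal)
    client_chal = secrets.token_bytes(16)
    # --- server: verify the client, then prove it knows the secret too -------
    if not hmac.compare_digest(client_resp, prf(server_secret, b"client-response" + server_chal)):
        return None                                   # wrong credential
    server_resp = prf(server_secret, b"server-response" + client_chal)
    # --- client: verify the server (mutual authentication) -------------------
    if not hmac.compare_digest(server_resp, prf(client_secret, b"server-response" + client_chal)):
        return None                                   # rogue server or AP
    # --- both sides derive the dynamic WEP session key independently --------
    k_server = derive_session_key(server_secret, server_chal, client_chal)
    k_client = derive_session_key(client_secret, server_chal, client_chal)
    # --- server -> AP over the wire; AP wraps the broadcast key --------------
    broadcast_key = bytes.fromhex("0a1b2c3d4e5f60718293a4b5c6")   # constructed 104-bit key
    wrapped = xor(broadcast_key, keystream(k_server, len(broadcast_key)))  # goes over the air
    # --- client unwraps with its own copy of the session key -----------------
    unwrapped = xor(wrapped, keystream(k_client, len(wrapped)))
    return (k_client == k_server, unwrapped == broadcast_key)


if __name__ == "__main__":
    print("legitimate client:", run_exchange("alice", USER_DB["alice"]))
    print("wrong secret:     ", run_exchange("alice", b"guess"))
```

The second call shows the failure path: a station with the wrong credential never receives a server response it can verify, so it never derives a session key and cannot unwrap the broadcast key. Each session also gets a different key because both challenges are fresh random values.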

★ Five suggestions for comprehensive prevention

1. Many security problems arise because wireless access points do not sit in a closed environment. The first step is therefore sensible placement of the access point antenna, to limit how far the signal carries beyond the intended coverage area. Do not put the antenna near a window, because glass does not block the signal. Ideally, put the antenna at the centre of the area to be covered to minimize leakage beyond the walls.

2. Once antenna placement is settled, add a layer of "protective film": WEP (Wired Equivalent Privacy) must be enabled at the very least, and WPA or 802.11i should be used wherever the hardware supports it, given the WEP defects described above.

3. Disable DHCP and SNMP where possible. Disabling DHCP on the wireless network makes sense:

With this measure an intruder who associates with the access point still has to work out your IP address range, subnet mask and other required TCP/IP parameters, which raises the bar, though only modestly, since an attacker who holds the WEP key can read the addresses from captured traffic. For SNMP, either disable it or change the default "public" and "private" community strings; note that in SNMPv1 and SNMPv2c community strings travel in cleartext, so SNMPv3 with authentication is preferable. Otherwise an attacker can use SNMP to obtain important information about your network.

4. Use access lists (also called access control lists). This feature is recommended for further protection, but note that not all wireless access points support it.

An access list specifies exactly which machines, by MAC address, are allowed to connect to the access point. Access points that support it often load the list via TFTP (Trivial File Transfer Protocol), which makes it easy to push an updated list regularly. Bear in mind that MAC addresses are transmitted in the clear and are trivially changed, so an attacker who sniffs an allowed address can impersonate it; treat the list as a hurdle, not as authentication.

5. Combine wireless and wired strategies. Wireless network security is not a separate network architecture; it requires the cooperation of various programs and protocols. Developing a strategy that combines wired and wireless network security maximizes the level of security. (end)

Copyright © 2011 JIN SHI