With the growth of wireless networking, a very common question we hear is “How should I secure my WLAN?”
Well, as I said in my last post, “It depends.”
What are you looking to do? Do you have administrative control of the devices that are going to be on the network? Do you have AAA, or want to implement it? What about PKI? Oh, and my favorite question: is your LAN secure?
Don’t get me wrong, I love a well-oiled EAP-TLS environment (PKI is required here, folks; it is not an option). But if I can walk in, connect my laptop to the LAN and get access to your network, what’s the point in securing the wireless?
I am by no means saying that you should have a completely open wireless network. The exception is guest, which needs to be open and ACL’d to high heaven so it has internet access only. You need to have a secured wireless network, with encryption at a minimum.
So notice I said encryption at a minimum.
WEP, TKIP and AES-CCMP are encryptions. PSK or, even better, 802.1X are authentications.
PSK is a shared key. Think of this like the password to your clubhouse as a kid. It could be overheard and anyone could have it.
802.1X uses either credentials (usually domain) or certificates (PKI). Everyone has been trained to not share their domain login.
So decide how much you want to invest in your security: PSK is minimal, TLS is high. And remember to secure all your layer 1.
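To see the encryption/authentication split on a real WLAN, here is an added example (not part of the original post) that parses the body of the RSN element an access point advertises in its beacons and reports the ciphers separately from the authentication methods. The suite selector values are the standard IEEE 802.11 ones; the two sample byte strings are constructed, not captured.

```python
import struct

# Suite selectors under the IEEE 802.11 OUI 00-0F-AC (last byte is the suite type).
OUI = bytes.fromhex("000fac")
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "AES-CCMP", 5: "WEP-104"}  # encryption
AKMS = {1: "802.1X", 2: "PSK"}                                    # authentication


def _suites(buf, off, names):
    """Read a 2-byte little-endian count followed by that many 4-byte selectors."""
    if off + 2 > len(buf):
        raise ValueError("truncated RSN element")
    (count,) = struct.unpack_from("<H", buf, off)
    off += 2
    if off + 4 * count > len(buf):
        raise ValueError("truncated RSN element")
    out = []
    for i in range(count):
        sel = buf[off + 4 * i: off + 4 * i + 4]
        known = sel[:3] == OUI and sel[3] in names
        out.append(names[sel[3]] if known else "unknown:" + sel.hex())
    return out, off + 4 * count


def parse_rsn(body):
    """Parse the body of an RSN element (the bytes after element ID 48 and length)."""
    if len(body) < 6:
        raise ValueError("truncated RSN element")
    (version,) = struct.unpack_from("<H", body, 0)
    if version != 1:
        raise ValueError("unsupported RSN version")
    group_sel = body[2:6]
    group = CIPHERS.get(group_sel[3], "unknown") if group_sel[:3] == OUI else "unknown"
    pairwise, off = _suites(body, 6, CIPHERS)
    akms, _ = _suites(body, off, AKMS)
    return {"group": group, "pairwise": pairwise, "auth": akms}


# Constructed sample bodies, not captured from a real network.
WPA2_PSK = bytes.fromhex("0100" "000fac04" "0100" "000fac04" "0100" "000fac02" "0000")
WPA2_ENTERPRISE_MIXED = bytes.fromhex(
    "0100" "000fac02" "0200" "000fac04" "000fac02" "0100" "000fac01" "0000")

if __name__ == "__main__":
    for name, ie in (("psk", WPA2_PSK), ("enterprise", WPA2_ENTERPRISE_MIXED)):
        print(name, parse_rsn(ie))
```

The second sample shows why the two questions are separate: the network authenticates with 802.1X yet still offers TKIP alongside AES-CCMP.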
I agree, my customers often voice worry about the Security Flaws in Wireless Technologies, but completely ignore the GAPING holes on the wired side.
I agree, I am seeing strong movement toward ISE on wired and wireless. Back in the day it was just too cumbersome to manage MAC addresses for 802.1x auth. It is finally starting to become “easier” to manage the wired side in the same fashion as the wireless.
But yes, when the wireless is locked down, I go to a conference room and plug in… Makes wireless security useless.
Not to be technical on you, but your statement “TKIP and AES are encryptions” not so true. TKIP and CCMP are encryptions. AES is a block cipher.
True, George. I was keeping it simple. Most times we talk about WPA2 we simply say AES instead of AES-CCMP. I’ll update the post to say AES-CCMP to keep any confusion down.
Gotta love engineers. Wellll technically!!!
Steve, if you’re still in edit mode — it’s not really 802.1x. The lower case x would suggest it’s an amendment to a standard. Much like 802.11a, 802.11n, 802.11k are amendments to the 802.11 standard. 802.1X is a standard, not an amendment. Properly, it’s 802.1X. Capital X. I’m done busting your balls .. 🙂
Good post!
802.1X*30… 😉