We are thinking of installing two Aironet APs for a small group of people here. The management does not want to set up any additional boxes (RADIUS, etc.). I have read that WEP alone is akin to Swiss cheese in terms of security and that more secure methods require additional hardware (LEAP, etc.). How secure can I get with only an AP and OS security features? Are there any APs that have additional security built in? TIA
- APs on an isolated VLAN using a separate subnet (no DHCP) connected through a Firewall
There's a company called Colubris that has RADIUS built into the AP, but the overall effect would not be any simpler to manage than a separate RADIUS server.
As for the 'Swiss cheese' perspective, it takes time and deliberate effort to crack a proper 128-bit WEP key. If you were to install four keys on each device and manually rotate them at the AP (as opposed to LEAP's automatic rotation), you would make a hacker's job four times as hard.
If that level of security is insufficient, your management has no excuse for refusing to install a third party box.
With these fixes to WEP encryption, key management becomes the major problem. Key management is the issue that Cisco's EAP-Cisco (AKA LEAP) implementation tackles.
With static WEP, keys should be rotated periodically; this involves configuring every client NIC and AP in the network with a complex 26-digit string. If one laptop/NIC card goes missing, every client and AP in the network needs to be changed. If one person with knowledge of the key leaves, every client and AP in the network needs to be changed.
Cisco-EAP (AKA LEAP) removes the key management burden. A unique, dynamic session WEP key is generated every time a client accesses the wireless network. In addition, the key can be automatically (and transparently to the user) changed after a set time period.
EAP-Cisco (AKA LEAP) key management does need an external RADIUS server (from Cisco, or one of a few external vendors that support EAP-Cisco/LEAP).
So for your network, if it's small enough that you can deal with the key management issues, static WEP **may** be sufficient.
EAP-Cisco LEAP is a much better solution for most deployments.
A few other opinions:
I do not believe the SSID should be treated as part of the security solution (IEEE never intended it to be). The SSID is supposed to be the **name** of your network. A meaningful name will help non-technical clients be assured they are connecting to the correct network (especially when choosing from a list with a Windows XP-type interface). Call your SSID whatever you like and rely on security mechanisms (WEP/EAP/VPN) to provide the security.
Don't use MAC filters (if you have the WEP enhancements). MAC filters are insecure (easily spoofed) and needlessly complicate your security deployment.
Put your APs on a separate subnet/VLAN in each wiring closet. This will help keep the broadcast domain small. By putting the APs on a separate subnet you can also identify any traffic to or from wireless clients; this may help with network management. I believe that the EAP-Cisco (LEAP) and the WEP enhancements provide for secure wireless LAN deployments and additional firewalling of the WLAN is unnecessary.
Please check out the WLAN design guides available under related links on the right-hand side of this page for more WLAN design/security guidance.
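An added example, not from this thread or from Cisco, that works through the static WEP key-management bookkeeping the reply above describes: four key slots holding 26-hex-digit (104-bit) keys, a manual rotation of the active slot, and the full regeneration that a lost NIC or a departing employee forces on every client and AP. The class and function names are assumptions of mine; the slot count and key format come from the thread.

```python
import re
import secrets

# Static WEP key lengths: 40-bit keys are 10 hex digits, 104-bit ("128-bit WEP")
# keys are the 26-digit hex strings the reply above mentions.
KEY_HEX_LEN = {40: 10, 104: 26}
_HEX_KEY = re.compile(r"^[0-9A-Fa-f]{10}$|^[0-9A-Fa-f]{26}$")


def generate_wep_key(bits=104):
    """Return a fresh static WEP key as uppercase hex drawn from a CSPRNG."""
    return secrets.token_hex(KEY_HEX_LEN[bits] // 2).upper()


def is_valid_wep_key(key):
    """True only for a bare 10- or 26-digit hex key (no passphrase mapping)."""
    return bool(_HEX_KEY.match(key))


class StaticWepKeyRing:
    """Hypothetical helper: the four manually rotated key slots of one AP."""

    def __init__(self, slots=4, bits=104):
        self.bits = bits
        self.keys = [generate_wep_key(bits) for _ in range(slots)]
        self.active = 0  # index of the current transmit key

    def rotate(self):
        """Move the transmit key to the next slot; returns (slot, key)."""
        self.active = (self.active + 1) % len(self.keys)
        return self.active, self.keys[self.active]

    def revoke_all(self):
        """Lost NIC or departed key holder: every slot is replaced, so every
        client and AP must be reconfigured. Returns the retired keys."""
        retired = list(self.keys)
        self.keys = [generate_wep_key(self.bits) for _ in range(len(self.keys))]
        self.active = 0
        return retired

    def devices_to_reconfigure(self, clients, aps):
        """Hand-configured devices after revoke_all(): all clients plus all APs."""
        return clients + aps
```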
Bruce - while SSID and MAC filters are not a reliable means of securing a WLAN, I think that they are certainly worth paying attention to.
An SSID of 'FinanceINC' or 'MedicalRecords' would be far too tempting to anyone out War Driving, thus the recommendation to use an anonymous SSID (other than ANY, DEFAULT, TSUNAMI, etc.).
A MAC address filter is easily hacked by intentional effort, but helps eliminate unintentional effects - such as users buying their own WLAN card. For some companies this is not a concern, others I think are very nervous about such a liability.
I am always interested in your well informed opinions.
Thanks a ton; your replies really helped. Our WLAN rollout should be under 30 people, so I believe manual key rotation would work, but I'm going to recommend using the Cisco RADIUS. Does anyone have a link to some good documentation on Cisco's RADIUS server? Thanks