8 New Technologies and Future Directions

The IEEE 802.11i Task Group is working on enhancements to both encryption and authentication in wireless LANs. 802.1x will be incorporated into the 802.11i specifications. Enhancements to WEP include the Temporal Key Integrity Protocol (TKIP). TKIP provides three security improvements: fast-packet keying (key-hashing per packet), real message integrity checking (to prevent forgery) and dynamic key management (re-keying). The Advanced Encryption Standard (AES) is also in the draft 802.11i specifications. AES is a symmetric block cipher operating on blocks of 128 bits using three possible key sizes: 128, 192 and 256 bits. There is an "advanced subset" of 802.11i, known as WiFi Protected Access (WPA), which is compatible with existing hardware; it includes both 802.1x and TKIP.

The Internet Engineering Task Force (IETF) has produced an Internet-Draft document defining a new authentication protocol based on EAP called Protected EAP (PEAP). It works by wrapping the EAP protocol within TLS, thus protecting the EAP message exchanges. Any EAP authentication method running within PEAP is provided with protected key exchange and session resumption (which allows fast re-authentication when a wireless client roams from one AP to another).

Madge is committed to tracking emerging standards and extending its product family to support these when appropriate. With its extensible, field-upgradeable software architecture, Madge can incorporate new security technologies as they develop.

9 Recommendations

Madge recommends deploying robust wireless LAN security solutions:

- Deploy an extensible networking and security architecture that can evolve as new standards-based wireless LAN technologies emerge (e.g. PEAP and 802.11i).
- Implement a robust security network that incorporates 802.1x EAP-TLS using digital certificates and dynamic per-user, per-session WEP keys.
- Where 802.1x EAP-TLS isn't practical, consider using IPSec VPNs to secure wireless traffic. When deploying VPNs, ensure that the network design accommodates the increased performance requirements of the encryption technology (e.g. 3DES).
- Centralise security management by using enhanced security products such as the Madge Enterprise Access Server (EAS).
- Separate a wireless network from a wired network by deploying firewalls.
- Always use WEP encryption; never implement an "open system". Use 128-bit WEP keys for maximum security.
- Change WEP keys frequently when not using dynamic keys. Deploy security management products that simplify this process.
- Use device authorisation (e.g. MAC access control) to exclude unwanted wireless clients.
- Change default passwords, network names (e.g. SSIDs) and SNMP community strings that are pre-configured in the factory. Change passwords regularly. Use "difficult to crack" passwords that are not susceptible to "dictionary attacks".
- Enable "BIOS" passwords and screen saver passwords to prevent unauthorised people accessing wireless LAN configuration parameters such as static WEP keys (if used).

WWP-001 Copyright © 2002-2003 Madge Limited. All rights reserved. Page 7
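The recommendations above can be checked mechanically across an access point inventory. The following audit is an added example, not part of the Madge whitepaper; the config field names, the factory-default lists and the 30-day key age limit are assumptions made for illustration.

```python
# Added example: audit access point settings against the recommendations above.
# The config schema (field names, values) is hypothetical, not a Madge format.
FACTORY_SSIDS = {"default", "wireless", "wlan"}  # constructed sample list
FACTORY_SNMP = {"public", "private"}             # common factory community strings
MAX_STATIC_KEY_AGE_DAYS = 30  # assumed site policy; the paper only says "frequently"

def audit_ap(cfg):
    """Return recommendation violations for one AP; missing fields fail closed."""
    findings = []
    enc = cfg.get("encryption", "none")
    if enc not in ("wep-static", "wep-dynamic"):
        findings.append("open system: WEP encryption not enabled")
    else:
        # Key size as marketed (128-bit WEP = 104-bit secret + 24-bit IV).
        if cfg.get("wep_key_bits", 0) < 128:
            findings.append("WEP key shorter than 128 bits")
        if enc == "wep-static" and not cfg.get("ipsec_vpn", False):
            findings.append("static WEP keys without 802.1x EAP-TLS or IPSec VPN")
        if enc == "wep-static" and cfg.get("key_age_days", 10**6) > MAX_STATIC_KEY_AGE_DAYS:
            findings.append("static WEP key overdue for change")
    if cfg.get("ssid", "default").strip().lower() in FACTORY_SSIDS:
        findings.append("factory default SSID")
    if any(c.lower() in FACTORY_SNMP for c in cfg.get("snmp_communities", ["public"])):
        findings.append("factory default SNMP community string")
    if not cfg.get("mac_acl", False):
        findings.append("no MAC access control list")
    if cfg.get("admin_password_default", True):
        findings.append("factory default admin password")
    return findings

# Constructed sample inventory (not from the whitepaper).
INVENTORY = [
    {"name": "ap-lobby", "ssid": "default", "encryption": "none",
     "snmp_communities": ["public"], "mac_acl": False, "admin_password_default": True},
    {"name": "ap-floor2", "ssid": "corp-f2", "encryption": "wep-static",
     "wep_key_bits": 64, "key_age_days": 200, "snmp_communities": ["n0c-ro"],
     "mac_acl": True, "admin_password_default": False},
    {"name": "ap-floor3", "ssid": "corp-f3", "encryption": "wep-dynamic", "wep_key_bits": 128,
     "snmp_communities": ["n0c-ro"], "mac_acl": True, "admin_password_default": False},
]

def audit_inventory(inventory):
    """Map AP name -> findings, listing only APs with at least one finding."""
    report = {ap.get("name", "?"): audit_ap(ap) for ap in inventory}
    return {name: f for name, f in report.items() if f}

if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY).items():
        print(name, "->", "; ".join(findings))
```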