As organizations or users consider what combination of security technologies to use on their wireless networks, they'd be best advised to choose their options through a combination of supporting security approaches already in use elsewhere in their infrastructure (such as RADIUS versus Kerberos, for example) and by analysis of the nature of the information that's in transit between wireless users and access points. In general, the lower the level of sensitivity of information in motion, the lower the level of security required; the higher the sensitivity level, the higher the level of security.
In a situation where e-mail is the only vehicle for moving sensitive data between users and access points, additional security mechanisms outside the e-mail application aren't needed. Thus, if XYZ Corp needs only to secure e-mail communications, it can do so by enabling certificate-based encryption services in common e-mail applications such as Eudora or Outlook, or by purchasing secure e-mail software such as the PGP Mail product included in PGP Desktop or PGP Enterprise. By observing that security concerns apply to a specific application (or, in fact, to some collection of applications), an appropriate security model can be established by making those applications secure and leaving other communications alone. Likewise, Web-based applications or services can apply security at the session level, using protocols such as TLS or SSL (Secure Sockets Layer, the protocol on which TLS is based).
Once the number of applications that must be secured grows beyond a handful, when entire connections between users and access points must be secured, or when secure end-to-end connections are required, heightened security needs dictate a combination of security technologies be applied. In this case, the following common security concerns, when combined with best-fit approaches (or approaches already in use elsewhere in the organization), will apply:
- Authentication: This provides reasonable proof of user or sender identity so that a packet received may be attributed to a single, verifiable sender. Where RADIUS or Kerberos is already in use, these systems work well with wireless to add secure authentication mechanisms (and other capabilities in this list). Where neither is already in use, platform selections or software cost will help guide appropriate choices. (Kerberos is part of the Windows 2000 Server and later Windows Server environments, for example, and works well with appropriate Windows clients.)
- Confidentiality: This provides sufficiently strong encryption to protect ongoing communications from interception and inspection. A combination of key exchange, certificate management, and encryption services often applies here and mandates use of IPSec or VPN technology, augmented by authentication and access controls.
- Access control: This ensures that unauthorized users are not permitted to access resources, sensitive or otherwise. This generally applies at higher layers than those customary for wireless communications, but mechanisms such as MAC address filtering, protocol filtering, and authentication all come into play in this area.
- Integrity: This provides data checks so that data sent may be easily compared to data received, and changes noted (and changed data rejected). This is not only an essential component in network communications of any kind, but is also essential to securing such communications.
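To make the authentication, access control, and integrity items above concrete, here is an added example (not code from the original document or from HP) of a per-message check that ties the three together: a keyed hash (HMAC-SHA256) over the sender name, the requested resource, and the payload lets the receiver detect any change in transit and attribute the message to the holder of a particular sender key, after which a simple access list decides whether that sender may reach that resource. The sender names, keys, resources, and message layout are all constructed for illustration; in a real deployment the keys would come from an authentication exchange such as Kerberos rather than a hard-coded table, and confidentiality (encryption, which the text assigns to IPSec or VPN technology) is deliberately not shown.

```python
"""Added example: message-level integrity, sender authentication, and access
control with a keyed hash. All identities, keys, and resource names below are
constructed for illustration; nothing here is from the original text."""
import hmac
import hashlib
import secrets

TAG_LEN = 32  # HMAC-SHA256 output length in bytes

# Constructed per-sender keys. In practice these are established by the
# authentication system (e.g. Kerberos), not stored in source code.
SENDER_KEYS = {
    "attorney-1": secrets.token_bytes(32),
    "attorney-2": secrets.token_bytes(32),
}

# Constructed access-control list: which resources each sender may reach.
ACCESS_LIST = {
    "attorney-1": {"mail", "briefs"},
    "attorney-2": {"mail"},
}


def protect(sender: str, resource: str, payload: bytes) -> bytes:
    """Build  sender|resource|payload|tag  where tag is HMAC-SHA256 over
    everything before it, computed under the sender's key."""
    body = f"{sender}|{resource}|".encode() + payload
    tag = hmac.new(SENDER_KEYS[sender], body, hashlib.sha256).digest()
    return body + b"|" + tag


def verify(message: bytes):
    """Return (sender, resource, payload) when the message is intact, was
    produced under the named sender's key, and the sender may access the
    resource. Raise ValueError for altered/malformed data and
    PermissionError for unknown senders or disallowed resources."""
    # The tag is the fixed-length tail; parse from the right so a payload
    # containing '|' cannot confuse the layout.
    if len(message) < TAG_LEN + 1 or message[-TAG_LEN - 1:-TAG_LEN] != b"|":
        raise ValueError("malformed message")
    body, tag = message[:-TAG_LEN - 1], message[-TAG_LEN:]
    parts = body.split(b"|", 2)
    if len(parts) != 3:
        raise ValueError("malformed header")
    sender, resource, payload = parts[0].decode(), parts[1].decode(), parts[2]

    key = SENDER_KEYS.get(sender)
    if key is None:
        raise PermissionError("unknown sender")

    # Recompute the tag and compare in constant time. A mismatch means the
    # data changed in transit or was not produced under this sender's key;
    # either way the message is rejected, as the integrity item requires.
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed: message rejected")

    # Access control is evaluated only after identity and integrity hold.
    if resource not in ACCESS_LIST.get(sender, set()):
        raise PermissionError(f"{sender} may not access {resource}")
    return sender, resource, payload


def outcome(message: bytes) -> str:
    """Classify a received message: 'ok', 'rejected' (altered or malformed),
    or 'denied' (unknown sender or resource not permitted)."""
    try:
        verify(message)
        return "ok"
    except ValueError:
        return "rejected"
    except PermissionError:
        return "denied"


if __name__ == "__main__":
    good = protect("attorney-1", "briefs", b"file brief 42")
    print("intact message:", outcome(good))
    altered = bytearray(good)
    altered[-TAG_LEN - 2] ^= 1  # flip one bit of the last payload byte
    print("altered payload:", outcome(bytes(altered)))
    print("resource not permitted:", outcome(protect("attorney-2", "briefs", b"x")))
    spoofed = protect("attorney-2", "mail", b"hi").replace(b"attorney-2|", b"attorney-1|", 1)
    print("sender field rewritten:", outcome(spoofed))
```

The ordering inside verify matters: identity and integrity are settled before the access decision, so an access-control rule is never evaluated on data that could have been altered or on a sender name that the attached tag does not vouch for.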
If a company needs secure end-to-end communications for staff attorneys to use wireless links on Windows 2000 and Windows XP laptops for e-mail, to write and file briefs, and to access confidential records from various secured servers, they'd be well-advised to implement a solution that combines authentication through Kerberos, IPSec security associations to permit only authorized individuals to establish specific server and service links, and IPSec protocols to meet necessary integrity and confidentiality requirements. All of these desiderata can easily be layered on wireless laptops using standard Windows 2000 and Windows XP client capabilities, in tandem with Windows 2000 or Windows 2003 Server machines.
The key lies in establishing the levels of access control, authentication, integrity, and confidentiality that are required. When security must apply end to end or when it's more expeditious to apply security approaches at the connection level (rather than for individual applications), multiple security approaches must usually be combined to meet such requirements. When in doubt, HP Services can help establish security requirements, and design appropriate, workable security solutions.