AccessControl is a big issue for wireless networks. Because the physical layer is broadcast over the air, you don't have the normal means of control that you have on conventional Ethernet: eyeballing where the cables go, and knowing that someone has to get into your house or office to plug into your network. All of a sudden anyone with a US$50 PCMCIA card can get access from 100 feet (or more) away from your house.

It is important to be aware of this and to know what your options are for securing your network. Most commercial AccessPoints come with a couple of options, each of which has its own strengths and weaknesses.

ESSID (Extended Service Set ID)

This is the most basic method and comes with 802.11. When you create a network in InfrastructureMode you must give it a name. For a client to connect to your network, it must know the name of the network.

Pros:

Cons:

MAC (or Ethernet) Address Filtering

This method lets you control who can connect to your wireless network by the MacAddress of their wireless network card. Every wireless card (just like an Ethernet card) has a unique address. By limiting access to only the MACs that you specify, you can control who is able to use your access point.
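As an added example (not part of the original page), here is the kind of allowlist check an access point performs for MAC filtering: it reads a "one address per line" accept file, normalises the different ways a MAC address gets written (colons, dashes, Cisco-style dots) so that a client is not let in or kept out by a formatting difference, and then answers whether a connecting card's address is on the list. The file contents and addresses are constructed sample values.

```python
import re

# Constructed accept file in the common "one MAC per line, '#' starts a comment"
# style. The addresses are sample values, not real hardware.
ACCEPT_FILE = """
# laptops allowed on the home network
00:11:22:33:44:55   # adam's laptop
00-11-22-33-44-66   # same kind of address written with dashes
0011.2233.4477      # Cisco-style dotted notation
"""

_HEX = r"[0-9A-Fa-f]"
# The three notations we accept; each captures the hex digits as groups.
_FORMS = (
    re.compile(rf"^({_HEX}{{2}})[:-]({_HEX}{{2}})[:-]({_HEX}{{2}})[:-]"
               rf"({_HEX}{{2}})[:-]({_HEX}{{2}})[:-]({_HEX}{{2}})$"),
    re.compile(rf"^({_HEX}{{4}})\.({_HEX}{{4}})\.({_HEX}{{4}})$"),
    re.compile(rf"^({_HEX}{{12}})$"),
)


def normalize_mac(text: str) -> str:
    """Return the address as 12 lowercase hex digits, or raise ValueError."""
    s = text.strip()
    for form in _FORMS:
        m = form.match(s)
        if m:
            return "".join(m.groups()).lower()
    raise ValueError(f"not a MAC address: {text!r}")


def load_allowlist(content: str) -> set:
    """Parse an accept file into a set of normalised addresses.

    A malformed line is an error rather than silently skipped, so a typo in
    the file cannot quietly lock a legitimate card out.
    """
    allowed = set()
    for lineno, raw in enumerate(content.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        try:
            allowed.add(normalize_mac(line))
        except ValueError as e:
            raise ValueError(f"line {lineno}: {e}") from None
    return allowed


def is_allowed(client_mac: str, allowed: set) -> bool:
    """Decide whether a connecting card may associate.

    The address checked is whatever the client puts in its frame header, so
    this identifies a card; it does not prove who is holding it.
    """
    try:
        return normalize_mac(client_mac) in allowed
    except ValueError:
        return False


if __name__ == "__main__":
    acl = load_allowlist(ACCEPT_FILE)
    for mac in ("00:11:22:33:44:55", "00-11-22-33-44-77", "00:11:22:33:44:88"):
        print(mac, "->", "allowed" if is_allowed(mac, acl) else "rejected")
```

Normalising before comparison matters in practice: an entry typed as `00-11-22-33-44-66` and a client reporting `00:11:22:33:44:66` are the same card and must match.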

Pros:

Cons:

WEP (Wired Equivalent Privacy)

This is a security method built into the 802.11 protocol. It uses a shared-key system: you configure a key (basically a password) into your access point, and for a wireless client to connect to your network it must know the key and type it into its software.

Pros:

Cons:

Note: WEP+ and WPA are basically the same as WEP, only with workarounds for the encryption problems. Basically what they do is force rekeying to occur faster than the minimum amount of time required to gather sufficient entropy to break the key. In short, it's an ugly but fairly effective solution.
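To make the shared-key description and the rekeying note concrete, here is an added example (written for this page, not code from the original author) of how a WEP frame body is built: a 24-bit initialisation vector (IV) is sent in the clear, the IV and the shared key together seed RC4, and the keystream is XORed over the payload plus a CRC-32 integrity check value. The same code shows the property the rekeying workaround is aimed at: with only 2^24 IVs per key, IVs repeat quickly, and two frames sent under the same IV and key leak the XOR of their plaintexts. The key and packets are constructed sample values; the one-byte key-index field that follows the IV in a real frame is left out.

```python
import math
import struct
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key scheduling, then the pseudo-random generation loop."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(shared_key: bytes, iv: int, plaintext: bytes) -> bytes:
    """Frame body: 3-byte IV in clear, then RC4(IV || key) over plaintext || ICV."""
    assert 0 <= iv < (1 << 24), "WEP IVs are 24 bits"
    iv_bytes = iv.to_bytes(3, "little")
    icv = struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)
    body = plaintext + icv
    ks = rc4_keystream(iv_bytes + shared_key, len(body))
    return iv_bytes + bytes(b ^ k for b, k in zip(body, ks))


def wep_decrypt(shared_key: bytes, frame: bytes) -> bytes:
    """Reverse of wep_encrypt; raises if the CRC-32 ICV does not match."""
    iv_bytes, ct = frame[:3], frame[3:]
    ks = rc4_keystream(iv_bytes + shared_key, len(ct))
    body = bytes(c ^ k for c, k in zip(ct, ks))
    plaintext, icv = body[:-4], body[-4:]
    if struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF) != icv:
        raise ValueError("ICV mismatch")
    return plaintext


def keystream_reuse_leak(frame_a: bytes, frame_b: bytes):
    """If two frames share an IV (and key), XOR of the ciphertexts equals XOR
    of the plaintexts, because both were XORed with the same RC4 keystream.
    Returns None when the IVs differ."""
    if frame_a[:3] != frame_b[:3]:
        return None
    n = min(len(frame_a), len(frame_b))
    return bytes(a ^ b for a, b in zip(frame_a[3:n], frame_b[3:n]))


def iv_collision_probability(frames_sent: int, iv_bits: int = 24) -> float:
    """Birthday-bound estimate of at least one IV repeat after frames_sent
    frames with randomly chosen IVs under one key."""
    n = 1 << iv_bits
    return 1.0 - math.exp(-frames_sent * (frames_sent - 1) / (2.0 * n))


def should_rekey(frames_sent: int, max_collision_probability: float = 0.01) -> bool:
    """The policy the note describes: change the key before IV reuse becomes
    likely, rather than waiting for the 2^24 space to be exhausted."""
    return iv_collision_probability(frames_sent) >= max_collision_probability


if __name__ == "__main__":
    KEY = b"\x01\x02\x03\x04\x05"          # constructed 40-bit shared key
    f1 = wep_encrypt(KEY, 0x0ABCDE, b"hello world!")
    f2 = wep_encrypt(KEY, 0x0ABCDE, b"secret text!")   # same IV reused
    print("leak equals p1 ^ p2:", keystream_reuse_leak(f1, f2)[:12] ==
          bytes(a ^ b for a, b in zip(b"hello world!", b"secret text!")))
    print("P(repeat) after 5000 frames: %.2f" % iv_collision_probability(5000))
```

The birthday estimate is what makes the note's "rekey faster than an attacker can gather enough traffic" workaround meaningful: with random IVs, a repeat is more likely than not after only about five thousand frames, so a key that never changes will see reuse within minutes on a busy network.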

Captive (or Forced) Portal

While WEP and MAC filtering will probably deter all but the dedicated hacker, they still have significant issues when it comes to usability. Neither scales very well, neither allows for self-provisioning via a web page (or any other method), and both have known, and usable, ways around them.

One possible answer to these problems is a CaptivePortal solution. Captive portals (also referred to as forced portals) have been used for a while by vendors like Nortel and Cisco for controlling DSL customers' access to the Internet. Basically how they work is by providing connectivity to the client without any authentication (no password or anything); however, the client is firewalled at a point so that they can't get to anything interesting or useful. As soon as the client tries to connect to a web site they are forced (or captured) to a login web site. There they can log in with their username and password, and if this authentication is successful the portal connects to the firewall and grants access to the client's IP address.
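The mechanism just described, as an added example that is not part of the original page: a firewall decision that lets an unauthenticated client reach only the portal, captures its web traffic, drops everything else, and a login step that on success adds the client's IP address to the firewall's allow set. The class names, user database and addresses are constructed for the example; it assumes the portal and the resolver the client uses both live on the gateway address, so that name lookups work before login.

```python
import hashlib
import hmac
import os
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"
    REDIRECT_TO_PORTAL = "redirect"
    DROP = "drop"


PORTAL_ADDR = "10.0.0.1"   # constructed: gateway hosting the login page (and resolver)


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the portal never stores plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(password: str):
    salt = os.urandom(16)
    return (salt, _hash_password(password, salt))


# Constructed user database: username -> (salt, password hash).
USERS = {"adam": make_user("correct horse")}


class CaptivePortal:
    def __init__(self, users, portal_addr=PORTAL_ADDR):
        self.users = users
        self.portal_addr = portal_addr
        self.firewall_allow = set()   # client IPs the firewall forwards for
        self.sessions = {}            # client IP -> username, for logging/logout

    def filter_packet(self, src_ip: str, dst_ip: str, dst_port: int) -> Verdict:
        """Firewall decision for a packet arriving from a wireless client."""
        if src_ip in self.firewall_allow:
            return Verdict.ALLOW                 # authenticated: full access
        if dst_ip == self.portal_addr:
            return Verdict.ALLOW                 # portal (and its DNS) always reachable
        if dst_port == 80:
            return Verdict.REDIRECT_TO_PORTAL    # web traffic is "captured"
        return Verdict.DROP                      # nothing else until login

    def login(self, src_ip: str, username: str, password: str) -> bool:
        """Called by the portal web page; grants the client's IP on success."""
        record = self.users.get(username)
        if record is None:
            _hash_password(password, bytes(16))  # keep timing similar for unknown users
            return False
        salt, stored = record
        if not hmac.compare_digest(_hash_password(password, salt), stored):
            return False
        self.firewall_allow.add(src_ip)
        self.sessions[src_ip] = username
        return True

    def logout(self, src_ip: str) -> None:
        self.firewall_allow.discard(src_ip)
        self.sessions.pop(src_ip, None)


if __name__ == "__main__":
    portal = CaptivePortal(USERS)
    client, website = "10.0.0.55", "192.0.2.10"   # constructed client and site
    print("before login:", portal.filter_packet(client, website, 80))
    print("login ok:", portal.login(client, "adam", "correct horse"))
    print("after login:", portal.filter_packet(client, website, 443))
```

Because the grant is keyed on the client's IP address, as the description says, the allow set is exactly what the portal hands to the firewall; logout (or a lease change) must remove the entry again, or the next holder of that address inherits the access.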

Pros:

Cons:

802.1x

This is a new option that I don't yet know very much about. Basically 802.1x provides a way of using client-side certificates to provide end-to-end security and authentication for wireless networks. By using LDAP/RADIUS as authentication backends it's possible to build quite secure networks.

Unfortunately, the algorithms currently in use have flaws as well, and so 802.1x isn't a huge improvement at this point. It will be fixed, but it hasn't happened yet.

-- AdamShand


[CategoryDocumentation]

AccessControl (last edited 2007-11-23 18:04:12 by localhost)