What Is Wireless Security (O'ReillyNet)

Posted Mar 31, 2006 20:11 UTC (Fri) by rvfh (subscriber, #31018) [Link]

Well, 802.11g maybe 54 Mbit/s link, but it would be more instructive to talk about payload rate, which will only reach 25 Mbit/s if you are very lucky, 20 Mbit/s being quite honorable already.

802.11b was about 6 Mbit/s with a good card, so we're closer to a 4 times ratio in reality.

The other thing that striked me was the absence of the words WPA and Radius. The best security seems to be achieved using WPA and a Radius server such as FreeRADIUS, WPA-PSK being the less difficult (no Radius server) version of it

Did I miss the point?

Posted Apr 1, 2006 4:46 UTC (Sat) by shemminger (subscriber, #5739) [Link]

This article covers all the weak security stuff that is useless. Hidden SSid,
authenticated sessions. Wep attacks are not covered and WPA isn't even mentioned. Where was the editor?

Posted Apr 1, 2006 5:50 UTC (Sat) by jd (guest, #26381) [Link]

As others have noted the 802.1x blunder, I won't point that out. (Oops! Too late! :) However, there are many other forms of security which deserve a mention. IPSec, for example, or SK/IP. (Yes, Sun dropped that protocol, but it was designed for unreliable networks and wireless definitely counts as one.)

The article also assumes mobile workstations operating around a single basestation. This is fairly common but far from universal - any large corporation with physical warehousing is likely to have multiple basestations within the warehouse. Depending on setup, this may mean they are using Mobile IP.

That, of course, is only one case. As city-wide wireless networks are becoming increasingly common, there will be a greater demand for Mobile IP support for common, everyday wireless devices. Mobile IP is a major headache for security, as you have to be able to migrate entire active connections (and back-propagate routing changes) whenever a device moves from one access point to another. You have to have extremely sophisticated authentication to be able to do that fast enough to avoid breaking any of the active connections.

So far, I know of no actual mobile network (NEMO) installation - although it seems reasonable that if/when aircraft support wireless connections, they would use something along those lines. There may be other scenarios where they are useful. Regardless, you still have to keep them secure and the needs are INFINITELY greater when you start talking about upstream (therefore probably high-speed) routers, with router traffic in addition to regular user data streams, migrating between wireless access points.

NONE of this is covered in the article. The last part (NEMO) I can forgive. It's too rare. Mobile IP is less forgivable, as it is an area too few people understand how to secure, but where the right level of security is vital. The error with 802.1x and the lack of IPSec are totally unforgivable, as those are the only standards regarded as trustable.

Posted Apr 2, 2006 7:38 UTC (Sun) by neilbrown (subscriber, #359) [Link]

After reading all those comments, I haven't even bothered looking at the article, but I do wonder: is there a *good* article on wireless security somewhere?

If not, it seems that LWN's readership has the expertise to write one. Could someone volunteer? Or maybe there needs to be a wiki.lwn.net so that informed readers can colaborate on a really good article, under the editorial oversight of our friend Mr Corbet.....

Just a random idea.

Posted Apr 2, 2006 19:37 UTC (Sun) by cthulhu (guest, #4776) [Link]

Yep, article is totally lame. 802.11g is not a "new" standard, it was ratified almost 3 years ago. Nowadays, everybody's talking about the "Pre-N" stuff and MIMO.

Also, the security you want now is WPA2, definitely not WEP. WPA isn't bad, but WPA2 is better. WPA uses TKIP, which is a way of using all those WEP RC4 engines built in to the chipsets at the time. WPA2 uses AES, but also supports TKIP for backward compatibility.

Then you have the "Enterprise" and "Personal" versions of each of these. Personal simply means the equipment supports pre-shared keys (ie, you type them in yourself), while Enterprise means that, plus support for RADIUS and 802.1x stuff - obviously very important for large deployments.

Best place to find info about Wi-Fi security is here: http://www.wi-fi.org/knowledge_center/security/

Full disclosure: my company's a member of Wi-Fi and I go to all the meetings. Also, I'm not a security expert, except by comparison with the information in the article!