WARNING: This site is intended for online use only; mass-downloading of pages degrades the server and is prohibited.
If you attempt to use tools to mass-download the site, you may be blocked permanently by automated software.
If you want to read this CertiGuide offline, please use one of the links on the left to purchase a convenient PDF copy. Thank you.

Like this CertiGuide? Get it in PDF format!
Click Here!
Use coupon code "certiguide" to save 20%!
(Expires 2004/12/31)

Also available: 300-question Security+ practice test!
Get It Here!

Custom Search






Table Of Contents  CertiGuide to Security+
 9  Chapter 2:  Communication Security (Domain 2.0; 20%)
      9  2.1  Remote Access

Previous Topic/Section
2.1  Remote Access
Previous Page
Pages in Current Topic/Section
12
3
Next Page
 2.1.2  VPN
Next Topic/Section

2.1.1  802.1X
(Page 3 of 3)

802.1X and EAP



Optionally, 802.1X can also be used to return encryption keys to users, allowing the network to dynamically vary the encryption used by each connection, rather than requiring that all stations be pre-configured with a fixed key (currently a time-consuming activity). As we’ll see later when we discuss WEP encryption over 802.11 in section 2.6, this improves the privacy level of wireless communications.

802.1X

802.1X provides for an extensible authentication mechanism over physical media such as FDDI or wireless LANs. It can be used to improve the privacy of wireless LAN communication by dynamically varying the keys used to encrypt the wireless traffic.


802.1X is only the framework allowing EAP transactions to be passed on the media. It is not EAP itself. To get authentication functionality, you must choose a particular flavor of EAP, and install it on your authentication server. Here’s a listing of the choices:

  • Transport Layer Security (EAP-TLS)

  • EAP Tunneled Transport Layer Security (EAP-TTLS) Built into XP, Win CE 4.0

  • RADIUS (FRC 2138,2139)

  • LEAP138, by Cisco (which has its own challenges139)

You can change the flavor of EAP that you use at any time, without needing to replace 802.1X-compliant access points, because the exact mechanics of EAP are transparent to the access points. RSA has a two factor variation called PEAP (Protected Extensible Authentication Protocol), a security add-on to the 802.1x WLAN standard140.

[spacer]802.1X Authentication

Currently, 802.1 X authentication methods are outside the scope of 802.11-based wireless LANs. However, it is not expected to remain so. The 802.11i committee is specifying the use of 802.1X in combination with 802.11. Many vendors have already included support for 802.1X in their products, including enterprise application products and Microsoft Windows XP.


802.1X is not without its issues, though. For example, while great care is taken to authenticate the client, access points themselves aren’t subject to such scrutiny. So, theoretically, someone could pose as an access point and stage a man-in-the-middle type of attack. Additionally, while it can be used to improve the security of WEP by permitting more frequent key changes, it doesn’t provide any additional layers of encryption. Additionally, EAPOL itself has proven to be susceptible to Denial of Service attacks, because attackers can spoof EAPOL logoff frames, logging a legitimate user off an access point, and then deluge the access point with EAPOL start frames so that no one else can access it.

[spacer]WPA

Wireless Protected Access141 (WPA) support has been supported by a number of manufactures and is designed to replace WEP on existing equipment with software and firmware updates. Mandatory in equipment sold after July 2003. WPA uses mutual authentication and is forward compatible to the upcoming 802.11i security standard expected to be ratified in September 2003.


[spacer]A or B or G or...

The tradeoff of B/G 2.4 Gtz verses the A range of 5.1 Gtz is really simple to understand. B/G is more crowded (cordless phones, microwave ovens some ZigBee 142 and Bluetooth) and has fewer available channels. The range is farther because the frequency is lower.

So, pick B/G for coverage, go with A for performance (abet at a higher cost due to more expensive equipment and shorter range).


Figure 16: Currently, a rogue access point is very dangerous because it can be behind the firewall and go unnoticed.

 

 __________________

138. http://www.cisco.com/global/AT/veranstaltungen_seminare/downloads/files/03_wlan_security.pdf

139. http://www.informationweek.com/story/showArticle.jhtml?articleID=18901468

140. http://www.eweek.com/article2/0,3959,768019,00.asp

141. http://www.wirelessnewsfactor.com/perl/printer/19852/

142. http://www.zigbee.org/documents/ZigBeeOverview4.pdf

Previous Topic/Section
2.1  Remote Access
Previous Page
Pages in Current Topic/Section
12
3
Next Page
 2.1.2  VPN
Next Topic/Section

If you find CertiGuide.com useful, please consider making a small Paypal donation to help the site, using one of the buttons below. You can also donate a custom amount using the far right button (not less than $1 please, or PayPal gets most/all of your money!) In lieu of a larger donation, you may wish to consider buying an inexpensive PDF equivalent of the CertiGuide to Security+ from StudyExam4Less.com. (Use coupon code "certiguide" by December 31, 2004 to save 20%!) Thanks for your support!
Donate $2
Donate $5
Donate $10
Donate $20
Donate $30
Donate: $


Home - Table Of Contents - Contact Us

CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004

Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.