Wireless Network Security – The Basics of Securing a Wireless LAN

Network Authentication Process

The process by which a client associates and authenticates with an access point follows a common sequence. If shared key authentication is selected at the client, additional packets are exchanged to confirm the authenticity of the keys.

The following steps describe EAP authentication on the network.

  1. Client sends a probe to all access points
  2. Access point sends an information frame that includes the data rate and other details
  3. Client chooses the closest access point
  4. Client scans the access points in the order 802.11a, 802.11b, then 802.11g
  5. The data rate is determined
  6. Client associates with the access point using the SSID
  7. Through EAP network authentication, the client authenticates with the RADIUS server

Open Authentication

This security type assigns an identity string, referred to as a service set identifier (SSID), to an access point or to several access points that together form a logical wireless network segment. A client can't connect to an access point until it is configured to use that SSID. Connecting to your network can be as simple as finding the SSID on any of the clients on the network. Access points can be configured not to broadcast the SSID, which can increase security. Many companies use static or dynamic keys to strengthen SSID security.

Static WEP Keys

Configuring your client adapter to use a static Wired Equivalent Privacy (WEP) key increases the security of your wireless transmissions. The access point is set up with the same 40-bit and 128-bit WEP keys, and while the connection is being established those encrypted keys are compared. The problem is that hackers are able to capture wireless communications and decode the WEP key.

Dynamic Keys (WPA)

WEP keys that are generated dynamically per session improve security by using a hashing algorithm that creates a fresh key pair at specified intervals. This makes spoofing difficult. The standard protocol for WEP incorporates 802.1x authentication methods together with TKIP and MIC encryption. Authentication between the wireless client and the RADIUS authentication server permits dynamic management of security. Note that every authentication type specifies its own Windows platform support. One example is PEAP, which requires Windows XP with Service Pack 2, Windows 2000 with SP4, or Windows 2003 at each client.

The 802.1x standard provides authentication with per-user and per-session encryption using these supported EAP types: EAP-TLS, LEAP, PEAP, EAP-FAST, EAP-TTLS and EAP-SIM. The user's network authentication credentials are not tied to the configuration of the client computer, so the loss of computer equipment does not affect security. Encryption is handled by TKIP, an improved encryption standard that strengthens WEP encryption with per-packet key hashing (PPK), a message integrity check (MIC) and broadcast key rotation. The protocol employs 128-bit keys to encrypt data and 64-bit keys to authenticate. The transmitter adds a few bytes, the MIC, to a packet before encrypting it, and the receiver then decrypts the packet and verifies the MIC. Broadcast key rotation rotates both broadcast and unicast keys at specified intervals. Fast reconnect is an available WPA option that lets employees roam without having to sign in again through the RADIUS server when they move between rooms or floors. The client's username and password are cached by the RADIUS server for a specified time.
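The MIC step described above, as an added example that is not part of the original article: a Python implementation of Michael, the 64-bit-keyed MIC algorithm that IEEE 802.11i defines for TKIP (the article does not name it), with the receiver-side check. The MIC key, MAC addresses and payload are constructed sample values.

```python
import hmac
import struct

MASK = 0xFFFFFFFF

def _rol(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK

def _xswap(v):
    # Swap the two bytes inside each 16-bit half of the word.
    return ((v & 0xFF00FF00) >> 8) | ((v & 0x00FF00FF) << 8)

def _block(l, r):
    r ^= _rol(l, 17)
    l = (l + r) & MASK
    r ^= _xswap(l)
    l = (l + r) & MASK
    r ^= _rol(l, 3)
    l = (l + r) & MASK
    r ^= _rol(l, 30)  # same as rotate right by 2
    l = (l + r) & MASK
    return l, r

def michael(key: bytes, data: bytes) -> bytes:
    if len(key) != 8:
        raise ValueError("Michael uses a 64-bit key")
    l, r = struct.unpack("<II", key)
    # Pad with 0x5a, then 4 to 7 zero bytes, to a multiple of 4 bytes.
    padded = data + b"\x5a" + b"\x00" * 4
    padded += b"\x00" * (-len(padded) % 4)
    for (word,) in struct.iter_unpack("<I", padded):
        l ^= word
        l, r = _block(l, r)
    return struct.pack("<II", l, r)  # the 8 bytes appended to the packet

def tkip_mic(mic_key, dst, src, priority, payload):
    # TKIP feeds Michael: DA | SA | priority | 3 zero bytes | payload.
    return michael(mic_key, dst + src + bytes([priority, 0, 0, 0]) + payload)

def receiver_accepts(mic_key, dst, src, priority, payload, mic):
    # Recompute the MIC and compare it in constant time with the received one.
    return hmac.compare_digest(tkip_mic(mic_key, dst, src, priority, payload), mic)

# Constructed sample values (not from a real capture).
KEY = bytes.fromhex("0011223344556677")
AP, STA = bytes.fromhex("02aabbccdd01"), bytes.fromhex("02aabbccdd02")

if __name__ == "__main__":
    mic = tkip_mic(KEY, AP, STA, 0, b"GET /payroll")
    print(receiver_accepts(KEY, AP, STA, 0, b"GET /payroll", mic))  # intact
    print(receiver_accepts(KEY, AP, STA, 0, b"GET /payrolL", mic))  # altered
```

Because the addresses are part of the MIC input, a frame whose source address is changed in transit fails the check as well as one whose payload is changed.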


Uses a symmetric key algorithm to create a secure tunnel

Mutual authentication between the client and the RADIUS server

Client provides the username and password credentials through the secure tunnel


SSL version 3 creates an encrypted tunnel

Client and RADIUS server are each assigned PKI certificates for mutual authentication

Dynamic per-client, per-session keys are used to encrypt data

Protected EAP (PEAP)

Implemented on Windows clients with any EAP authentication method

Server-side authentication of the RADIUS server with a root CA digital certificate

Client-side authentication to the RADIUS server from the Microsoft MS-CHAP client with encrypted username and password credentials

Wireless Client EAP Network Authentication Process

  1. Client associates with the access point
  2. Access point permits 802.1x traffic
  3. Client authenticates the RADIUS server certificate
  4. RADIUS server sends an encrypted username and password request to the client
  5. Client sends the encrypted username and password to the RADIUS server
  6. Client and RADIUS server obtain the WEP key. The RADIUS server sends the WEP key to the access point.
  7. Access point encrypts the 128-bit broadcast key with the active session key and sends it to the client.
  8. Client and access point use the session key to encrypt and decrypt packets


WPA pre-shared keys use some features of both the static WEP key and the dynamic key protocols. Every access point and client is configured with a static passcode. The passcode generates the keys that TKIP uses to encrypt data for each session. The passcode should contain at least 27 characters to protect against dictionary attacks.
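How a static passcode becomes key material, and a check of the 27-character rule, as an added example that is not part of the original article. The derivation shown (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 256-bit output) is the one IEEE 802.11i defines for WPA pre-shared keys; the wordlist, SSIDs and function names are constructed for illustration.

```python
import hashlib

MIN_PASSPHRASE_LEN = 27  # minimum length recommended in the text above

# Constructed sample wordlist standing in for a real dictionary file.
COMMON_PHRASES = {"password", "letmein123", "companywifi", "welcome2020"}

def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """256-bit pre-shared key from the passcode and the SSID."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode(), 4096, 32
    )

def audit_passphrase(passphrase: str) -> list:
    """Return the reasons a passcode is exposed to dictionary guessing."""
    findings = []
    if len(passphrase) < MIN_PASSPHRASE_LEN:
        findings.append(
            f"only {len(passphrase)} characters, below {MIN_PASSPHRASE_LEN}"
        )
    if passphrase.lower() in COMMON_PHRASES:
        findings.append("appears in a common-phrase dictionary")
    return findings

if __name__ == "__main__":
    # The key depends only on passcode and SSID, so every client configured
    # with the same pair holds the same key until the passcode is changed.
    print(wpa_psk("password", "IEEE").hex())
    print(wpa_psk("password", "IEEE").hex() == wpa_psk("password", "Guest").hex())
    for candidate in ("password", "correct-horse-battery-staple-7391"):
        print(candidate, audit_passphrase(candidate) or "ok")
```

The derivation is deterministic and uses no secret other than the passcode, which is why passcode length and unpredictability are the only defence against a dictionary run.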


The WPA2 standard implements the WPA authentication methods with the Advanced Encryption Standard (AES). This encryption method is used in government implementations and in other situations where the highest security measures must be in place.

Application Layer Passcode

SSG employs a passcode at the application layer. Clients can't authenticate until they have the passcode. SSG is used in public areas, such as hotels, where clients pay for the password to gain access to the internet.

VLAN Assignments

As mentioned, companies use access points with SSID assignments that define logical wireless networks. The access point SSID is then mapped to a VLAN on the wired network, which separates traffic by group in the same way as a traditional wired network. Wireless deployments with multiple VLANs can then be configured with 802.1q and ISL trunking between the access point and the Ethernet switch.

Miscellaneous Settings

Turn Microsoft File Sharing OFF

Implement AntiVirus Software and Firewall

Set up your business VPN client

Disable auto-connect to any wireless network

Don't use ad hoc mode; it allows unidentified laptops to connect to your computer

Avoid signal overrun by carrying out a thorough site survey

Set the transmit power to the lowest setting

Anti Theft Option

Certain access points come with an anti-theft option that uses a padlock and cable to secure equipment deployed in public areas. This is a key feature for public installations, where access points could be lost or stolen or where there is a reason to install them on a low ceiling.

Security Attacks

Wireless packet sniffers capture, decode and analyze the packets transmitted between the client computer and the AP. The aim is to extract security information.

Dictionary attacks try to discover the decryption key configured on the wireless network by using a dictionary, or list, of thousands of common passcode phrases. The hacker collects information during authentication and then tries every dictionary word against it until one matches the encryption key.

The mode assigned to each wireless client can affect security. Ad hoc mode is the least secure option, with no AP authentication. Every computer on the network is able to send data directly to a neighboring ad hoc computer. Choose infrastructure mode if it is available.

IP spoofing is an extremely common network attack that involves faking or changing the source IP address of every packet. The network device then believes it is communicating with an approved computer.

SNMP can be a source of security compromise. Implement SNMP version 3 with complex community strings.