Wireless LAN – WLAN
3.3 Protecting the wireless network
BAT54-Rail/F.. Release 7.54 06/08
Note: Further information is available from our web site www.hirschmann.com under Support > FAQ.
3.3.1 LEPS—BAT Enhanced Passphrase Security
LEPS remedies the security issues presented by global passphrases.
The modern encryption methods WPA and IEEE 802.11i (WPA2) protect WLAN data traffic from eavesdroppers far better than the older WEP. In pre-shared key mode a single passphrase serves as the central key, which is very easy to handle: no RADIUS server, as an 802.1X installation requires, is needed.
However, WPA and IEEE 802.11i with a pre-shared key still have some weak spots:
- One passphrase applies globally to all WLAN clients.
- The passphrase may fall into unauthorized hands if it is treated carelessly.
- A leaked passphrase then gives any attacker free access to the wireless network.
In practice this means: if the passphrase goes missing, or an employee who knows it leaves the company, the passphrase in the access point has to be changed, and with it the passphrase in every WLAN client. As this is not always feasible, an improvement is to give each user in the WLAN an individual passphrase instead of one global passphrase for all WLAN clients. In the case above, the departing employee's "personal" passphrase is simply deleted; all others remain valid and confidential.
LEPS (BAT Enhanced Passphrase Security) is an efficient method that keeps the simple passphrase configuration of IEEE 802.11i but avoids the security loopholes that come with global passphrases.
LEPS adds a column to the ACL (access control list) that assigns an individual passphrase of 8 to 63 ASCII characters to each MAC address. A client can associate with the access point and negotiate IEEE 802.11i or WPA encryption only with the right combination of MAC address and passphrase.
Spoofing a MAC address is therefore futile on its own, and LEPS closes a known hole in plain MAC-based ACLs. With WPA or IEEE 802.11i the MAC address can indeed be intercepted, because it is always sent in the clear, but the passphrase itself is never transmitted over the air. An attacker needs both the MAC address and the passphrase that belongs to it before encryption can be negotiated, which makes attacking the WLAN considerably harder. One caveat remains: the key handshake can be captured and the passphrase guessed offline against it, so each individual passphrase should be long and random rather than a dictionary word. A compromised entry is then revoked by deleting that single ACL row.
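The MAC/passphrase pairing described above, and the reason a captured handshake still needs a strong passphrase, as an added example that is not code from the original manual or from Hirschmann: a small Python model of WPA2-PSK key derivation (PBKDF2 to PMK, PRF-384 to PTK, EAPOL-Key MIC) combined with the per-MAC passphrase lookup a LEPS-style ACL performs. The SSID, MAC addresses, ACL entries, EAPOL body and word list are constructed for this example.

```python
"""Toy model of WPA2-PSK authentication against a LEPS-style per-MAC ACL.

Key derivation follows IEEE 802.11i (PBKDF2 -> PMK, PRF-384 -> PTK, KCK -> MIC).
Everything else (SSID, MACs, ACL, EAPOL body, word list) is constructed example data.
"""
import hashlib
import hmac
import os

SSID = "factory-wlan"                      # assumed network name
AP_MAC = bytes.fromhex("00805f010203")      # assumed access point MAC

# LEPS-style ACL: one passphrase (8..63 ASCII chars) per client MAC (constructed).
LEPS_ACL = {
    bytes.fromhex("001122334455"): "plc-line-1-Xq7#Lp2vB9",
    bytes.fromhex("00112233aabb"): "hmi-panel-r3G!8zTnQ4e",
    bytes.fromhex("0011223399cc"): "summer2008",   # deliberately weak, see attack below
}


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """802.11i PRF-384 with label 'Pairwise key expansion'; bytes 0..15 are the KCK."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b"".join(
        hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:48]


def mic(kck: bytes, eapol: bytes) -> bytes:
    """EAPOL-Key MIC for key descriptor version 2: HMAC-SHA1 truncated to 16 bytes."""
    return hmac.new(kck, eapol, hashlib.sha1).digest()[:16]


def client_message2(passphrase, client_mac, anonce, snonce, eapol_body) -> bytes:
    """Station side: derive PMK/PTK from its passphrase and sign handshake message 2."""
    kck = derive_ptk(derive_pmk(passphrase, SSID), AP_MAC, client_mac, anonce, snonce)[:16]
    return mic(kck, eapol_body)


def ap_verifies(acl, client_mac, anonce, snonce, eapol_body, received_mic) -> bool:
    """Access point side: the passphrase is looked up for THIS MAC, so both must match."""
    passphrase = acl.get(client_mac)
    if passphrase is None:
        return False                              # MAC not in the ACL at all
    expected = client_message2(passphrase, client_mac, anonce, snonce, eapol_body)
    return hmac.compare_digest(expected, received_mic)


def attempt(acl, claimed_mac, passphrase) -> bool:
    """One association attempt by a station presenting claimed_mac and knowing passphrase."""
    anonce, snonce = os.urandom(32), os.urandom(32)
    eapol_body = b"\x02\x01\x0a" + snonce         # stand-in for EAPOL-Key message 2 fields
    m = client_message2(passphrase, claimed_mac, anonce, snonce, eapol_body)
    return ap_verifies(acl, claimed_mac, anonce, snonce, eapol_body, m)


def offline_dictionary_attack(client_mac, anonce, snonce, eapol_body, captured_mic, wordlist):
    """What a passive eavesdropper can do with one captured handshake: the passphrase is
    never sent, but every candidate can be tested offline against the captured MIC."""
    for candidate in wordlist:
        guess = client_message2(candidate, client_mac, anonce, snonce, eapol_body)
        if hmac.compare_digest(guess, captured_mic):
            return candidate
    return None


def demo() -> dict:
    acl = dict(LEPS_ACL)
    legit, other, weak = (bytes.fromhex(h) for h in ("001122334455", "00112233aabb", "0011223399cc"))
    results = {
        "legit": attempt(acl, legit, acl[legit]),
        # Spoofed MAC of a real client, but without that client's passphrase: rejected.
        "spoofed_mac_no_passphrase": attempt(acl, legit, "wrong-passphrase"),
        # Valid passphrase presented from a different MAC: rejected, the pair must match.
        "right_passphrase_other_mac": attempt(acl, other, acl[legit]),
    }
    # Employee leaves: delete only their row; nobody else needs a new key.
    del acl[legit]
    results["revoked"] = attempt(acl, legit, LEPS_ACL[legit])
    results["others_still_valid"] = attempt(acl, other, acl[other])
    # Caveat: one sniffed handshake of the weak client is enough for an offline guess.
    anonce, snonce = os.urandom(32), os.urandom(32)
    eapol_body = b"\x02\x01\x0a" + snonce
    captured = client_message2(acl[weak], weak, anonce, snonce, eapol_body)
    results["recovered"] = offline_dictionary_attack(
        weak, anonce, snonce, eapol_body, captured, ["password", "summer2008", "factory"])
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The model shows the two properties the text claims (a spoofed MAC without its passphrase fails, and one ACL row can be revoked without rekeying anyone else) and the caveat that the per-MAC passphrase is still the only secret: the weak entry "summer2008" falls to a three-word list, the random ones do not.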