Wi-Fi Protected Access (WPA, WPA2); Additional Security Measures; MAC Address Filtering - Fortinet FortiWiFi FortiWiFi-50B Install Manual

FortiOS 3.0 MR6

Wireless Security

Wi-Fi Protected Access (WPA, WPA2)

Additional security measures

There has been criticism of WEP security. WEP keys are static: they must be
changed manually and frequently on both the wireless devices and the access
points. In a small company or on a network with only a few users and APs, this
is not a big issue. However, as the number of users and access points grows,
changing WEP keys regularly becomes an administrative headache and is
potentially error prone. Consequently, keys are rarely changed for months or
years at a time, leaving a hacker plenty of time to get the key and gain access
to the network.

In small wireless networking environments, activating WEP security will
significantly reduce the chance of outside infiltrators getting into your
network, and is better than no security at all. However, it is still very
important that you regularly change the WEP key, at least weekly; or monthly at
most.

WPA was developed to replace the WEP standard and provide a higher level of
data protection for wireless networks. WPA provides two methods of
authentication: 802.1X authentication or pre-shared keys.

802.1X authenticates users through an EAP authentication server, such as a
RADIUS server, which authenticates each user before they can connect to the
network. The encryption keys can be changed at varying intervals to minimize
the opportunity for hackers to crack the key being used.

In a network setup where a RADIUS server is not a viable option, WPA also
provides authentication with pre-shared keys using Temporal Key Integrity
Protocol (TKIP). Using TKIP, the encryption key is continuously re-keyed while
the user is connected to the wireless network. This creates a unique key for
every data packet. To further ensure data integrity, a Message Integrity Code
(MIC, also known as Michael) is incorporated into each packet. It uses an
8-byte message integrity code that is encrypted using the MAC addresses and
data from each frame to provide a more secure packet transmission.

WPA and WPA2 provide more robust security between the wireless device and the
access point.
The FortiWiFi unit includes other security measures you can use to prevent
unwanted users from accessing your wireless network. By setting a few extra
options, you can be assured your network and its information are secure.

MAC address filtering

To improve the security of your wireless network, consider enabling MAC address
filtering on the FortiWiFi unit. By enabling this feature, you define the wireless
devices that can access the network based on their system MAC address. When
a user attempts to access the wireless network, the FortiWiFi unit checks the MAC
address of the user against the list you created. If the MAC address is on the
approved list, the user gains access to the network. If the user is not on the list, the user is
rejected. Using MAC address filtering makes it more difficult for a hacker using
random MAC addresses or spoofing a MAC address to gain access to your
network.
Using a wireless network
FortiWiFi-50B FortiOS 3.0 MR6 Install Guide
01-30006-0445-20080131
