Security; Security Concerns; Wired Equivalent Privacy (Wep); Wi-Fi Protected Access (Wpa/Wpa2) - Avaya 3616 Installation Manual

Installation Guide

5.0 Security

5.1 Security Concerns

Proper security provisions are critical for any enterprise Wi-Fi network. Wireless technology does not
provide any physical barrier from malicious attackers since radio waves penetrate walls and can be
monitored and accessed from outside a facility. The extent of security measures used is typically
proportional to the value of the information accessible on the network. The security risk for Wi-Fi
telephony is not limited to the typical wired telephony concerns of eavesdropping on telephone calls or
making unauthorized toll calls, but is equivalent to the security risk of the data network that connects to
the APs. Several different security solutions can be implemented with Avaya wireless telephones.
Determining the proper level of security should be based on identified risks, corporate policy and an
understanding of the pros and cons of the available security methods.

5.1.1 Wired Equivalent Privacy (WEP)

Avaya wireless telephones support Wired Equivalent Privacy (WEP) encryption as defined by the
802.11 standard. The handsets can use either 40-bit or 128-bit key lengths. WEP is intended to
provide the same level of security over a wireless LAN as on a wired Ethernet LAN. Although security
flaws have been identified, WEP still provides strong encryption that requires an experienced and
dedicated hacker to break.

5.1.2 Wi-Fi Protected Access (WPA/WPA2)

Recognizing the need for stronger security standards beyond WEP, the IEEE developed and ratified
the 802.11i standard, which includes stronger encryption, key management, and authentication
mechanisms. Wi-Fi protected Access 2 (WPA2) is the Wi-Fi Alliance's specification and certification
program based on the 802.11i standard. WPA2 includes the Advanced Encryption Standard (AES),
which is widely accepted as one of the most powerful forms of encryption available. Avaya wireless
telephones running on v2.0 or greater are fully compatible WPA2-certified wireless infrastructure
equipment.
WPA2 has two different authentication modes: Enterprise Mode uses 802.1x EAP-based
authentication and Personal mode uses a pre-shared key (PSK). Due to serious call quality concerns
with 802.1x EAP-based authentication, Avaya wireless telephones support WPA2 only using the Pre-
shared Key (PSK) authentication method. 802.1x authentication employs a RADIUS authentication
server and an EAP-based key exchange sequence. The time intensive key exchange sequence and
roundtrip network latency results in an interruption in service when a client roams from one access
point to another. It is unlikely that this interruption will disrupt data clients but real-time services such
as voice and video will experience a degradation of service.

5.1.3 Cisco Fast Secure Roaming (FSR)

Certificate-based authentication protocols such as EAP-TLS and Cisco's LEAP were developed to
provide a higher level of security for wireless networks. These advanced methods require a back-end
authentication server to authenticate users and generate new keys. This authentication and re-keying
process can take up to several seconds and is required each time a user hands off from one AP to the
next in the same subnet. While this is taking place, the client device is not authenticated to an AP.
There is an interruption in the data stream, and therefore in the voice conversation. This type of
interruption is unacceptable for voice communication in most enterprise applications.
To address security and voice quality on Cisco WLANs, Avaya supports Cisco's Fast Secure Roaming
(FSR) mechanism. FSR allows the authentication process to be done in a way that minimizes the
number of messages required between the Avaya wireless telephones and the Cisco WLAN
infrastructure. Implementation of FSR for Cisco APs uses a combination of standards-based and
proprietary security components including Cisco Client Key Management (CCKM), LEAP
Octiober 2008 14