Access Control And Security; Essid (Extended Service Set Identifier); Mac Address Filtering - ASCOM VoWiFi System System Description

System Description
Ascom VoWiFi System
2.3

Access Control and Security

Since the physical layer in a WLAN is broadcast over the air, the normal methods to control a
conventional LAN cannot be used. To secure the WLAN from intruders, authentication and
encryption are important factors.
Measures like creating a MAC address filter makes it a little more difficult for intruders to
access and use the WLAN. There are stronger methods, such as using authentication, for
example a RADIUS server, but these often require dedicated servers or other hardware.
The use of encryption does not affect the voice stream when the phone is associated to an
AP. When roaming between APs, the exchange of fresh session encryption keys needs to be
completed before transmission of speech frames can be resumed. The exchange of
encryption keys is time consuming and can cause incidents of silence when roaming.
Encryption helps to protect the information sent over the air. That way an intruder will not
be able to snoop on the information that is sent over the air. The encryption types used are
WEP, TKIP and AES.
Security can be divided in two parts:
• Authentication ensures that the identities of the two communication peers are correct
and can be trusted.
• Privacy aims to protect the communication from eavesdropping by encryption.
Authentication and privacy are independent of each other but are often specified to be used
together in some constellations.
2.3.1

ESSID (Extended Service Set Identifier)

The ESSID is the identifying name of an infrastructure WLAN. Only one ESSID can be
specified in the client setup. By specifying the ESSID in the client setup, it makes sure to
connect to the desired WLAN instead of the neighbours WLAN by mistake. The ESSID should
be unique for each system.
It is possible to use many ESSIDs for the same WLAN. This way different user groups can
connect to the same WLAN but get different access rights.
It is possible to hide the ESSID by not letting the APs broadcast the name. That way the
users must know the ESSID and enter it manually to be able to connect to the WLAN.
2.3.2

MAC Address Filtering

MAC address filtering is an authentication method to control who can connect to the WLAN.
Every wireless card (just like an ethernet card) has a unique address. The administrator
creates an Access Control List (ACL) on the AP with the MAC addresses of the mobile devices
allowed to communicate with the AP. To enable roaming, the ACL must be created on every
AP in the network and manually maintain the list. Depending on how many clients, this may
or may not be an issue.
A weakness is that an unauthorized client can sniff the MAC addresses of authorized clients
from the air. Also, MAC addresses are not as unique as they used to be because they can be
changed.
The MAC address filtering is only used for authentication of clients in the system and
provides no encryption of traffic on the network.
7 September 2011 / Ver. G
TD 92313EN
12