Wireless security


A wireless intrusion prevention system: Added WIPS vendors and the reason why WIPS became important

← Previous revision Revision as of 10:49, 22 April 2026
Line 99: Line 99:


A [[Wireless Intrusion Prevention System]] (WIPS) is a concept for the most robust way to counteract wireless security risks.{{Cite web|url=https://www.pcisecuritystandards.org/|title=Official PCI Security Standards Council Site|website=PCI Security Standards Council}} However such WIPS does not exist as a ready designed solution to implement as a software package. A WIPS is typically implemented as an overlay to an existing [[Wireless LAN]] infrastructure, although it may be deployed standalone to enforce no-wireless policies within an organization. WIPS is considered so important to wireless security that in July 2009, the [[Payment Card Industry Security Standards Council]] published wireless guidelines{{cite web|title= PCI DSS Wireless Guidelines|url=https://www.pcisecuritystandards.org/pdfs/PCI_DSS_Wireless_Guidelines.pdf|access-date=2009-07-16}} for [[PCI DSS]] recommending the use of WIPS to automate wireless scanning and protection for large organizations.
A [[Wireless Intrusion Prevention System]] (WIPS) is a concept for the most robust way to counteract wireless security risks.{{Cite web|url=https://www.pcisecuritystandards.org/|title=Official PCI Security Standards Council Site|website=PCI Security Standards Council}} However such WIPS does not exist as a ready designed solution to implement as a software package. A WIPS is typically implemented as an overlay to an existing [[Wireless LAN]] infrastructure, although it may be deployed standalone to enforce no-wireless policies within an organization. WIPS is considered so important to wireless security that in July 2009, the [[Payment Card Industry Security Standards Council]] published wireless guidelines{{cite web|title= PCI DSS Wireless Guidelines|url=https://www.pcisecuritystandards.org/pdfs/PCI_DSS_Wireless_Guidelines.pdf|access-date=2009-07-16}} for [[PCI DSS]] recommending the use of WIPS to automate wireless scanning and protection for large organizations.

Several WIPS vendors were established in the early 2000s. AirDefense was founded in 2001 and later acquired by [[Motorola]] in 2008{{Cite web |last=Staff |first=Sensors |date=2008-07-30 |title=Motorola to Acquire AirDefense {{!}} Fierce Sensors |url=https://www.fiercesensors.com/components/motorola-to-acquire-airdefense |access-date=2026-04-22 |website=www.fiercesensors.com |language=en}}. Mojo Networks was founded in 2004 and later acquired by [[Arista Networks]] in 2018{{Cite news |last=Sisler |first=Whitney |title=Arista Acquires Mojo Networks - Arista |url=https://www.arista.com/en/company/news/press-release/5717-pr-20180802 |archive-url=http://web.archive.org/web/20260122234409/https://www.arista.com/en/company/news/press-release/5717-pr-20180802 |archive-date=2026-01-22 |access-date=2026-04-22 |work=Arista Networks |language=en-gb}}. With the rapid growth of Wireless LANs, WIPS became an important part of every organization's security posture.


== Security measures ==
== Security measures ==
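Review bot: the closing sentence of the added paragraph, "WIPS became an important part of every organization's security posture", is an unsourced generalisation that the two acquisition citations do not support; cite a source for it or soften it to "many organizations". The new paragraph also follows directly after the unchanged sentence "However such WIPS does not exist as a ready designed solution to implement as a software package", which the vendor history just added (products since 2001, acquired by Motorola and Arista) appears to contradict; reconcile the two, for instance by qualifying the older sentence. Minor: the first citation splits the byline into "|last=Staff |first=Sensors", which renders as "Staff, Sensors"; use a single author field or omit it, and the archive-url in the second citation should use https rather than http.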
Line 117: Line 119:


{{Main|IEEE 802.1X}}
{{Main|IEEE 802.1X}}

IEEE 802.1X is the [[IEEE Standard]] [[authentication]] mechanisms to devices wishing to attach to a Wireless LAN.
IEEE 802.1X is the [[IEEE Standard]] [[authentication]] mechanisms to devices wishing to attach to a Wireless LAN.
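Review bot: no textual change is visible in this hunk, but since the line is touched, the subject and complement disagree in number ("is the ... authentication mechanisms") and "to devices" should be "for devices"; suggest "IEEE 802.1X is the IEEE Standard authentication mechanism for devices wishing to attach to a Wireless LAN."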


Line 122: Line 125:


{{Main|Wired Equivalent Privacy}}
{{Main|Wired Equivalent Privacy}}

The Wired Equivalent Privacy (WEP) [[encryption]] standard was the original encryption standard for wireless, but since 2004 with the ratification [[WPA2]] the IEEE has declared it "deprecated",{{cite web|title=What is a WEP key?|url=http://lirent.net/wifi/what-is-a-wep-key.html|publisher=lirent.net|access-date=2008-03-11|archive-date=2008-04-17|archive-url=https://web.archive.org/web/20080417005957/http://lirent.net/wifi/what-is-a-wep-key.html|url-status=dead}} and while often supported, it is seldom or never the default on modern equipment.
The Wired Equivalent Privacy (WEP) [[encryption]] standard was the original encryption standard for wireless, but since 2004 with the ratification [[WPA2]] the IEEE has declared it "deprecated",{{cite web|title=What is a WEP key?|url=http://lirent.net/wifi/what-is-a-wep-key.html|publisher=lirent.net|access-date=2008-03-11|archive-date=2008-04-17|archive-url=https://web.archive.org/web/20080417005957/http://lirent.net/wifi/what-is-a-wep-key.html|url-status=dead}} and while often supported, it is seldom or never the default on modern equipment.
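Review bot: "since 2004 with the ratification [[WPA2]] the IEEE has declared it deprecated" is missing "of" and attributes the ratification of WPA2 to the IEEE, whereas the WPA2 paragraph later in this same diff (Line 184 hunk) describes WPA2 as the Wi-Fi Alliance's branded version of the IEEE 802.11i standard; suggest "since 2004, with the ratification of IEEE 802.11i (marketed as WPA2), the IEEE has declared it deprecated". The supporting citation is a dead self-published page (lirent.net, url-status=dead); a standards or vendor reference would carry the deprecation claim better.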


Line 158: Line 162:
'''LEAP'''
'''LEAP'''
{{Main|Lightweight Extensible Authentication Protocol}}
{{Main|Lightweight Extensible Authentication Protocol}}

This stands for the Lightweight Extensible Authentication Protocol. This protocol is based on [[802.1X]] and helps minimize the original security flaws by using WEP and a sophisticated key management system. This EAP-version is safer than EAP-MD5. This also uses MAC address authentication. LEAP is not secure; THC-LeapCracker can be used to break [[Cisco]]'s version of LEAP and be used against computers connected to an access point in the form of a [[dictionary attack]]. Anwrap and asleap finally are other crackers capable of breaking LEAP.
This stands for the Lightweight Extensible Authentication Protocol. This protocol is based on [[802.1X]] and helps minimize the original security flaws by using WEP and a sophisticated key management system. This EAP-version is safer than EAP-MD5. This also uses MAC address authentication. LEAP is not secure; THC-LeapCracker can be used to break [[Cisco]]'s version of LEAP and be used against computers connected to an access point in the form of a [[dictionary attack]]. Anwrap and asleap finally are other crackers capable of breaking LEAP.


'''PEAP'''
'''PEAP'''
{{Main|Protected Extensible Authentication Protocol}}
{{Main|Protected Extensible Authentication Protocol}}

This stands for Protected Extensible Authentication Protocol. This protocol allows for a secure transport of data, passwords, and encryption keys without the need of a certificate server. This was developed by Cisco, Microsoft, and [[RSA Security]].
This stands for Protected Extensible Authentication Protocol. This protocol allows for a secure transport of data, passwords, and encryption keys without the need of a certificate server. This was developed by Cisco, Microsoft, and [[RSA Security]].
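Review bot: the LEAP paragraph's last two sentences name specific cracking tools without any citation, and "Anwrap and asleap finally are other crackers capable of breaking LEAP" reads awkwardly; suggest "Anwrap and asleap are other tools capable of breaking LEAP" with a reference for each claim. The PEAP paragraph likewise carries no citation for any of its statements, including that it works "without the need of a certificate server" and that it was developed by Cisco, Microsoft and RSA Security; add sources or tag the paragraph as needing them.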


Line 184: Line 190:


{{Main|IEEE 802.11i}}
{{Main|IEEE 802.11i}}

[[WPA2]] is a WiFi Alliance branded version of the final 802.11i standard.{{cite web|title=Wi-Fi Protected Access |url=http://www.wifialliance.org/knowledge_center_overview.php?docid=4486 |publisher=[[Wi-Fi Alliance]] |access-date=2008-02-06 |url-status=usurped |archive-url=https://web.archive.org/web/20070521092851/http://www.wifialliance.org/knowledge_center_overview.php?docid=4486 |archive-date=May 21, 2007 }} The primary enhancement over WPA is the inclusion of the [[AES-CCMP]] algorithm as a mandatory feature. Both WPA and WPA2 support EAP authentication methods using RADIUS servers and preshared key (PSK).
[[WPA2]] is a WiFi Alliance branded version of the final 802.11i standard.{{cite web|title=Wi-Fi Protected Access |url=http://www.wifialliance.org/knowledge_center_overview.php?docid=4486 |publisher=[[Wi-Fi Alliance]] |access-date=2008-02-06 |url-status=usurped |archive-url=https://web.archive.org/web/20070521092851/http://www.wifialliance.org/knowledge_center_overview.php?docid=4486 |archive-date=May 21, 2007 }} The primary enhancement over WPA is the inclusion of the [[AES-CCMP]] algorithm as a mandatory feature. Both WPA and WPA2 support EAP authentication methods using RADIUS servers and preshared key (PSK).


Line 197: Line 204:


{{Main|WLAN Authentication and Privacy Infrastructure||l2 = }}
{{Main|WLAN Authentication and Privacy Infrastructure||l2 = }}

This stands for WLAN Authentication and Privacy Infrastructure. This is a wireless security standard defined by the [[China|Chinese]] government.
This stands for WLAN Authentication and Privacy Infrastructure. This is a wireless security standard defined by the [[China|Chinese]] government.
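Review bot: the hatnote {{Main|WLAN Authentication and Privacy Infrastructure||l2 = }} carries an empty second positional parameter and an empty l2 parameter; drop the trailing "||l2 = " so it reads {{Main|WLAN Authentication and Privacy Infrastructure}}. The statement that the standard is defined by the Chinese government is also uncited.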


Line 263: Line 271:


{{Main|RADIUS}}
{{Main|RADIUS}}

''Remote Authentication Dial In User Service'' (RADIUS) is an [[AAA protocol|AAA (authentication, authorization and accounting) protocol]] used for remote network access. RADIUS, developed in 1991, was originally proprietary but then published in 1997 under ISOC documents RFC 2138 and RFC 2139.{{Cite book|title= RADIUS: Securing Public Access to Private Resources|author =Jonathan Hassell |publisher= O'Reilly Media |year=2003 |isbn= 978-0596003227|pages=15–16}}{{cite web|url=http://www.interlinknetworks.com/app_notes/History%20of%20RADIUS.pdf|title=The Beginnings and History of RADIUS|author=John Vollbrecht|year=2006|publisher=Interlink Networks|access-date=2009-04-15}} The idea is to have an inside server act as a gatekeeper by verifying identities through a username and password that is already pre-determined by the user. A RADIUS server can also be configured to enforce user policies and restrictions as well as record accounting information such as connection time for purposes such as billing.
''Remote Authentication Dial In User Service'' (RADIUS) is an [[AAA protocol|AAA (authentication, authorization and accounting) protocol]] used for remote network access. RADIUS, developed in 1991, was originally proprietary but then published in 1997 under ISOC documents RFC 2138 and RFC 2139.{{Cite book|title= RADIUS: Securing Public Access to Private Resources|author =Jonathan Hassell |publisher= O'Reilly Media |year=2003 |isbn= 978-0596003227|pages=15–16}}{{cite web|url=http://www.interlinknetworks.com/app_notes/History%20of%20RADIUS.pdf|title=The Beginnings and History of RADIUS|author=John Vollbrecht|year=2006|publisher=Interlink Networks|access-date=2009-04-15}} The idea is to have an inside server act as a gatekeeper by verifying identities through a username and password that is already pre-determined by the user. A RADIUS server can also be configured to enforce user policies and restrictions as well as record accounting information such as connection time for purposes such as billing.
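Review bot: "verifying identities through a username and password that is already pre-determined by the user" is unclear about who pre-determines what; suggest "verifying identities against a username and password established in advance". Minor: "inside server" would read better as "internal server".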