WirelessTrakker supports several standardized security algorithms for securing wireless networks. This article will help explain and differentiate between them.
The Wi-Fi Alliance creates standardized security algorithms for limiting access to wireless networks, as well as for encrypting and securing the data sent across the wireless network. These are the methods we support, along with a recommendation for or against using each one.
Wired Equivalent Privacy (WEP)
WEP was the original security algorithm developed for use with 802.11, and it is supported on almost every 802.11a/b/g/n wireless device. There are two versions of WEP, 64-bit and 128-bit: 64-bit WEP uses a 40-bit key, and 128-bit WEP uses a 104-bit key. WEP was deprecated in 2004 as a security mechanism for all new 802.11 protocols, because in 2001 several flaws were exposed in the WEP algorithm that rendered it insecure. Further, in 2007 an exploit was demonstrated that allows an attacker to break into a WEP-protected network using 3MB of captured traffic and roughly 3 seconds of computation. Because of its weaknesses, it is strongly recommended that you do not use WEP on your wireless network.
Wi-Fi Protected Access (WPA)
WPA was developed to replace WEP and solve some of its shortcomings; it became a standard in 2003. WPA added TKIP encryption on top of WEP's key, making it more secure, among other new security features. WPA was an intermediate protocol that implemented most of the IEEE 802.11i standard. Flaws were later exposed in TKIP encryption, so WPA2 was developed as its successor.
Wi-Fi Protected Access v2 (WPA2)
WPA2 is the current security standard that all wireless networks should use. WPA2 added support for a much stronger encryption method, AES, which addresses the flaws of the TKIP encryption method used in WPA.
Pre-Shared Key Mode (PSK)
In PSK mode, there is a common key (password) shared between all wireless hosts. The user must enter this key to connect to the wireless network (or, if the computer has remembered the key, it can provide it on its own). All of the above encryption methods support this mode of operation. It is simple to set up, since it only requires a common password to access the network; however, its security is somewhat limited:
- Everyone that needs to connect to the network typically knows the password (or finds it out over time). The more people that know the password, the higher the chance of someone losing it and it reaching someone who shouldn't have it (for example, a student or visitor with bad intentions).
- The key is subject to simple brute-force attacks. Most people choose simple, easy-to-remember words for keys, for example the school's mascot, a phone number, or something similar. If the key cannot simply be guessed by a hacker, there are a variety of tools that can run dictionary attacks against the network to try to get in. If you make the key complicated by making it a random string of letters and numbers, then no one will remember it, and it will end up written down and easily copied by someone with bad intent.
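The two points above come down to one thing: in PSK mode the passphrase is the only secret, and the standard maps it to the network key with a fixed, cheap derivation. The following is an added example, not part of this article or of WirelessTrakker. It shows the standard WPA/WPA2 passphrase-to-PMK mapping (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, as specified in IEEE 802.11i), a simple grader that flags the predictable choices named above (all-digit keys, a mascot or word plus digits), and a word-based generator as one way to get a key that is both hard to guess and possible to remember. `PREDICTABLE_WORDS` and `WORDLIST` are constructed samples; the grading thresholds and the `assess_passphrase` / `generate_passphrase` names are this example's own choices.

```python
import hashlib
import math
import secrets

# Fixed by IEEE 802.11i for the WPA/WPA2-PSK passphrase-to-key mapping
PBKDF2_ITERATIONS = 4096
PMK_LEN_BYTES = 32


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Map a WPA/WPA2 passphrase plus SSID to the 256-bit Pairwise Master Key.

    This is the standard PBKDF2-HMAC-SHA1 mapping used by every PSK network.
    The SSID acts as the salt, so the same passphrase yields a different PMK
    on a differently named network, but 4096 iterations is cheap, so the
    passphrase itself carries all of the security.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1",
        passphrase.encode("ascii"),
        ssid.encode("utf-8"),
        PBKDF2_ITERATIONS,
        PMK_LEN_BYTES,
    )


# Constructed sample of the predictable choices the article warns about
# (mascot names, "password", the school's own name). A real checker would
# load a large dictionary plus the organisation's own names and numbers.
PREDICTABLE_WORDS = {"password", "wildcats", "mascot", "myschool"}


def estimate_bits(passphrase: str) -> float:
    """Upper bound on guessing work in bits, from the character classes used.

    A random string drawn from the same classes would need this many bits of
    guessing; human-chosen keys are usually far weaker than this bound.
    """
    charset = 0
    if any(c.islower() for c in passphrase):
        charset += 26
    if any(c.isupper() for c in passphrase):
        charset += 26
    if any(c.isdigit() for c in passphrase):
        charset += 10
    if any(not c.isalnum() for c in passphrase):
        charset += 33  # printable ASCII punctuation
    return len(passphrase) * math.log2(charset) if charset else 0.0


def assess_passphrase(passphrase: str) -> str:
    """Classify a PSK passphrase as 'weak', 'fair' or 'strong'.

    'weak' covers the patterns named in the article: an all-digit key such as
    a phone number, or a predictable word optionally followed by digits (for
    example a mascot plus a year). Anything else is graded by estimate_bits().
    """
    base = passphrase.lower().rstrip("0123456789")
    if passphrase.isdigit() or base in PREDICTABLE_WORDS:
        return "weak"
    return "strong" if estimate_bits(passphrase) >= 60 else "fair"


# Constructed 16-word sample list (4 bits per word). A production generator
# would use a list of several thousand words, e.g. the EFF long list, so that
# five words give 60+ bits rather than the 20 bits this toy list yields.
WORDLIST = [
    "anchor", "basket", "canyon", "dolphin", "ember", "falcon", "garden",
    "harbor", "island", "jigsaw", "kettle", "lantern", "meadow", "nectar",
    "orbit", "pebble",
]


def wordlist_bits(n_words: int, wordlist=WORDLIST) -> float:
    """Real entropy of a passphrase made of n_words random list entries."""
    return n_words * math.log2(len(wordlist))


def generate_passphrase(n_words: int = 5, wordlist=WORDLIST) -> str:
    """Build a memorable passphrase from randomly chosen words.

    Words are joined with '-' so the result stays within the WPA passphrase
    alphabet and length limit while being far easier to remember than a
    random alphanumeric string of equivalent strength.
    """
    phrase = "-".join(secrets.choice(wordlist) for _ in range(n_words))
    if len(phrase) > 63:
        raise ValueError("passphrase exceeds the 63-character WPA limit")
    return phrase


if __name__ == "__main__":
    # Known-answer check from IEEE 802.11i Annex H: passphrase "password", SSID "IEEE"
    print(derive_pmk("password", "IEEE").hex())
    for candidate in ["5551234567", "Wildcats2019", "abcdefgh", "Tq7#mZ9vLp2!xW4s"]:
        print(f"{candidate!r}: {assess_passphrase(candidate)} "
              f"({estimate_bits(candidate):.0f} bits upper bound)")
    print(generate_passphrase(), f"({wordlist_bits(5):.0f} bits from this toy list)")
```

Note that `estimate_bits()` is only an upper bound: a generated word phrase looks like a long random string to it, so its true strength is `wordlist_bits()`, which depends entirely on the size of the word list.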
Enterprise Mode
In Enterprise mode, clients must authenticate to the wireless network with a username and password. This authentication is handled by a process running on WirelessTrakker that can talk to one of several different databases: a built-in user database in WirelessTrakker, a remote SecureSchool user database, or a Microsoft Windows Active Directory. Additionally, the login can be checked by WirelessTrakker for permissions, similar to how Filter Sets work on SecureSchool. For example, for a user to get access to the "MySchool" SSID, there can be a requirement that the user must be in the "WT_MySchool" group in Active Directory. This method provides more security than PSK mode because each user uses their own username and password, and nothing is shared between users. It also adds accounting to the wireless network: since users are required to provide a username, you can see who logged in and at what time.
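To make the three pieces of Enterprise mode concrete (per-user credential check, a group requirement tied to an SSID, and an accounting trail), here is an added example that is not WirelessTrakker's code and does not use its API. It stands in for the directory with a constructed in-memory table (salted hashes rather than plaintext passwords), applies a per-SSID policy using the "MySchool" / "WT_MySchool" pairing from the text, and records every attempt. The `DIRECTORY`, `SSID_POLICY`, user names and the `authorize` / `logins_for` function names are all assumptions of this example; in a real deployment the credential check would be an 802.1X/RADIUS exchange against the configured user store.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the sample directory never holds plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _make_entry(password: str, groups: Set[str]) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt), "groups": groups}


# Constructed stand-in for the user stores the article lists (WirelessTrakker's
# built-in database, a SecureSchool database, or Active Directory). Only the
# lookup shape matters here: username -> credential check + group membership.
DIRECTORY = {
    "alice": _make_entry("correct-horse", {"Students", "WT_MySchool"}),
    "bob": _make_entry("battery-staple", {"Visitors"}),
}

# Per-SSID authorization policy: the groups a user must hold to use that SSID.
# An empty set means any authenticated user may join.
SSID_POLICY: Dict[str, Set[str]] = {
    "MySchool": {"WT_MySchool"},
    "Guest": set(),
}


@dataclass
class AccountingRecord:
    username: str
    ssid: str
    outcome: str
    when: datetime


ACCOUNTING_LOG: List[AccountingRecord] = []


def authenticate(username: str, password: str) -> Optional[Set[str]]:
    """Return the user's groups if the credentials check out, else None."""
    entry = DIRECTORY.get(username)
    if entry is None:
        # Do the hash anyway so unknown users take as long as bad passwords
        _hash_password(password, b"\x00" * 16)
        return None
    candidate = _hash_password(password, entry["salt"])
    if not hmac.compare_digest(candidate, entry["hash"]):
        return None
    return entry["groups"]


def authorize(username: str, password: str, ssid: str,
              now: Optional[datetime] = None) -> str:
    """Decide whether a login may join an SSID and record the attempt.

    Returns 'accept', 'reject-auth' (bad credentials), 'reject-authz'
    (authenticated but missing a required group) or 'reject-ssid' (no policy
    defined). Every outcome is logged so the accounting trail shows who tried
    what, on which SSID, and when.
    """
    when = now or datetime.now(timezone.utc)
    required = SSID_POLICY.get(ssid)
    if required is None:
        outcome = "reject-ssid"
    else:
        groups = authenticate(username, password)
        if groups is None:
            outcome = "reject-auth"
        elif not required.issubset(groups):
            outcome = "reject-authz"
        else:
            outcome = "accept"
    ACCOUNTING_LOG.append(AccountingRecord(username, ssid, outcome, when))
    return outcome


def logins_for(username: str) -> List[AccountingRecord]:
    """Accounting query: every attempt by one user, oldest first."""
    return [r for r in ACCOUNTING_LOG if r.username == username]


if __name__ == "__main__":
    print(authorize("alice", "correct-horse", "MySchool"))   # accept
    print(authorize("bob", "battery-staple", "MySchool"))    # reject-authz
    print(authorize("bob", "battery-staple", "Guest"))       # accept
    for rec in logins_for("bob"):
        print(rec.when.isoformat(), rec.username, rec.ssid, rec.outcome)
```

The important design point is that the group check runs only after a successful credential check, so a failed login never reveals whether the account exists or which groups it holds, and that rejected attempts are logged alongside accepted ones, since the failures are usually what an administrator wants to review.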