CertiGuide to Security+  9  Chapter 2:  Communication Security (Domain 2.0; 20%)       9  2.1  Remote Access

2.1  Remote Access 1 2 3 2.1.2  VPN

The IEEE 802.1X standard is a relatively recent protocol enhancement that creates a standard for how authentication is performed over an 802 standards-based network. It improves scalability and security of wireless LAN authentication, and allows for the use of multiple authentication mechanisms as needed.

With a typical wired Ethernet LAN, the moment your station is added to the network, you have access to the wire. You may or may not be able to do much on the network if you don’t authenticate yourself to your organization’s domain controller, but you can usually sniff the raw packets that are reaching your network adapter. With a typical dial-up networking connection, the situation is different, because PPP requires that you authenticate yourself to a server before you can connect via the network. You have to provide a user ID and password (or other authentication) to the network you’re dialing into, before you’re allowed access to the network. No password = no packets.

Wireless networking follows the wired networking model above, rather than the dial-up networking model. If you have physical access to a connection (which in the wireless case means a wireless networking card that can communicate using the same technology as a particular wireless network access point), you can access its raw packets. In the 802.11b case, an attacker can parlay their ability to “sniff” packets from a wireless network, into the ability to connect to it, because it is possible to break the weak encryption typically used on 802.11b if you obtain a large enough sample of packets. This will be discussed in more detail, in section 2.6. The flaws in the attempts at communication privacy in 802.11b make additional layers of security valuable.

Another reason to want to authenticate wireless users before allowing them to connect to your network is that you might always want to be able to identify who’s on a particular network connection. In the wired world, that tends to be easy to do, because physical connections tend to be assigned to individual offices and work areas. In contrast, multiple users can connect to a given wireless access point, just by walking up to the area in which it is located, carrying a machine with a compatible network adapter. They might perform a network action that identifies them, like logging in to a network to reach a data file stored on a file server. But then again, they might opt to just surf the Internet anonymously.

2.1  Remote Access 1 2 3 2.1.2  VPN