Wireless Security

Using a wireless network

There has been criticism of WEP security. WEP keys are static. They must be changed manually and frequently on both the wireless device and the APs. On a small company or network with a few users and APs, this is not a big issue. However, the more users and APs, changing WEP keys regularly can become an administrative headache and potentially error prone. Consequently, keys are rarely changed over months or years, leaving a hacker plenty of time to get the key and gain access to the network.

In small wireless networking environments, activating WEP security will significantly minimize outside infiltrators from getting in your network and is better than no security at all. However, it is still very important that you regularly change the WEP key, at least weekly; or monthly at most.

Wi-Fi Protected Access (WPA)

WPA was developed to replace the WEP standard and provide a higher level of data protection for wireless networks. WPA provides two methods of authentication; through 802.1X authentication or pre-shared keys.

802.1X authenticates users through an EAP authentication server such as a RADIUS server authenticates each user before they can connect to the network. The encryption keys can be changed at varying intervals to minimize the opportunity for hackers to crack the key being used.

In a network setup where a RADIUS server is not a viable option, WPA also provides authentication with preshared keys using Temporal Key Integrity Protocol (TKIP). Using TKIP, the encryption key is continuously re-keyed while the user is connected to the wireless network. This creates a unique key on every data packet. To further ensure data integrity, a Message Integrity Code (MIC also known as Michael) is incorporated into each packet. It uses an 8 byte message integrity code that is encrypted using the MAC addresses and data from each frame to provide a more secure packet transmission.

WPA provides a more robust security between the wireless device and the access point. The FortiWiFi unit supports both WPA methods.

Additional security measures

The FortiWiFi unit includes other security measures you can use to block unwanted users from accessing your wireless network. By setting a few extra options, you can be assured your network and its information is secure.

MAC address filtering

To improve the security of your wireless network, consider enabling MAC address filtering on the FortiWiFi unit. By enabling this feature, you define the wireless devices that can access the network based on their system MAC address. When a user attempts to access the wireless network, the FortiWiFi unit checks the MAC address of the user to the list you created. If the MAC address is on the approved list, the user gains access to the network. If the user is not in the list, the user is rejected. Using MAC address filtering makes it more difficult for a hacker using random MAC addresses or spoofing a MAC address to gain access to your network.

60

FortiWiFi-60A/AM FortiOS 3.0 MR4 Install Guide

01-30004-0283-20070215

Page 60
Image 60
Fortinet ORTIWIFI-60A /AM manual Wi-Fi Protected Access WPA, Additional security measures, MAC address filtering