
Voice over Wireless LAN Solution Guide v1.0 December 2005
Page 30
2.3.1 WLAN Handset 2210/11/12 security features
For authentication, the WLAN Handsets 2210/11/12 support either open, WEP shared key, or
WPA/WPA2 pre-shared key (PSK) mechanisms, while the 2212 model also supports IPsec VPN.
Note that the WLAN 2300 series can additionally use MAC authentication to increase the level of
confidence in authentication.
For data encryption, the 2210/11/12 handsets support 40-bit and 128-bit WEP, WPA, and WPA2
and the 2212 supports 3DES for VPN encryption. If you use WEP, Nortel recommends that the
authentication type be set to open, due to the known weakness of the 802.11 shared key
authentication algorithm. This is counterintuitive. For WPA and WPA2, the use of PSK does not
pose the same security risk that WEP shared key authentication does. Choice of WPA2 pass
phrase is important, however—weak ones can be broken through dictionary attacks. The
configuration cradle is especially valuable for configuring complex and secure pass phrases.
Bear in mind that the WEP encryption algorithm is compromised and will not thwart determined
attackers and eavesdroppers. Even 128-bit WEP is only roughly twice as secure as 40-bit WEP,
which means the effort of programming many handsets with 128-bit keys may not pay off in the
long run. For best handset security on 2210 and 2211 models, implement WPA2-PSK; for best
handset security on the 2212 model, implement IPsec VPN.
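The passphrase point above is the one that matters operationally: WPA2-PSK turns the passphrase and the SSID into the 256-bit Pairwise Master Key with a public, deterministic derivation (PBKDF2-HMAC-SHA1, 4096 iterations, per IEEE 802.11i), so a weak passphrase can be recovered by offline guessing and the only mitigation is choosing one that is not guessable. The following is an added example, not code from the Nortel guide: it implements the standard derivation so the relationship is concrete, then shows a simple policy check and a generator for the kind of long random passphrase the configuration cradle is meant to load. The entropy estimate and the tiny word list are constructed for illustration; the 8 to 63 printable-ASCII length rule is from the standard.

```python
import hashlib
import math
import secrets
import string

# Added example (not part of the Nortel guide). WPA/WPA2-PSK derivation:
# PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
# Because this is deterministic and the SSID is broadcast, a captured
# handshake lets anyone test candidate passphrases offline at leisure;
# passphrase strength is the whole defence.

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Standard 802.11i PSK derivation (no secret inputs beyond the passphrase)."""
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("utf-8"), ssid.encode("utf-8"), 4096, 32
    )

def estimate_entropy_bits(passphrase: str) -> float:
    """Rough estimate: length * log2(size of character pool actually used).
    Over-estimates for dictionary words, so it is only a floor, not a proof."""
    pool = 0
    if any(c.islower() for c in passphrase):
        pool += 26
    if any(c.isupper() for c in passphrase):
        pool += 26
    if any(c.isdigit() for c in passphrase):
        pool += 10
    if any(c in string.punctuation for c in passphrase):
        pool += len(string.punctuation)  # 32 symbols
    return 0.0 if pool == 0 else len(passphrase) * math.log2(pool)

# Constructed stand-in for a dictionary-attack word list (illustration only).
COMMON_WORDS = {"password", "nortel", "voice", "wireless", "handset", "12345678"}

def check_passphrase(passphrase: str, min_bits: float = 80.0):
    """Return (ok, reasons). Enforces the 802.11i passphrase rules
    (8-63 printable ASCII characters) plus a local strength policy."""
    reasons = []
    if not 8 <= len(passphrase) <= 63:
        reasons.append("length must be 8-63 characters")
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        reasons.append("only printable ASCII is allowed")
    if passphrase.lower() in COMMON_WORDS:
        reasons.append("in common word list")
    if estimate_entropy_bits(passphrase) < min_bits:
        reasons.append("estimated entropy below %d bits" % min_bits)
    return (not reasons, reasons)

def generate_passphrase(length: int = 24) -> str:
    """Random passphrase from the full printable set, suitable for loading
    via a configuration cradle rather than typing on a handset keypad."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))

if __name__ == "__main__":
    # Constructed sample SSID; the PMK is what the AP and handset both derive.
    print(derive_pmk("password", "IEEE").hex())
    print(check_passphrase("password"))
    strong = generate_passphrase()
    print(strong, check_passphrase(strong))
```

The check treats anything under roughly 80 bits or on a word list as unacceptable; with a 24-character random passphrase the estimate is well above that, which is why a cradle-loaded passphrase beats one chosen to be easy to key in on a handset.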
2.3.2 IP Softphone 2050 and MCS Client security features
The IP Softphone 2050 and MCS Client security features are as wide and flexible as are 802.11
Network Interface Card (NIC) security features. This is one key advantage of the PC-based voice
applications. Most current NICs can support 802.1x clients, IPsec clients, government grade
security protocols such as Fortress and Cranite, and WPA. Essentially, any mechanism that is
desired for protecting data and is required for laptops can be easily leveraged to secure voice
over the WLAN. Battery power is generally not a major issue in laptops, and should not unduly
influence what security measures you implement.
2.3.3 MVC 2050 security features
Supported PDA models do support the more robust 802.1x protocol for authentication and can
dynamically rotate WEP keys for encrypting data. Dynamic keying dramatically increases the
security of WEP-based encryption, because the keys can be changed before being compromised
by an attacker. Some models of supported PDAs also support WPA for more robust security—
consult the manufacturers’ web site for more information on particular PDAs. Alternatively, you
can use the Movian IPsec client for securing voice, but this comes at the penalty of slightly
reduced battery life due to the client's high CPU use. The CPU usage itself has the bigger
potential impact: the Movian client adds about 20 percent utilization, and calls destabilize at
about 70 percent utilization. Maximum talk time varies with the particular PDA and battery, but
with the Movian client running it will be a little less than the normal maximum.
The optimal compromise that maximizes battery life while providing good enough security on a
PDA is to implement 802.1x and dynamic WEP keying.
2.3.4 Minimum security recommendations for WLAN 2300
Configure the WLAN 2300 series with a single SSID for both data and voice if the following
requirements can be met:
- Common encryption type between data devices and handsets
- The use of MAC authentication plus PSK authentication for handset devices is
  considered acceptable from a security policy perspective
Whether or not you implement handset voice with a separate SSID, the WLAN 2300 series
should implement either WPA2-PSK, or MAC authentication, but preferably both. Alternatively