SpectraLink NetLink Wireless Telephones Best Practices White Paper Wireless Telephone manual

5.1Security Concerns

Security provisions are critical for any enterprise Wi-Fi network. Wireless technology does not provide any physical barrier to the network, since radio waves penetrate walls and can be monitored and accessed from outside a facility. The extent of security measures utilized are typically proportional to the value of the information accessible on the network. The security risk for Wi-Fi telephony is not limited to the typical wired telephony concerns of eavesdropping on telephone calls or making unauthorized toll calls, but is equivalent to the security risk of the data network that connects to the APs. Several different security solutions can be implemented with NetLink Wireless Telephones. Determining the proper level of security should be based on identified risks, corporate policy, and an understanding of the pros and cons of the available security methods.

5.1.1Wired Equivalent Privacy (WEP)

NetLink Wireless Telephones support Wired Equivalent Privacy (WEP) encryption as defined by the 802.11 standard. The handsets can use either 40-bit or 128-bit key lengths. WEP is intended to provide the same level of security over a wireless LAN as on a wired Ethernet LAN. Although security flaws have been identified, WEP still provides strong encryption that requires an experienced and dedicated hacker to break.

5.1.2Cisco Fast Secure Roaming (FSR)

802.1x based authentication protocols such as EAP-TLS or Cisco’s LEAP were developed to provide a higher level of security for wireless networks. These advanced methods require a back-end authentication server to authenticate users and generate new keys. This authentication and re-keying process can take up to several seconds and is required each time a user hands-off from one AP to the next in the same subnet. While this is taking place, the client device is not authenticated to an AP and there is an interruption in the data stream and therefore in the voice conversation. This interruption caused by the authentication process is unacceptable for voice communication in most enterprise applications.

To address the voice quality issues with most security mechanisms, SpectraLink and Cisco have worked together to deliver a Fast Secure Roaming (FSR) mechanism. FSR allows the authentication process to be done in a way that minimizes the number of messages required between the NetLink Wireless Telephones and the Cisco wireless LAN infrastructure. It is designed to be compatible with wireless standards and allow backward compatibility with devices utilizing previous security mechanisms, such as Cisco’s LEAP.

Implementation of FSR for Cisco Aironet APs utilizes several standard and proprietary security components, including Cisco Client Key Management (CCKM), LEAP authentication, Michael message integrity check (MIC), and Temporal Key Integrity Protocol (TKIP). FSR not only addresses the roaming issue, but also provides strong security measures for authentication, privacy, and data integrity.