S 2.383 Selection of a suitable WLAN standard

Initiation responsibility: IT Security Officer, Head of IT

Implementation responsibility: Head of IT, Administrator, IT Security Officer

In the context of WLAN planning, an analysis of the current situation must be performed first to determine which of the organisation's systems operate in the ISM band at 2.4 GHz and in the 5 GHz band. Based on this analysis, it can then be determined which WLAN standard can be used. The WLAN standards IEEE 802.11, IEEE 802.11b, and IEEE 802.11g use the 2.4 GHz band, while the IEEE 802.11a and IEEE 802.11h standards operate in the 5 GHz band. By selecting the correct frequency band, interference in the WLAN generated by other systems operated by the organisation can be prevented. Only the IEEE 802.11 and IEEE 802.11i standards contain descriptions of security mechanisms.

In addition to these technical considerations, the security mechanisms available in the individual WLAN standards must be compared to each other. As a rule, only methods generally recognised as secure should be used for authentication and encryption. It must be ensured that recognised cryptographic methods with sufficient key lengths as well as collision-free hash procedures are used (see also S 2.164 Selection of a suitable cryptographic procedure). When using WPA or WPA2, it is recommended to use authentication procedures with mutual authentication. In procedures with mutual authentication, the WLAN client must authenticate itself to the access point and vice versa. A secret text (the pre-shared key) or the EAP framework with a RADIUS server can be used for authentication purposes. If a high protection level is required, it is recommended to use device and user authentication so that only those clients known to the organisation (and configured according to the security policies) are permitted to access the WLAN.

The IEEE 802.11 standard, for example, uses Wired Equivalent Privacy (WEP) with static keys, which has been determined to be insecure. For this reason, WLANs in which WEP is used should not be operated without additional security safeguards in areas in which confidential information will be transmitted. In this case, the Wi-Fi Protected Access (WPA) method created by the Wi-Fi Alliance should be selected. Even better is the use of the supplemental IEEE 802.11i standard and WPA2 to secure WLAN communication. The standard specifies the use of pre-shared keys with the Temporal Key Integrity Protocol (TKIP), among others, to secure communication in the WLAN. IEEE 802.11i itself prescribes the use of the Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) as a prospective method for authentication which also guarantees additional confidentiality using the Counter Mode method. Likewise, CCMP uses the Advanced Encryption Standard (AES) to encrypt the information, in contrast to the use of RC4 in WEP and WPA.
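
The comparison of security mechanisms described above can also be applied to access points that already exist. The following added example (not part of the original safeguard) rates access point settings by the ordering given here: WEP is insecure, WPA is better, WPA2 with CCMP is preferred. The use of hostapd-style configuration keys, the sample configurations and the rating names are assumptions made for illustration.

```python
# Added example: rate access point settings by the ordering in this safeguard.
# Assumption: settings are available as hostapd-style key=value text.
SAMPLE_CONFIGS = {  # constructed sample input
    "legacy-ap": "hw_mode=b\nwep_default_key=0\nwep_key0=0123456789\n",
    "guest-ap": "hw_mode=g\nwpa=1\nwpa_key_mgmt=WPA-PSK\nwpa_pairwise=TKIP\n",
    "office-ap": "hw_mode=a\nwpa=2\nwpa_key_mgmt=WPA-EAP\nieee8021x=1\nrsn_pairwise=CCMP\n",
}
BANDS = {"a": "5 GHz", "b": "2.4 GHz", "g": "2.4 GHz"}  # hw_mode -> band

def parse(text):
    """Parse key=value lines, skipping blanks and # comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg

def audit(text):
    """Return band, authentication type and a rating for one access point."""
    cfg = parse(text)
    result = {"band": BANDS.get(cfg.get("hw_mode", ""), "unknown"), "auth": "none"}
    wpa = int(cfg.get("wpa", "0"))  # bit 0 = WPA, bit 1 = WPA2 (IEEE 802.11i)
    if wpa == 0:
        uses_wep = any(k.startswith("wep_key") for k in cfg)
        result["rating"] = "insecure"
        result["reason"] = "WEP with static keys" if uses_wep else "no encryption"
        return result
    key_mgmt = cfg.get("wpa_key_mgmt", "WPA-PSK").split()
    result["auth"] = "EAP/RADIUS" if "WPA-EAP" in key_mgmt else "pre-shared key"
    wpa_ciphers = cfg.get("wpa_pairwise", "TKIP")
    ciphers = set()
    if wpa & 1:  # ciphers offered to WPA clients
        ciphers |= set(wpa_ciphers.split())
    if wpa & 2:  # ciphers offered to WPA2 clients; falls back to wpa_pairwise
        ciphers |= set(cfg.get("rsn_pairwise", wpa_ciphers).split())
    if wpa == 2 and ciphers == {"CCMP"}:
        result["rating"], result["reason"] = "preferred", "WPA2 with CCMP (AES)"
    else:
        result["rating"] = "improved"
        result["reason"] = "WPA and/or TKIP (RC4) still enabled"
    return result

if __name__ == "__main__":
    for name, text in SAMPLE_CONFIGS.items():
        print(name, audit(text))
```

The rating and reason for each access point can be recorded alongside the documented decision on the WLAN standard.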

A careful examination of each of the WLAN standards, especially in terms of their security functions, is unavoidable and must always be performed. A decision on the use of a certain WLAN standard is possible only after a detailed assessment of each of the standards. The reasons for the decision must be documented so that the decision can be understood later.

Review questions: