Authentication a Key Part of Any WLAN Security Policy
This series on network security is for enterprise organizations looking to have a more robust policy in place.
In my last article on wireless network security, we discussed a basic security policy. In today’s post we talk about authentication.
If we were to play the word-association game, most IT people would respond to a query of “security” with “encryption”. And such is a not a bad answer, and in fact a really good start. Cryptography has been the essence of secure storage and communications for centuries. But there’s another element of security that’s even more important, and which, properly implemented, forms the basis for encryption as well: authentication.
Simply put, authentication is about proving one’s identity to another party – the primary goal of authentication is assuring that the presented identity is, in fact, real, or authentic. We do this, for example, at airport security checkpoints, showing a document that identifies us to the satisfaction of the examining officer. But keep in mind that such documents can be forged, albeit at significant cost, so counterfeiting is a challenge well beyond the domain of national currencies.
A variety of other techniques are available, though, most notably biometrics in the form of an iris or retinal scan, and even via DNA – although the latter is hardly inexpensive or even close to real-time, at least today.
But the possibilities here introduce one of the most valuable variants of authentication, known as two-factor authentication. This incarnation is often referred to as “something you have plus something you know”. The something you know could be, for example, the familiar username and password, and the something you have – the second factor – can be a hardware token, ID badge (especially one with an embedded chip, like the new crop of credit cards), or even a wireless handset. We might, for example, send an SMS message to a particular handset, with an authenticated response again serving as the second factor.
Ideally, all authentication should be mutual, with both parties proving their identity to each other. We’re all familiar with phishing attacks, where the identity of one party is “spoofed”, to use the polite term for outright fraud. Mutual authentication solves this problem, and can be accomplished by presenting, for example, a digital picture pre-selected by the other party, assuring an authentic connection.
Finally, good authentication drives encryption by using (hopefully, again, mutual) authentication information to generate the security keys required for encryption. Assuming a good choice of encryption algorithm (such as AES-128 or AES-256), production security in commercial settings today doesn’t get better than this.
Ultimately, we expect everything required for good security to be wrapped up in what’s become known as identity management solutions, which consolidate authentication, access control, authorization, accounting and more into an easy-to-use solution that works across all networks and clients. Yes, when it comes to security, you’re never “done”. But good strategies and solutions are at work today, all starting with authentication.
Next time we discuss the cloud’s role in securing the enterprise WLAN. If you missed part 1, be sure to catch up.
All Posts In This Series: