Friday, August 8, 2008

Access Points: An Open Back Door

Every Access Point on the market is vulnerable because even though encrypted information may go out over the air, unencrypted information goes in over the wire. The flawed assumption is that the wire going into the AP is trusted. That wired side is easy to tap, sniff or spoof.

Today's standards for WPA2 (Personal or Enterprise) perpetuate the exposure by requiring key material or RADIUS passwords to be stored on the AP itself. This opens the AP to hacking, either physically (opening up the AP) or by gaining wireless access to the AP administrative channel, to obtain Pre-Shared Keys or RADIUS shared secrets. The AP could then spoof the backend or be reprogrammed to broadcast traffic in the clear on another channel. This is particularly true of the Atheros Multiband chipsets that can support many "virtual" APs.
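One way to inventory the secrets that paragraph describes, as an added example that is not from the original post or from WirelessWall. It assumes the AP runs hostapd (the post names no AP software) and lists, per virtual BSS, which long-term secrets the configuration stores, without echoing their values; the sample configuration is constructed.

```python
"""Inventory long-term secrets stored in a hostapd-style AP configuration."""

# hostapd.conf options that keep key material or RADIUS secrets on the AP
SECRET_KEYS = {
    "wpa_passphrase": "WPA2-Personal passphrase",
    "wpa_psk": "WPA2-Personal pre-shared key (hex)",
    "wpa_psk_file": "path to per-station PSK file",
    "auth_server_shared_secret": "RADIUS authentication shared secret",
    "acct_server_shared_secret": "RADIUS accounting shared secret",
}

# Constructed sample: one radio carrying two virtual APs (BSSes)
SAMPLE_CONF = """\
# constructed sample, not taken from a real device
interface=wlan0
ssid=corp
wpa_key_mgmt=WPA-EAP
auth_server_addr=192.0.2.10
auth_server_shared_secret=example-radius-secret
bss=wlan0_1
wpa_key_mgmt=WPA-PSK
wpa_passphrase=example-guest-passphrase
ssid=guest
"""

def audit(conf_text):
    """Return one finding per stored secret; values are never copied out."""
    findings, ssids, bss = [], {}, None
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        # hostapd treats only whole lines starting with '#' as comments
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in ("interface", "bss"):   # each starts a new (virtual) AP
            bss = value
        elif key == "ssid":
            ssids[bss] = value
        elif key in SECRET_KEYS and value:
            findings.append({"line": lineno, "bss": bss, "key": key,
                             "kind": SECRET_KEYS[key]})
    for f in findings:                    # ssid may follow the secret line
        f["ssid"] = ssids.get(f["bss"])
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_CONF):
        print(f"line {f['line']}: {f['bss']} ({f['ssid']}) stores {f['kind']}")
```

Each finding marks a secret that anyone with physical or administrative access to that AP can read.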

Access and firewall policies are not centralized or standard between AP vendors. These must be replicated on each AP whenever the policy changes, adding to cost and complexity of administration, which means they are less likely to be changed often even though that would strengthen security. Various remote management schemes add another dimension to the exposure.

Centralized Security Management offers the advantage of keeping key material and 802.1X authenticator passwords at the Datacenter rather than on APs at the edge of the security envelope. This approach is reflected in the "Split-AP" model in the upcoming IETF CAPWAP standards and is used by WirelessWall. It keeps the APs blind to all security profiles.

In summary, WirelessWall is recommended because it follows the CAPWAP Taxonomy guidelines for a Split-AP mode. CAPWAP is a future standard that is not yet ratified and years away from market. WirelessWall provides comparable security-model functionality today as a FIPS 140-2 software solution using AES-CCMP Layer 2 encryption, 802.1X and EAP-TTLS with mutual authentication. It is smart security to keep APs "dumb" -- administrators have less to worry about because they don't expose the data center to compromise at every AP location.

1 comment:

Unknown said...

Thank you for sharing this information.


Data center security in Andhra Pradesh works through a data center transformation by securing data and embedding security postures into their whole surroundings.
