Wireless Security Primer for Data Acquisition

NI Wi-Fi data acquisition (DAQ) devices use IEEE 802.11 to stream continuous waveform data over a wireless network. Because IEEE 802.11 uses over-the-air RF signals as its physical transmission medium, it offers unique security challenges beyond those of a wired system. Previously, many companies have been reluctant to deploy wireless applications over fears of security breaches. Today, however, IEEE 802.11 network security is a viable solution for wireless data acquisition applications, having matured significantly in the IT space for more than 10 years.

NI Wi-Fi DAQ supports the highest commercially available security, IEEE 802.11i (commonly known as WPA2 Enterprise). This primer provides an overview of the industry-standard security practices associated with IEEE 802.11i and steps for protecting data with NI Wi-Fi DAQ devices.

IEEE 802.11 Security Background

A proper understanding of wireless security requires some background on the history of wireless networking and the lessons learned from early wireless deployments. Since the original IEEE 802.11 standard was introduced in 1997, the IEEE 802.11 task group has iterated on several security protocols, finally arriving at one (IEEE 802.11i) that is universally accepted by IT departments worldwide.

Wireless Security History

Fears over the security of wireless networks have their roots in the history of early networks. The original IEEE 802.11 standard introduced Wired Equivalent Privacy (WEP) as a means of protecting against unwanted wireless network access. In this type of network, each client computer has a password to an access point on the network. That password is used to gain access to the network and to encrypt all messages between the access point and the client.

Figure 1. Wireless security standards define how data is encrypted across a wireless network link.

Most home and small office networks use WEP because of its easy setup. However, WEP can be vulnerable to attack, especially if used improperly. WEP uses an RC4 cipher to encrypt data and a 40-bit key to encode and decode messages.

WEP Vulnerabilities

Attackers have found weaknesses in the WEP protocol and have developed methods for breaching a WEP network that is not properly protected:

Dictionary Attack – Many users leave their wireless access points and network interface cards at the factory default settings. Others choose a “weak” WEP key that can be found in a dictionary. Potential attackers can take advantage of these networks by “guessing” at security settings. Some may use a brute force method, but more sophisticated algorithms are also available. Dictionary attacks are easily prevented by choosing a strong password.

Man-in-the-Middle Attack – Most Wi-Fi network access points broadcast their service set identifiers (SSIDs) so that clients can easily find and connect to them. A rogue access point broadcasting the same SSID can trick a client into sending its security information, thereby giving an attacker access to the real network. A common best practice is to turn off SSID broadcasts from your router.

Replay Attack – A replay attack occurs when an attacker eavesdrops on wireless communication packets and records the transmitted data. The attacker then uses that data to replay messages with false or erroneous data to “trick” an access point into transmitting additional Address Resolution Protocol (ARP) packets. With enough packets (50,000 to 100,000), an attacker can decrypt the WEP key.

NI Wi-Fi DAQ supports WEP security. However, many wireless data acquisition applications require stronger security protocols.

NI Wi-Fi DAQ Network Security Components

NI Wi-Fi DAQ supports several wireless security protocols, including WEP, Wi-Fi Protected Access (WPA), and IEEE 802.11i (commonly known as WPA2 Enterprise). WPA offers better security than WEP by preventing replay attacks. WPA2 and WPA2 Enterprise offer the best wireless network security, providing both stronger data protection (encryption) and access control (authentication).

Encryption

For effective protection of wireless data transmissions, a Wi-Fi network must have a strong encryption algorithm (cipher) and some form of key management. Two encryption standards are widely used today with Wi-Fi networks: TKIP and AES.

The IEEE 802.11i task group introduced the Temporal Key Integrity Protocol (TKIP) with WPA as a stop gap for existing WEP networks. Access points and clients can upgrade from WEP to WPA/TKIP with a simple firmware or software change. One advantage of TKIP over WEP is that it uses a 128-bit key versus a 40-bit key, though the encryption algorithm (RC4) is still the same. The more significant difference is that TKIP uses a different key for every message packet, hence the name “temporal.” This key is created dynamically by mixing a known pairwise transient key (PTK) with the MAC address of the client and a serial number for each packet. The PTK is created when a client connects to an access point using a preshared key (a passphrase that is known to all network members) and a random number generator. The serial number is incremented each time a new packet is sent. This means that replay attacks are impossible because the same key is never used from one packet to the next. An access point can detect when an attacker attempts to replay old packets.

As a final security solution, the IEEE 802.11i task group chose the Advanced Encryption Standard (AES) as the preferred encryption algorithm for Wi-Fi networks. Unlike TKIP, AES requires hardware upgrades for most older WEP installations because the cryptographic algorithm is more processor-intensive. AES uses a 128-bit cipher that is significantly more difficult to crack than the RC4 algorithm used by TKIP and WEP. In fact, the National Institute of Standards and Technology (NIST) chose AES as the encryption standard recommended for all U.S. government agencies. (FIPS publication 197 describes these requirements in detail.) Any wireless data acquisition application for the government or military likely has to use AES to transmit data.

Table 1. Time Required for Exhaustive Key Search or Brute Force Attack (FIPS 197)

Table 1 shows that even with massively parallel computing systems, it takes 10¹⁸ years to crack a 128-bit AES cipher.

Authentication

Authentication is the second key component of wireless security. Network authentication is essentially client access control. Before a client can communicate with a wireless access point, it must authenticate with the network. There are two basic forms of authentication: server-based and preshared key (PSK)-based.

Most enterprise networks have at least one authentication server, usually running a Remote Authentication Dial-In User Service (RADIUS). WPA2 Enterprise network security makes use of the IEEE 802.1X port-based authentication standard and consists of the following components:

Supplicant – the client wireless devices accessing the network

Authenticator – the wireless access point that controls what a supplicant can access

Authentication server – the server that provides an authentication service (usually RADIUS) to the authenticator

Figure 2. The IEEE 802.1X authentication process involves a layered exchange between the supplicant, authenticator, and authentication server.

When a supplicant requests access to a network, the authenticator provides access to uncontrolled ports for authentication. The authenticator forwards the access request to the authentication server, which either accepts or denies access to the supplicant. The authenticator forwards the response from the authentication server to the supplicant and either grants access to controlled ports or continues to block a denied supplicant.

A successful authentication process results in a pairwise master key (PMK) used to encrypt wireless traffic. The details of this exchange depend on which Extensible Authentication Protocol (EAP) method the network supports. The following are the most common EAP methods (all supported by NI Wi-Fi DAQ devices):

LEAP (Lightweight EAP) – an older, propriety EAP method developed by Cisco Systems. There is no native support for LEAP in any Microsoft Windows operating system, though most wireless network interface card (NIC) software supports it.

EAP-TLS (EAP-Transport Layer Security) – an open standard supported by most wireless vendors. EAP-TLS requires both server- and client-side certificates, which can make installations more difficult.

EAP-TTLS (EAP-Tunneled Transport Layer Security) – a protocol that removes the client-side certificate requirement from the EAP-TLS method for a more scalable network.

PEAP (Protected EAP) – an open standard developed by Cisco Systems, Microsoft, and RSA security. This is a popular EAP method that requires only server-side certificates. PEAPv0/MS-CHAPv2 is the most common variant of this method.

All the EAP methods listed above support mutual authentication, which prevents man-in-the-middle attacks because the client has to authenticate the server and vice versa. A rogue wireless access point cannot fake the server-side security certificate.

Not all networks have an authentication server, which makes the previous authentication methods impossible. Small office or home office (SOHO) networks can use a PSK instead between the client (wireless data acquisition device) and access point. This is essentially a passphrase that the user provides to initiate authentication with the network.

Implementing a Secure Network with NI Wi-Fi Data Acquisition

NI Wi-Fi DAQ devices support the full IEEE 802.11i security standard, including AES encryption and IEEE 802.1X authentication. This is the highest commercially available wireless network security, meaning your sensitive data is protected from unwanted access.

Figure 3. NI Wi-Fi DAQ streams continuous waveform data over a secure IEEE 802.11 network.

If you are connecting to an enterprise network, you should work with your IT group to determine which security protocols and EAP methods your server(s) accept. Because NI Wi-Fi DAQ devices support the most common IEEE 802.1X EAP methods (LEAP, PEAP, EAP-TLS, and EAP-TTLS), you are free to choose which works best for your application and network infrastructure.

Security settings for NI Wi-Fi DAQ devices are easy to use. In Measurement & Automation Explorer (MAX), select your NI Wi-Fi DAQ device under “NI-DAQmx Devices” and click on the “Network” tab at the bottom of the screen. Select the “Wireless” tab to configure your network security options with a series of drop-down menus.

If your EAP method requires a client-side certificate, be sure to obtain it before attempting to set up your data acquisition device. And if you are setting up your own network without an authentication server, be sure to use a strong PSK passphrase (with both WPA and WPA2 networks).

Figure 4. Configure your NI Wi-Fi DAQ encryption and authentication settings using MAX.

MAX uses an encrypted, write-only process based on transport layer security (TLS) to send all this configuration and setup data, including usernames, passwords, and client-side certificates, to a wireless data acquisition device, which further protects your network.

For more detailed instructions, refer to the MAX help file.

Summary

NI Wi-Fi DAQ devices implement the highest commercially available wireless network security standard, IEEE 802.11i (WPA2 Enterprise), including network authentication and data encryption. Authentication ensures that only authorized devices have network access, and encryption prevents data packets from being intercepted. IEEE 802.11 security standards build on more than 10 years of use in the IT sector, and are widely adopted worldwide. By using standard security protocols, NI Wi-Fi DAQ devices make it easy to add wireless measurements to your IT networks safely. 

Additional Resources

Webcast: Simplify Remote Monitoring with NI LabVIEW and Wi-Fi DAQ »

Watch the Six-Minute NI Wi-Fi DAQ Guided Tour »

Browse NI Wi-Fi DAQ Device Pricing and Specifications »

Learn More about Wireless Data Acquisition »

Reader Comments | Submit a comment »