
Wi-Fi Security Primer for Data Acquisition


Overview

IEEE 802.11 (Wi-Fi) network security has matured significantly in the IT space over the past ten years, making it a viable solution now for wireless data acquisition applications. Because Wi-Fi uses air as its physical medium, it offers unique security challenges beyond those of a wired system. The following primer provides an overview of industry-standard security techniques for data protection using NI Wi-Fi data acquisition (DAQ).

History of Wi-Fi Security

The original IEEE 802.11 standard introduced Wired Equivalent Privacy (WEP) as a means of protecting against unwanted wireless network access. Each client computer has a password to an access point on the network. That password is used to gain access to the network and as a basis for encrypting all messages between the access point and the client.

 

 

Most home and small office networks use WEP because of its easy setup. However, WEP can be vulnerable to attack, especially if used improperly. WEP uses an RC4 cipher to encrypt data and a 40-bit key to encode and decode messages. Attackers have found weaknesses in this protocol and have developed methods for breaching a WEP network that is not properly protected:

  • Dictionary Attack – Many users leave their wireless access points and network interface cards at the factory default settings. Others choose a “weak” WEP key that could be found in a dictionary. Potential attackers can take advantage of these networks by “guessing” at security settings. Some may use a brute force method, but more sophisticated algorithms are also available. Dictionary attacks are easily prevented by choosing a strong password.
  • Man-in-the-Middle Attack – Most Wi-Fi network access points broadcast their SSID so that clients can easily find and connect to them. A rogue access point broadcasting the same SSID can trick a client into sending its security information, thereby giving an attacker access to the real network. A common best practice is to turn off SSID broadcasts from your router.
  • Replay Attack – A replay attack occurs when an attacker eavesdrops on wireless communication packets and records the transmitted data. The attacker then uses that data to replay messages with false or erroneous data to “trick” an access point into transmitting additional Address Resolution Protocol (ARP) packets. With enough packets (50,000–100,000) an attacker can decrypt the WEP key.

NI Wi-Fi DAQ supports WEP security. However, many wireless data acquisition applications will require stronger security protocols.

Components of NI Wi-Fi Data Acquisition Network Security

NI Wi-Fi DAQ supports several wireless security protocols, including WEP, Wi-Fi Protected Access (WPA), and IEEE 802.11i (commonly known as WPA2). WPA offers better security than WEP by preventing replay attacks. WPA2 offers the best wireless network security, providing both stronger data protection (encryption) and access control (authentication).

Encryption

For effective protection of wireless data transmissions, a Wi-Fi network must have a strong encryption algorithm (cipher) and some form of key management. Two encryption standards are widely used today with Wi-Fi networks: TKIP and AES.

The IEEE 802.11i task group introduced the Temporal Key Integrity Protocol (TKIP) with WPA as a stop gap for existing WEP networks. Access points and clients can upgrade from WEP to WPA/TKIP with a simple firmware or software change. One advantage of TKIP over WEP is that it uses a 128-bit key versus a 40-bit key, though the encryption algorithm (RC4) is still the same. The more significant difference is that TKIP uses a different key for every message packet, hence the name “temporal.” This key is created dynamically by mixing a known pairwise transient key (PTK) with the MAC address of the client and a serial number for each packet. The PTK is created when a client connects to an access point using a preshared key (a passphrase that is known to all network members) and a random number generator. The serial number is incremented each time a new packet is sent. This means that replay attacks are impossible, because the same key is never used from one packet to the next. An access point can detect when an attacker attempts to replay old packets.
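The per-packet keying and replay check described above, as an added example that is not NI's or the standard's own code. HMAC-SHA256 stands in for TKIP's real key-mixing function, and the names `per_packet_key`, `ReplayFilter` and `run_demo`, the sample key and the sample MAC address are assumptions made for illustration.

```python
import hashlib
import hmac

TSC_BITS = 48  # the TKIP per-packet sequence counter is 48 bits wide


def per_packet_key(temporal_key: bytes, client_mac: bytes, serial: int) -> bytes:
    """Illustrative mixing step: HMAC-SHA256 stands in for TKIP's real
    two-phase key-mixing function, which is not reproduced here."""
    if not 0 <= serial < 2 ** TSC_BITS:
        raise ValueError("serial number out of range")
    material = client_mac + serial.to_bytes(TSC_BITS // 8, "big")
    return hmac.new(temporal_key, material, hashlib.sha256).digest()[:16]


class ReplayFilter:
    """Receiver-side state: the highest serial number accepted per sender."""

    def __init__(self):
        self._last_seen = {}

    def accept(self, client_mac: bytes, serial: int, integrity_ok: bool = True) -> bool:
        # A frame that fails its integrity check must not advance the counter,
        # otherwise one forged frame could lock out the genuine sender.
        if not integrity_ok:
            return False
        if serial <= self._last_seen.get(client_mac, -1):
            return False  # old or repeated serial number: replay, drop it
        self._last_seen[client_mac] = serial
        return True


def run_demo():
    temporal_key = bytes(range(16))      # constructed sample key
    mac = bytes.fromhex("02005e100001")  # constructed sample MAC address
    rx = ReplayFilter()
    # Constructed frame sequence: serial 2 is captured and sent again later.
    verdicts = [(s, rx.accept(mac, s)) for s in (1, 2, 3, 2, 4)]
    forged = rx.accept(mac, 1000, integrity_ok=False)
    after_forged = rx.accept(mac, 5)
    distinct_keys = len({per_packet_key(temporal_key, mac, s) for s in (1, 2, 3, 4)})
    return verdicts, forged, after_forged, distinct_keys


if __name__ == "__main__":
    print(run_demo())
```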

As a final security solution, the IEEE 802.11i task group chose the Advanced Encryption Standard (AES) as the preferred encryption algorithm for Wi-Fi networks. Unlike TKIP, AES requires hardware upgrades for most WEP installations, because the cryptographic algorithm is more processor intensive. AES uses a 128-bit cipher that is significantly more difficult to crack than the RC4 algorithm used by TKIP and WEP. In fact, the National Institute of Standards and Technology (NIST) chose AES as the encryption standard required for all US government agencies. (FIPS publication 197 describes these requirements in detail.) Any wireless data acquisition application for the government or military will likely have to use AES to transmit data.

 

Authentication

Network authentication is essentially client access control. Before a client can communicate with a wireless access point it must authenticate with the network. There are two basic forms of authentication: server- and PSK-based.

Most enterprise networks have at least one authentication server, usually running Remote Authentication Dial-In User Service (RADIUS). WPA2 network security makes use of the IEEE 802.1X port-based authentication standard, and consists of the following components:

  • Supplicant – the client wireless devices accessing the network
  • Authenticator – the wireless access point that controls what a supplicant can access
  • Authentication server – provides an authentication service (usually RADIUS) to the authenticator

 

 

When a supplicant requests access to a network, the authenticator provides access to uncontrolled ports for authentication. The authenticator forwards the access request to the authentication server, which either accepts or denies access to the supplicant. The authenticator forwards the response from the authentication server to the supplicant and either grants access to controlled ports or continues to block a denied supplicant.

A successful authentication process results in a pairwise master key (PMK) used to encrypt wireless traffic. The details of this exchange depend on which Extensible Authentication Protocol (EAP) method the network supports. The following are the most common EAP methods (all supported by NI Wi-Fi data acquisition devices):

  • LEAP (Lightweight EAP) – an older, proprietary EAP method developed by Cisco Systems. There is no native support for LEAP in any Microsoft Windows operating system.
  • EAP-TLS (EAP-Transport Layer Security) – an open standard supported by most wireless vendors. EAP-TLS requires both server- and client-side certificates, which can make installations more difficult.
  • EAP-TTLS (EAP-Tunneled Transport Layer Security) – a protocol that removes the client-side certificate requirement from the EAP-TLS method for a more scalable network.
  • PEAP (Protected EAP) – an open standard developed by Cisco Systems, Microsoft, and RSA Security. This is a popular EAP method that requires only server-side certificates. PEAPv0/EAP-MSCHAPv2 is the most common variant of this method.

All the EAP methods listed above support mutual authentication, which prevents man-in-the-middle attacks because the client has to authenticate the server and vice versa. A rogue wireless access point would be unable to fake the server-side security certificate.

Not all networks have an authentication server, which makes the previous authentication methods impossible. Small office or home office (SOHO) networks can use a preshared key (PSK) between the client (wireless DAQ device) and access point instead. This is essentially a passphrase that the user provides to initiate authentication with the network.

Implementing a Secure Network with NI Wi-Fi Data Acquisition

NI Wi-Fi data acquisition (DAQ) devices support the full IEEE 802.11i security standard, including AES encryption and the most popular EAP authentication methods. This is the highest commercially available wireless network security, meaning your sensitive data will be protected from unwanted access. In fact, AES encryption may be required for your application if it is used in a government or military facility. For other applications, you may choose to use WPA with existing access point hardware.

 

View the NI Wi-Fi DAQ guided tour

 

If you are connecting to an enterprise network, you should work with your IT group to determine which security protocols and EAP methods your server(s) accept. Because NI Wi-Fi DAQ devices support the most common EAP methods (LEAP, PEAP, EAP-TLS, and EAP-TTLS), you are free to choose which works best for your application and network infrastructure.

Security settings for Wi-Fi DAQ devices are easy to use. In Measurement & Automation Explorer (MAX), select your Wi-Fi DAQ device under “NI-DAQmx Devices” and click on the “Network” tab at the bottom of the screen. Select the “Wireless” tab to configure your network security options with a series of drop-down menus.

If your EAP method requires a client-side certificate, be sure to obtain it before attempting to set up your DAQ device. And if you are setting up your own network without an authentication server, be sure to use a strong PSK passphrase (with both WPA and WPA2 networks).

   

Configure your Wi-Fi DAQ encryption and authentication settings using MAX.

MAX uses an encrypted, write-only process to send all this configuration and setup data to a wireless or Ethernet DAQ device, including usernames, passwords, and client-side certificates, to further protect your network.

For more detailed instructions, refer to the NI WLS-9163 User Manual.

Wi-Fi DAQ Network Security Best Practices Checklist

√  Use 802.1X (EAP) if you have an authentication server (such as a RADIUS server) available on your network.

√  Use a strong password for your PSK if you are not using an authentication server. Avoid common phrases or words in the dictionary, and mix uppercase, lowercase, and numeric characters.

√  Avoid common or factory default SSIDs when setting up a wireless access point or router.

√  Use AES encryption over TKIP if your access point hardware supports it.

√  Do not use WEP if you can avoid it. Upgrade your access point to WPA or download the Windows XP WPA2 Patch.

√  Lock the settings on your Wi-Fi DAQ device for extra protection.
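The PSK and SSID items of this checklist can be checked before a device is configured. The following is an added example, not NI's code: it audits a passphrase/SSID pair against those items and derives the key the way WPA and WPA2 do in PSK mode (PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations, 256 bits), which shows why a factory-default SSID weakens every network that shares it. The word lists, function names and finding labels are assumptions constructed for illustration.

```python
import hashlib

# Constructed sample lists for illustration; a real audit would load fuller ones.
DEFAULT_SSIDS = {"linksys", "netgear", "dlink", "default", "wireless"}
COMMON_WORDS = {"password", "wireless", "welcome", "labview"}


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK key derivation: PBKDF2-HMAC-SHA1 with the SSID as salt,
    4096 iterations, 256-bit output."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("a WPA passphrase is 8 to 63 characters long")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def audit_psk_settings(passphrase: str, ssid: str) -> list:
    """Return the checklist items that this passphrase/SSID pair violates."""
    findings = []
    if not 8 <= len(passphrase) <= 63:
        findings.append("invalid-length")
    # The SSID is the salt: a default SSID gives every network that keeps it
    # the same derived key for the same passphrase.
    if ssid.lower() in DEFAULT_SSIDS:
        findings.append("default-ssid")
    lowered = passphrase.lower()
    if any(word in lowered for word in COMMON_WORDS):
        findings.append("dictionary-word")
    has_upper = any(c.isupper() for c in passphrase)
    has_lower = any(c.islower() for c in passphrase)
    has_digit = any(c.isdigit() for c in passphrase)
    if not (has_upper and has_lower and has_digit):
        findings.append("character-mix")
    return findings


if __name__ == "__main__":
    # Constructed sample settings: one weak pair, one that passes every check.
    for pw, ssid in (("password", "linksys"), ("T7rq9Lm2VxkP4dWz", "daq-lab-3f9a")):
        print(ssid, audit_psk_settings(pw, ssid), derive_pmk(pw, ssid).hex()[:16])
```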

 

Additional Resources

View a short webcast on simplifying wireless remote monitoring applications with NI LabVIEW and Wi-Fi data acquisition.

View the six-minute Wi-Fi DAQ guided tour

Browse Wi-Fi DAQ pricing and specifications

 

 


 

Legal
This tutorial (this "tutorial") was developed by National Instruments ("NI"). Although technical support of this tutorial may be made available by National Instruments, the content in this tutorial may not be completely tested and verified, and NI does not guarantee its quality in any way or that NI will continue to support this content with each new revision of related products and drivers. THIS TUTORIAL IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND AND SUBJECT TO CERTAIN RESTRICTIONS AS MORE SPECIFICALLY SET FORTH IN NI.COM'S TERMS OF USE (http://ni.com/legal/termsofuse/unitedstates/us/).