Some people say that the safety and reliability of flying is very high, the probability of accident is only a few millionths, but it can not guarantee 100% safety.
The same is true for wireless local area networks, where security risks are everywhere. Bringing together the world's top security experts cannot guarantee that the wireless LAN is 100% safe.
802.11i certification
Security experts recommend using 802.11i authentication + AES GCM encryption. This security system is very secure. Every client accessing the network needs to use the TLS secure tunnel encryption "username / password" combination to complete the authentication. The security completely depends on the TLS security reliability. TLS security reliability is beyond doubt. There are almost no security holes here.
After the authentication is completed, TLS will output a set of keys for the AES GCM algorithm to protect the user traffic of the wireless client. This encryption algorithm is strongly recommended by security experts, and the security is not in doubt.
As if everything is impeccable, seamless. Then a different approach is made. The bad guys come on stage. Get a wireless hotspot. The SSID is the same as the regular army. When computers or mobile phones are connected to wireless hotspots, they will scan for available SSIDs. Whoever has a strong signal will pounce on whom. User authentication. When the user sees the authentication box and enters "username / password", the computer phone is bound to the fake AP. The user's Internet traffic flows through the fake AP. At this time, how the fake AP manipulates the traffic depends on the interests of the bad guys. With mood.
Do n’t forget, the bad guys also know the user ’s “username / password”, which is a piece of cake for the regular army.
what? Is it really that scary? This strict security system is commonly used in enterprise wireless solutions. If a wireless solution cannot effectively counterfeit wireless APs, then this wireless solution is insecure.
How to deal with fake AP?
The wireless management monitoring system needs to monitor the existence of fake APs in the wireless coverage area in real time, find and locate it, and then remove it from the network.
Of course, if the fake AP is outside the company's fence, even if it is found and located, it may not be realistic to remove it. The best way to deal with this uncontrollable area is to shield external wireless signals from entering the campus, while shielding internal company signals from leaving the campus.
In this way, the computer of the company's employees would not be able to even fake the SSID, because the fake SSID cannot be found.
Shared password authentication
Wireless solutions using PSK authentication with shared passwords, because each user uses the same password to connect to the AP, cannot control the spread of passwords, and some even spread to the Internet.
Anyone who knows the password can connect to the wireless AP, can capture all the wireless signal data, and then decrypt all the encrypted wireless data to find the treasure in the treasure of plain text data.
WEP encryption
This is the weakest wireless encryption scheme. Weak is using the 24-bit initialization vector (IV) length, which means that the probability of repeatedly using the same IV is very high. Tutorials for cracking wireless passwords online are all for this algorithm, and it can be easily cracked using tools. Once you get the password, you can rub the net for free. . .
Although WEP has been abandoned by a new generation of wireless technology standards, it is still supported on older wireless routers. People without professional knowledge will continue to use it inadvertently.
If someone continues to use WEP, please discard it mercilessly, because it is very unsafe!
The above is the news sharing from the PASSHOT. I hope it can be inspired you. If you think today' s content is not too bad, you are welcome to share it with other friends. There are more latest Linux dumps, CCNA 200-301 dumps, CCNP Written dumps and CCIE Written dumps waiting for you.
Comments