Ask the Expert

How do you eliminate the risk of spoofing?

My question is regarding the connection between a WLAN-enabled PDA and a Wireless Access Point. First, how do you eliminate the risk of spoofing? Can you have an overlay point-to-point connection over a broadcast medium? Finally, could you please explain what Layer 2 security really means in the wireless context?


Spoofing can occur at (at least) two layers: wireless stations can spoof by using another station's MAC address, and hosts can spoof by using another host's IP address. You cannot prevent MAC address spoofing, but authenticating based on something other than the MAC address can ensure that spoofed frames don't get very far into your network. For example, use 802.1X with client certificates (EAP-TLS) or tunneled user-level authentication (PEAP or EAP-TTLS). To prevent IP address spoofing, use a security measure with message source authentication – for example, IPsec VPN tunnels. IPsec hashed message authentication codes (HMACs) detect when any host except the legitimate peer sends a packet with a spoofed source IP address, so the receiver discards the spoofed packets.

Yes, you can overlay point-to-point connections on a broadcast medium. TCP connections that ride Ethernet illustrate this point, as do 802.11 peer-to-peer ad hoc connections over wireless. If you don't want others on the broadcast medium to eavesdrop on or participate in your point-to-point connection, you must use cryptographic protection – for example, IPsec transport mode.

Layer two security for wireless LANs refers to security measures applied at the Media Access Control (MAC) layer. IEEE 802 standard security measures provide authentication, confidentiality, message integrity (with WPA/802.11i), and access control (with 802.1X). These measures are applied to the layer two protocol – the 802.11 management and data frames that flow over the physical medium. You may also have seen products with proprietary layer two security – they just use different frame encapsulation or crypto algorithms to secure the layer two protocol, protecting frames over the air between the station and AP.

This was first published in July 2003
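
The message source authentication described in the answer, as an added example that is not part of the original answer: a simplified receiver that discards any packet whose integrity check value (ICV) was not computed with the peer's key. The packet layout, the 16-byte truncated HMAC-SHA-256 tag, the sequence-number check, and all names and sample values are assumptions for illustration, not the real ESP/AH wire format.

```python
import hmac, hashlib, struct

ICV_LEN = 16  # truncated HMAC-SHA-256 tag length (assumption for this sketch)

class SecurityAssociation:
    """Receiver-side state for one authenticated peer (simplified, not real ESP)."""
    def __init__(self, spi, peer_ip, key):
        self.spi, self.peer_ip, self.key = spi, peer_ip, key
        self.highest_seq = 0  # last accepted sequence number (basic anti-replay)

def icv(key, spi, seq, src_ip, payload):
    # The tag covers header fields and payload, so none can change unnoticed.
    header = struct.pack("!II", spi, seq) + src_ip.encode()
    return hmac.new(key, header + payload, hashlib.sha256).digest()[:ICV_LEN]

def seal(key, spi, seq, src_ip, payload):
    """Sender side: build a packet dict carrying an integrity check value."""
    return {"spi": spi, "seq": seq, "src_ip": src_ip,
            "payload": payload, "icv": icv(key, spi, seq, src_ip, payload)}

def receive(sa_table, pkt):
    """Return (accepted, reason). Anything that fails a check is discarded."""
    sa = sa_table.get(pkt["spi"])
    if sa is None:
        return False, "unknown SPI"
    expected = icv(sa.key, pkt["spi"], pkt["seq"], pkt["src_ip"], pkt["payload"])
    if not hmac.compare_digest(expected, pkt["icv"]):  # constant-time compare
        return False, "bad ICV"
    if pkt["src_ip"] != sa.peer_ip:
        return False, "source not bound to SA"
    if pkt["seq"] <= sa.highest_seq:
        return False, "replay"
    sa.highest_seq = pkt["seq"]
    return True, "ok"

def demo():
    key = b"constructed-shared-secret"  # constructed sample key
    sa_table = {0x1001: SecurityAssociation(0x1001, "10.0.0.5", key)}
    genuine = seal(key, 0x1001, 1, "10.0.0.5", b"hello")
    # A host without the key can copy the source IP and SPI but not the tag.
    spoofed = seal(b"not-the-real-key", 0x1001, 2, "10.0.0.5", b"hello")
    tampered = dict(genuine, seq=3, payload=b"hellp")  # altered after sealing
    return [receive(sa_table, p) for p in (genuine, spoofed, tampered, genuine)]
```
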
