How do you eliminate the risk of spoofing?
My question is regarding the connection between a WLAN-enabled PDA and a Wireless Access Point. First, how do you eliminate the risk of spoofing? Can you have an overlay point-to-point connection over a broadcast medium? Finally, could you please explain what Layer 2 security really means in the wireless context?
Spoofing can occur at (at least) two layers: wireless stations can spoof by using another station's MAC address, and hosts can spoof by using another host's IP address. You cannot prevent MAC address spoofing, but authenticating based on something besides MAC address can ensure that spoofed frames don't get very far into your network. For example, use 802.1X with client certificates (EAP-TLS) or tunneled user-level authentication (PEAP or EAP-TTLS). To prevent IP address spoofing, use a security measure with message source authentication – for example, IPsec VPN tunnels. IPsec hashed message authentication codes (HMACs) detect when any host except the legitimate peer sends a packet with a spoofed source IP address, discarding spoofed packets.
Yes, you can overlay point-to-point connections on a broadcast medium. TCP connections that ride Ethernet illustrate this point, as do 802.11 peer-to-peer ad hoc connections over wireless. If you don't want others on the broadcast medium to eavesdrop on or participate in your point-to-point connection, you must use cryptographic protection – for example, IPsec transport mode.
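The two answers above both come down to the same mechanism: a shared key and a keyed message authentication code let the legitimate peer prove it sent a packet, so a host that merely copies the peer's source address cannot get its packets accepted. The following Python example, added here and not part of the original column, models that check in miniature. It assumes a pre-shared key (IPsec would negotiate one with IKE), a toy packet represented as a dictionary, and a tag computed with HMAC-SHA256 over the addresses, a sequence number and the payload, loosely in the spirit of an IPsec integrity check value; it is a simplified illustration, not the AH or ESP wire format.

```python
import hmac
import hashlib
import struct

# Constructed demo key: in IPsec this would come from IKE; here it is fixed
# so the example runs offline and deterministically.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"
TAG_LEN = 16  # truncated HMAC-SHA256, in the spirit of IPsec's truncated ICV

def make_tag(key: bytes, src: str, dst: str, seq: int, payload: bytes) -> bytes:
    """HMAC over source address, destination address, sequence number and payload.
    Binding the addresses into the tag is what lets the receiver tell a genuine
    peer from a host that merely copies the peer's source address."""
    msg = b"|".join([src.encode(), dst.encode(), struct.pack("!I", seq), payload])
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]

def build_packet(key: bytes, src: str, dst: str, seq: int, payload: bytes) -> dict:
    """What the legitimate sender emits: headers, payload and a valid tag."""
    return {"src": src, "dst": dst, "seq": seq, "payload": payload,
            "tag": make_tag(key, src, dst, seq, payload)}

class Receiver:
    """Accepts a packet only if its tag verifies under the shared key and its
    sequence number is strictly increasing (a minimal anti-replay check)."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1
        self.accepted = []
        self.dropped = []   # (reason, packet)

    def receive(self, pkt: dict) -> bool:
        expected = make_tag(self.key, pkt["src"], pkt["dst"], pkt["seq"], pkt["payload"])
        # Constant-time comparison so the check itself leaks nothing about the tag.
        if not hmac.compare_digest(expected, pkt["tag"]):
            self.dropped.append(("bad-tag", pkt))
            return False
        if pkt["seq"] <= self.last_seq:
            self.dropped.append(("replay", pkt))
            return False
        self.last_seq = pkt["seq"]
        self.accepted.append(pkt)
        return True

def run_demo() -> dict:
    """Four constructed packets arriving at host B over the shared medium."""
    peer_a, host_b = "10.0.0.5", "10.0.0.9"   # constructed addresses
    rx = Receiver(SHARED_KEY)

    # 1. Genuine packet from A, built with the shared key: accepted.
    genuine = build_packet(SHARED_KEY, peer_a, host_b, 1, b"hello from A")
    r1 = rx.receive(genuine)

    # 2. Another host on the same medium uses A's source address but has no
    #    key, so whatever tag it attaches is wrong: dropped as bad-tag.
    forged = {"src": peer_a, "dst": host_b, "seq": 2, "payload": b"pretend to be A",
              "tag": bytes(TAG_LEN)}
    r2 = rx.receive(forged)

    # 3. A copy of A's packet with the payload edited; the tag no longer
    #    matches: dropped as bad-tag.
    tampered = dict(genuine, payload=b"hello from A, modified")
    r3 = rx.receive(tampered)

    # 4. Verbatim replay of A's packet: the tag is valid but the sequence
    #    number does not advance: dropped as replay.
    r4 = rx.receive(dict(genuine))

    return {"genuine": r1, "forged_source": r2, "tampered": r3, "replayed": r4,
            "drop_reasons": [reason for reason, _ in rx.dropped]}

if __name__ == "__main__":
    print(run_demo())
```

The example covers the "participate" half of the point-to-point overlay: without the key, a station on the broadcast medium can neither inject packets under the peer's address nor modify captured ones. Keeping others from eavesdropping is the separate confidentiality service, which an ESP-style tunnel adds by encrypting the payload before the tag is computed.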
Layer 2 security for wireless LANs refers to security measures applied at the Media Access Control (MAC) layer. IEEE 802 standard security measures provide authentication, confidentiality, message integrity (with WPA/802.11i), and access control (with 802.1X). These measures are applied to the layer 2 protocol – the 802.11 management and data frames that flow over the physical medium. You may also have seen products with proprietary layer 2 security – they just use different frame encapsulation or crypto algorithms to secure the layer 2 protocol, protecting frames over the air between the station and AP.
This was first published in July 2003