User's Manual
Cisco 3200 Series Wireless MIC Software Configuration Guide
OL-7734-02
Chapter 7 Configuring WEP and WEP Features
Understanding WEP
Just as anyone within range of a radio station can tune to the station's frequency and listen to the signal,
any wireless networking device within range of a bridge can receive the bridge's radio transmissions.
Because WEP is the first line of defense against intruders, Cisco recommends that you use full
encryption on your wireless network.
WEP encryption scrambles the radio communication between bridges to keep the communication
private. Communicating bridges use the same WEP key to encrypt and decrypt radio signals. WEP
keys encrypt both unicast and multicast messages. Unicast messages are addressed to just one device on
the network. Multicast messages are addressed to multiple devices on the network.
Extensible Authentication Protocol (EAP) authentication provides dynamic WEP keys to wireless
devices. Dynamic WEP keys are more secure than static, or unchanging, WEP keys. If an intruder
passively receives enough packets encrypted by the same WEP key, the intruder can perform a
calculation to learn the key and use it to join your network. Because they change frequently, dynamic
WEP keys prevent intruders from performing the calculation and learning the key. See Chapter 8,
“Configuring Authentication Types” for detailed information on EAP and other authentication types.
Cipher suites are sets of encryption and integrity algorithms designed to protect radio communication
on your wireless LAN. You must use a cipher suite to enable Wi-Fi Protected Access (WPA) or Cisco
Centralized Key Management (CCKM). Because cipher suites provide the protection of WEP while also
allowing use of authenticated key management, Cisco recommends that you enable WEP by using the
encryption mode cipher command in the CLI or by using the cipher drop-down menu in the
web-browser interface. Cipher suites that contain TKIP provide the best security for your wireless LAN,
and cipher suites that contain only WEP are the least secure.
These security features protect the data traffic on your wireless LAN:
• WEP (Wired Equivalent Privacy)—WEP is an 802.11 standard encryption algorithm originally
designed to provide your wireless LAN with the same level of privacy available on a wired LAN.
However, the basic WEP construction is flawed, and an attacker can compromise the privacy with
reasonable effort.
• TKIP (Temporal Key Integrity Protocol)—TKIP is a suite of algorithms surrounding WEP that is
designed to achieve the best possible security on legacy hardware built to run WEP. TKIP adds four
enhancements to WEP:
– A per-packet key mixing function to defeat weak-key attacks
– A new IV sequencing discipline to detect replay attacks
– A cryptographic message integrity check (MIC), called Michael, to detect forgeries such as bit
flipping and altering packet source and destination
– An extension of IV space, to virtually eliminate the need for re-keying
• CKIP (Cisco Key Integrity Protocol)—The Cisco WEP key permutation technique based on an early
algorithm presented by the IEEE 802.11i security task group. (ckip and ckip-cmic are supported
only on the 2.4-GHz (802.11b/g) WMIC.)
• CMIC (Cisco Message Integrity Check)—Like TKIP, the Cisco message integrity check mechanism
is designed to detect forgery attacks.
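The two points above that matter most to a defender are why a static WEP key eventually exposes itself (the 24-bit IV space is reused) and how TKIP's IV sequencing lets a receiver reject replayed frames. The following Python example is added here to make both concrete; it is not code from the Cisco guide or from Cisco. The `Frame` record, its field names, the MAC addresses and the IV lists are constructed sample data, and the replay check models the TKIP rule that a received sequence counter must exceed the last one accepted from the same transmitter.

```python
"""Added example (not from the Cisco guide): IV exhaustion under a static WEP
key, and a TKIP-style sequence-counter check that detects replayed frames.
All frames, addresses and IV values below are constructed sample data."""
from collections import Counter
from dataclasses import dataclass

WEP_IV_BITS = 24                    # width of the 802.11 WEP initialization vector
WEP_IV_SPACE = 1 << WEP_IV_BITS     # 16,777,216 distinct IVs per key
TKIP_TSC_BITS = 48                  # TKIP sequence counter carried in IV + extended IV


def seconds_until_iv_wrap(frames_per_second: float, iv_bits: int = WEP_IV_BITS) -> float:
    """Worst-case time until every IV for one unchanging key has been used once.
    After this point keystream reuse is guaranteed; a wider counter (TKIP) or
    frequent re-keying (dynamic WEP via EAP) pushes it out of reach."""
    return (1 << iv_bits) / frames_per_second


def iv_collision_probability(frames_sent: int, iv_bits: int = WEP_IV_BITS) -> float:
    """Birthday bound: probability that at least two of `frames_sent` randomly
    chosen IVs repeat under the same key (exact product, valid near 1)."""
    n = 1 << iv_bits
    if frames_sent > n:
        return 1.0
    p_no_collision = 1.0
    for k in range(frames_sent):
        p_no_collision *= (n - k) / n
    return 1.0 - p_no_collision


def static_key_iv_reuse(ivs):
    """Passive monitor view: IVs observed more than once under one static key,
    mapped to how often each was seen. Any entry means keystream was reused."""
    return {iv: count for iv, count in Counter(ivs).items() if count > 1}


@dataclass(frozen=True)
class Frame:
    transmitter: str   # transmitter MAC address (constructed, assumed field name)
    tsc: int           # TKIP sequence counter value (assumed field name)


class TkipReplayDetector:
    """Receiver-side TSC check: accept a frame only if its counter is larger
    than the last counter accepted from the same transmitter."""

    def __init__(self) -> None:
        self._last_tsc: dict[str, int] = {}

    def check(self, frame: Frame) -> bool:
        last = self._last_tsc.get(frame.transmitter, -1)
        if frame.tsc <= last:
            return False              # replayed or stale frame: drop it
        self._last_tsc[frame.transmitter] = frame.tsc
        return True


def count_replays(frames) -> int:
    """Number of frames a TKIP receiver would discard from a captured sequence."""
    detector = TkipReplayDetector()
    return sum(1 for frame in frames if not detector.check(frame))


# Constructed sample data: one legitimate sender, one replayed frame (tsc 2
# twice), one stale frame (tsc 3 after 5), and a second sender starting fresh.
SAMPLE_FRAMES = [
    Frame("00:11:22:33:44:55", 1),
    Frame("00:11:22:33:44:55", 2),
    Frame("00:11:22:33:44:55", 2),
    Frame("00:11:22:33:44:55", 5),
    Frame("00:11:22:33:44:55", 3),
    Frame("66:77:88:99:aa:bb", 1),
]

# Constructed IVs as a monitor would see them under one static WEP key.
SAMPLE_IVS = [0x000001, 0x000002, 0x000001, 0x000003, 0x000002, 0x000002]

if __name__ == "__main__":
    hours = seconds_until_iv_wrap(1000) / 3600
    print(f"24-bit IV space wraps after {hours:.2f} h at 1000 frames/s")
    print(f"P(IV collision) after 4822 frames: {iv_collision_probability(4822):.3f}")
    print("reused IVs under static key:", static_key_iv_reuse(SAMPLE_IVS))
    print("frames a TKIP receiver would drop:", count_replays(SAMPLE_FRAMES))
```

At a modest 1000 frames per second a single static key exhausts its IV space in under five hours, and a birthday-bound collision is already even odds after a few thousand frames, which is the arithmetic behind the guide's preference for dynamic keys and for TKIP's wider counter. The detector shows the complementary receive-side control: once sequence numbers are enforced per transmitter, a captured frame played back later is simply discarded and can be counted as an event worth alerting on.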
Note If VLANs are enabled on your bridges, WEP, MIC, and TKIP are supported only on the native VLAN.