WESM zl Management and Configuration Guide WT.01.28 and greater

1-31
Introduction
ProCurve Wireless Edge Services zl Module
Encryption Options for WLANs
A wireless network is an open medium. Anyone with a wireless network interface
card (NIC) can intercept traffic and attempt to read it. Encryption, therefore, is
required for any degree of security.
The Wireless Edge Services zl Module can enforce one of the following encryption
standards on a WLAN:
■ Wired Equivalent Privacy (WEP) with 64-bit or 128-bit keys
■ Wi-Fi Protected Access (WPA)/WPA2 with Temporal Key Integrity Protocol (TKIP)
■ WPA2 with Advanced Encryption Standard (AES)
■ WPA/WPA2 with both TKIP and AES (802.11i Mixed Mode)
A detailed analysis of encryption is beyond the scope of this guide. Briefly, however,
the security of an encryption scheme often depends on the number of times an
encryption key is reused. Each of the above standards attempts to create per-frame
keys—that is, a key that is used only once, to encrypt a single frame.
WEP did not succeed at creating per-frame keys for several reasons that are beyond
the scope of this overview to describe. You simply need to know that, in an enterprise
setting, you should always use the more secure WPA or WPA2. WPA requires TKIP,
a protocol that implements key mixing to successfully create per-frame keys. In
addition to backward-compatibility support for TKIP, WPA2 requires support for
Counter Mode with Cipher Block Chaining Message Authentication Code Protocol
(CCMP) with AES—an extremely secure block cipher.
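The following example is added here to illustrate the per-frame keying property described above; it is not code from the ProCurve guide and does not implement the real TKIP mixing function or CCMP. It assumes a hypothetical mixing function (HMAC-SHA256 over the sender address and a 48-bit frame counter, the counter width CCMP uses for its packet number) and replaces the cipher with a per-frame integrity tag so the example stays short. The access point side shows the defensive half of the design: a frame whose counter does not increase is rejected, which is what prevents a key from ever protecting two frames.

```python
"""Illustrative per-frame keying with replay protection (Python stdlib only).

Assumptions (not from the guide): mixing = HMAC-SHA256(temporal_key,
sender_addr || 48-bit counter), truncated to 128 bits; per-frame protection is
an HMAC tag rather than a real cipher. Real TKIP and CCMP differ in detail.
"""
import hashlib
import hmac
import os

COUNTER_BITS = 48  # CCMP-style packet-number width (illustrative choice)


def derive_frame_key(temporal_key: bytes, sender_addr: bytes, frame_counter: int) -> bytes:
    """Derive a key that is unique to (sender, counter); reused counters reuse keys."""
    if not 0 <= frame_counter < 2 ** COUNTER_BITS:
        raise ValueError("frame counter exhausted: the temporal key must be rekeyed")
    mix_input = sender_addr + frame_counter.to_bytes(COUNTER_BITS // 8, "big")
    return hmac.new(temporal_key, mix_input, hashlib.sha256).digest()[:16]


def protect_frame(frame_key: bytes, payload: bytes) -> bytes:
    """Stand-in for encryption: an integrity tag bound to the per-frame key."""
    return hmac.new(frame_key, payload, hashlib.sha256).digest()


class Station:
    """Wireless client: never reuses a counter within one temporal key."""

    def __init__(self, temporal_key: bytes, addr: bytes):
        self.temporal_key = temporal_key
        self.addr = addr
        self.next_counter = 0

    def send(self, payload: bytes):
        key = derive_frame_key(self.temporal_key, self.addr, self.next_counter)
        frame = (self.addr, self.next_counter, payload, protect_frame(key, payload))
        self.next_counter += 1  # each frame gets a fresh counter, hence a fresh key
        return frame


class AccessPoint:
    """Receiver: tracks the last counter per sender and rejects non-increasing ones."""

    def __init__(self, temporal_key: bytes):
        self.temporal_key = temporal_key
        self.last_counter = {}

    def receive(self, frame) -> str:
        addr, counter, payload, tag = frame
        if counter <= self.last_counter.get(addr, -1):
            return "rejected: counter not increasing (replay or key reuse)"
        key = derive_frame_key(self.temporal_key, addr, counter)
        if not hmac.compare_digest(protect_frame(key, payload), tag):
            return "rejected: bad integrity tag"
        self.last_counter[addr] = counter
        return "accepted"


def demo(n_frames: int = 5) -> dict:
    """Run one constructed session and report key uniqueness and replay handling."""
    temporal_key = os.urandom(16)                       # constructed session key
    station = Station(temporal_key, bytes.fromhex("020000000001"))  # constructed MAC
    ap = AccessPoint(temporal_key)
    frames = [station.send(f"frame {i}".encode()) for i in range(n_frames)]
    keys = {derive_frame_key(temporal_key, station.addr, f[1]) for f in frames}
    results = [ap.receive(f) for f in frames]
    replay = ap.receive(frames[2])  # same counter presented again
    return {"unique_keys": len(keys),
            "accepted": results.count("accepted"),
            "replay": replay}


if __name__ == "__main__":
    print(demo())
```

The counter bound in derive_frame_key matters as much as the mixing itself: once the counter space is exhausted the station must obtain a new temporal key, which in a WPA/WPA2 deployment is exactly what the 802.1X-driven rekeying provides.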
As was suggested throughout “Authentication Options for WLANs” on page 1-23,
authentication is an important component of encryption. This is because 802.1X
authentication provides a means for the Wireless Edge Services zl Module and the
wireless devices to automatically receive an encryption key specific to their association.
Without 802.1X authentication, all wireless stations must use the same key. The key
also acts as a password: unless the user enters the correct key, the station cannot
successfully encrypt and forward data. For WPA/WPA2, the additional security
provided by TKIP or AES offsets the lesser security of using a shared, manually
configured encryption key. For WEP, however, a static key provides little real
security, particularly in a busy, enterprise environment.