Cisco Aironet 1200 Access Point Product Brochure
© 2005 Cisco Systems, Inc. All rights reserved.
Important notices, privacy statements, and trademarks of Cisco Systems, Inc. can be found on cisco.com.
Page 4 of 15
With open authentication, even if a client can complete authentication and associate with an access point, the use of WEP prevents the client from
sending data to and receiving data from the access point, unless the client has the correct WEP key. A WEP key is composed of either 40 or 128 bits
and usually is statically defined by the network administrator on the access point and all clients that communicate with the access point. When static
WEP keys are used, a network administrator must perform the time-consuming task of entering the same keys on every device in the WLAN.
If a device that uses static WEP keys is lost or stolen, the possessor of the stolen device can access the WLAN. An administrator won’t be able to
detect that an unauthorized user has infiltrated the WLAN, unless and until the theft is reported. The administrator must then change the WEP key
on every device that uses the same static WEP key used by the missing device. In a large enterprise WLAN with hundreds or even thousands of
users, this can be a daunting task. Worse still, if a static WEP key is deciphered through a tool such as AirSnort, the administrator has no way of
knowing that the key has been compromised by an intruder.
Some WLAN vendors support authentication based on the physical address, or MAC address, of the client network interface card (NIC). An access
point will allow association by a client only if that client’s MAC address matches an address in an authentication table used by the access point. But
MAC authentication is an inadequate security measure, because MAC addresses can be forged, or a NIC can be lost or stolen.
Basic Security with WPA or WPA2 Pre-Shared Key
Another form of basic security now available is WPA or WPA2 Pre-Shared Key (PSK). PSK verifies users via a password or identifying code
(also called a passphrase) configured on both the client station and the access point. A client may gain access to the network only if the
client’s password matches the access point’s password. The PSK also provides the keying material from which TKIP or AES generates an
encryption key for each packet of transmitted data. While more secure than static WEP, PSK is similar to static WEP in that the PSK is stored
on the client station and can be compromised if the client station is lost or stolen. A strong PSK passphrase that uses a mixture of letters,
numbers, and non-alphanumeric characters is recommended.
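As an added example (not from the brochure and not Cisco code), the Python below derives a WPA/WPA2 PSK from a passphrase and SSID the way IEEE 802.11i specifies it (PBKDF2-HMAC-SHA1, 4096 iterations, 256-bit output) and makes the paragraph's operational point concrete: the key depends only on the passphrase and the SSID, so every station provisioned for the network holds the same secret, and a lost or stolen station forces a re-key of all of them, exactly the burden described for static WEP above. The station inventory and the passphrase-policy thresholds are constructed assumptions; the "password"/"IEEE" pair is the published 802.11i test vector.

```python
"""Added example: WPA/WPA2-PSK derivation and the shared-secret consequence.

Not from the Cisco brochure. The derivation is the IEEE 802.11i one; the
inventory and the policy thresholds below are constructed for illustration.
"""
import hashlib
import hmac
import string


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """Return the 256-bit PSK (used as the PMK) as 802.11i defines it:
    PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("802.11i passphrases are 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32
    )


def psk_hex(passphrase: str, ssid: str) -> str:
    """Hex form of the PSK, as it appears in supplicant/AP configuration."""
    return derive_psk(passphrase, ssid).hex()


def passphrase_meets_policy(passphrase: str, min_length: int = 20) -> bool:
    """Assumed policy reflecting the brochure's advice: long enough, and mixing
    letters, digits and non-alphanumeric characters. min_length is an assumption."""
    has_letter = any(c.isalpha() for c in passphrase)
    has_digit = any(c.isdigit() for c in passphrase)
    has_symbol = any(c in string.punctuation for c in passphrase)
    return len(passphrase) >= min_length and has_letter and has_digit and has_symbol


# Constructed station inventory: station name -> (passphrase, SSID) it was
# provisioned with. Hypothetical names; not real devices.
INVENTORY = {
    "laptop-01": ("password", "IEEE"),
    "laptop-02": ("password", "IEEE"),
    "scanner-07": ("password", "IEEE"),
    "lab-test-ap": ("Correct-Horse-9-Battery!", "Lab-Guest"),
}


def stations_sharing_key(inventory: dict, lost_station: str) -> list:
    """Every other station whose derived PSK equals the lost station's PSK.
    Those are the devices that must be re-keyed after a loss or theft, because
    the possessor of the lost station holds the same secret they do."""
    lost_pw, lost_ssid = inventory[lost_station]
    lost_key = derive_psk(lost_pw, lost_ssid)
    return sorted(
        name
        for name, (pw, ssid) in inventory.items()
        if name != lost_station
        and hmac.compare_digest(derive_psk(pw, ssid), lost_key)
    )


if __name__ == "__main__":
    print("PSK for 'password'/'IEEE':", psk_hex("password", "IEEE"))
    print("Re-key after losing laptop-01:", stations_sharing_key(INVENTORY, "laptop-01"))
    for pw, _ in INVENTORY.values():
        print(f"{pw!r:30} meets policy: {passphrase_meets_policy(pw)}")
```

The `hmac.compare_digest` call is only a habit for comparing secrets; the important design point is that there is no per-station input to the derivation at all, which is why 802.1X with per-user, per-session keys (described under Enhanced Security) removes the re-key problem rather than merely shrinking it.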
Basic Security Summary
Basic WLAN security that relies on a combination of SSIDs, open authentication, static WEP keys, MAC authentication, or WPA/WPA2 PSK is
sufficient only for very small businesses, or those that do not entrust mission-critical data to their WLAN networks. All other organizations must
invest in a robust, enterprise-class WLAN security solution.
Enhanced Security
Enhanced security is recommended for those customers requiring enterprise-class security and protection. The Cisco Unified Wireless Network
delivers an enhanced wireless security solution that provides full support for WPA and WPA2 with its building blocks of 802.1X mutual
authentication and TKIP or AES encryption. The Cisco Unified Wireless Network includes the following:
• 802.1X for strong, mutual authentication and dynamic per-user, per-session encryption keys
• TKIP for enhancements to RC4-based encryption such as key hashing (per-packet keying), message integrity check (MIC), initialization vector (IV) changes, and broadcast key rotation
• AES for government-grade, highly secure data encryption
• Integration with the Cisco Self-Defending Network and NAC
• Intrusion Prevention System (IPS) capabilities and advanced location services with real-time network visibility
• Management Frame Protection (MFP) for strong cryptographic authentication of WLAN management frames
Detailed information about the Cisco Unified Wireless Network’s enterprise-class wireless security is provided later in this document.