Security has always been a concern with Wi-Fi because the network boundary has moved. Wireless signals can travel through solid matter, such as ceilings, floors, and walls, and can reach outside of the home or office space. Without stringent security measures in place, installing a WLAN can be the equivalent of putting Ethernet ports everywhere, even outside.
To keep wireless intruders out and to protect data, two early security features were used:
- SSID cloaking - APs and some wireless routers allow the SSID beacon frame to be disabled. Wireless clients must manually identify the SSID to connect to the network.
- MAC address filtering - An administrator can manually allow or deny clients wireless access based on their physical MAC hardware address.
Although these two features would deter most users, the reality is that neither SSID cloaking nor MAC address filtering would deter a crafty intruder. SSIDs are easily discovered even if APs do not broadcast them, and MAC addresses can be spoofed. The best way to secure a wireless network is to use authentication and encryption systems, as shown in Figure 1.
Two types of authentication were introduced with the original 802.11 standard:
- Open system authentication - Any wireless client should easily be able to connect. It should only be used in situations where security is of no concern, such as in locations providing free Internet access like cafes, hotels, and in remote areas.
- Shared key authentication - Provides mechanisms, such as WEP, WPA, or WPA2, to authenticate and encrypt data between a wireless client and AP. However, the password must be pre-shared between both parties to connect.
The chart in Figure 2 summarizes the various types of authentication.
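An added example, not part of the original page: a site-survey check that parses 802.11 beacon frames and reports, per AP, whether the SSID is cloaked and which protection (open, WEP, WPA, or RSN/WPA2) the beacon advertises, so an administrator can spot networks that rely on cloaking instead of authentication and encryption. The function names and sample frames are constructed for illustration. It assumes frames start at the 802.11 header (no radiotap header or FCS) and that a cloaking AP still sends beacons with an empty or zero-filled SSID element.

```python
import struct

PRIVACY_BIT = 0x0010  # Capability Information field: Privacy (encryption required)
WPA_VENDOR_PREFIX = bytes.fromhex("0050f201")  # vendor element carrying WPA

def parse_beacon(frame):
    """Classify one beacon: 24-byte header, 12 fixed bytes, then tagged elements."""
    if len(frame) < 36 or frame[0] != 0x80:  # 0x80 = management frame, subtype beacon
        raise ValueError("not a beacon frame")
    (capability,) = struct.unpack_from("<H", frame, 34)
    ssid, rsn, wpa = b"", False, False
    pos = 36
    while pos + 2 <= len(frame):
        eid, length = frame[pos], frame[pos + 1]
        body = frame[pos + 2 : pos + 2 + length]
        if len(body) < length:
            break  # truncated element: stop instead of trusting the length byte
        if eid == 0:  # SSID element
            ssid = body
        rsn = rsn or eid == 48  # RSN element (WPA2 or later)
        wpa = wpa or (eid == 221 and body.startswith(WPA_VENDOR_PREFIX))
        pos += 2 + length
    cloaked = not ssid.strip(b"\x00")  # empty or all-zero SSID
    if not capability & PRIVACY_BIT:
        security = "open"
    else:
        security = "RSN (WPA2 or later)" if rsn else "WPA" if wpa else "WEP"
    return {"bssid": frame[16:22].hex(":"), "security": security, "cloaked": cloaked,
            "ssid": "" if cloaked else ssid.decode("utf-8", "replace")}

def make_beacon(bssid, capability, elements):
    # Builds a constructed sample frame; not captured traffic.
    mac = bytes.fromhex(bssid.replace(":", ""))
    header = b"\x80\x00\x00\x00" + b"\xff" * 6 + mac + mac + b"\x00\x00"
    fixed = b"\x00" * 8 + struct.pack("<HH", 100, capability)
    return header + fixed + b"".join(bytes([e, len(b)]) + b for e, b in elements)

# Constructed samples: open guest AP, cloaked AP with RSN, cloaked AP with WEP only.
SAMPLES = [
    make_beacon("02:00:00:00:00:01", 0x0001, [(0, b"cafe-guest")]),
    make_beacon("02:00:00:00:00:02", 0x0011, [(0, b""), (48, b"\x01\x00")]),
    make_beacon("02:00:00:00:00:03", 0x0011, [(0, b"\x00" * 6)]),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse_beacon(sample))
```

The third sample is the case to look for in an audit: a cloaked SSID on an AP whose beacon advertises nothing stronger than WEP.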