Like all IT-based security, WLAN security should be handled
in layers. This provides several advantages: stronger overall security,
the ability to block access at multiple layers of the network, and
flexibility in choosing where on the cost/benefit curve the solution
should sit. Building security in layers lets protection be applied
at more than one layer of the network model: each layer defends
against a particular class of attack and shields the layers above it,
in rough correspondence with the layers of the ISO OSI reference model.
One of the benefits of 802.1X is that it adds a further layer on
top of the encryption built into the radio. If an intruder breaks the
security at one layer, he is presented with an entirely new layer to
break again, which costs him time and effort and gives the defenders
a correspondingly longer window in which to detect and foil him.
The layered approach also lets the desired level of security be
chosen by weighing it against the cost of each additional layer.
Layer 1 - link-layer encryption (WEP, and under WPA, TKIP) is built
into wireless equipment, so it is essentially free apart from the
cost of generating, distributing and maintaining the keys. Note that
this is encryption at the data link layer (OSI layer 2), not the
physical layer, although it is often loosely called physical-layer
security. With a single static key shared by every station it offers
no per-user accountability and is only as secure as the secrecy of
that key, but it may be adequate for a home user who wants to keep
out the casual intruder. 802.1X-based security adds per-user
authentication against a central authentication server (typically
RADIUS), from which per-session keys can be derived, at an
incremental cost; this provides the level of protection needed by
most business and corporate users. In specific vertical segments
such as financial and government users where Triple DES encryption is
mandated, a VPN run over an 802.1X-authenticated WLAN provides the
highest level of wireless security, albeit with a cost increase on
the order of $30 - $100 per user.
Each layer adds protection on top of the layers below it. The first
two layers (link-layer encryption and 802.1X user authentication) are
generally recognized as the minimum requirements for strong wireless
LAN security, and are what the Wi-Fi Protected Access (WPA)
specification combines: WPA pairs TKIP encryption with either 802.1X
EAP authentication (the enterprise mode) or a pre-shared key (the
home mode). A third layer (a VPN) can be added to raise the security
level further when the traffic would otherwise travel unencrypted
beyond the access point, for example across the Internet, or when it
carries highly sensitive information; unlike the first two layers,
which protect only the radio link between station and access point,
the VPN protects the traffic end to end.
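As an added example (not part of the original article), the following
script checks an access-point configuration for the first two layers
described above, link-layer encryption and 802.1X authentication, and
reports which are present. It reads the hostapd key=value format; the
directive names it inspects (wpa, wpa_key_mgmt, wpa_pairwise,
rsn_pairwise, ieee8021x, wep_key*, auth_server_addr, eap_server) are
real hostapd directives, while the Assessment type, the assess()
function and the sample configurations at the bottom are ours and
constructed for illustration. The VPN layer terminates beyond the access
point and is not visible in this file, so it is not assessed.

```python
"""Report which of the article's WLAN security layers a hostapd-style
configuration enables.  Added example; sample configs are constructed."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Assessment:
    encryption: str        # cipher(s) the radio will use, or "none"
    authentication: str    # "open", "static key", "pre-shared key", "802.1X"
    layers: tuple          # which of the article's layers are present
    warnings: tuple        # things a practitioner should fix


def parse_hostapd(text: str) -> dict:
    """Parse key=value lines, ignoring comments and blanks (last value wins)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def assess(text: str) -> Assessment:
    conf = parse_hostapd(text)
    wpa = int(conf.get("wpa", "0"))      # bit 0 = WPA (TKIP era), bit 1 = WPA2/RSN
    key_mgmt = set(conf.get("wpa_key_mgmt", "").split())
    has_wep = any(k.startswith("wep_key") for k in conf)
    warnings = []

    # Layer 1: encryption negotiated by the radio itself (OSI layer 2).
    if wpa:
        ciphers = set()
        if wpa & 1:   # hostapd's documented default pairwise cipher for WPA is TKIP
            ciphers |= set(conf.get("wpa_pairwise", "TKIP").split())
        if wpa & 2:   # rsn_pairwise defaults to the wpa_pairwise value
            ciphers |= set(conf.get("rsn_pairwise",
                                    conf.get("wpa_pairwise", "TKIP")).split())
        encryption = "+".join(sorted(ciphers))
        if "TKIP" in ciphers:
            warnings.append("TKIP is allowed; prefer CCMP only")
    elif has_wep:
        encryption = "WEP"
        warnings.append("WEP is broken; key recovery is practical")
    else:
        encryption = "none"
        warnings.append("no link-layer encryption at all")

    # Layer 2: how a station or user proves who it is.
    if (wpa and "WPA-EAP" in key_mgmt) or conf.get("ieee8021x") == "1":
        authentication = "802.1X"
        # 802.1X needs an authentication server: RADIUS or hostapd's built-in EAP server
        if not (conf.get("auth_server_addr") or conf.get("eap_server") == "1"):
            warnings.append("802.1X enabled but no RADIUS server or built-in EAP server")
    elif wpa and "WPA-PSK" in key_mgmt:
        authentication = "pre-shared key"
    elif has_wep:
        authentication = "static key"
    else:
        authentication = "open"

    layers = []
    if encryption != "none":
        layers.append("link-layer encryption")
    if authentication == "802.1X":
        layers.append("802.1X authentication")
    return Assessment(encryption, authentication, tuple(layers), tuple(warnings))


# Constructed sample configurations (not from any real deployment).
HOME_PSK = """interface=wlan0
ssid=home-net
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=correct horse battery staple
rsn_pairwise=CCMP
"""
CORP_8021X = """interface=wlan0
ssid=corp-net
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
auth_server_addr=10.0.0.5
auth_server_port=1812
auth_server_shared_secret=radius-secret
"""
LEGACY_WEP = """interface=wlan0
ssid=old-net
wep_default_key=0
wep_key0=0123456789
"""
OPEN = """interface=wlan0
ssid=cafe
"""
EAP_NO_SERVER = """interface=wlan0
ssid=half-done
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
"""

if __name__ == "__main__":
    for name, text in [("home", HOME_PSK), ("corp", CORP_8021X),
                       ("wep", LEGACY_WEP), ("open", OPEN), ("eap", EAP_NO_SERVER)]:
        print(name, assess(text))
```

Run it as a script to see one line per sample; the "corp" sample is the
only one that carries both minimum layers, and the "eap" sample shows the
check a practitioner wants: 802.1X switched on without any server to
authenticate against is a layer that exists only on paper.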