© 2010 Polycom, Inc. All rights reserved. POLYCOM®, the Polycom “Triangles” logo and the names and marks associated with Polycom’s products are trademarks and/or service marks of Polycom, Inc. and are registered and/or common law marks in the United States and various other countries. All other trademarks are property of their respective owners. No portion hereof may be reproduced or transmitted in any form or by any means for any purpose other than the recipient’s personal use without the express written permission of Polycom.
Deploying SpectraLink e340, h340 and i640 Wireless Telephones
BEST PRACTICES GUIDE
October 2010
5 Security
Proper security provisions are critical for any enterprise Wi-Fi network. Wireless technology does not provide any
physical barrier from malicious attackers since radio waves penetrate walls and can be monitored and accessed from
outside the facility. The extent of security measures used is typically proportional to the value of the information
accessible on the network. The security risk for VoWLAN is not limited to the typical wired telephony concerns of
eavesdropping on telephone calls or making unauthorized toll calls; because the APs connect to the data network, the
risk is equivalent to that of the data network itself. SpectraLink Wireless Telephones support several security options.
Determining the proper level of security should be based on identified risks, corporate policy and an understanding of
the pros and cons of the available security methods.
5.1 Wired Equivalent Privacy (WEP)
SpectraLink Wireless Telephones support Wired Equivalent Privacy (WEP) encryption as defined by the 802.11
standard. The handsets can use either 40-bit or 128-bit key lengths. WEP is intended to provide the same level of
security over a wireless LAN as on a wired Ethernet LAN. Although security flaws have been identified, WEP still
provides strong encryption that requires an experienced and dedicated hacker to break. While WEP is often not an
acceptable option for many high security or privacy focused enterprises, it is still useful and provides reasonable
performance for voice due to the shortened (quicker) key exchange process.
5.2 Wi-Fi Protected Access (WPA) Personal, WPA2 Personal
Recognizing the need for stronger security standards beyond WEP, the IEEE developed the 802.11i standard, which
includes stronger encryption, key management, and authentication mechanisms. Wi-Fi Protected Access (WPA) is
based on draft 3.0 of the 802.11i specification and uses TKIP (Temporal Key Integrity Protocol) encryption. WPA2 is
based on the ratified 802.11i standard. The major enhancement of WPA2 over WPA is the inclusion of the Advanced
Encryption Standard (AES), which is widely accepted as one of the most secure encryption algorithms available.
Personal mode uses a password-based authentication method called Pre-Shared Key (PSK). Personal mode is
good for time-sensitive applications such as voice, because the key exchange sequence is limited and does not
adversely affect roaming between APs. The PSK can be entered in hexadecimal or as an ASCII passphrase from
the handset’s administration menu or the HAT. The handset supports both WPA Personal and WPA2 Personal
modes.
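The two PSK entry formats the handset accepts (hexadecimal or ASCII passphrase) denote the same key: 802.11i maps a passphrase to the 256-bit PSK with PBKDF2-HMAC-SHA1, salted with the SSID, 4096 iterations. The following is an added example (not Polycom's code) that performs that mapping and checks that a hex value entered on one device matches a passphrase entered on another; the function names are this example's own.

```python
import binascii
import hashlib


def derive_wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Map an ASCII WPA/WPA2 Personal passphrase to the 256-bit PSK.

    IEEE 802.11i specifies PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations,
    32-byte (256-bit) output. The same limits apply as on the handset menu:
    8 to 63 ASCII characters for the passphrase, 1 to 32 bytes for the SSID.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if not passphrase.isascii():
        raise ValueError("passphrase must be ASCII")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid_bytes, 4096, 32)


def parse_hex_psk(hex_psk: str) -> bytes:
    """Validate a PSK entered directly as 64 hexadecimal digits."""
    if len(hex_psk) != 64:
        raise ValueError("hex PSK must be exactly 64 hex digits (256 bits)")
    try:
        return binascii.unhexlify(hex_psk)
    except binascii.Error as exc:
        raise ValueError("hex PSK contains non-hex characters") from exc


def psk_entries_match(passphrase: str, ssid: str, hex_psk: str) -> bool:
    """True when the passphrase form and the hex form are the same key.

    Useful when APs are provisioned with the passphrase and handsets with
    the hex value (or the reverse): a mismatch shows up as failed
    association rather than as a clear error on the handset.
    """
    return derive_wpa_psk(passphrase, ssid) == parse_hex_psk(hex_psk)


if __name__ == "__main__":
    # IEEE 802.11i Annex H test vector: passphrase "password", SSID "IEEE"
    print(derive_wpa_psk("password", "IEEE").hex())
```

Because the derivation is salted with the SSID, a hex PSK is tied to the SSID it was derived for: renaming the voice SSID on the APs silently changes the key on any device still holding the passphrase, while devices holding the hex value keep the old one.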
5.2.1 Cisco Fast Secure Roaming (FSR)
Cisco’s Fast Secure Roaming (FSR) mechanism uses a combination of standards-based and proprietary security
components including Cisco Client Key Management (CCKM), LEAP authentication, Michael message integrity
check (MIC) and Temporal Key Integrity Protocol (TKIP). FSR provides strong security measures for authentication,
privacy and data integrity along with fast AP roaming on Cisco APs.
5.3 Using Virtual LANs
Virtual LANs (VLANs) can be used to segregate traffic into different security classes. By placing voice and data on
separate VLANs, data traffic can utilize the most robust but processing-intensive wireless security methods without
imposing that overhead on voice. In order for voice to operate efficiently in a WLAN, it is critical that it be separated
from the data traffic by using VLANs, mapped to WLAN SSIDs.
The 802.1Q standard establishes a method for inserting VLAN membership information into Ethernet frames via
header-information tags. SpectraLink infrastructure equipment and SVP do not generate or forward these tags, but
are otherwise compatible with 802.1Q up to the Ethernet switch ports used for the SpectraLink equipment.
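To make the 802.1Q tagging described above concrete, here is an added example (not Polycom's code) that inserts a VLAN tag into an Ethernet frame, reads it back, and strips it the way an access port does before handing the frame to equipment that, like the SpectraLink infrastructure, does not process tags. The sample frame and the VLAN number 200 are constructed for the example.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag


def tag_frame(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert a 4-byte 802.1Q tag after the destination/source MAC pair.

    TCI layout: 3-bit PCP (priority), 1-bit DEI, 12-bit VID. Voice traffic
    is usually carried with an elevated PCP so switches can prioritize it.
    """
    if len(frame) < 14:
        raise ValueError("frame too short to carry an Ethernet header")
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094 (0 and 4095 are reserved)")
    if not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("PCP is 3 bits, DEI is 1 bit")
    tci = (pcp << 13) | (dei << 12) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_tag(frame: bytes):
    """Return (pcp, dei, vid, inner_ethertype), or None if untagged."""
    if len(frame) < 18:
        return None
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        return None
    ethertype = struct.unpack("!H", frame[16:18])[0]
    return (tci >> 13) & 0x7, (tci >> 12) & 0x1, tci & 0x0FFF, ethertype


def strip_tag(frame: bytes) -> bytes:
    """Remove the tag so a tag-unaware device sees a plain Ethernet frame."""
    if parse_tag(frame) is None:
        return frame
    return frame[:12] + frame[16:]


# Constructed sample: dst MAC, src MAC, EtherType 0x0800 (IPv4), 20 bytes of payload
SAMPLE_FRAME = bytes.fromhex("001122334455" "66778899aabb" "0800") + b"\x45" + bytes(19)

if __name__ == "__main__":
    tagged = tag_frame(SAMPLE_FRAME, vid=200, pcp=5)
    print(parse_tag(tagged))          # (5, 0, 200, 2048)
    print(strip_tag(tagged) == SAMPLE_FRAME)
```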
5.4 MAC Filtering and Authentication
Most access points can be configured to allow or deny association of wireless clients based on their unique MAC
address, which can be used as a method of securing the WLAN. This process generally works well, but it can cause
performance issues on some APs and is never recommended when using voice on a WLAN.