Talk About an Oxymoron
|
Throughout the process, the 802.11i Task Group remained painfully aware that the transition from old station hardware would be slow because of the installed base of wireless networking cards that conform to the Wi-Fi standard. RSN does provide for both RC4 and AES encryption, though it will take new Wi-Fi adapters or fast stations to support the AES encryption. But the principal concession to the RSN migration effort is the inclusion of Transition Security Network (TSN), which is defined only to facilitate migration to an RSN, according to the standard. "A TSN is insecure, since the pre-RSN equipment can compromise the larger network," the standard says. The contradiction of an insecure security network comes from the ways broadcast and multicast traffic are (and aren't) protected and from the inclusion of preshared (manually configured) keys in RSN.
An access point sends broadcast and multicast frames encrypted with the weakest configured security method: WEP (Wired Equivalent Privacy), TKIP (RSN with RC4) or CCMP (RSN with AES). If the AP is configured for TSN, the WEP-encrypted broadcast frames will easily yield the WEP key, exposing all broadcast traffic even if no associated station is using WEP. And if RSN is being deployed with preshared keys because setting up RADIUS and choosing a trustworthy authentication method are too difficult, chances are the same key is being used for WEP and preshared-key RSN! So much for robust security.
Sure, every security system has its weakest link. And RSN does address all three aspects of a security system--authentication, key distribution and data confidentiality. But it provides only legacy approaches to them all, and the legacy 802.11 Wi-Fi standard has shared keys for authentication; it has no key distribution and only weak data confidentiality. Using any of these legacy features in an RSN leaves the network compromised.
He Who Hesitates ...
By combining resources and expertise, the AI-Enabled ICT Workforce Consortium will offer a blueprint for how industries can adapt to an AI-dominated future.
IT leaders should heed the guidance of cybersecurity insurance providers who think businesses should prioritize security education, incident preparedness, regular internal audits, and ongoing vulnerability scanning and patching.
There are many network courses that can address your present job's priorities and help you gain the needed skills to keep pace with industry changes and new technologies.
