Reality: A WPA2-based WLAN deployment cannot protect you from all types of wireless security threats.
Myth 3: I have enabled 802.1X port control and I am secure. IEEE 802.1X port-based access control provides an authentication mechanism for devices wishing to communicate via a port (e.g., a LAN port). It allows further communication only if the authentication succeeds. If it fails, it disallows further communication via the port. The goal of the designers of 802.1X was not to protect a network from wireless security threats. As we can expect, 802.1X is completely ineffective against Wi-Fi client-based threats. Even though 802.1X-based port control can act as a deterrent to rogue APs, it can be easily bypassed via a "hidden rogue AP" -- for example, by an employee with the knowledge of 802.1X credentials. First, he needs to connect a Layer-2 bridge AP in "silent" mode by configuring it with a static IP (so that it never has to reveal identify over the wire). Then, he can masquerade the identity (i.e. MAC address) of a Wi-Fi client to that of his Ethernet card to deceive 802.1X control.
Reality: The basic problem here is that 802.1X is a one-time (i.e., entry level) control, but, what you actually need is continuous monitoring and control.
Myth 4: My network access control (NAC) solution will protect me from Wi-Fi based threats. NAC aims to control access to a network with policies. It includes pre-admission endpoint security policy checks (to determine who can access the network) and post-admission controls (to determine what they can access). Since NAC solutions include some host-based checks (i.e., operating system, services running on host), it can protect against the class of rogue APs that function as a router or a network address translator. NAC also fails against the "silent rogue AP" threat.
Reality: Similar to 802.1X, NAC is also an entry level control and the arguments made against 802.1X hold true against NACs as well.
Myth 5: 802.11w eliminates Wi-Fi denizl-of-service (DoS) mattacks. By its very nature, Wi-Fi is susceptible to DoS attacks. The unlicensed radio frequency spectrum coupled with a "keep-it-simple" MAC protocol have lead to the development of several DoS attacks on Wi-Fi (e.g., RF jamming, deauthentication/disassociation flood, virtual jamming). IEEE recently ratified the 802.11w standard, which adds cryptographic protection to a certain subset of 802.11 Management frames (e.g., deauthentication frames, disassociation frames). This definitely mitigates the attacks based on such protected frames.
Reality: Attacks based on frames that are outside of the purview of 802.11w protection (e.g., virtual jamming) and RF spectrum based attacks are still possible.
Myth 6: Part-time security. WLAN infrastructure may support a mode wherein an AP can be programmed at times to act as a wireless intrusion-detection sensor. However, if you need a higher level of protection, for example to comply with industry or government regulations, you really need wireless intrusion-prevention (and not just detection), as switching an AP from access to protection provides, at best, part-time protection. A device acting as an AP cannot spend significant cycles on security. If it does, it will affect its performance as data/voice carrying device. Therefore when this mode is employed, such devices end up spending less time on scanning and threat mitigation. This introduces delays in threat detection and can affect blocking/prevention severely.
Sign up for MIS Asia eNewsletters.