cnPilot security: How is wireless client traffic secured?

Securing User Traffic

The access point bridges traffic from wireless clients to the wired network and there are multiple stages along this path where security is important. Traffic over the air can be intercepted by packet capture tools run by users in the vicinity of the network. To prevent that, the WLAN should be configured with WPA2 security, which uses AES-CCM based encryption. Per-session encryption keys are derived between the Access Point and the wireless client, based on either pre-share security keys (WPA2-Pre-Shared) or RADIUS/802.1x authentication (WPA2-Enterprise). All traffic on the air, both to and from the AP is then encrypted this way.

The use of WPA2 is recommended, WPA2-Enterprise is preferred as it also provides strong mutual authentication, in addition to encryption.

cnPilot access points also support MAC based access control lists. These can be configured on the access point or maintained centrally on a RADIUS server. The AP can look up the server to decide whether a particular device is to be allowed access to the network or not. While MAC addresses can be spoofed, when used in conjunction with WPA2 mac-authentication can provide an additional layer of security.

Securing Access To The Wired Network

In addition to securing traffic it is also important to ensure that traffic is bridged out appropriately to the wired side. On cnPilot APs this includes the mapping of VLAN to each WLAN and user traffic is only bridged out to the appropriate VLAN. This ensures separation of traffic on both wired and wireless sides, allowing use of guest and corporate networks together on the same AP.

In addition, access to/from the wired network can also be controlled using Access Control Lists. These are per-SSID lists of IP addresses, Port numbers and Subnets that the administrator can configure.

The AP will then only allow traffic that matches these rules. One example of ACLs is to allow access only for web browsing (TCP ports 80, 443) while blocking other services such as SMTP.

cnPilot enterprise APs also include a firewall that provides protection from some basic network denial of service attacks from malformed or spoofed packets.