Polycom H340 Cell Phone User Manual


 
Deploying SpectraLink 8020/8030
Wireless Telephones
May 2009 Best Practices Guide
5 Security
Proper security provisions are critical for any enterprise Wi-Fi network. Wireless technology does not
provide any physical barrier from malicious attackers since radio waves penetrate walls and can be
monitored and accessed from outside the facility. The extent of security measures used is typically
proportional to the value of the information accessible on the network. The security risk for VoWLAN is
not limited to the typical wired telephony concerns of eavesdropping on telephone calls or making
unauthorized toll calls, but is equivalent to the security risk of the data network that connects to the APs.
Different security options are supported on SpectraLink Wireless Telephones. Determining the proper
level of security should be based on identified risks, corporate policy and an understanding of the pros
and cons of the available security methods.
5.1 Wired Equivalent Privacy (WEP)
SpectraLink Wireless Telephones support Wired Equivalent Privacy (WEP) encryption as defined by the
802.11 standard. The handsets can use either 40-bit or 128-bit key lengths. WEP is intended to provide
the same level of security over a wireless LAN as on a wired Ethernet LAN. Although security flaws have
been identified, WEP still provides strong encryption that requires an experienced and dedicated hacker
to break. While WEP is often not an acceptable option for many high-security or privacy-focused
enterprises, it is still useful and provides reasonable performance for voice due to the shortened key
exchange process.
5.2 Wi-Fi Protected Access (WPA) Personal, WPA2 Personal
Recognizing the need for stronger security standards beyond WEP, the IEEE developed the 802.11i
standard, which includes stronger encryption, key management, and authentication mechanisms. Wi-Fi
Protected Access (WPA) is based on draft 3.0 of the 802.11i specification and uses TKIP (Temporal Key
Integrity Protocol) encryption. WPA2 is based on the ratified 802.11i standard. The major enhancement
of WPA2 over WPA is the inclusion of the Advanced Encryption Standard (AES), which is widely
accepted as one of the most secure encryption algorithms available.
Personal mode uses a password-based authentication method called Pre-Shared Key (PSK). Personal
mode is good for time-sensitive applications such as voice, because the key exchange sequence is
limited and does not adversely affect roaming between APs. The PSK can be entered in hexadecimal or
as an ASCII passphrase from the handset’s administration menu or the HAT. The handset supports both
WPA Personal and WPA2 Personal modes.
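The two entry forms described above are related by the passphrase-to-PSK mapping defined in IEEE 802.11i (PBKDF2 with HMAC-SHA1, the SSID as salt, 4096 iterations, 256-bit output). The following is an added example, not code from this guide or from Polycom; the function names are hypothetical and the SSID and passphrase are constructed sample values.

```python
import hashlib
import hmac
import string

PSK_BYTES = 32        # WPA/WPA2 Personal uses a 256-bit pre-shared key
PBKDF2_ROUNDS = 4096  # iteration count fixed by IEEE 802.11i


def psk_from_entry(entry: str, ssid: str) -> bytes:
    """Return the 256-bit PSK for a key typed as 64 hex digits or as an
    8..63 character ASCII passphrase (hypothetical helper name)."""
    if len(entry) == 64 and all(c in string.hexdigits for c in entry):
        return bytes.fromhex(entry)  # hex entry is the PSK itself
    if not 8 <= len(entry) <= 63:
        raise ValueError("passphrase must be 8..63 characters, or 64 hex digits")
    if any(not 32 <= ord(c) <= 126 for c in entry):
        raise ValueError("passphrase must be printable ASCII")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1..32 bytes")
    # The SSID is the salt, so one passphrase gives a different PSK per SSID.
    return hashlib.pbkdf2_hmac("sha1", entry.encode("ascii"), ssid_bytes,
                               PBKDF2_ROUNDS, PSK_BYTES)


def entries_match(handset_entry: str, ap_entry: str, ssid: str) -> bool:
    """True when the handset and AP entries yield the same PSK for this SSID."""
    return hmac.compare_digest(psk_from_entry(handset_entry, ssid),
                               psk_from_entry(ap_entry, ssid))


if __name__ == "__main__":
    # Constructed sample values, not taken from any deployment.
    ssid, passphrase = "IEEE", "password"
    hex_key = psk_from_entry(passphrase, ssid).hex()
    print("PSK:", hex_key)
    print("same SSID:", entries_match(passphrase, hex_key, ssid))
    print("renamed SSID:", entries_match(passphrase, hex_key, "IEEE-voice"))
```

A key entered in hexadecimal on one side and as a passphrase on the other stops matching as soon as the SSID is renamed, which is worth checking before changing the SSID that a voice VLAN maps to.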
5.2.1 Cisco Fast Secure Roaming (FSR)
Cisco’s Fast Secure Roaming (FSR) mechanism uses a combination of standards-based and proprietary
security components including Cisco Client Key Management (CCKM), LEAP authentication, Michael
message integrity check (MIC) and Temporal Key Integrity Protocol (TKIP). FSR provides strong security
measures for authentication, privacy and data integrity along with fast AP roaming on Cisco APs.
5.3 Using Virtual LANs
Virtual LANs (VLANs) can be used to segregate traffic into different security classes. By using separate
VLANs, data traffic can utilize the most robust but processing-intensive security methods. In order for
voice to operate efficiently in a WLAN, it is critical that it be separated from the data traffic by using
VLANs, mapped to WLAN SSIDs.
The 802.1Q standard establishes a method for inserting VLAN membership information into Ethernet
frames via header-information tags. SpectraLink infrastructure equipment and SVP do not generate or
©2009 Polycom, Inc. All rights reserved.
Polycom and the Polycom logo are registered trademarks of Polycom, Inc. All other trademarks are the property of Polycom, Inc. or their respective companies.