ch12lev1sec3.html

Mitigating WLAN Attacks

A variety of attacks can be launched against WLAN networks. Both WPA and WPA2 devices offer protection to the network from a variety of network attacks when IEEE 802.1x, EAP types, and TKIP and AES are used. Table 12-3 shows a list of common attacks and the EAP enhancements that are used to protect against known attacks.

Table 12-3. WLAN Attack Mitigation
Attacks Authentication: Open Encryption: Static WEP Authentication: EAP-FAST, EAP-TLS, PEAP, or Cisco LEAP Encryption: Dynamic WEP Authentication: EAP-FAST, EAP-TLS, PEAP, or Cisco LEAP Encryption: Cisco TKIP, WPA TKIP, AES
Man-in-the-Middle Attack Vulnerable Vulnerable Protected
Authentication Spoofing Vulnerable Protected Protected
AirSnort Attack Vulnerable Vulnerable Protected
Replay Attack Vulnerable Vulnerable Protected
Brute-Force Attacks Vulnerable Protected^[*] Protected^[*]
Dictionary Attacks Vulnerable Protected^[*] Protected^[*]

Table 12-3. WLAN Attack Mitigation
Attacks	Authentication: Open Encryption: Static WEP	Authentication: EAP-FAST, EAP-TLS, PEAP, or Cisco LEAP Encryption: Dynamic WEP	Authentication: EAP-FAST, EAP-TLS, PEAP, or Cisco LEAP Encryption: Cisco TKIP, WPA TKIP, AES
Man-in-the-Middle Attack	Vulnerable	Vulnerable	Protected
Authentication Spoofing	Vulnerable	Protected	Protected
AirSnort Attack	Vulnerable	Vulnerable	Protected
Replay Attack	Vulnerable	Vulnerable	Protected
Brute-Force Attacks	Vulnerable	Protected^[*]	Protected^[*]
Dictionary Attacks	Vulnerable	Protected^[*]	Protected^[*]

^[*] Strong password policy is required for Cisco LEAP.

Note

The information in Table 12-3 is taken from "Cisco Wireless LAN Security Overview" at http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_brochure09186a00801f7d0b.html.