WLAN Security Domain Conceptual Model

First, look at the WLAN security domain from a conceptual modeling perspective. Figure 1-2 shows the domain conceptual model and the relationship between the various components and acts as a backdrop for this book. This model defines the entities, functionalities, and relationships between them. Further, the mechanisms are the technologies and protocols through which the functionalities are implemented.

Figure 1-2. WLAN Security Domain Conceptual Model

In a nutshell, the WLAN system consists of entities [1] in Figure 1-2. Entities include users, wireless cards, APs, corporate networks, and service provider network access. Each entity is identified by an identity attribute or identifier [2]. Table 1-1 shows the common identifiers for each type of entity.

Table 1-1. Common Identifiers for Entities

Entity           Identifier
Users            Username, DN in a certificate
Client cards     MAC ID, IP address
Access points

You need to know how the entities are identified because, in most cases, the identities could be spoofed, so you need forms of authentication to establish the identity. Entities, of course, have credentials [3] for authentication and authorization that are exchanged using authentication protocols [7]. Entities communicate over channels that need to be secured against different types of attacks (passive and active). The final goal is to securely authenticate the entities using authentication systems [6]. The corporate AAA systems [6] hold the various required elements such as keys, usernames, password hashes, policies, and so on. Authentication protocols [7] carry the authentication mechanisms' exchanges: the presentation of credentials and the challenge/response handshakes.

After a client is authenticated to satisfaction (based on the network policies in place), the client is authorized [8]. This authorization can take many forms:

  • In the case of enterprises, the client might get full network privilege or access to restricted areas in the network (such as Internet access for guests and visitors).

  • For public WLANs, this might involve payment gateways, account checks with WSP, and so on, with access provided depending on the level of service.

  • Authorization would also include expiration of connections and other similar functions.

  • In many cases, such as conferences, the authorization might be null in the sense that, after they are authenticated, clients have access to the network resources. Remember that in these cases the network is just a connection to the Internet and possibly a server with conference-related materials.

The other security aspect is the integrity and confidentiality of the communication channels [5]. The confidentiality is achieved by encryption [9], and message integrity is achieved by digital signatures [10] with suitable mechanisms for bootstrapping, key exchange, and key refresh [11].
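The following is an added example, not code from the book, that walks the conceptual model end to end in Python: a challenge/response authentication protocol [7] between a client and an AAA system [6] holding password-derived keys [3], an authorization step [8] that grants role-dependent network access with an expiration, bootstrapping of a per-session key [11] from the handshake, and a message integrity check [10] on frames sent over the channel [5]. The identities, passwords, roles, salt, session lifetimes, and network names are all constructed for the example. Integrity is shown with a keyed MIC (HMAC) rather than a digital signature, and encryption [9] is not shown, since the standard library has no cipher.

```python
import hmac
import hashlib
import os
from dataclasses import dataclass


def derive_pw_key(password: bytes) -> bytes:
    """Both sides derive a key from the password; the AAA store keeps only this
    key, never the password. Salt and iteration count are assumptions."""
    return hashlib.pbkdf2_hmac("sha256", password, b"example-salt", 10_000)


# Constructed credential store standing in for the corporate AAA system [6].
AAA_STORE = {
    "alice": {"pw_key": derive_pw_key(b"alice-secret"), "role": "employee"},
    "guest1": {"pw_key": derive_pw_key(b"guest-pass"), "role": "guest"},
}

# Constructed authorization policy [8]: reachable networks per role and how
# long a session lives before the client must re-authenticate.
AUTHZ_POLICY = {
    "employee": {"networks": frozenset({"corp", "internet"}), "lifetime_s": 8 * 3600},
    "guest": {"networks": frozenset({"internet"}), "lifetime_s": 3600},
}


@dataclass
class Session:
    identity: str
    networks: frozenset
    expires_at: float
    session_key: bytes


def aaa_challenge() -> bytes:
    """AAA side: a fresh random nonce, so a captured response cannot be replayed."""
    return os.urandom(16)


def client_response(identity: str, password: bytes, nonce: bytes) -> bytes:
    """Client side: prove knowledge of the password without sending it."""
    key = derive_pw_key(password)
    return hmac.new(key, identity.encode() + nonce, hashlib.sha256).digest()


def aaa_verify(identity: str, nonce: bytes, response: bytes) -> bool:
    """AAA side: recompute the expected response and compare in constant time."""
    rec = AAA_STORE.get(identity)
    if rec is None:
        return False
    expected = hmac.new(rec["pw_key"], identity.encode() + nonce, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def bootstrap_session_key(pw_key: bytes, nonce: bytes) -> bytes:
    """Key bootstrapping [11]: both sides derive the same per-session key from
    the shared secret and the fresh nonce; the key itself never crosses the air."""
    return hmac.new(pw_key, b"session-key" + nonce, hashlib.sha256).digest()


def authorize(identity: str, nonce: bytes, now: float) -> Session:
    """Authorization [8] after successful authentication: apply the role policy."""
    rec = AAA_STORE[identity]
    policy = AUTHZ_POLICY[rec["role"]]
    return Session(identity, policy["networks"], now + policy["lifetime_s"],
                   bootstrap_session_key(rec["pw_key"], nonce))


def run_handshake(identity: str, password: bytes, now: float):
    """Full exchange: challenge -> response -> verify -> authorize. None on failure."""
    nonce = aaa_challenge()
    response = client_response(identity, password, nonce)
    if not aaa_verify(identity, nonce, response):
        return None
    return authorize(identity, nonce, now)


def session_allows(session: Session, network: str, now: float) -> bool:
    """Access is denied once the session has expired, whatever the role."""
    return now < session.expires_at and network in session.networks


def protect(session_key: bytes, payload: bytes) -> bytes:
    """Integrity [10]: append a 32-byte MIC computed under the session key."""
    return payload + hmac.new(session_key, payload, hashlib.sha256).digest()


def verify(session_key: bytes, frame: bytes):
    """Return the payload if the MIC checks out, otherwise None (tampered frame)."""
    payload, mic = frame[:-32], frame[-32:]
    expected = hmac.new(session_key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mic, expected):
        return None
    return payload


if __name__ == "__main__":
    sess = run_handshake("alice", b"alice-secret", 1000.0)
    print("authenticated:", sess is not None, "corp allowed:", session_allows(sess, "corp", 2000.0))
    frame = protect(sess.session_key, b"hello")
    print("intact:", verify(sess.session_key, frame) == b"hello")
```

The nonce is what makes the spoofing concern from earlier in the section tractable: an identity alone (username, MAC) proves nothing, and even a recorded valid response is useless against the next challenge. The session key tied to that handshake is then what lets the channel, not just the login, be checked for tampering.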