Design Guide for the Alcatel OmniPCX Enterprise – Mobile IP Touch
this practice is often far more troublesome to network administrators than it is to network attackers.
The advantages of SSID broadcast usually far exceed the threat of visibility it offers.
Since all MIPT terminals must be manually configured with an SSID, the decision to enable or disable
SSID broadcast is of little consequence to Alcatel MIPT terminals. There is no impact to ease of use
or functionality presented by the state of SSID broadcast. Alcatel recommends that customers
maintain their current or desired security policies governing this topic.
2.3.2. Authentication & Encryption
At present, for the MIPT R 1.1.1 offer, Alcatel provides authentication and encryption options based
on WEP 128 (Static Key) and WPA-PSK. This means that, if selected, wireless traffic for VoWLAN can
be encrypted based on RC4 ciphering techniques (with or without TKIP) and “Shared Key”
authentication mechanisms. Pre-Shared Keys must be manually entered in each MIPT terminal at
installation. In the case of WPA-PSK implementation, the Pre-Shared Key is used for initial
authentication and as the seed for Temporal Key Integrity Protocol key rotations. No other
authentication and/or encryption options are presently available (i.e. 802.1x authentication and/or
802.11i / AES encryption).
WEP is recognized as being a weak security option due to the static nature of the encryption key.
Derivation of the key is possible through simple passive scanning techniques and data analysis. To
counter this problem, the Wi-Fi Alliance has defined a standard known as WPA. WPA, in reality, is
WEP enhanced with TKIP key rotation. This prevents key derivation through passive scanning and
brute force attacks. WPA-PSK can be implemented in most infrastructure environments through
simple software upgrades, making it a universally available, simple and effective scheme for content
protection.
Alcatel strongly recommends the use of WPA in order to provide for the highest levels of
confidentiality and network security.
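The WPA-PSK provisioning step described above, as an added example that is not part of the Alcatel guide: it checks a candidate passphrase before it is typed into each terminal and derives the 256-bit key with the IEEE 802.11i passphrase-to-PSK mapping, in which the SSID acts as the salt. It assumes the key is entered as an ASCII passphrase; the function names, the 80-bit floor and the sample SSID and passphrase are constructed for illustration.

```python
import hashlib
import math
import string

MIN_LEN, MAX_LEN = 8, 63      # WPA passphrase length limits (printable ASCII)
MIN_BITS = 80                 # hypothetical site policy floor, not from the guide


def validate_passphrase(passphrase: str) -> None:
    """Reject passphrases the 802.11i mapping does not allow."""
    if not MIN_LEN <= len(passphrase) <= MAX_LEN:
        raise ValueError("passphrase must be 8..63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")


def derive_psk(passphrase: str, ssid: str) -> str:
    """PSK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes)."""
    validate_passphrase(passphrase)
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1..32 octets")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32).hex()


def estimate_bits(passphrase: str) -> float:
    """Crude upper bound on entropy: length * log2(size of character classes used).
    Dictionary words are far weaker than this bound suggests."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation + " ")
    pool = sum(len(c) for c in classes if any(ch in c for ch in passphrase))
    return len(passphrase) * math.log2(pool)


def provisioning_check(passphrase: str, ssid: str) -> dict:
    """Summary an installer can review before keying the terminals."""
    bits = estimate_bits(passphrase)
    return {"ssid": ssid, "psk_hex": derive_psk(passphrase, ssid),
            "estimated_bits": round(bits, 1), "meets_policy": bits >= MIN_BITS}


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    print(provisioning_check("k7#Vq2!mZp9$Lw4x", "VoWLAN-Example"))
    print(provisioning_check("password", "VoWLAN-Example"))
```

Because the SSID is the salt, renaming the SSID changes the derived key, so terminals provisioned with the hex PSK rather than the passphrase must be re-keyed.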
2.3.3. MAC Address Filtering
MAC address filtering facilities are provided for within Alcatel’s OmniAccess product platforms.
Alcatel strongly encourages the use of LOCAL MAC address filter rules to help ensure that only
authorized wireless clients are permitted to join the VoWLAN network.
For more information on MAC address filtering, please refer to the Alcatel VoWLAN Engineering
Reference.
2.3.4. Rogue Activity Detection
Rogue Access Points and Rogue Ad-Hoc Wi-Fi activity can seriously degrade VoWLAN voice quality
by wreaking havoc with carefully designed and implemented Radio Frequency coverage patterns.
For this reason, Alcatel strongly recommends the use of the OmniAccess Wireless Protection option to
identify and eliminate these potential threats. The nominal cost of this technology option provides an
immense amount of investment protection, and the value of Rogue Activity Detection cannot be
stressed enough.
ESD/ Central Pre Sales / DF/ JM
June 2005 – Ed 01