WLAN Security with SSH, SSL, TLS, HTTPS
Secure Shell (SSH), Secure Sockets Layer (SSL), Transport Layer Security (TLS), and HyperText Transfer Protocol over SSL/TLS (HTTPS) represent technologies that can be used to secure communication between a client and a server. Each has proven itself as a method of securing wired or wireless data and keeping it safe. When using wireless networking, use the following:
Secure Shell: SSH is the secure replacement for Telnet. Unlike Telnet, which transmits its data in clear text over the network, SSH encrypts all data that it sends between clients and servers. SSH also lets you authenticate with either a username and password or with certificate-based authentication.
SSH has become the de facto standard for communicating with UNIX/Linux servers and with network devices such as routers and switches. In the WLC/AP environment, SSH is the secure way to reach the management command-line interface of these devices. Always use SSH rather than Telnet for this type of access.
Secure Sockets Layer: SSL was developed by Netscape and was established as a standard for HTTP traffic encryption. SSL has since been enhanced and replaced by TLS.
Transport Layer Security: TLS is the standard method of encrypting client/server data. A TLS session begins with a handshake that performs key exchange and authentication and negotiates standard ciphers. Many IP-based protocols, such as HTTP (HTTPS), Simple Mail Transfer Protocol (SMTP), Post Office Protocol version 3 (POP3), File Transfer Protocol (FTP), and Network News Transfer Protocol (NNTP), support TLS to encrypt data.
Because most major protocols support TLS, when using these protocols over wireless, use TLS whenever the server supports it. In many cases the terms SSL and TLS are used interchangeably, even though the technology actually in use is usually the newer TLS.
HyperText Transfer Protocol over SSL/TLS (HTTPS): As the name suggests, HTTPS implements standard HTTP but encrypts all the data transfers with client devices. This is why your online banking websites all require you to use HTTPS when dealing with them. Your WLC and APs allow you to make configuration changes from your favorite web browser.
They often have HTTP access enabled by default, out of the box. Because HTTP is unencrypted, anyone who can capture the traffic with a tool such as Wireshark (a network packet capture tool) can read the credentials you use to manage your WLC and APs. This is a serious security weakness, and it is solved by enabling HTTPS.
Most devices on the market that support HTTP access for management also support HTTPS access, and typically it is enabled with a single check box on the management web page.
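The two risks described above (Telnet and plain HTTP exposing management credentials on the wire) can be turned into a detection check. The following is an added example, not code from the original text or from any vendor: it scans decoded TCP payloads for cleartext HTTP Basic credentials and Telnet login exchanges, and reports each one with the username only, never the password. The flows, hostnames and addresses are constructed; in practice the same logic would run over payloads exported from Wireshark or tshark.

```python
"""Flag cleartext management logins (plain HTTP and Telnet) in captured payloads.

Added example for this page; not the page's or any vendor's code. Input is
constructed, already-decoded TCP payload text so the check runs offline.
"""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample flows: (client, server, dst_port, decoded payload text).
SAMPLE_FLOWS = [
    # Plain HTTP login to a controller's web UI using Basic auth (admin:Wlc-Passw0rd).
    ("10.0.5.23", "10.0.1.10", 80,
     "GET /screens/frameset.html HTTP/1.1\r\n"
     "Host: wlc-mgmt.example.test\r\n"
     "Authorization: Basic " + base64.b64encode(b"admin:Wlc-Passw0rd").decode() + "\r\n\r\n"),
    # Telnet session to an AP: the login prompt and both answers cross the wire in the clear.
    ("10.0.5.23", "10.0.1.50", 23,
     "User Access Verification\r\nUsername: cisco\r\nPassword: Cisco123\r\n"),
    # HTTPS: only opaque TLS records are visible, so there is nothing to flag.
    ("10.0.5.23", "10.0.1.10", 443, "\x16\x03\x03\x00\xc4\x01\x00\x00\xc0\x03\x03"),
]

HTTP_REQUEST_RE = re.compile(r"^(GET|POST|PUT|DELETE|HEAD)\s")
BASIC_RE = re.compile(r"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\s*$", re.I | re.M)
HOST_RE = re.compile(r"^Host:\s*(\S+)", re.I | re.M)
TELNET_USER_RE = re.compile(r"(?:Username|login):\s*(\S+)", re.I)
TELNET_PASS_RE = re.compile(r"Password:\s*\S+", re.I)

# What the finding means operationally, in the spirit of the text above.
FIX_FOR = {
    "HTTP": "disable HTTP management and enable HTTPS",
    "Telnet": "disable Telnet and enable SSH",
}


@dataclass
class Finding:
    client: str
    server: str
    protocol: str
    username: str          # the password is deliberately never recorded
    detail: str
    fix: str


def inspect_http(payload: str) -> Optional[Tuple[str, str]]:
    """Return (username, detail) if a plain HTTP request carries Basic credentials."""
    match = BASIC_RE.search(payload)
    if not match:
        return None
    try:
        decoded = base64.b64decode(match.group(1), validate=True).decode("utf-8", "replace")
    except ValueError:            # binascii.Error is a ValueError subclass
        return None
    username = decoded.split(":", 1)[0]
    host = HOST_RE.search(payload)
    return username, f"HTTP Basic credentials sent to host {host.group(1) if host else '?'}"


def inspect_telnet(payload: str) -> Optional[Tuple[str, str]]:
    """Return (username, detail) if the payload shows a Telnet login exchange."""
    user = TELNET_USER_RE.search(payload)
    if not (user and TELNET_PASS_RE.search(payload)):
        return None
    return user.group(1), "Telnet username and password exchanged in the clear"


def detect_cleartext_logins(flows) -> List[Finding]:
    """Classify each payload by content (not port) and collect cleartext-login findings."""
    findings = []
    for client, server, _port, payload in flows:
        if HTTP_REQUEST_RE.match(payload):
            proto, result = "HTTP", inspect_http(payload)
        else:
            proto, result = "Telnet", inspect_telnet(payload)
        if result:
            username, detail = result
            findings.append(Finding(client, server, proto, username, detail, FIX_FOR[proto]))
    return findings


if __name__ == "__main__":
    for f in detect_cleartext_logins(SAMPLE_FLOWS):
        print(f"{f.client} -> {f.server} [{f.protocol}] user={f.username}: {f.detail}; fix: {f.fix}")
```

The classifier keys on payload content rather than destination port, so a web UI served on a non-standard port is still caught, and a finding carries only the username and the remediation, so the alert itself does not become a second copy of the credential.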