Avoid Wireless LAN Security Pitfalls

Wireless Local Area Networks (WLANs) are taking off. Enterprises are turning to WLANs in droves because they offer mobility and huge cost advantages. In fact, studies show that wireless workers are more productive, less pressured and save businesses money. Gartner, Inc., for instance, finds WLANs to be cheaper to install than wired LANs, especially for small organizations. And once they’re in, wireless LANs are less expensive to operate and maintain.

But wireless LANs are not everywhere they could be. Enterprises have heard the horror stories of competitors and crackers sitting in a parking lot and accessing the corporate network. Unfortunately most of these stories are true. Gartner predicts that by the end of this year, a third of all enterprises will suffer a serious security exposure due to a wireless LAN.

The reason? The main protector of wireless LANs, the Wired Equivalent Privacy (WEP) standard, remains full of holes. Research from Cahners’ In-Stat and META Group suggest the lack of security is the biggest deterrent to widespread adoption of WLANs.

But the more IT professionals learn about WLAN technology, and its newer
security options, the better moving to wireless sounds.

Why isn’t every LAN a WLAN?

Wireless will probably never completely replace wired local area connections. Wires have an slight advantage in security and today maintain a dramatic edge in speed.

WLANs, while far slower than their wired counterparts, are multiplying in performance. And more importantly, some very smart and dedicated developers are whittling away at the security problems.

WLAN security is generally breached the same way as any other system – a hacker or two discovers a weakness and devise a mode of attack that is then shared and used by the hacker community at large. Script kiddies, or crackers without a lot of technical background, can implement these attacks too easily and wreak havoc on your network. It’s essentially: point, click and break in!

But not all attacks are aimed at compromising corporate security. Some are built to demonstrate and ultimately lead to a fix. While problems with WEP have been known for years, the dam really burst in July of 2001 when noted cryptographers Fluher, Mantin and Shamir unveiled the Rapid Passive Attack. The Rapid Passive Attack demonstrated that it is relatively easy and fast to break WEP encryption.

A month later, a team from AT&T Labs successfully implemented the attack and concluded that WEP is “totally insecure.” That same month, the AirSnort program was released, letting anyone penetrate WEP weaknesses in virtually any unwired network. Now there are a host of tools for script kiddies, including WEPCrack, and Dnsniff.

The Web makes these break-ins even easier to perpetrate. A trouble maker can simply hop over to Netstumbler.com, a free site that tracks over 8,000 access points, including MAC addresses, performance variables, and other information making it simpler to crack into wireless networks.

The WLAN industry, knowing the huge benefits this technology provides, has been fighting back. In June 2001, the IEEE standards body responsible for defining WEP released its specification for the 802.1x standard, which defines how various wireless technologies can increase the number of secure key exchanges between devices and servers. The absence of key mangagement was of the principal flaws of WEP. Frequent re-keying makes it more difficult to have unauthorized access to wireless networks.

That new spec is already making in-roads. Microsoft Corp. built 802.1x into its Windows XP operating system, and many major wireless vendors such as Bluesocket, Cisco and Funk are touting 802.1x support.

With security defined as one of the main roadblocks to WLAN growth, the question is: Does the new 802.1x do enough to enhance the security of wireless LANs and of other mobile products?

Security Basics

Network security, whether wired or wireless, involves five major activities. Particular security standards or technologies can involve one, two or all five, but any user session must pass through at least these five steps in a secure environment. The steps are:

1) Authentication, which can be handled through identification numbers, user names and passwords, or digital certificates.

2) Authorization, which provides permissions that allow access to vary by user, including the types of systems each user can access, as well as setting priorities.

3) Privacy, which focuses on data confidentiality, usually ensured by the use of encryption.

4) Administration, the ability to manage distributed systems from a central point either for regular maintenance or to respond to an emergency or attack.

5) Accessibility, which focuses on defining Class of Service by user, and in the case of wireless, providing secure mobility.

Although a security system typically involves those five major components, 802.1x is a standard that addresses only authentication and key management for networks. Thus it is a standard focused on roughly two parts of a multi-dimensional challenge to implementing and maintaining a secured, functional network. Extensions to the 802.1x framework (EAP) are progressing to provide authorization.

A Perfect Solution?

802.1x is a large step forward for authentication, access and addressing some of the known issues involving wireless LAN security. A comparison of 802.1x and standard 802.11 security is shown in Table 1. As you can see, there are many advantages to 802.1x. However, as with any fledgling technology or standard, the IT professional should also be concerned with potential problems or limitations.

802.1x is a Framework

As a publicly ratified standard, 802.1x does not mandate specific security procedures. Vendors are free to implement authentication only or authentication and encryption together. Make sure you choose a vendor that implements both authentication and encryption. Bottom line: authentication without encryption is not secure.

Several vendors have implemented proprietary security frameworks based on the emerging 802.1x standard. These product implementations require users to single source vendors, choosing only a single vendor’s Access Points and PC cards to gain 802.1x security advantages.

As 802.1x becomes built into more and more operating systems, interoperability with all vendors who support the standard will be available. However, at this time 802.1x is only supported in Microsoft’s Windows XP. True interoperability with 802.1x will be dependent on the purchase of Microsoft’s Windows XP or a future Service Pack update to Windows 2000.

Also, an authentication server is required. Typically, this will be a RADIUS server. Currently, Microsoft Windows 2000 Server, Cisco ACS, Funk RADIUS and Interlink Networks RADIUS all support 802.1x.

All or Nothing Access

Once a user has authenticated, they are granted full access to the network. 802.1x does not provide any granularity to control whom can access particular services or destinations, so it’s all or nothing access. This is not a problem if your company does not mind that a guest or contractor can easily access your finance server or that a university student can access the Administration server as easily as the Internet. However, reality dictates that everyone is NOT treated equally on LANs.

In the End, 802.1x Is Still WEP

802.1x provides improvements in privacy by using dynamic, per user, per session keys, a better solution than WEP’s fixed keys. However, the underlying WEP mechanism is unchanged. This is still a major concern
summed up by Ron Rivest, who developed the encryption algorithm for WEP, dubbed RC4:

“Those who are using the RC4-based WEP or WEP2 protocols to provide confidentiality of their 802.11 communications should consider these protocols to be broken,” Rivest says, “and plan remedial actions as necessary to mitigate the attendant risks. Actions to be considered should include using encryption at higher protocol layers and upgrading to improved 802.11 standards when these become available.”

Better encryption is on the way. A new security algorithm called Temporal Key Integrity Protocol (TKIP) offers a rapid re-keying protocol that changes the encryption key about every 10,000 packets in order to address the vulnerabilities of WEP. Standards bodies are also investigating the use of the Advanced Encryption Standard (AES) as a possible alternative to RC4 in future versions of 802.11 security. AES is a replacement for DES (Data Encryption Standard) and uses the Rijndael algorithm, which was selected (after several years of analysis) by the US Government to protect sensitive information.

But you don’t have to wait for better encryption. Many security experts recommend the adoption of Internet Protocol Security or IPSec standard that has been deployed in global networks for over five years to protect data from being viewed, utilized or corrupted by a non-trusted party.

Phil Belanger, past chairman and current marketing director of the Wireless Ethernet Compatibility Alliance (WECA) agrees. “We’ve always said that if privacy is a concern, you need to be using end-to-end security mechanisms, like VPNs, based on IPSec along with the WLAN. Even if WEP wasn’t compromised, you ought to be doing that.”

However, once a tunnel is open, the device and user are assumed to be OK. In wireless, you need to continue to view the user as mobile and literally connecting to your network via the air. Thus, it makes sense to implement procedures that allow you to decrypt each packet as it enters your trusted network to enforce your authorization policies.

What about PDAs?

IT managers are faced with the rapid proliferation of PDAs and other hand-held devices. With them comes the crucial issue of how to grant them access to the network. As we examined earlier, using the 802.1x standard would be a good first step, but the many mobile operating systems now widely deployed, such as Microsoft PocketPC 2002, do not support the standard. Further, unlike PCs, there is limited support for even a vendor specific implementation of an 802.1x-like solution.

Currently, the only way to reach an acceptable security level is to implement an IPsec approach. This can be accomplished using the built in Point to Point Tunnel Protocol (PPTP) or by using a proprietary IPSec client.

The Requirement for “Access Servers”

Microsoft and other companies are recommending deployment of an access server to fill in the areas of security not managed easily, e.g. support for multiple Access Points, PDA operating systems and applications, authentication systems and so on.

For those using 802.1x security, an access server passes authentication requests from the Access Point to the authentication server seamlessly. This is a requirement in any network that may have a mixed environment of multiple vendor Access Points, NIC cards and devices as well as environments that may only be partially 802.1x enabled for some time to come.

Bottom Line Recommendations for 802.1x and Beyond

IT professionals are faced with many issues surrounding the implementation of WLANs. The following are recommendations for good practices when purchasing and deploying a complete solution:

* For small, tough to manage locations, turn WEP on using 128bit keys and change the keys periodically.
* Purchase equipment that supports the 802.1x standard, including using Microsoft Windows XP as the operating system when cost effective and available.
* When Windows XP is not an option, use vendors who support the 802.1x framework even if it means proprietary PC cards and Access Points.
* Make sure your vendor supports 802.1x authentication and
encryption. Both. Now.
* Where security is of the utmost concern, use IPSec to provide a layered, robust and manageable approach.
* If using PDAs, use IPsec tunneling technology to provide security or other security, such a PPTP, as available.
* Implement an access server technology. Such a server allows you to tie together all of the various standards and non-standard-based equipment. In addition, you can centrally manage and enforce far-ranging business rules dealing with CoS, user/group based management granularity and IPsec compatibility.

Dave Juitt is Chief Technology Officer at Bluesocket Inc. where he is responsible for the technology evolution of wireless access systems and security. He was previously chief information security officer for Redwood Investment Systems of Boston and department head for GTE Laboratories’ secure systems research. Prior to GTE, he spent nine years at Digital Equipment and was on the technical staff at MITRE Corporation.