How to Make Wireless Networks Secure

Organisations are eager to migrate to wireless LANs (WLANs). The demand for WLAN access in the USA has surged dramatically over the past year. Users are clamouring for WLAN access because it allows them to access their network and the Internet from anywhere in the workplace, without having to “plug in”. Administrators are attracted to WLANs because they’re easier to install (no cable to pull through walls and ceilings), they’re flexible (they can be installed in places that wired LANs cannot, and do not require rewiring when seating or office plans change), and, in part owing to this flexibility, they’re less expensive to maintain over the long-term.

For these reasons, experts expect the WLAN market to grow steadily, even in the face of an economic downturn. Cahners projects that WLAN revenues will grow to $4.6 billion by 2005. WLANs have already made significant penetration into the education, hospitality, healthcare and financial industries, and continually decreasing equipment prices should help drive adoption in other industries. Even owners of public meeting places – now known in the industry as hotspots – are trying to get into the act. Coffee shops, airline lounges, and libraries are just a few of the venues offering WLAN access to their patrons, enabling their customers to make better use of what used to be mandatory unconnected time.

WLAN Architecture and Security Challenges
As with any technology shift, migrating users to WLANs has its drawbacks.

The initial investment in hardware may be significant and somewhat irksome. Organisations will have to deploy multiple wireless access points, and outfit every user with wireless network cards, when most will already have perfectly good NIC cards for the wired LAN.

But the chief concern in migrating to WLAN access is security. Physical wires turn out to be one of the primary obstacles to attackers looking to hack their way onto a LAN. It’s unlikely that a stranger plugging into a corporate network would go unchallenged, either by the network security that’s already in place, or by surrounding workers.

On a WLAN, of course, this obstacle disappears. Instead, user credentials and data are broadcast from both the client and the wireless access point (AP) in a radius, which may reach 300 feet or more.

Of course, the fact that data is being broadcast via radio waves rather than transmitted over a wire introduces security challenges, namely:

  • How can you prevent user credentials from being hijacked during authentication negotiation?
  • Once authentication is complete, how can you protect the privacy of the data being transmitted between client and access point?
  • How can you make sure the authorised user connects to the right network?
Early WLAN Implementations
The first WLAN implementations – designed primarily for home use – did little to address these security issues. 802.11b, published in 1999, was the first IEEE draft outlining specifications and protocols for WLAN connections with LAN-equivalent speed and security. More popularly known as Wi-Fi (wireless fidelity), 802.11b provides for wireless transmission rates of 11Mbps.

In 802.11b WLAN solutions, user authentication happened in the clear, via the WLAN device’s unique Media Access Control (MAC) address. Each AP contained a database of each authorised client’s MAC address; if the client’s MAC address was present in the AP’s database, the user was granted access to the network. Of course, this left a user’s MAC address exposed: anyone sniffing the network could see a valid MAC address being broadcast (and re-set his own device to that address). Also, if the user’s client device were stolen, the thief would have all the credentials he or she needed to easily access the network (without having to know or guess a username and password).

In addition to the security problems this method introduced, it also didn’t scale well. The MAC address for each user must be stored on each AP on the wireless LAN, creating a cumbersome management scenario and increasing the possibility of security breaches due to administrative oversight.

Data privacy was provided for via a sub-protocol called wired equivalent privacy, or WEP, intended to provide the same level of security found in a wired LAN. As it turned out, first-generation implementations of WEP did not provide this level of security. In fact, numerous published reports, the latest prepared by AT&T, demonstrated convincingly that WEP was easily cracked, seriously breaching the privacy of any wireless data transmission.

The 802.1X Solution
802.1X is a next-generation draft of IEEE WLAN specifications and protocols written to address the security and management pitfalls of 802.11b. The 802.1X protocol provides sub protocols and methods for better protecting authentication and data transmission, including:

An authentication process – such as a RADIUS server or access point-based authentication – to manage WLAN user authentication, connection attributes, and other matters related to setting up and securing the WLAN connection. While the 802.1X protocol does not recommend one authentication process over another, the market has overwhelmingly adopted RADIUS as the preferred authentication process on WLANs for several compelling reasons:

  • With RADIUS, authentication is user-based rather than device-based, so, for example, a stolen laptop does not necessarily imply a serious security breach.
  • RADIUS eliminates the need to store and manage authentication data on every AP on the WLAN, making security considerably easier to manage and scale.
  • RADIUS has already been widely deployed for other types of authentication on the network
Extensible Authentication Protocol (EAP), and EAPoL (EAP over LAN) – EAPoL is the transport protocol used to negotiate the WLAN user’s secure connection to the network. Security is handled by vendor-developed “EAP authentication types”, which may protect credentials, data privacy, or both.

EAP Authentication Types
Because WLAN security is essential – and EAP authentication types provide the nmeans of securing the WLAN connection – vendors are rapidly developing and adding EAP authentication types to their WLAN access points. Some of the commonly deployed EAP authentication types include:

  • EAP-TLS (Transport Layer Security). EAP-TLS – the security method used in the 802.1X client in Windows XP – provides for certificate-based, mutual authentication of the client and the network. It relies on client-side and server-side certificates to perform authentication; dynamically generated user- and session-based WEP keys are distributed to secure the connection. Windows XP includes an EAP-TLS client.
  • EAP-TTLS. Funk Software and Certicom have jointly developed EAP-TTLS (Tunnelled Transport Layer Security). EAP-TTLS is an extension of EAP-TLS, which provides for certificate-based, mutual authentication of the client and network. Unlike EAP-TLS, however, EAP-TTLS requires only server-side certificates, eliminating the need to configure certificates for each WLAN client. In addition, it supports legacy password protocols, so you can deploy it against your existing authentication system (such as tokens or Active Directories). It securely tunnels client authentication within TLS records, ensuring that the user remains anonymous to eavesdroppers on the wireless link and the entire network to the RADIUS server.
  • EAP-Cisco Wireless. Also called LEAP (Lightweight Extensible Authentication Protocol), this EAP authentication type is used primarily in Cisco WLAN APs, including the Aironet Series. It encrypts data transmission using dynamically generated WEP keys, and supports mutual authentication.
  • EAP-MD-5 Challenge. The earliest EAP authentication type, this essentially duplicates CHAP password protection on a WLAN. EAP-MD5 represents a kind of base-level EAP support among 802.1X devices.
It is likely that this list of EAP authentication types will grow as more and more vendors enter the WLAN security market, and until the market chooses a standard. In general, you may wish to evaluate any EAP authentication type you’re considering deploying based on the following functionality:
  • Does it provide adequate credential security?
  • Does it permit mutual authentication of the client and the network?
  • Does it require dynamic encryption keys?
  • Does it support re-keying?
  • Is it easy to manage?
  • Can you easily implement it on your network?
How RADIUS Works in the 802.1X Environment
In the most common 802.1X WLAN environments, the APs defer to the RADIUS server to authenticate users and to support particular EAP authentication types. The RADIUS server handles these functions, and provides crucial authentication and data protection capabilities according to the requirements of the EAP authentication type in use.

Because the RADIUS server plays such as central role in WLAN security -brokering client and AP authentication, and providing and enforcing any other security measures specified by the EAP authentication type – organisations looking to maximise the return on their WLAN investment should seek a RADIUS server that:

  • Supports all existing EAP authentication types
  • Supports multiple vendors’ equipment, on a single WLAN, so that the organisation can grow its WLAN by adding whatever equipment meets its requirements (instead of being tied to solutions provided by a particular vendor).
  • Offers the performance and transaction capacity to support large-scale migration to WLAN, as well as increased transactions that accompany additional security techniques such as reauthentication.
A significant development has been the recent introduction of end-to-end 802.1X security solutions that let users securely connect to WLANs and can be easily and widely deployed across the enterprise.

For example, one such product developed by Funk Software secures the authentication and connection of WLAN users, ensuring that only authorised users can connect, that connection credentials will not be compromised, and that data privacy will be maintained.

When used in conjunction with Steel-Belted Radius, Funk Software’s RADIUS/AAA server, Odyssey forms a total solution for managing remote access and WLAN users. While Odyssey will handle all WLAN user authentication and security set-up, the integrated Odyssey/Steel-Belted Radius solution enables organisations to:

  • Authenticate WLAN users against SQL, LDAP, or other external databases supported by Steel-Belted Radius.
  • Manage dial-in, firewall, and VPN users in addition to WLAN users from a single database and console.
Conclusion
Organisations which have deferred migrating to WLANs because of security concerns can now safely take advantage of the benefits of WLAN technology by implementing 802.1X WLANs which implement advanced security techniques and which are managed by a RADIUS server.

Extremely secure WLAN access, that is easily managed, is now attainable by using the latest specialist software, supporting the innovative and advanced EAP-TTLS authentication type, to achieve a maximum return from an organisation’s WLAN investment.

Network Utilities are exhibiting at Infosecurity Europe, Europe’s largest and most important information security event. Now in its 8th year, the show features Europe’s most comprehensive FREE education programme, and over 200 exhibitors at the Grand Hall at Olympia from 29th April – 1st May 2003. www.infosec.co.uk

Infosecurity Europe is Europe’s largest and most important information security event. Now in its 8th year, the show features Europe’s most comprehensive FREE education programme, and over 200 exhibitors at the Grand Hall at Olympia from 29th April – 1st May 2003. www.infosec.co.uk