Positive Identification in a Wireless World

Have you read the latest issue of our digital (IN)SECURE Magazine? If not, do it now.

The use of wireless systems for network and Web access is exploding-from wireless LANs to e-mail capable cell phones. It makes network access completely portable, and with systems starting at under $300, it’s very affordable.

But widespread wireless use has raised serious new security challenges. How can you be certain the person connecting to your wireless network is a legitimate user and not a hacker sitting in your parking lot?

In a recent study, over half of the companies surveyed didn’t even use the most basic encryption and security features of their wireless LAN systems. For those companies who choose to implement security features, solutions include access control appliances or VPNs to protect their wireless systems instead of (or in addition to) wireless encryption to establish a secure session.

Once a secure session is initiated, however, security cannot stop there. The organization must be confident that users entering the secure sessions are who they say they are-they must be positively identified.

Most organizations, unfortunately, choose fixed passwords to identify users, and fixed passwords are inherently weak. Many password attacks exist today-from hacking dictionaries to sniffers, from social engineering to personal information attacks. These tools-like the L0phtCrack brute-force password cracker -are readily available on dozens of Web sites, free to anyone with a Internet access. These attacks can easily compromise fixed passwords, no matter how stringent the organization’s password policy. In fact, organizations lose millions of dollars every year due to password breaches. In late 2002, an identity theft ring was exposed is the U.S. that had victimized over 30,000 people; the suspects allegedly stole passwords from credit agencies and banks, accessing credit reports and information, and costing customers over US$2.7 million.

Best defense: strong authentication

Passwords are easily compromised because there’s only one factor to possess: the password. With it, an attacker can access network systems again and again. With strong authentication, there are usually at least two factors. Often, these two factors are something you know, like a personal identification number, and something you have, which can be a hardware token, a digital certificate, a smart card, or other device. An ATM card is an excellent example of this: you must have the ATM card and know the PIN to access your accounts.

The user experience: logging on

When a strong authentication system with hardware tokens is put in place to protect a wireless LAN, a user requests access and is presented with an onscreen dialog box or prompt to enter a username and a one-time password. The user activates the hardware token in order to get the one-time password on the token screen, which must be typed in at the prompt in order to gain access to the requested resource. Once a one-time password is used, it can’t be re-used to gain access. This eliminates many of the vulnerabilities of fixed passwords, making sniffing, hacker dictionaries, personal information attacks, and other common password attacks useless to hackers.

The administrator experience: adding strong authentication

There are generally three ways to use strong authentication systems to protect wireless LANs:

1. EAP and 802.1X. Specialized authentication servers can interoperate with strong authentication services using the Extensible Authentication Protocol (EAP) and 802.1X infrastructure. This combination is much more secure than competing standards. EAP and 802.1X are used to control access to network devices, including wireless LANs. These standards have been embraced by a number of leading hardware and software vendors including Cisco, Microsoft, and Hewlett-Packard, and many products, designed for both wireless and wired networks, already implement these standard. Only certain types of EAP protocols, like TTLS (Tunneled Transport Layer Security) and PEAP (Protected EAP), support strong authentication.
2. Wireless access control appliances. Because Web-based authentication is easy to deploy, it is becoming more pervasive. One solution to use Web-based authentication with wireless LANs is called an access control appliance, a firewall-like device that sits between the wireless access point and the rest of the network. These appliances force wireless users to authenticate at the application level (typically from their Web browsers over HTTPS) before receiving access to the rest of the network. In this setup, anybody can connect to the wireless access point without authentication, but users must authenticate in order to get beyond the local subnet to organizations’ trusted networks. Interoperability with strong authentication systems is often accomplished using the RADIUS protocol.
3. Virtual private networks. VPNs are traditionally used to link internal networks across an insecure network, or for remote access. More and more organizations are using VPNs to wireless LAN connections by connecting the wireless client to an internal network via the VPN gateway through an encrypted tunnel. This ensures the authenticity and secrecy of the information as it is passes across insecure networks. To securely authenticate VPN users (whether wireless or not), strong authentication can be added (often using the common RADIUS protocol) to provide a high level of security recommended by experts.

The device experience: embedded in the BIOS
Some organizations prefer an extra layer of security: allowing authorized users only to access protected information from certain computers or workstations. While some authentication systems can recognize and authenticate IP addresses, there is now another way to identify devices. Many BIOS chips can utilize security software that embed security information directly on the BIOS. This information, similar to digital certificates, is recognized by some authentication systems, and ensures that users must access protected networks only from their assigned laptops or other BIOS-based devices.

The bottom line
Creating a secure tunnel for wireless access is a vital element of corporate security, but can be easily undermined by weak user passwords. Without strong authentication, attackers can often access back-end information just as easily as your authorized users.