|
When reports began circulating in mid-2001 that researchers had found the IEEE 802.11 WEP (Wired Equivalent Privacy) security system was vulnerable to attack, the news cooled an extremely hot wireless LAN market. Wireless technology's performance, interoperability and manageability continued to improve, while security loomed as an insurmountable hurdle.
Indeed, when Network Computing led a four-city "Solutions Summit" on WLANs (wireless LANs) late last year, nearly 80 percent of the 300 attendees identified security as the greatest obstacle to deployment of wireless LANs in their organizations. Our recent WLAN security reader poll confirmed these impressions. Fewer than one-third of the respondents said they would be willing to accept a little less security in exchange for the benefits of wireless network access.
But the biggest barrier to implementing WLAN is beginning to come down. If you're contemplating adding wireless LANs to boost productivity in your organization, you can implement a secure system. However, the IEEE 802.11 Task Group 1 has struggled to gain enough vendor consensus to get new wireless security standards out the door. On a more positive note, a broader and more robust set of products based on existing 802.1X standards has begun to appear in the market. In addition, a number of vendors have jumped on the obvious market opportunity and released WLAN security overlays that provide a range of enhanced services, addressing the major problems. Agere Systems, Cisco Systems, Proxim Corp., Symbol Technologies and others have enhanced their WLAN security offerings, though their solutions often force you to forsake multivendor interoperability.
In implementing a secure WLAN, you'll need to ante up to acquire security hardware and software and accept the burden of increased complexity. One size definitely does not fit all. First, you need to understand the key elements of a comprehensive WLAN security system. Next, you must assess your organization's level of risk aversion and the price you are willing to pay to achieve security. Finally, you have to understand the alternative systems available.
The Business Case for WLANs Organizations have long recognized that providing mobile access to information using WLANs can improve the bottom line. In one of the most systematic studies of WLAN benefits, NOP World Technology, a British research outfit owned by United Business Media, concluded that companies implementing WLAN technology can increase the amount of time an enterprise network is available by 70 minutes per day for the average user, boosting his or her productivity by as much as 22 percent. This study did a good job of identifying the types of organizations that benefit most from WLAN deployment and the types of applications for which the technology is best suited. If the employees in your organization spend all day, every day, glued to the computers in their cubicles and don't have much need for mobility, you won't see many benefits from a WLAN, save perhaps for reduced wiring costs. At the other extreme, if mobile access to information can transform your business processes, you can look forward to some significant ROI (return on investment). Most of us work in organizations that fall somewhere in-between. And in many cases, WLANs are just a convenience. Sure, it would be nice to be able to access e-mail and the Web from conference rooms, cafeterias and other quasi-public spaces, but can you justify such an investment if one of the costs is diminished security? Some organizations feel security trade-offs may be worthwhile. In fact, in a TNS Intersearch study commissioned by Microsoft, only 42 percent of sites that had installed WLANs had implemented authentication systems. Some of these sites undoubtedly implement their internal WLANs "outside the firewall," providing limited access to internal systems. When users need more sensitive information, you can provide them with VPN connections, just as you do for dial-up, DSL and cable-modem users. That's all well and good, but you still may be vulnerable to war-driving or other external attacks, in which users outside your organization gain access to your Internet connection or to insecure internal systems where they can mount further attacks. The equation gets more complex when your goal is to provide truly mobile wireless access to secure information systems. For many organizations, that's where the long-term ROI can be found. It's not that tough to imagine the benefits of anytime, anywhere information access to people equipped with wireless-enabled mobile devices like PDAs. Just having Web and e-mail access can be a huge boon to mobile professionals and their employers. IEEE 802.11 Security Basics One measure of a standard's success is the degree to which it encourages competition and makes technology more cost-effective for users. By this measure, 802.11b/WiFi has been an unbelievable triumph. Wireless NICs that cost $500 a few years ago are now available for less than $100 and are five times as fast to boot. That's progress even Gordon Moore couldn't predict. However, another measure of success is the degree to which a standard anticipates and addresses future implementation issues. TCP/IP, for example, crafted more than 30 years ago, has withstood the test of time. By that yardstick, IEEE 802.11's ongoing changes at both the physical and the data-link layers, together with minimal security capabilities, make it easy for us to second-guess the designers. Of course, it took nearly seven years to develop the initial 802.11 standard. Making it secure from day one would have taken longer. The bottom line is that the 802.11 standard failed to deliver any workable security provisions that would pass muster with enterprise administrators. In the early days, people thought of 802.11's ESSID (extended service set identifier), a string that was defined for each access point, as a wireless password. But implementers soon discovered that the access points routinely broadcast these "wireless passwords" over the LAN. Even when broadcasting was disabled, the strings could be extracted in clear text, from the management frames passed by wireless clients and access points. Today, ESSIDs often are detected automatically by WLAN clients, letting users connect to wireless networks transparently, provided no other security points exist. Since the standard doesn't provide an authentication framework, sites sometimes implement MAC (Media Access Control) address restrictions to control access to the network. However, this approach is an administrative burden and is vulnerable to address spoofing, and it ties access to the device (which can be stolen) rather than to the user. Finally, there's wired equivalent privacy--or WEP. Yes, it provides privacy equivalent to the privacy you had on your wired LAN, as long as that LAN had no privacy whatsoever. Noted security experts Scott Fluhrer, Itsik Mantin and Adi Shamir pulled WEP's pants down in 2001, and lots of faces turned red (see "WEP Has No Clothes," page 44). But even if they hadn't exposed the weaknesses in the underlying encryption system, WEP's static shared-key architecture has little appeal for enterprise IT professionals. Clearly, there's a need for privacy based on dynamic session keys that are distributed after a robust authentication. APA ASAP Authentication, privacy and access control (or authorization) are the three key services necessary for a comprehensive wireless LAN security implementation. In some organizations, accounting is also important to track usage (think wireless hot spots in hotels and airports). Although each of these security services can be delivered, your challenge is to ensure they are reliable, interoperable, scalable and cost-effective. And if you want to deliver these solutions soon, the systems better be flexible enough to integrate with existing mobile devices and infrastructure. In many environments, the No. 1 need is for a WLAN security system that authenticates users via an existing user ID and password. In a recent reader poll, 79 percent of our respondents said authentication is mandatory, and another 13 percent said they consider it desirable. In some WLAN systems, authentication is transparent, with the standard Windows login information passed to a wireless authentication system. In other cases, users are given enough initial network access to pass credentials to a Web-based authentication server, and if the process is successful, they are given extended network access. In more sophisticated implementations, a server authenticates the users, and they, in turn, authenticate the wireless network to ensure they are not being seduced by rogue access points. The IEEE 802.1x protocol, used in conjunction with EAP (RFC 2284), is the key component for future standards-based WLAN authentication, and while most of the enterprise-oriented WLAN vendors have built 802.1x support into their newest access points, the availability and interoperability of 802.1x clients are somewhat limited. Privacy (encryption) services are commonly linked to authentication such that unique per-session keys are distributed at the time of authentication. In our poll, 99 percent of respondents said encryption is mandatory or desirable. Unfortunately, today's most widely implemented WLAN encryption standard, WEP, requires frequent rekeying to be effective. In the long run, the industry will implement AES (Advanced Encryption Standard), which is more robust, but that transition will require new hardware. WLAN chipsets are just beginning to ship with integrated AES encryption. An interim fix to WEP is the TKIP (Temporal Key Integrity Protocol), which overcomes some of WEP's known vulnerabilities without requiring hardware replacement. But most would agree that TKIP is more of a tactical bandage than a strategic cure. Controlling user and group access to specific servers and applications based on credentials is an important element of many enterprise networks. Even though access control is arguably one of the most critical security services (96 percent of our poll respondents said it's mandatory or desirable), it is not effectively addressed in emerging WLAN standards. In fairness to the IEEE 802.11 committee, access control is often seen as a component of policy-based network management, which should be applied to all wired and wireless LAN technologies at higher protocol layers. Likewise, accounting, which is important for some enterprise environments and critical to the emerging WLAN hot-spots market, is an element that will be managed up the stack. The Wireless VPN Solution You may think that a simple solution to WLAN security exists in the form of VPN technology. But while VPNs may solve key problems associated with WLAN security, they aren't a panacea--at least not yet. VPN gateways are implemented within many organizations at the boundary of the enterprise LAN and the Internet to provide secure remote access for dial-up, DSL, cable-modem and extranet users. Today's VPNs aim to provide authentication and privacy, but they also can be integrated with firewall software to control access and with traffic-shaping software to limit bandwidth consumption by application, user or group. Implementing a VPN for WLAN security presents challenges. If you want to use a single VPN gateway to secure all WLAN traffic, all that traffic will need to funnel through a connection to the VPN. In many organizations, a distinct wireless network is created and connected to other internal networks by a VPN gateway. You'll need to have appropriate Ethernet network infrastructure, including plenty of bandwidth and VLAN capabilities, to support this separation. In addition, as with any VPN, you'll need to ensure that all users have appropriately configured VPN clients, which may require a software installation on every mobile device. Many organizations are implementing generic VPNs to provide wireless LAN security, but a number of new products can enhance VPN capabilities to meet wireless users' unique needs. In some cases, this may involve more sophisticated policy-based access controls. In other cases, it may include supporting VPN access while users roam between access points not only on the same subnet but also between subnets, with session-persistence capabilities to ensure that applications are not interrupted. The Future Vision Today's market for WLAN security primarily comprises third-party infrastructure overlays. In the future, we hope to see more wireless security capabilities built into the client OSs and the infrastructure equipment. Microsoft, for example, has implemented 802.1x authentication in Windows XP, though interoperability challenges still loom. And the major enterprise-oriented access-point vendors are including 802.1x support in their products. In our poll, 87 percent of respondents said they shouldn't need to turn to third-party products for security. Are those respondents naive, or are vendors and standards bodies simply trailing demand? The answer probably falls somewhere in the middle. Although most IT managers understand the unique security challenges WLANs pose, implementing robust wireless security doesn't make much sense without taking adequate steps to secure more traditional systems. Thus you should look to establish comprehensive security policies backed by integrated systems that address all their needs, not just the protection of mobile users. Even if you've been lax in implementing security on legacy systems, often because it would inconvenience users, you have a chance to take a stand on wireless. In this sense, wireless may provide an opportunity for security officers seeking to correct past ills. Meantime, your choices are somewhat more tactical in nature, and they aren't cheap. However, if the benefits of mobility are visible on the bottom line, you can indeed engineer a system that won't keep you awake at night. Dave Molta is a senior technology editor of Network Computing. He is also an assistant professor in the School of Information Studies at Syracuse University and director of the university's Center for Emerging Network Technologies. Cornell W. Robinson III is a freelance reviewer and a research associate at the Center for Emerging Network Technologies. Send your comments on this article to them at
This e-mail address is being protected from spam bots, you need JavaScript enabled to view it
Executive Summary: WLAN Security | 
|
Despite the demise of WEP as a wireless security standard, the wireless LAN industry has cleared many hurdles. WLANs are faster, more manageable and more interoperable than ever. But thanks to the demise of WEP, security remains an obstacle to this growing market. If you want a secure WLAN--and indeed, our research shows that you do--you need to invest in new hardware and software, and accept the complexity and cost of the new equipment. And you may need to sacrifice multivendor interoperability too. Nevertheless, you can implement a secure wireless LAN, with the appropriate levels of authentication, privacy and access control. One option is to implement a VPN; however, that solution is fraught with challenges. Recently, several vendors have come up with products that offer authentication, encryption and access-control services that make WLANs more feasible than ever. We tested six such solutions, from Bluesocket, Columbitech, Ecutel, NetMotion Wireless, ReefEdge and SMC. Bluesocket WG-1000 Wireless Gateway, ReefEdge Connect System and SMC EliteConnect WLAN Security System are hardware-based, while Columbitech Wireless VPN, Ecutel Viatores M-VPN and NetMotion Mobility are Microsoft Windows-based software--though the distinction had little effect on the outcome of our tests. Ultimately, SMC's product, which is manufactured and marketed under a different label by Vernier, impressed us as a secure solution with the best set of features, as well as top-notch configuration and management tools, and earned our Editor's Choice award.
| WEP Has No Clothes | |
Wired Equivalent Privacy was the foundation for WLAN privacy services until its deficiencies were exposed. Here are pointers to some of the key research that burst the WEP bubble: • Nikita Borisov, Ian Goldberg and David Wagner paper, July 2001, documents flaws in WEP that the authors attribute to misapplication of cryptographic primitives. • Scott Fluhrer, Itsik Mantin and Adi Shamir paper, July 2001, describes weaknesses in the key-scheduling algorithm of RC4, using 802.11 as an example of an insecure RC4-based system. • Adam Stubblefield, John Ioannidis and Aviel D. Rubin paper, August 2001, documents passive attack, based on Fluhrer, Mantin and Shamir paper, on 128-bit WEP that can result in key retrieval within 15 minutes. Concludes "WEP is totally insecure."
| WLAN Security Research | |
Building Secure Wireless Local Area Networks
Pierre Trudeau, Colubris Networks, 2001 This white paper provides an overview of the challenges faced to secure WLANs. Instead of having you place the burden on the physical layer, it advocates that network administrators concentrate on the network layer. The author establishes the need to create secure end-to-end connections between stations, instead of encrypting radio transmissions. VPN is chosen as the best solution to secure a WLAN, and specific implementation approaches are explained for enterprise, public and home/SOHO environments. Wireless 802.11 LAN Security: Understanding the Key Issues
System Experts, January 2002 This white paper includes a basic view of the current stage of WLAN security. It addresses the individual security issues that affect each component of the network and provides real examples and practical recommendations to address these issues and make things better. Finally, it provides a brief safety statement about 802.11-based hot spots (public WLANs). Serious WLAN Security Threats Part I |Part II
Gerry Blackwell, 80211-planet.com, January 7/14, 2002 A two-part guide that defines the major threats to 802.11 technology and provides the author's recommended techniques to make WLANs more secure. Blackwell security tips are classified in two categories: those that work on the enterprise network side (firewall, RADIUS, encryption and VPN); and those that work on the wireless LAN side (WEP, SSID, broadcast, access points, intrusion detection and DHCP). Wireless Insecurities
Dale Gardner, Information Security Magazine, January 2002 After stressing the importance of securing the wireless LAN environment, the article analyzes what the author considers the weakest point in wireless network security: handheld devices. It contains information on both physical and operating system security. After his considerations on handhelds, Gardner then turns to the subject of how to protect WLAN. Here Gardner includes information on the tools used by wireless network crackers (he refers to them as "war drivers") and the tools available from different vendors to increase WLAN security. He also addresses the use of VPN as one of the most effective tools of protection in a WLAN environment. Finally he includes a section with recommendations to secure the network. Securing Air
Andy Briney, Information Security Magazine, January 2002 This article is based on a personal experience by the magazine's editor trying to see how secure WLANs are. "Betcha didn't know that wireless networks in Seattle are more secure than those in Los Angeles. Why? Simple. When rainwater collects on a window, it essentially decreases the strength of a wireless signal. The glass becomes more like a mirror, deflecting packets and reducing the range and persistence of any wireless connection -- including rogue ones."
link: http://www.nwc.com/1312/1312f1.html |
