Hospitals back off Cisco LEAP security for WLANs

Computerworld - For some health care IT managers, Cisco Systems Inc.'s wireless LAN authentication protocol's vulnerability to attacks aimed at discovering passwords is reinforcing the importance of developing multilayered approaches to securing their networks.
Several users this week said they have already adopted or plan to install a mix of WLAN authentication and encryption protocols to ensure that their companies comply with the data privacy requirements of the federal Health Insurance Portability and Accountability Act.
Chris Lenaghen, a network engineer at St. Alphonsus Regional Medical Center in Boise, Idaho, said he views Cisco's Lightweight Extensible Authentication Protocol (LEAP) as "a temporary solution" until the hospital can install an updated version of Novell Inc.'s Extend Director software.
The Novell software supports the Lightweight Directory Access Protocol (LDAP), which Lenaghen said should make it harder for malicious hackers to run so-called dictionary attacks against the hospital's WLAN. St. Alphonsus will speed up its move from LEAP to LDAP because of the Cisco technology's vulnerability, Lenaghen said.
Cisco disclosed in early August that LEAP could be compromised by dictionary attacks. At a conference earlier this month, Joshua Wright, a systems engineer at Johnson & Wales University in Providence, R.I., demonstrated such an attack using a tool he developed (see story). In an interview this week, Wright said he plans to make the attack tool publicly available in February (see story).
Gene Gretzer, a senior analyst and project leader for access technologies at St. Luke's Episcopal Health System in Houston, said the health care provider uses LEAP to help secure 100 wireless access-point devices made by Cisco. But St. Luke's also controls WLAN access through a database of Media Access Control (MAC) addresses and use of the Advanced Encryption Standard.
Miami Children's Hospital in Coral Gables, Fla., has taken a layered approach to WLAN security as well, said Alex Naveira, its chief information security officer. In addition to LEAP, the hospital is using MAC address authentication and 128-bit Secure Sockets Layer encryption.
Ron Seide, product line manager at Cisco's wireless business unit, agreed that many organizations need stronger authentication capabilities than LEAP provides.
He said Cisco recommends that such users install the Protected Extensible Authentication Protocol (PEAP), which relies on digital certificates to control network access. PEAP was co-developed by Cisco, Microsoft Corp. and RSA Security Inc.