Cisco develops WLAN security protocol to defeat password attacks

Computerworld - Cisco Systems Inc. has developed a new wireless LAN security protocol designed to defeat brute force dictionary attacks that capture a user's passwords, and it submitted a draft of the protocol to the Internet Engineering Task Force (IETF) on Monday.
Cisco developed the new WLAN Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling (EAP-FAST) to defeat dictionary attacks against unencrypted passwords in its earlier, proprietary Lightweight Extensible Authentication Protocol (LEAP). Cisco posted a security bulletin last August warning users that LEAP is vulnerable to such attacks (see story).
Ron Seide, WLAN product line manager at Cisco, said EAP-FAST protects against dictionary attacks by sending password authentication between a WLAN client and wireless LAN access points through a secure, encrypted tunnel. Seide added that EAP-FAST also eliminates the need for enterprises to install separate servers to handle the digital certificates used in another WLAN security system, the Protected Extensible Authentication Protocol (PEAP).
Seide said that Cisco believes that EAP-FAST complements PEAP as well as LEAP, "bringing together some of the key advantages of LEAP's convenience and flexibility with the password protection tunneling of PEAP".
According to Seide, Cisco submitted EAP-FAST to the IETF for inclusion in the 802.1x wireless LAN security protocol that is under development and expects to have it available for download for free from its Web site by the end of March. Seide said Cisco doesn't intend EAP-FAST as a replacement for LEAP but as an addition to its WLAN security suite of products, which includes PEAP.
Cisco also intends to make EAP-FAST available to partners in its Cisco Compatible Extensions (CCX) program, (see story) Seide said. Cisco's CCX wireless LAN chip partners include Intel Corp. and Atheros Communications Inc. Hardware manufacturers that are part of the CCX program include Dell Inc., Hewlett-Packard Co. and Toshiba Corp.
EAP-FAST will be available to CCX partners later this year, Seide said, but he didn't specify an exact date.
Enterprise users of Cisco WLAN products contacted by Computerworld said they have had little time to evaluate EAP-FAST since Cisco posted the draft just this week. Mark Wiesenberg, director of network services at Sharp HealthCare in San Diego, said his company "continues to study the area of wireless LAN security and is fully committed to using standards-based solutions. We will track how this proposal is received by the IETF and evaluate a position based on industry acceptance."
Joshua Wright, a systems engineer and deputy director of training at the SANS Institute in Bethesda, Md., called EAP-FAST an "excellent alternative" to PEAP or the