Wi-Fi Plays Defense

The new 802.11i wireless LAN security standard is a step forward, but Wi-Fi LANs still aren't impervious to attacks.

Unbounded by the physical constraints of cabling and walls, wireless LANs have proved tricky to secure. Now that the long-awaited 802.11i standard for enhanced WLAN security has been ratified, can IT assume that WLANs have grown as secure as their cabled counterparts?

Hardly.

It will take time for vendors to migrate their products to 802.11i, approved in June, and for IT organizations to adopt them. And the Wi-Fi Alliance won't even start interoperability testing of 802.11i products until next month.

More important, 802.11i represents just the finishing touch to a series of steps in wireless security standards development. Much of it has already been available for about 18 months in an 802.11i subset called Wi-Fi Protected Access (WPA). And while standards-based security technology plays a big part in protecting enterprises, the issues reach beyond a signed set of technical specs.

For example, there's a broad installed base of specialized client devices, such as bar code scanners, that run the MS-DOS operating system. They are not upgradable, even to earlier versions of authentication and encryption, let alone to 802.11i, which requires Advanced Encryption Standard protection. AES will require hardware upgrades - even for far newer products. As enterprises expand their WLANs, these legacy devices might well become the weakest link in the wireless security chain.

And some administrators lack confidence in their ability to properly implement the various pieces of WLAN security, particularly since new attacks regularly make headlines.

Asserts Pete Davis, assistant network engineer for the Spring Independent School District in Spring, Texas, "It requires much time and effort to determine what's real and what's market-speak. There's a lot of FUD [fear, uncertainty and doubt] being spread about wireless security."

Technology Headway

The formal 802.11i standard, which includes WPA, does bolster the confidentiality and integrity of WLANs. Tom Hagin, vice president of the wireless business practice at integrator NetXperts Inc. in San Ramon, Calif., says the standard has taken Wi-Fi security "from prepuberty to just past puberty."

"In the past six months, we haven't had anyone say they weren't going to install wireless because it isn't secure. Prior to that, we did," he says.

WPA, available in many WLAN network interface cards (NIC) and access points (AP), was developed after university researchers demonstrated in 2001 the ease with which hackers could break the static encryption keys in 802.11's Wired Equivalent Privacy (WEP) mechanism. WPA's Temporal Key Integrity Protocol (TKIP) derives a fresh encryption key for every packet and adds a message integrity check, so captured traffic is much harder to crack. WPA also uses the industry-standard 802.1x framework for strong user authentication.

And AES, the U.S. government block-cipher standard, which 802.11i uses in its CCMP mode with 128-bit keys, replaces the RC4 stream cipher that both WEP and WPA's TKIP use.

Still, "WPA will be good for three to five years before those smart kids who broke WEP break RC4. Then everyone will need AES," says Michael Disabato, an analyst at Burton Group in Midvale, Utah. 802.11i also specifies preauthentication and key caching so that a client can roam between APs without repeating the full 802.1x exchange (handoffs in the 25-msec range), and a simpler pre-shared-key mode for small WLANs that have no authentication server.

Practical Limits

But technology can solve only so much. Through 2006, 70% of successful Wi-Fi attacks will occur as a result of the misconfiguration of APs and client software, according to Gartner Inc.

This is why the Bethesda, Md.-based SANS Institute, which offers information security training and certification, recommends regular wireless audits. "AES is great," says Joshua Wright, deputy director of training. "But if people don't audit their networks, they might not know that a misconfigured AP isn't using it. This is low-hanging fruit for attackers."

Conducting audits requires tasks on both the wired and wireless sides of the network. First, says Wright, administrators should regularly download each AP's configuration and make sure it accurately reflects the organization's internal security policies.

For example, if an enterprise has adopted 802.1x and has selected Protected Extensible Authentication Protocol, one of several available authentication methods, network administrators should regularly check that all APs are indeed configured for PEAP.

In addition, airborne packets should be regularly examined using a wireless protocol analyzer to verify that they are actually using the EAP method selected. "Sometimes settings on APs have not been applied and do not kick in," Wright says.
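One way to automate the over-the-air half of that audit, as an added example that is not code from the article, from SANS or from any vendor: every beacon an AP transmits carries an RSN (802.11i) information element that advertises the cipher suites and key-management method the AP will actually negotiate, so a short parser over captured frames shows whether AES is really in effect on each AP, whatever its saved configuration says. The script below decodes the RSN and legacy WPA elements from a beacon body and checks them against an assumed site policy of CCMP-AES with 802.1x key management; the three beacon bodies at the bottom are constructed inline, not real captures. The EAP method itself (PEAP versus others) does not appear in beacons and still has to be confirmed from a captured EAP exchange.

```python
"""Over-the-air WLAN audit: decode the security elements an access point
advertises in its beacons and compare them with site policy.

Added example, not code from the article or from any vendor; the beacon
bodies at the bottom are constructed here for illustration.
"""
import struct

RSN_OUI = b"\x00\x0f\xac"  # IEEE 802.11i suite selectors
WPA_OUI = b"\x00\x50\xf2"  # pre-standard WPA suite selectors
CIPHER = {1: "WEP-40", 2: "TKIP", 4: "CCMP-AES", 5: "WEP-104"}
AKM = {1: "802.1X", 2: "PSK"}

# Site policy assumed for this example: AES only, no pre-shared keys.
POLICY = {"group": {"CCMP-AES"}, "pairwise": {"CCMP-AES"}, "akm": {"802.1X"}}


def _suite(data, off, oui, names):
    """Decode one 4-byte suite selector (3-byte OUI + 1-byte type)."""
    if data[off:off + 3] != oui:
        return f"vendor-{data[off:off + 3].hex()}-{data[off + 3]}"
    return names.get(data[off + 3], f"type-{data[off + 3]}")


def _suite_list(data, off, oui, names):
    """Decode a little-endian count followed by that many suite selectors."""
    (count,) = struct.unpack_from("<H", data, off)
    off += 2
    suites = [_suite(data, off + 4 * i, oui, names) for i in range(count)]
    return suites, off + 4 * count


def parse_security_ie(data, oui):
    """Parse an RSN element body (or a WPA element body after its OUI/type header)."""
    (version,) = struct.unpack_from("<H", data, 0)
    pairwise, off = _suite_list(data, 6, oui, CIPHER)
    akm, _ = _suite_list(data, off, oui, AKM)
    return {"version": version, "group": _suite(data, 2, oui, CIPHER),
            "pairwise": pairwise, "akm": akm}


def parse_beacon(body):
    """Walk a beacon/probe-response body: 12 fixed bytes, then tagged elements."""
    _timestamp, _interval, caps = struct.unpack_from("<QHH", body, 0)
    info = {"ssid": None, "privacy": bool(caps & 0x0010), "rsn": None, "wpa": None}
    off = 12
    while off + 2 <= len(body):
        eid, elen = body[off], body[off + 1]
        val = body[off + 2:off + 2 + elen]
        off += 2 + elen
        if eid == 0:
            info["ssid"] = val.decode("utf-8", "replace")
        elif eid == 48:                                    # RSN (802.11i)
            info["rsn"] = parse_security_ie(val, RSN_OUI)
        elif eid == 221 and val[:4] == WPA_OUI + b"\x01":  # vendor-specific WPA
            info["wpa"] = parse_security_ie(val[4:], WPA_OUI)
    return info


def audit(info, policy=POLICY):
    """Return the list of policy violations for one AP (empty means compliant)."""
    rsn, findings = info["rsn"], []
    if rsn is None:
        if info["wpa"] is not None:
            findings.append("advertises legacy WPA (TKIP/RC4) but no 802.11i RSN element")
        elif info["privacy"]:
            findings.append("privacy bit set with no RSN/WPA element: static WEP")
        else:
            findings.append("open network: no encryption advertised")
        return findings
    if info["wpa"] is not None:
        findings.append("mixed mode: legacy WPA advertised alongside RSN")
    if rsn["group"] not in policy["group"]:
        findings.append(f"group cipher {rsn['group']} not allowed")
    findings += [f"pairwise cipher {c} not allowed" for c in rsn["pairwise"] if c not in policy["pairwise"]]
    findings += [f"key management {a} not allowed" for a in rsn["akm"] if a not in policy["akm"]]
    return findings


# --- constructed sample beacons (not real captures) ---------------------------
def _ie(eid, body):
    return bytes([eid, len(body)]) + body


def _rsn(group, pairwise, akm):
    body = struct.pack("<H", 1) + RSN_OUI + bytes([group])
    body += struct.pack("<H", len(pairwise)) + b"".join(RSN_OUI + bytes([p]) for p in pairwise)
    body += struct.pack("<H", len(akm)) + b"".join(RSN_OUI + bytes([a]) for a in akm)
    return _ie(48, body + struct.pack("<H", 0))        # trailing RSN capabilities


FIXED = struct.pack("<QHH", 0, 100, 0x0011)             # timestamp, 100 TU interval, ESS+privacy
GOOD_AP = FIXED + _ie(0, b"corp-wlan") + _rsn(4, [4], [1])      # CCMP group+pairwise, 802.1X
MIXED_AP = FIXED + _ie(0, b"corp-wlan") + _rsn(2, [2, 4], [2])  # TKIP group, TKIP+CCMP, PSK
WEP_AP = FIXED + _ie(0, b"scanners")                            # privacy bit set, no RSN/WPA

if __name__ == "__main__":
    for name, frame in (("good", GOOD_AP), ("mixed", MIXED_AP), ("wep", WEP_AP)):
        print(name, audit(parse_beacon(frame)) or ["compliant"])
```

In practice the frame bodies come from a monitor-mode capture (one beacon per BSSID is enough), and the findings list is joined to the AP inventory pulled on the wired side so that an AP advertising TKIP or PSK can be matched to the configuration that was supposed to have been applied to it.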

Another recommended practice is treating the WLAN as an untrusted network, like the Internet, and putting a firewall or gateway where wireless and wired networks meet. Though this is a well-established guideline, "a lot of companies don't do it," observes Davis.

The Spring school district, however, has deployed the internal firewalling capabilities in Aruba Wireless Networks Inc.'s WLAN switches.

"We have an apartment complex behind us, and outsiders could poach on our Internet connection [without the firewall]," Davis notes. "Our district could be held accountable if they did nefarious things using our source network address."

Davis says the setup also lets him use an access control list to determine which network resources are available to each user in the 26,700-student, 25-school district. Wireless gateways from companies such as Bluesocket Inc. and Vernier Networks Inc. provide similar access control list functions.

It is not obvious to all network implementers how to glue the many available security mechanisms together. "Wi-Fi security is not something that you can set and forget," says Boris Shubin, director of IT at Dunkin' Donuts Inc., which recently deployed a wireless speech-recognition-based picking system in its Swedesboro, N.J., warehouse using centralized WLAN switches from Airespace Inc. "APs ship wide open. WLAN security is iffy; it's a very high-touch standard."

Dunkin' Donuts uses media access control (MAC) address filtering to keep suspicious packets off its network. If a client's source MAC address isn't on an approved list in the switch, it isn't allowed access.

Disabato says MAC filtering works but isn't scalable. "You have to change your system if a card breaks. If a guest leaves, you have to remember to remove their MAC address," he says. Such labor-intensive approaches tend to be less secure simply because they are error-prone. A MAC address is also sent in the clear in every frame, so a filter turns away casual connections but not an attacker who copies an approved address onto his own card.

Even the world's largest WLAN operator -- Microsoft Corp. -- isn't using WPA yet on its 4,500-AP WLAN, built on APs from Cisco Systems Inc. Many of Microsoft's older APs are first-generation technology and are not WPA-capable.

Microsoft is poised to make a wholesale change to its global WLAN infrastructure, which supports about 100,000 unique mobile devices. "11i is our main goal, but we can't move to it yet because no NICs support it," says Don Berry, the wireless network engineer who has overseen Microsoft's global WLAN implementation since 1999.

"We're assessing what the various EAP security strengths are," he says. "What will it take to live day to day using a particular method? How many servers would each type require? What's the security strength of each?"

Which EAP?

Most enterprises will select an EAP authentication method based on the type of database they have, says Dave Halasz, who chaired the 802.11i Task Group and is manager of software systems in Cisco's wireless networking business unit. "If you don't already have a certificate database for authenticating users, you might not put one in just for wireless," he says.

In fact, notes Kevin Tseng, senior wireless engineer at NetVersant Solutions, a systems integrator in Seattle, "most companies do not run a public-key infrastructure," which is required for EAP methods that use both client-side and server-side certificates, such as EAP-Transport Layer Security (EAP-TLS).

Cisco's broadly deployed Lightweight EAP (LEAP) supports easier-to-manage username/password schemes, but its MS-CHAP-style challenge/response travels unprotected over the air, so an eavesdropper can capture it and test candidate passwords off-line; shops that can't enforce strong password policies are therefore prone to dictionary attacks. LEAP also supports mutual authentication, an 802.11i recommendation, as do PEAP and another common method, EAP-Tunneled Transport Layer Security (EAP-TTLS); those two wrap the password exchange inside a TLS tunnel that needs only a server-side certificate, which is what blunts the off-line attack.

"But these are mostly supported in smart clients such as laptops," says Tseng. "Scanners for tracking inventory don't support them." He estimates that less than 30% of devices in the field are outfitted with mutual authentication today, leaving many deployments exposed.

Still, WLAN security has come a long way, says Disabato. "Two years ago, people who hadn't been antenna-heads for very long didn't even understand that walls don't stop signals. Now that people are thinking of networks radiating in a 360-degree sphere, they're doing much better."

Wexler is a freelance writer in Silicon Valley. Contact her at joanie@jwexler.com.

Copyright © 2004 IDG Communications, Inc.
