Home > Articles > Wireless LAN Security Bookmark page
Enterprise Level Wireless LAN Security
Author: George C. Ou, Network and Information Systems Architect

June 2002

Introduction………………......... The case for REAL Wireless LAN Security
The problem with WEP……....... Why Wired Equivalent Privacy is not so private
Interim solution with VPN……..Why VPN is not the best solution
Introducing 802.1x and EAP……The new gold standard in Wireless LAN Security
Various flavors of EAP…………The emergence of four EAP standards
Hardware requirements…………Compatible Client Adaptor and Access Points
Conclusion……………………… Security is worth every penny

As the promise of Wireless LANs become ever more enticing, the perils of your LAN security being split wide open becomes ever more daunting. The problem, Joe User (your typical technically savvy employee) can just walk down to the local computer store, buy a $100 Wireless Access Point and have Wireless LAN freedom in 15 minutes. Unfortunately, he just opened up your private internal network to the entire world because any one within range can now instantly bypass your firewall. Additionally, finding one of these rogue access points is no simple matter and when you finally manage to shut it down, another two pop up somewhere else. WEP (Wired Equivalent Privacy), the encryption protocol used by all WiFi 802.11b devices to secure the wireless network is at best implemented half the time. Even when WEP is implemented, the well publicized weaknesses of WEP add only minimal protection against the casual hacker. The only solution to this problem is to implement an official Wireless LAN with real Wireless LAN security while banning users from implementing their own Wireless Networks. Providing a convenient and secure alternative is the only way to enforce this ban on personal wireless networking. In this paper, we will examine the problems with WEP, the solution with 802.1x and EAP, and the concepts and implementation of an Enterprise worthy wireless LAN.

The problem with WEP:
During the inception of the 802.11 standards for wireless networking, a fundamental issue of wireless security needed to be resolved. Because the physical layer of wireless networking uses Radio Signals through the open air waves and not electrical signals through closed wires, there was no physical security of the wireless signal compared to that afforded by wired networking. WEP was created to address this fundamental liability. It was suppose to give wireless networks the equivalent privacy of wired networks by using 40 and 104 bit encryption. Unfortunately for what ever reason, their effort resulted in a Wired Equivalent Privacy that was not so private. Soon after the release of the 802.11b specification with WEP, security researchers discovered massive weaknesses in WEP due to it’s poor implementation of the RC4 encryption scheme. Well publicized papers like "Weaknesses in the Key Scheduling Algorithm of RC4" by Fluhrer, Mantin, and Shamir have spawned freeware applications like AirSnort and WEPCrack to first passively capture a data sample (100 to 1000 MBs) and crack WEP using non-brute force techniques in as little as a few hours. This means that anyone with a laptop and a 60 dollar 802.11b adapter can get behind your firewall with minimal time and effort even when maximum encryption is enforced.

Making the situation worse, the limited range of 802.11 products is no sanctuary against hackers because you can be attacked from well beyond your own parking lot. Ten dollars of parts from Radio Shack and a Pringles potato chip can will boost an 802.11 card’s 100 foot range to about 10 miles line of sight, not to mention what an industrial grade directional antenna can do to you.

Then to put the nail in the coffin, because the 802.11 standard has no facility to centrally manage or distribute keys, WEP is fatally crippled by the fact that WEP keys are the same for all users, all sessions and never changes. Attempting to manually change the WEP key is highly impractical due to the fact it requires you to manually communicate to every wireless user what the new WEP key is so that they can manually enter it in to their WEP settings. The final result is a WEP standard that is worthless for anything other than casual home web surfing.

Interim solution with VPN:
As a temporary measure to secure wireless networking, the IT industry began turning to IPSEC based VPNs with 3DES encryption. Sometimes, companies could even leverage their existing Internet based VPN infrastructure if they had the excess capacity but otherwise, cost considerations could become a major prohibitive factor. But even ignoring the cost issue, VPN is not the cure all solution due to several key issues.

The first problem is ease of use; wireless users must take the additional step of acquiring a VPN connection after they manage to acquire a wireless solution. Then any interruption in service (as is common with wireless networking) will drop the VPN connection forcing the user to reconnect to the VPN server often.

The second problem is QOS; because all of the wireless traffic is tunneled, it prevents quality of service from prioritizing traffic. Without QOS, certain applications that require priority handling may fail.

The third problem is security; although all wireless traffic is encrypted via VPN, the wireless LAN interface on the client machine is wide open. This is just like connecting to the public Internet without a firewall allowing hackers a free crack at your WLAN interface over the air or over the web. To address this issue, software based personal firewalls must be installed on the WLAN interface.

Several VPN vendors have sprung up to meet this challenge and address some of these issues by doing things like “Auto-Reconnect”, unfortunately none of them address the real issue of achieving true “Wired Equivalent Privacy”. This is not to say that VPN does not have a place in Wireless Networking because it does. Wireless ISPs or Wireless Hotspots such as Starbucks are the perfect place to use VPNs and is in fact the only appropriate solution in that scenario. This shares the same VPN infrastructure as Wired ISPs or Wired Hotspots and is identical in purpose and functionality. Being Wired or Wireless on the Internet makes no difference because you are on a hostile network to begin with. How ever, VPNs should not be used for Wireless LANs. This is where a true “Wired Equivalent Privacy” solution would make perfect sense allowing for a secure and direct VPN-free connection to your internal LAN.

Introducing 802.1x and EAP:
Soon after the IEEE recognized the shortcomings of WEP and 802.11, they quickly came up with the 802.1x and EAP solution. 802.1x is a standard for “Port Based Access Control” for both wired and wireless networking and in it self does not make wireless networking secure. But, in conjunction with the EAP (Extensible Authentication Protocol) standard, the gold standard in Wireless Network Security is born. 802.1x acts as the gate keeper while EAP acts as the authentication mechanism and the combination of the two makes it possible to resolve the biggest liability of WEP, Static User and Static Session Keys. User authentication is now mutually assured, WEP keys can now be centrally managed with policies and keys can be distributed securely. With this new key management and distribution infrastructure, WEP keys can now be unique for individual users and individual sessions. In addition, the key can be set to automatically expire every 10 minutes to force constant re-keying making it impossible to collect the 100-1000 Megabytes of data required to break WEP. “Wired Equivalent Privacy” can finally be a reality.

In the illustration below, the client first connects to the Access Point in an unauthorized state (this is the 802.1x portion) and is in restricted mode. Using EAP (Extensible Authentication Protocol), mutual authentication is performed. The exact type of EAP authentication is an open standard and based on vendor implementation and will be covered in detail later in this paper. Once mutual authentication is completed using EAP, the Access Point will switch to an authorized 802.1x mode allowing the Supplicant on to the internal network. Then each 10 minutes later (Administrator definable expiration), the session will time out forcing the EAP process to run again to buy another 10 minutes of wireless access. Note that the entire 802.1x and EAP process is fully transparent to the user and only takes a few milliseconds to complete.

Figure 1:

Various flavors of EAP:
Because the 802.1x and EAP are open standards, implementation is left to the individual vendors. As a result, four type of EAP have emerged as standards. But they all share the same underlying 802.1x and EAP architecture found in Figure 1. The only difference is in the way they implement mutual authentication for the EAP.
  • LEAP: Cisco Proprietary EAP implementation
  • EAP-TLS: IETF open standard with maximum vendor support and maximum security
  • EAP-MD5: IETF open standard with minimal security
  • EAP-TTLS: Funk Software's IETF open standard with great security
  • PEAP: Cisco/Microsoft/RSA IETF open standard with great security

Cisco was one of the first to market with their Lightweight EAP (LEAP) “standard” in December 2000. Actually, this is a very proprietary solution and initially only worked with Cisco 802.11 adapter cards, RADIUS Servers, and Cisco Access Points. Recently, Cisco began working with other vendors to make their software LEAP compliant. You now have some choice when choosing Client 802.11 PC Cards (with third party client support) and there are at least four other RADIUS (Remote Authentication Dial-In User Service) solutions that support LEAP. Some Laptop vendors even support this solution natively with their integrated 802.11 adaptors. Implementation of LEAP is relatively simple; Cisco’s ACS RADIUS can easily be tied in to your LDAP or NT Domain and user authentication is transparent. The only down side to this is that your password policy better be strong because LEAP is vulnerable to man in the middle dictionary attacks. But with a strong password policy, LEAP is a convenient and secure solution. But be warned! If a strong password policy is not strictly enforced, a sniffed password not only allows the hacker to get on the WLAN, but he also has the usernames and passwords to get on to your servers. Because LEAP was one of the earliest solutions to address the weaknesses of WEP and it has such a complete array of support for all major client operating systems, Cisco enjoys a dominant market share with LEAP in the wireless LAN space.

EAP-TLS (Transport Layer Security) is an open standard that is supported by nearly every vendor. TLS is the next version of the SSL (Secure Socket Layer) standard. It’s strength is that it is the most widely supported implementation of EAP and it requires the use of PKI (Public Key Infrastructure). PKI makes EAP-TLS extremely secure with the use of asymmetric Public and Private Keys on the Radius and Client side. It’s only down side is that implementing a PKI may appear daunting but could easily be implemented with a weeks worth of research or a few hours of consulting time. Microsoft is firmly entrenched in this camp and they have put native OS client support for EAP-TLS in Windows XP. Later this year, Microsoft will release support for Windows 2000, NT, 98, and Pocket PC. For the time being, you will have to use a third party solution like that provided by Meetinghouse Data Communications for non-XP operating systems. Even Cisco is now recommending dual support for LEAP and EAP-TLS. EAP-TLS is used as a fall back solution with version 3 of Cisco ACS RADIUS because Cisco realizes that most of the other vendors are not compatible with LEAP. Cost of implementing EAP-TLS is almost negligible if you use Microsoft RADIUS and PKI technology. This is because Microsoft’s IAS (Internet Authentication Service) RADIUS is bundled with the Windows 2000 server operating system and is as stable as any other solution in my experience. Because Microsoft recommends that you implement IAS on your Domain Controllers, there is no cost of an extra server nor are there additional licensing costs. The required PKI can be addressed by implementing the CA (Certificate Authority) service also bundled with Windows 2000 server and deployment of Client Certificates can be automated by Microsoft Active Directory Group Policies. Deployment, licensing and server cost is kept to a minimum. Bottom line, if you spend the time to learn and build the required infrastructure, you will get one of the most opened, secure and least expensive solution. The only additional burden over LEAP requirements is setting up a PKI in your organization. But, keep in mind that a PKI is extremely useful and can be used for many other things like L2TP VPN, EFS encrypted folders, digital code signing, email signing and encryption, SSL web pages, and so much more. Fortunately, this is just a one time set up and once EAP-TLS is fully implemented, it is almost completely maintenance free and transparent to the user.

EAP-MD5 is the least secure version of EAP because it is vulnerable to dictionary attacks and cannot support dynamic WEP. Although EAP-MD5 is an open standard supported by nearly every vendor, it is definitely not recommended for Wireless Networking due to the lack of security.

EAP-TTLS (Tunneled Transport Layer Security) is Funk software’s version of EAP using Funk’s Odyssey or Steel Belted RADIUS server. This is currently an IETF draft jointly authored by Funk Software and Certicom. EAP-TTLS requires Funk software’s Odyssey client or third party client software from vendors like MDC (Meetinghouse Data Communications). Funk’s selling point is that PKI Certificates are only required on the Authentication Server but not the Clients. Unlike TLS, Funk has an excellent range of OS support right now. This is definitely an advantage but the advantage is a small one due to the fact that Windows XP has unparallel seamless support for wireless networking. There are no reasons not to use Windows XP for wireless networking to begin with unless your IT department simply bans Windows XP outright. In general, TTLS is considered almost as secure as EAP-TLS while making deployment simpler. You don’t need a PKI because the RADIUS certificate can be bought from a third party public Certificate Authority for a small fee.

Cisco, Microsoft Corp. and RSA Security Inc is currently proposing a new RFC for PEAP (Protected Extensible Authentication Protocol) to address the needs of organizations that want a more convenient password based solution instead of the certificate based solution used by EAP-TLS. Similar to EAP-TTLS, it will require a certificate for the Authentication Server but not the Clients and use an encrypted channel for password transmission to mitigate dictionary attacks. PEAP products are now widely available.

Requirements for 802.1x and EAP:

  • Client Wireless Network Adaptor compatible with 802.1x
  • Client Access Software capable of EAP
  • Wireless Access Point (Base station) compatible with 802.1x and EAP
  • RADIUS compatible with EAP
  • Public Key Infrastructure

Almost all 802.11 Wireless Adapters support 802.1x and EAP-TLS natively with Windows XP. With older operating systems, 802.1x driver support depends on the vendor of the wireless adapter. For true Cisco LEAP support, you will need to purchase a Cisco PC Card. Only Cisco 802.11 adaptors support LEAP natively. Most client adapters are also compatible with Funk’s EAP-TTLS. Some of the Intersil Prism Wireless chipsets can emulate all four EAP standards with the aid of the MDC (Meetinghouse Data Communications) Aegis client although it does not achieve 100% compatibility. Most of the Orinoco adaptors cost $60 to $100 while the Cisco adapters cost $110 to $140. Integrated adapters from a Laptop vendor with full EAP-TLS support and LEAP emulation can cost as little as $50.

For Client Access Software, Windows XP provides OS native support for EAP-TLS. Support for older Windows operating systems like 2000, 98, NT, and Pocket PC will be added by Microsoft by the end of 2002. For LEAP support, Cisco's provides the only native client for LEAP support and it’s OS support is extensive. Cisco's Client is bundled with their Aironet Wireless Adaptors. Funk has their own Odyssey Client for native EAP-TTLS support and OS support is also excellent. Third Party solutions like that provided by MDC (Meetinghouse Data Communications) can offer EAP support for any of the four EAP types and some Integrated Wireless Solutions bundle the MDC solution. For the most part, 802.1x and EAP is exclusive to the Microsoft Windows platform. How ever, there are rare echoes of a Unix Supplicant.

For Access Points, only the industrial grade solutions will support 802.1x and EAP such as those from Agere (Lucent Spin Off), Cisco, Intel, Avaya, Buffalo Technology, 3Com, Enterasys, Intermec, Nokia, and Symbol. But you definitely need to check with the vendors on which of their product line supports 802.1x and your desired flavor of EAP. These high-end Access Points cost $400 to $1000 depending on the features included. Certainly this is a lot more expensive than the SOHO solutions that cost $100 to $200 but you get vastly superior features like Dynamic WEP, better antennas, upgradeable hardware and software, and better reliability than the cheap SOHO solutions.

For RADIUS support, you can use FreeRADIUS on Linux, Cisco's ACS/AR RADIUS, Funk Software's Odyssey or Steel Belted RADIUS, Interlink Networks, Open Systems Consultants, and Microsoft IAS (Bundled with Windows 2000). Pricing for the Linux and Microsoft Solutions are virtually free since Linux is open source and you can run IAS on your existing Domain Controllers. However, IAS is substantially easier to install and administrate and it has proven to be reliable. The other solutions range between $2000 and $6000 dollars. All of these RADIUS solutions support EAP-TLS. LEAP is supported by all but Microsoft and EAP-TTLS is only supported by Funk's solution.

PKI (Public Key Infrastructure) is required for the EAP-TLS solution. Microsoft Windows 2000 Server has the CA (Certificate Authority) Service bundled with the OS so pricing is extremely attractive. Much of the PKI can be put onto your existing Windows 2000 servers. You can also purchase certificates from public CAs like Verisign, but that is not recommended for practicality and pricing issues.

Side note:
While Cisco and funk have proprietary versions of EAP, Agere uses their own proprietary encryption scheme AS2000 that completely bypasses WEP and EAP while using 802.1x. How ever, all three vendors like nearly every other vendor support EAP-TLS.

Making the choice:
As you can see, you have quite a few options to choose from. It can be at tough decision to make considering that LEAP and EAP-TTLS has full OS support now but are locked to a single vendor while EAP-TLS is just the opposite with full vendor support but currently locked to a single OS. Possibly confusing the issue more, PEAP is on the horizon. The decision is made simpler if you already have some of the required infrastructure in place that can be leveraged for implementing a specific flavor of EAP or if you have strong preferences for a certain vendor. The ultimate direction of wireless LAN security will likely be EAP-TLS for maximum enterprise level security and PEAP’s pretty good security for small businesses that lack the skill set to implement a public key infrastructure. Cisco’s LEAP will continue to have a large legacy installed base for the next few years. But regardless of the lack of a single standard, make no mistake that WEP can and should be secured now with any of these three existing solutions. Fortunately, most of the hardware firmware and client software you buy now will be upgradeable in the future.

Security is worth every penny
For any business network where Wireless Encryption needs to hold beyond one day, the time for real wireless LAN security is now. 802.1x and EAP have finally brought us true “Wired Equivalent Privacy” by giving us dynamic WEP keys. The days that we can tolerate the cheap $100 SOHO solutions are long gone and even though this may seem like a steep investment, your company’s security should worth every penny. Overall security is about the weakest link. Your $100,000 firewall is useless if someone can run a simple bypass on a Rogue Access Point with or with out standard WEP.