Commentary: War rages over 802.11x security

Not long ago, when wireless networking was new and rare, security was an afterthought. The reason? The scarcity of 802.11b cards acted as a form of back-handed security. If no one had an 802.11b card, outsiders couldn't very well scan your setup, right?

Now, however, that's changed. Wireless gear is readily available--and cheap--so that almost anyone with a PC can afford a Wi-Fi network card, making security more vital.

Why? Ever hear of "war driving"? War driving is the updated version of "war dialing"--popularized in the 1980s by the movie War Games--in which a PC dials number after number attempting to locate other modems. In war driving, you take an 802.11b-equipped notebook, the right software and, well, drive around scanning for 802.11b access points (APs).

YES

For example, with a utility like Marius Milner's nicely done Network Stumbler, pinpointing and cataloging any AP in the area is child's play. Network Stumbler scans for networks roughly every second and logs all the networks it runs into--including the real SSIDs, the AP's MAC address, the best signal-to-noise ratio encountered, and the time you crossed into the network's space. If you add a GPS receiver to the notebook, the program even logs the exact latitude and longitude of the AP.

Milner didn't create Network Stumbler for any nefarious purpose, but rather to learn more about wireless networking and to aid in public-access wireless networking projects. I use the program myself during wireless network installs to test coverage and APs.

Still, those with more devious intentions can use the same tactics to locate unsecured corporate APs behind the firewall. That means everything on the network is potentially accessible. Remember the old saying, "Fool me once, shame on you. Fool me twice, shame on me"? Well, any company that finds its carefully protected network has a wide-open back door when someone sets up a "test" 802.11b AP will likely take steps so it's not fooled again.

How so? For starters, by making sure that any use of corporate wireless networking includes Wired Equivalent Privacy (WEP) and authentication systems. In the face of a determined attack, WEP--which isn't perfect by a long shot--makes it more difficult for the attacker to succeed.

In the meantime, the IEEE 802.11 Task Group I of the 802.11 Working Group is working on a draft text to "enhance the current 802.11 MAC to provide improvements in security." Although everyone recognizes the need for additional wireless security, the Task Group's conclusions and recommendations have raised concerns.

For example, the IEEE 802.11 Task Group I's latest full meeting in May basically settled on making Kerberos authentication mandatory and left open the possibility of requiring new and additional authentication methods (such as RADIUS). Additionally, a motion to remove WEP2, which improves on WEP but doesn't completely address the need for easy, strong encryption, failed. While WEP is acknowledged to have serious problems, WEP2's sliding window algorithm makes breeching more difficult for attackers. WEP2's improvements include 128-bit encryption keys and better encryption algorithms. But since it's based on the same RC4 encryption and key system as WEP, it's vulnerable to the same attacks.

But the Kerberos mandate was one of the major points of disagreement. "The complexity of deploying Kerberos at layer two pushes the solution in the wrong direction," says Dave Juitt, chief security architect at Bluesocket. "The fundamental problem is trying to trick the link layer into performing bulk encryption in a point-to-multipoint fashion. That's where client/server networking comes into play. This is really a VPN issue."

Juitt further notes that the IEEE 802.11 Task Group I has conceded that security provisions need to improve. The group has already examined one proposal to scrap the inclusion of Kerberos altogether--though talk of giving Kerberos the boot is apparently yielding to the need to have a recognized authentication scheme in place, soon. Nonetheless, Juitt believes that "having a full-blown Kerberos implementation in every AP is not going to fly." And that's an understatement if I ever heard one because the issues are complex indeed.

In the near term I foresee that something like RADIUS authentication will be necessary to track metered public access usage, which many installations and APs already support, thereby offloading the authentication from APs altogether. Such systems will still remain fairly open. In the enterprise, however, VPNs and WEP--along with RADIUS and other authentication systems--are going to become the mandated norm in short order.

Layering VPN and WEP on an 802.11b link produces a substantial performance hit, but if we're lucky, 802.11a equipment will hit the scene by the end of this year. Of course, since 802.11a uses the 5GHz Unlicensed National Information Infrastructure band to push raw maximum throughput to 54Mbps, it isn't compatible with 802.11b. But 54Mbps, even slowed by enhanced security measures, is a wireless speed I think we can all live with for the next few years, especially in the name of added security.