Got VPN? You'll still want new 802.1x hotspot


Recently, T-Mobile announced that they are the first U.S. wireless carrier to implement 802.1x (IEEE port-based authentication, also known as Dot1x). This is a huge improvement in the security and robustness of wireless LAN hotspots, and all other hotspot vendors should follow suit. Here are some of the benefits of an 802.1x-enabled hotspot and why enterprise organizations should care, even if they think they're already secure by using VPN.

  • Per session per user keying
  • Transparent logins
  • Transparent proxied logins
  • Datalink security

Per session per user keying
The lack of "per session per user keying" is a massive security problem that afflicts nearly all wireless 802.11 hotspots. Commercial hotspots that use secure SSL logins are also not immune because the secure login only secures admission to the network, not the subsequent data flowing across the air. Essentially, what you currently have is a "party line" link to the wireless AP where everyone within earshot can see everything you transmit and receive. This is a security nightmare for hotspot users whenever they log in to common applications such as IMAP, POP3, SMTP relay, FTP, HTTP, or anything with a clear text login. Because your passwords are transmitted in clear text, any rookie hacker with a wireless sniffer and a password recorder can wreak havoc on any user who uses a traditional hotspot. Even VPN users who use PPTP are not safe since their hashed authentication session is sent in the clear and can typically be cracked in a very short amount of time with an offline dictionary attack. With the "per session per user keying" that 802.1x and a good EAP (Extensible Authentication Protocol) affords, every hotspot user gets his or her own secure encryption tunnel. Even legitimate users within the same wireless infrastructure cannot snoop on each other.
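To make per session per user keying concrete, here is an added example (not code from the article or from any hotspot vendor) of the pairwise key derivation behind an 802.1x session, assuming the hotspot uses the IEEE 802.11i/WPA key hierarchy, which the article does not name. The PMK values, MAC addresses and nonces are constructed stand-ins for what EAP and the 4-way handshake would supply.

```python
import hashlib
import hmac

def prf(key, label, data, nbytes):
    """802.11i PRF: HMAC-SHA1(key, label || 0x00 || data || counter), concatenated."""
    out, counter = b"", 0
    while len(out) < nbytes:
        msg = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, msg, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]

def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce):
    """Pairwise Transient Key, bound to one PMK, one AP/station pair, one handshake."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 64)

def temporal_key(ptk):
    """Bytes 32-47 of the PTK: the key that encrypts this station's unicast frames."""
    return ptk[32:48]

def constructed(tag):
    # Stand-in for a random 32-byte value (a PMK from EAP, or a handshake nonce).
    return hashlib.sha256(tag.encode()).digest()

AP = bytes.fromhex("020000000001")      # constructed MAC addresses
ALICE = bytes.fromhex("0200000000a1")
BOB = bytes.fromhex("0200000000b0")

def session_keys():
    """Temporal keys for two users, plus a second session by the first user."""
    sessions = {
        "alice/1": (constructed("pmk alice 1"), ALICE, "n1"),
        "bob/1": (constructed("pmk bob 1"), BOB, "n2"),
        "alice/2": (constructed("pmk alice 2"), ALICE, "n3"),
    }
    return {
        name: temporal_key(derive_ptk(pmk, AP, mac,
                                      constructed("anonce " + n),
                                      constructed("snonce " + n)))
        for name, (pmk, mac, n) in sessions.items()
    }
```

Every entry returned by `session_keys()` is different: Bob holds no key that decrypts Alice's frames, and Alice's second session does not reuse the key from her first.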

Transparent logins
One of the most annoying aspects of public hotspots is the fact that you usually have to go through a tedious Web-based secure login to prove that you are a paying customer before you get admission to the hotspot. With an 802.1x hotspot implementation, authentication is taken care of before an IP address (access to the datalink layer) is even granted. You just turn on your laptop or PDA and then let your 802.1x supplicant do the talking. Within seconds, if not less, you're securely attached to a wireless hotspot with no tedious logins. The lack of transparent and convenient logins is what makes Wi-Fi PDAs and Wi-Fi-enabled VoIP phones infeasible as a mobile phone platform and incapable of being a serious disrupter of the cell phone. The day will come when you will have a sleek and compact SIP-capable VoIP phone that can transparently log in to and roam to any ubiquitous Wi-Fi hotspot within a second so that you can make and receive calls when you want and where you want. Only then will Wi-Fi hotspots combined with VoIP present a serious alternative to the ubiquitous cell phone. Until then, it will be more of a novelty for most and only useful for the few.

Transparent proxied logins
Just having transparent logins is one thing, but having them integrated into your corporate user directory in a centrally managed location under a centralized accounting system is a corporate requirement. Managing hundreds of individual user accounts and paying for them separately is a costly proposition. A proxied login allows the admission control authentication requests to be relayed to a user's own corporate backend so that they don't need to set up a whole new user account with each individual ISP. It is essentially a single sign-on process extended to the wireless ISP environment. By some estimates, it costs $60 to process a single expense claim in large corporations and it can quickly get out of hand. For years, corporations have been using a proxied RADIUS login model for dial-up Internet access, but companies like iPass within the last year or two have been consolidating hotspots under their wireless ISP aggregation model. Currently, a user would have to use iPass' custom connection manager software to log into a hotspot, using their standard corporate identity which is proxied to their corporate RADIUS server via iPass' proprietary authentication protocol. With an 802.1x-empowered hotspot, it will be possible to use the integrated Windows XP 802.1x client, which can be centrally deployed and managed by a corporation's group policy if they use Microsoft Active Directory. With a solution like this, the user would not need to worry about memorizing another username/password and will benefit from a completely integrated and transparent process. Not having to pull out a credit card and then having to expense it later is just icing on the cake.
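The relay step of a proxied login, as an added example that is not from the article or from any vendor's product: the hotspot's RADIUS proxy reads the realm from User-Name, picks the corporate home server, appends Proxy-State and re-signs Message-Authenticator with the secret it shares with that server. The realm table, addresses and secret are hypothetical; the sketch assumes the access point's request was already verified and keeps its identifier and Request Authenticator unchanged.

```python
import hmac
import struct

USER_NAME, PROXY_STATE, MESSAGE_AUTHENTICATOR = 1, 33, 80  # RADIUS attribute types
# Hypothetical realm table: realm -> (home RADIUS server, secret shared with it).
HOME_SERVERS = {"corp.example": (("192.0.2.10", 1812), b"constructed-proxy-secret")}

def parse(packet):
    """Split a RADIUS packet into header fields and a list of (type, value)."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        attrs.append((packet[pos], packet[pos + 2:pos + packet[pos + 1]]))
        pos += packet[pos + 1]
    return code, ident, packet[4:20], attrs

def build(code, ident, authenticator, attrs):
    """Serialize header and attributes, recomputing the length field."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def sign(code, ident, authenticator, attrs, secret):
    """Set Message-Authenticator to HMAC-MD5 over the packet with that field zeroed."""
    zeroed = [(t, bytes(16) if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    mac = hmac.new(secret, build(code, ident, authenticator, zeroed), "md5").digest()
    return build(code, ident, authenticator,
                 [(t, mac if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs])

def proxy_access_request(packet, hop=b"hotspot-proxy"):
    """Return (home_server, forwarded_packet), or None if the realm is not routable."""
    code, ident, authenticator, attrs = parse(packet)
    names = [v for t, v in attrs if t == USER_NAME]
    if code != 1 or len(names) != 1:
        raise ValueError("expected an Access-Request with one User-Name")
    user, at, realm = names[0].decode("utf-8", "replace").rpartition("@")
    route = HOME_SERVERS.get(realm.lower()) if at and user else None
    if route is None:
        return None  # missing or unknown realm: never fall back to a default server
    server, secret = route
    # Proxy-State lets the reply be matched on the way back; re-sign for the next hop.
    return server, sign(code, ident, authenticator, attrs + [(PROXY_STATE, hop)], secret)
```

Returning `None` for a missing or unknown realm keeps credentials from being relayed to a server the user's company never designated.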

[Figure: RADIUS proxy example]

Datalink security
Datalink security is often overlooked as a security requirement and VPN can only go so far down the OSI model to secure you at the network layer. I've blogged in the past about the new "Domaincasting" technique that enables people to get free Internet access by disguising their network traffic as legitimate DNS requests. Under the current hotspot model, almost all non-802.1x hotspots are vulnerable to this exploit. While this may seem like more of a problem for the wireless ISP, bandwidth theft is everyone's problem because it raises the cost of bandwidth for legitimate users and further depletes a scarce resource. Another problem with current hotspots is that they automatically grant IP addresses using the DHCP (Dynamic Host Configuration Protocol) mechanism. This means that they leave themselves open to DHCP poisoning, where a malicious person could flood the DHCP server with spoofed requests that fill up the available IP pool. Once filled, no more IP addresses can be granted to legitimate users until the DHCP server is reset. Other more severe forms of attack can completely shut down the wired network that is attached to the wireless access point. These types of DoS (Denial of Service) attacks can affect any wireless LAN that subscribes to the VPN-only model of wireless LAN security. An 802.1x hotspot protects a network from Layer 2 and up regardless of whether VPN is used or not.
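Detection logic for the address-pool exhaustion described above, as an added example that is not from the article: it flags a burst of DHCPDISCOVERs from many distinct MAC addresses and the server's "no free leases" message. It assumes ISC dhcpd-style log messages behind a simplified ISO timestamp prefix; the sample lines and thresholds are constructed.

```python
import re
from collections import deque
from datetime import datetime

# Assumed line shape: "<ISO time> dhcpd: DHCPDISCOVER from <mac> via <if>[: ... no free leases]"
LINE = re.compile(
    r"^(\S+) dhcpd: DHCPDISCOVER from ([0-9a-f:]{17}) via \S+(: .*no free leases)?$")

def detect_pool_exhaustion(lines, window_s=10, max_macs=5):
    """Return [(timestamp, reason)] for DISCOVER bursts and exhausted-pool events."""
    recent = deque()          # (time, mac) of DISCOVERs inside the sliding window
    alerts, was_bursting = [], False
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue          # other DHCP messages are ignored in this sketch
        ts = datetime.fromisoformat(m.group(1))
        recent.append((ts, m.group(2)))
        while (ts - recent[0][0]).total_seconds() > window_s:
            recent.popleft()
        bursting = len({mac for _, mac in recent}) > max_macs
        if m.group(3):
            # The server itself reports that a client was turned away.
            alerts.append((m.group(1), "no-free-leases"))
        elif bursting and not was_bursting:
            # Alert once when the distinct-MAC count first crosses the threshold.
            alerts.append((m.group(1), "discover-burst"))
        was_bursting = bursting
    return alerts

# Constructed sample: two ordinary clients, eight spoofed MACs in one second,
# then a legitimate client that finds the pool empty.
SAMPLE = (
    ["2004-10-01T12:00:00 dhcpd: DHCPDISCOVER from 00:0c:29:aa:00:01 via eth1",
     "2004-10-01T12:00:30 dhcpd: DHCPDISCOVER from 00:0c:29:aa:00:02 via eth1"]
    + [f"2004-10-01T12:01:00 dhcpd: DHCPDISCOVER from 02:00:00:00:00:{i:02x} via eth1"
       for i in range(8)]
    + ["2004-10-01T12:01:05 dhcpd: DHCPDISCOVER from 00:0c:29:aa:00:03 via eth1"
       ": network 10.0.0.0/24: no free leases"]
)

if __name__ == "__main__":
    for when, reason in detect_pool_exhaustion(SAMPLE):
        print(when, reason)
```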

So, are you feeling less secure? It gets worse. Read my blog about why the conventional Wi-Fi hotspot business model is simply too dangerous for anyone to use anymore. And let me know what your company is doing -- leave a comment in TalkBack.

About

George Ou, a former ZDNet blogger, is an IT consultant specializing in Servers, Microsoft, Cisco, Switches, Routers, Firewalls, IDS, VPN, Wireless LAN, Security, and IT infrastructure and architecture.
