Ruckus wireless LAN security method solves usability versus security dilemma

Summary: One of the biggest problems with wireless LAN security standards is the lack of an intermediate solution. Your only choices in securing a wireless LAN were to deploy enterprise-grade WPA wireless LAN security, which requires RADIUS (Remote Authentication Dial In User Service) servers in addition to a PKI (Public Key Infrastructure), or to deploy shared secret technology using WPA-PSK.


The problem with enterprise-grade WPA is that it's relatively difficult to deploy (though I try to simplify it for you with this comprehensive guide), so many organizations resort to the alternative method, WPA-PSK. The problem with WPA-PSK - while the encryption algorithm is secure - is that it uses shared secret technology, which means too many people know what the secret is. If one of those people in the know leaves the company or needs to be stripped of access, the only choice an organization has is to change the shared key for everyone or live with the risk. Since changing the shared key is a huge administrative task, and given that people tend to choose convenience over security, all too often the choice is made to live with the risk.

Ruckus recently entered the small to mid enterprise wireless LAN space with a new line of products. Those products brought much needed smart antenna technology to the enterprise space, but they also brought a new type of wireless LAN security to the table, designed to address the needs of businesses too small to deploy full scale enterprise wireless LAN security and too big to use WPA-PSK mode. This new security model, which Ruckus calls "Dynamic PSK" (specifications in PDF), is simply a variation on the basic theme of WPA-PSK. It doesn't attempt to invent a whole new form of wireless LAN security, which is good: since it is fundamentally WPA-PSK mode, it won't require a lot of vetting by the cryptography community. Dynamic PSK simply issues one PSK per client (presumably one per MAC address) instead of using the same PSK for each and every client. It's so simple that you wonder why it wasn't implemented in the 802.11i standard in the first place.

To further simplify things, the Ruckus access point controller allows automated key generation and client configuration via a password-protected web page accessible only from the LAN. Access control to the web page can be restricted via a local database or it can tie in to something like Active Directory. The client is configured using Microsoft-provided APIs that configure WPA-PSK, so the whole thing becomes a point and click first time deployment, with the credentials cached for subsequent connections.

It's important to note that this shouldn't be confused with the worthless type of MAC filtering technology that so many people falsely believe to be worthwhile. The MAC address in Dynamic PSK is essentially used as the username, and the unique PSK is used as the per-MAC/per-client password. MAC filtering is insecure because it depends solely on the MAC address, which is always transmitted in the clear within every Ethernet frame. Dynamic PSK mode only uses the publicly known MAC address as the "username"; it still requires a unique WPA-PSK passphrase to unlock the door. Normal WPA-PSK mode uses the same WPA-PSK passphrase for everyone, which limits it to home deployments and makes it unsuitable for business use. The reality, however, is that businesses all too often rely on shared key technology because they can't or won't make the effort to deploy enterprise-grade security. Now those businesses have the choice of a solution that doesn't require a PKI or RADIUS authentication servers but also doesn't force the use of shared secrets.
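To make the username/password analogy above concrete, here is an added illustration (my own sketch, not Ruckus' code and not a description of their firmware): a per-MAC key table built on the standard WPA-PSK derivation, in which the client MAC only selects which PMK the access point expects, and only the matching passphrase yields a valid handshake MIC. Revoking one client means deleting one table entry, with no rekey for anyone else. The SSID, MAC addresses, nonces and handshake body are constructed sample values.

```python
import hashlib
import hmac
import os

SSID = b"store-wlan"                    # constructed sample SSID
AP_MAC = bytes.fromhex("02aa00000001")  # constructed AP address


def pmk_from_passphrase(passphrase: str, ssid: bytes = SSID) -> bytes:
    """Standard WPA-PSK derivation: PBKDF2-HMAC-SHA1, 4096 rounds, 256-bit PMK."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid, 4096, 32)


def kck_from_pmk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """802.11i pairwise key expansion over the sorted MACs and nonces; the first
    16 bytes of the PTK are the KCK that keys the 4-way handshake MIC."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = b"".join(hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]),
                            hashlib.sha1).digest() for i in range(4))
    return ptk[:16]


def handshake_mic(kck: bytes, eapol_body: bytes) -> bytes:
    """WPA handshake MIC: HMAC-SHA1 truncated to 128 bits. A real frame is MICed
    with its MIC field zeroed; a plain constructed body stands in for that here."""
    return hmac.new(kck, eapol_body, hashlib.sha1).digest()[:16]


class DynamicPskStore:
    """Hypothetical per-client PSK table as an AP controller might keep it."""

    def __init__(self, ssid: bytes = SSID):
        self.ssid = ssid
        self.pmks = {}                      # client MAC -> that client's PMK

    def enroll(self, mac: bytes) -> str:
        passphrase = os.urandom(20).hex()   # 40 random hex chars, unique per client
        self.pmks[mac] = pmk_from_passphrase(passphrase, self.ssid)
        return passphrase                   # handed to exactly one client

    def revoke(self, mac: bytes) -> None:
        self.pmks.pop(mac, None)            # only this client loses access

    def verify(self, mac: bytes, anonce: bytes, snonce: bytes, body: bytes, mic: bytes) -> bool:
        pmk = self.pmks.get(mac)            # MAC is the "username": it picks the key
        if pmk is None:
            return False
        expected = handshake_mic(kck_from_pmk(pmk, AP_MAC, mac, anonce, snonce), body)
        return hmac.compare_digest(expected, mic)


def client_mic(passphrase: str, mac: bytes, anonce: bytes, snonce: bytes, body: bytes) -> bytes:
    """What a station holding `passphrase` would put in handshake message 2."""
    kck = kck_from_pmk(pmk_from_passphrase(passphrase), AP_MAC, mac, anonce, snonce)
    return handshake_mic(kck, body)
```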

There are also other situations, such as geographically diverse deployments like retail chain stores, where enterprise-grade WPA wireless LAN security isn't practical. I discovered this firsthand in my previous life as an IT consultant, where I designed secure wireless LANs. While it's possible to use a centralized RADIUS server and simply have each remote store use it for authentication and authorization, it wasn't a survivable configuration if the remote WAN (Wide Area Network) link became unusable. While a downed link was rare, it was common enough to be a problem, and chain stores couldn't afford to have their wireless LAN authentication down any time the WAN became inaccessible. Deploying a local RADIUS server per remote location is technically possible but highly impractical, so many of those retail chains ultimately settled on WPA-PSK mode if we were lucky. If we weren't lucky, they used and continue to use WEP, which opens them up to TJX-level disasters. With something like Ruckus' Dynamic PSK solution, retail chain stores finally have something that can survive a severed WAN connection and still avoid shared secret security.

Topics: Security, Networking, Wi-Fi

About

George Ou, a former ZDNet blogger, is an IT consultant specializing in Servers, Microsoft, Cisco, Switches, Routers, Firewalls, IDS, VPN, Wireless LAN, Security, and IT infrastructure and architecture.
