Wireless LAN Security Basics
With Wireless LANs becoming mainstream, organizations want to tightly integrate Wireless LANs with wired LANs. Network managers are reluctant or unwilling to deploy Wireless LANs unless those LANs provide the type of security, manageability, and scalability offered by wired LANs. The chief concern is security, which encompasses access control and privacy. Access control ensures that sensitive data can be accessed only by authorized users. Privacy ensures that transmitted data can be received and understood only by the intended audience.
Access to a wired LAN is governed by access to an Ethernet port for that LAN. Therefore, access control for a wired LAN often is viewed in terms of physical access to LAN ports. Similarly, because data transmitted on a wired LAN is directed to a particular destination, privacy cannot be compromised unless someone uses specialized equipment to intercept transmissions on their way to their destination. In short, a security breach on a wired LAN is possible only if the LAN is physically compromised.
With a Wireless LAN, transmitted data is broadcast over the air using radio waves, so it can be received by any Wireless LAN client in the area served by the data transmitter. Because radio waves travel through ceilings, floors, and walls, transmitted data may reach unintended recipients on different floors and even outside the building of the transmitter. Installing a Wireless LAN may seem like putting Ethernet ports everywhere, including in your parking lot. Similarly, data privacy is a genuine concern with Wireless LANs because there is no way to direct a Wireless LAN transmission to only one recipient.
An emerging standard currently being defined by the IEEE deals with Wireless LAN security. Proposed by a group of companies led by Cisco Systems and Microsoft, 802.11i is based on LEAP, Cisco’s proprietary security mechanism on its Wireless LAN products.
The IEEE 802.11b standard includes components for ensuring access control and privacy, but these components must be deployed on every device in a Wireless LAN. The two mechanisms for providing access control and privacy on Wireless LANs: service set identifiers (SSIDs) and wired equivalent privacy (WEP). SSIDs and WEP however have inherent flaws including:
Theft of Hardware
It is common to statically assign a WEP key to a client, either on the client’s disk storage or in the memory of the client’s Wireless LAN adapter. When this is done, the possessor of a client has possession of the client’s MAC address and WEP key and can use those components to gain access to the Wireless LAN. If multiple users share a client, then those users effectively share the MAC address and WEP key.
When a client is lost or stolen, the intended user or users of the client no longer have access to the MAC address or WEP key, and an unintended user does. It is next to impossible for an administrator to detect the security breach; a proper owner must inform the administrator.
When informed, an administrator must change the security scheme to render the MAC address and WEP key useless for Wireless LAN access and decryption of transmitted data. The administrator must recode static encryption keys on all clients that use the same keys as the lost or stolen client. The greater the number of clients, the larger the task of reprogramming WEP keys.
Rogue Access Points
The 802.11b shared-key authentication scheme employs one-way, not mutual, authentication. An access point authenticates a user, but a user does not and cannot authenticate an access point. If a rogue access point is placed on a Wireless LAN, it can be a launch pad for denial-of-service attacks through the “hijacking” of the clients of legitimate users.
Other Threats
Standard WEP supports per-packet encryption but not per-packet authentication. A hacker can reconstruct a data stream from responses to a known data packet. The hacker then can spoof packets. One way to mitigate this security weakness is to ensure that WEP keys are changed frequently.
By monitoring the 802.11 control and data channels, a hacker can obtain information such as: • Client and access point MAC addresses • MAC addresses of internal hosts • Time of association/disassociation
The hacker can use such information to do long-term traffic profiling and analysis that may provide user or device details. To mitigate such hacker activities, a site should use per-session WEP keys.
Addressing Security Threats
To address such security concerns, a Wireless LAN security scheme should:
• Base Wireless LAN authentication on device-independent items such as usernames and passwords, which users possess and use regardless of the clients on which they operate;
• Support mutual authentication between a client and an authentication (RADIUS) server;
• Use WEP keys that are generated dynamically upon user authentication, not static keys that are physically associated with a client;
• Support session-based WEP keys.
First-generation Wireless LAN security, which relies on static WEP keys for access control and privacy, cannot address these requirements.
A Complete Security Solution
What is needed is a Wireless LAN security solution that uses a standards-based and open architecture to take full advantage of 802.11b security elements, provide the strongest level of security available, and ensure effective security management from a central point of control. Central to the 802.11i proposal are the following elements:
• Extensible Authentication Protocol (EAP), an extension to Remote Access Dial-In User Service (RADIUS) that can enable wireless client adapters to communicate with RADIUS servers • IEEE 802.1X, a proposed standard for controlled port access
When the security solution is in place, a wireless client that associates with an access point cannot gain access to the network until the user performs a network logon. When the user enters a username and password into a network logon dialog box or its equivalent, the client and a RADIUS server (or other authentication server) perform a mutual authentication, with the client authenticated by the supplied username and password. The RADIUS server and client then derive a client-specific WEP key to be used by the client for the current logon session. All sensitive information, such as the password, is protected from passive monitoring and other methods of attack. Nothing is transmitted over the air in the clear.
Support for EAP and 802.1X delivers on the promise of WEP, providing a centrally managed, standards-based, and open approach that addresses the limitations of standard 802.11 security. In addition, the EAP framework is extensible to wired networks, enabling an enterprise to use a single security architecture for every access method. It is likely that dozens of vendors will implement support for 802.1X and EAP in their Wireless LAN products.
Competing Wireless Technologies
Other technologies such as Bluetooth and 3G also enable devices to wirelessly talk to each other but these should not be seen as competing with 802.11x Wireless LAN. Each play a very defined role with differing applications and supporting technologies. Bluetooth for example can be seen as a personal area network solution enabling a user to seamlessly connect devices within a short range for specific purposes; for example, charging a mobile phone or hot synching a PDA with a computer. 3G on the other hand can be viewed as a wide area network solution to enable handheld devices, primarily mobile phones to wirelessly access the Internet or data networks much the same way that they provide voice access today.
And Wireless LAN is just what it name indicates, a local area network technology that provides Ethernet-like data speeds for laptop computers to wirelessly connect to the corporate network. When used in a public location, it becomes a powerful way of extending the corporate network outside the physical office boundaries and liberating the employee even further.
The Growth of Wireless LANsUntil recently, wireless local-area network (LAN) products were used primarily in certain vertical markets — such as retail, education, and health care — where mobile users with a need for LAN access were satisfied with data-transfer rates of 2 megabits per second (Mbps) or less.
Even though most Wireless LANs were extensions of wired LANs, the proprietary nature and slow speeds of Wireless LANs forced organizations to manage Wireless LANs as unique entities. To make Wireless LANs more “mainstream,” customers pressed vendors to develop a high-speed Wireless LAN standard that would encourage interoperability, reduce prices, and provide the bandwidth needed by today’s business applications.
In 1999, the Institute of Electrical and Electronics Engineers (IEEE) ratified an extension to a previous standard. Called IEEE 802.11b, it defines the standard for Wireless LAN products that operate at an Ethernet-like data rate of 11 Mbps, a speed that makes Wireless LAN technology viable in enterprises and other large organizations. Interoperability of Wireless LAN products from different vendors is ensured by an independent organization called the Wireless Ethernet Compatibility Alliance or WECA,which brands compliant products as “Wi-Fi.”
Dozens of vendors market Wi-Fi products, and organizations of every size and type are considering, if not deploying, Wireless LANs. Demand for wireless access to LANs is fueled by the growth of mobile computing devices, such as laptops and personal digital assistants, and a desire by users for continual connections to the network without having to “plug in”. There will be over a billion mobile devices by 2003, and the Wireless LAN market is projected to grow to over US$2 billion by 2002.
The Various Standards
Most of the Wireless LAN products and solutions offered today comply with the IEEE 802.11b standard, which transmits data at speeds of 11 Mbps in the 2.4 Ghz radio band. The IEEE 802.11a standard has a data rate of 54 Mbps and operates in the 5 GHz spectrum and products compliant with this standard are just coming to market today.
802.11a though has a smaller range than 802.11b and although it provides higher data speeds, covers 30 per cent less area than 802.11b. This means that more Access Points need to be deployed to cover the same area. In addition, the 802.11a client adapter cards consume more power from the battery of laptop computers. 802.11a products are also not backward compliant with 802.11b products.
802.11g is another developing standard that has yet to be ratified by the IEEE but may yet show more potential than 802.11a. 802.11g operates in the same spectrum as 802.11b at 2.4 GHz but provides similar data speeds as 802.11a of between 20 and 50 Mbps. It is also backward compliant with 802.11b products. However, it may take up to a year before the IEEE ratifies the standard and vendors start producing the products.
Wireless LAN market in Asia Pacific
Market research company, IDC Asia Pacific estimated that the Wireless LAN market in the region was worth about US$45 million in the year 2000 but projects this to grow at a compound annual growth rate of 51% to approximately US$350 million by 2005.
In addition, the company reports that Managed Wireless LAN services – which are Wireless LAN access services provided to the general public through subscription by a service provider – will help spur the adoption of Wireless LAN throughout the region.
By providing mobile business professionals with convenient, easy access to their corporate network from “hot spot” locations including airports and airline lounges, convention centers, hotels, restaurants and other hospitality venues, enterprises will realize increased productivity for their employees and controlled costs when employees access the corporate network while on the move.
Fredy Chung is Director of Core Technologies at Cisco Systems Asia Pacific