Got VPN? You'll still want new 802.1x hotspot


Recently, T-Mobile announced that they are the first U.S. wireless carrier to implement 802.1x (IEEE port-based authentication, also known as Dot1x). This is a huge improvement in the security and robustness of wireless LAN hotspots, and all other hotspot vendors should follow suit. Here are some of the benefits of an 802.1x-enabled hotspot and why enterprise organizations should care, even if they think they're already secure by using VPN.

  • Per session per user keying
  • Transparent logins
  • Transparent proxied logins
  • Datalink security

Per session per user keying
The lack of "per session per user keying" is a massive security problem that afflicts nearly all wireless 802.11 hotspots. Commercial hotspots that use secure SSL logins are also not immune, because the secure login only secures admission to the network, not the subsequent data flowing across the air. Essentially, what you currently have is a "party line" link to the wireless AP where everyone within earshot can see everything you transmit and receive. This is a security nightmare for hotspot users whenever they log in to common applications such as IMAP, POP3, SMTP relay, FTP, HTTP, or anything with a clear-text login. Because your passwords are transmitted in clear text, any rookie hacker with a wireless sniffer and a password recorder can wreak havoc on any user who uses a traditional hotspot. Even VPN users who use PPTP are not safe, since their hashed authentication session is sent in the clear and can typically be cracked in a very short amount of time with an offline dictionary attack. With the "per session per user keying" that 802.1x and a good EAP (Extensible Authentication Protocol) afford, every hotspot user gets his or her own secure encryption tunnel. Even legitimate users within the same wireless infrastructure cannot snoop on each other.
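An added illustration of per-session per-user keying (not code from the article): each EAP-authenticated user ends up with a different pairwise key, so a frame protected under Alice's key is rejected under Bob's and carries no readable login on the air. The key derivation and frame protection are simplified stand-ins for the 802.11i key hierarchy and CCMP, and the MAC addresses and POP3 login are constructed.

```python
import hashlib
import hmac
import os

# Added model (not from the article): after EAP succeeds, client and RADIUS server
# share a per-user PMK; client and AP then derive a pairwise transient key (PTK)
# bound to both MAC addresses and fresh nonces. Real 802.11i uses the
# "Pairwise key expansion" PRF (HMAC-SHA1) and AES-CCMP; this stand-in uses
# HMAC-SHA256 for the PRF/MIC and a SHAKE-256 keystream for confidentiality.

def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce):
    data = (b"Pairwise key expansion" + min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return hmac.new(pmk, data, hashlib.sha256).digest()  # MIC key (16) || data key (16)

def protect(ptk, frame_no, plaintext):
    kck, tk = ptk[:16], ptk[16:]
    header = frame_no.to_bytes(8, "big")                 # per-frame counter, never reused
    keystream = hashlib.shake_256(tk + header).digest(len(plaintext))
    body = bytes(p ^ k for p, k in zip(plaintext, keystream))
    mic = hmac.new(kck, header + body, hashlib.sha256).digest()[:8]
    return header + body + mic

def unprotect(ptk, frame):
    kck, tk = ptk[:16], ptk[16:]
    header, body, mic = frame[:8], frame[8:-8], frame[-8:]
    expected = hmac.new(kck, header + body, hashlib.sha256).digest()[:8]
    if not hmac.compare_digest(mic, expected):
        return None                        # wrong PTK: MIC fails and the frame is dropped
    keystream = hashlib.shake_256(tk + header).digest(len(body))
    return bytes(b ^ k for b, k in zip(body, keystream))

def demo():
    ap = bytes.fromhex("000c41aabbcc")                   # constructed MAC addresses
    alice, bob = bytes.fromhex("001122334455"), bytes.fromhex("00aabbccddee")
    pmk_alice, pmk_bob = os.urandom(32), os.urandom(32)  # one PMK per EAP-authenticated user
    anonce = os.urandom(32)                              # AP nonce from the 4-way handshake
    ptk_alice = derive_ptk(pmk_alice, ap, alice, anonce, os.urandom(32))
    ptk_bob = derive_ptk(pmk_bob, ap, bob, anonce, os.urandom(32))
    login = b"USER alice\r\nPASS hunter2\r\n"            # constructed POP3 clear-text login
    frame = protect(ptk_alice, 1, login)                 # what actually goes over the air
    return {
        "ap_reads_alice": unprotect(ptk_alice, frame) == login,
        "bob_reads_alice": unprotect(ptk_bob, frame) is not None,
        "password_visible_on_air": b"PASS hunter2" in frame,
    }

if __name__ == "__main__":
    print(demo())
```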

Transparent logins
One of the most annoying aspects of public hotspots is the fact that you usually have to go through a tedious Web-based secure login to prove that you are a paying customer before you get admission to the hotspot. With an 802.1x hotspot implementation, authentication is taken care of before an IP address (access to the datalink layer) is even granted. You just turn on your laptop or PDA and let your 802.1x supplicant do the talking. Within seconds, if not less, you're securely attached to a wireless hotspot with no tedious logins. The lack of transparent and convenient logins is what makes Wi-Fi PDAs and Wi-Fi-enabled VoIP phones infeasible as a mobile phone platform and incapable of being a serious disrupter of the cell phone. The day will come when you will have a sleek and compact SIP-capable VoIP phone that can transparently log in to and roam to any ubiquitous Wi-Fi hotspot within a second, so that you can make and receive calls when you want and where you want. Only then will Wi-Fi hotspots combined with VoIP present a serious alternative to the ubiquitous cell phone. Until then, it will be more of a novelty for most and only useful for the few.

Transparent proxied logins
Just having transparent logins is one thing, but having it integrated into your corporate user directory in a centrally managed location under a centralized accounting system is a corporate requirement. Managing hundreds of individual user accounts and paying for them separately is a costly proposition. A proxied login allows the admission control authentication requests to be relayed to a user's own corporate backend so that they don't need to set up a whole new user account with each individual ISP. It is essentially a single sign-on process extended to the wireless ISP environment. By some estimates, it costs $60 to process a single expense claim in large corporations and it can quickly get out of hand. For years, corporations have been using a proxied RADIUS login model for dial-up Internet access, but companies like iPass within the last year or two have been consolidating hotspots under their wireless ISP aggregation model. Currently, a user would have to use iPass' custom connection manager software to log into a hotspot, using their standard corporate identity which is proxied to their corporate RADIUS server via iPass' proprietary authentication protocol. With an 802.1x-empowered hotspot, it will be possible to use the integrated Windows XP 802.1x client, which can be centrally deployed and managed by a corporation's group policy if they use Microsoft Active Directory. With a solution like this, the user would not need to worry about memorizing another username/password and will benefit from a completely integrated and transparent process. Not having to pull out a credit card and then having to expense it later is just icing on the cake.

RADIUS proxy example (figure not reproduced)

Datalink security
Datalink security is often overlooked as a security requirement, and VPN can only go so far down the OSI model: it secures you at the network layer. I've blogged in the past about the new "Domaincasting" technique that enables people to get free Internet access by disguising their network traffic as legitimate DNS requests. Under the current hotspot model, almost all non-802.1x hotspots are vulnerable to this exploit. While this may seem like more of a problem for the wireless ISP, bandwidth theft is everyone's problem because it raises the cost of bandwidth for legitimate users and further depletes a scarce resource. Another problem with current hotspots is that they automatically grant IP addresses using the DHCP (Dynamic Host Configuration Protocol) mechanism. This means that they leave themselves open to DHCP poisoning, where a malicious person could flood the DHCP server with spoofed requests that fill up the available IP pool. Once filled, no more IP addresses can be granted to legitimate users until the DHCP server is reset. Other more severe forms of attack can completely shut down the wired network that is attached to the wireless access point. These types of DoS (Denial of Service) attacks can affect any wireless LAN that subscribes to the VPN-only model of wireless LAN security. An 802.1x hotspot protects a network from Layer 2 and up regardless of whether VPN is used or not.
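For operators still running a non-802.1x hotspot, the pool-exhaustion attack described above is at least visible in the DHCP server's own log. The detector below is an added example (not from the article): it slides a window over DISCOVER lines, counts distinct client MACs per interface, and flags both an implausible burst of new clients and the server's own "no free leases" event. The sample lines are constructed, modelled on ISC dhcpd's syslog format; the thresholds are assumptions to tune per site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample, modelled on ISC dhcpd syslog lines (not from the article):
# one real client, then a burst of DISCOVERs from made-up MACs until the pool is gone.
SAMPLE_LOG = (
    "Mar 14 10:00:01 hotspot dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 via wlan0\n"
    "Mar 14 10:00:01 hotspot dhcpd: DHCPOFFER on 10.0.0.10 to 00:11:22:33:44:55 via wlan0\n"
    + "".join(f"Mar 14 10:00:{20 + i} hotspot dhcpd: DHCPDISCOVER from 02:00:00:00:00:{i:02x} via wlan0\n"
              for i in range(8))
    + "Mar 14 10:00:30 hotspot dhcpd: DHCPDISCOVER from 02:00:00:00:00:09 via wlan0: "
      "network 10.0.0.0/24: no free leases\n"
)

DISCOVER = re.compile(r"^(?P<ts>\w{3} \d{2} \d\d:\d\d:\d\d) \S+ dhcpd: DHCPDISCOVER from "
                      r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) via (?P<iface>[\w.-]+)(?P<tail>.*)$")

def detect_starvation(log, window_s=60, max_new_clients=5, year=2005):
    """Flag interfaces whose count of distinct DISCOVER senders inside a sliding
    window exceeds what a hotspot of that size should see, plus any 'no free
    leases' event. Returns (ts, iface, distinct_macs, reason), one per triggering line."""
    recent = defaultdict(deque)          # iface -> (timestamp, mac) pairs inside the window
    alerts = []
    for line in log.splitlines():
        m = DISCOVER.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
        q = recent[m["iface"]]
        q.append((ts, m["mac"]))
        while (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()                  # drop entries that fell out of the window
        distinct = len({mac for _, mac in q})
        if "no free leases" in m["tail"]:
            alerts.append((m["ts"], m["iface"], distinct, "pool exhausted"))
        elif distinct > max_new_clients:
            alerts.append((m["ts"], m["iface"], distinct, "discover burst"))
    return alerts

if __name__ == "__main__":
    for alert in detect_starvation(SAMPLE_LOG):
        print(alert)
```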

So, are you feeling less secure? It gets worse. Read my blog about why the conventional Wi-Fi hotspot business model is simply too dangerous for anyone to use anymore. And let me know what your company is doing -- leave a comment in TalkBack.

Topic: Networking


Talkback

2 comments
  • Re: Got VPN? You'll still want new 802.1x hotspot

    I had not realised that web-based logons are bad news for Wi-Fi-enabled VoIP phones. Thanks for the insight. I agree that 802.1x could be a solution to this obstacle.

    Could you elaborate on the part about transparent proxied logins? Is it safe for companies to rely on third-party wireless providers? The username/password cannot be intercepted by these providers, right?

    802.1x could even enable roaming between different wireless providers (like GSM today). And perhaps it could even be a boon to ordinary home users who buy an 802.1x enabled wireless router and start earning money by accepting connections from roaming users.
    jacco
    • Good questions

      Nice to hear from you again Jacco. It's even worse than it looks, check out my subsequent blog "You use my Hotspot; I'll use your Credit Card". It would be very easy to steal your user credentials or your credit card with a rogue hotspot.

      On the transparent proxied login, RADIUS authentication using PEAP allows you to authenticate an end user to a back end database securely and protect the user's password (not the username). The RADIUS servers in the middle are not privy to the password because it is protected by a TLS tunnel that terminates on the end user's Supplicant and the final destination RADIUS server. When doing 802.1x/PEAP authentication, the user hands off a username@realm to the Access Point. The AP hands it off to the hotspot provider's RADIUS server. That RADIUS server hands it off to a hotspot aggregator who handles centralized billing and does revenue sharing with the hotspot infrastructure companies (this could include some Joe with a Linksys Wireless Router and a DSL line). That RADIUS server in turn hands it off to the user's corporate RADIUS server which in turn responds with a server side digital certificate to prove its identity to the end user and to create a secure TLS tunnel with that user. The Hotspot infrastructure provider and the Hotspot Aggregator cannot see the user's passwords in that TLS tunnel. Once authenticated by the end RADIUS server which in this case is the user's corporate RADIUS server, the EAP success message will flow to the Aggregator and then the Infrastructure provider and then finally to the Access Point to grant access. RADIUS accounting will take care of the rest. The same thing has been done for years with dial-up Internet access only they don't use a secure authentication mechanism like PEAP and instead use CHAP. This could signify a whole new trend.
      george_ou
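The proxy chain described in the Transparent proxied logins section and in the reply above, as an added model (not the article's, iPass's or any RADIUS vendor's code): each hop routes on the realm of username@realm and records what it can observe, and only the corporate server holds the key that opens the inner credentials. The tunnel is a toy stand-in for PEAP's TLS, with TUNNEL_KEY standing in for the session keys the supplicant negotiates with the corporate server's certificate; server names, realms, users and passwords are constructed.

```python
import hashlib, hmac, os

# Added model of the proxied 802.1x/PEAP login chain (not the article's code).
# TUNNEL_KEY stands in for the TLS session keys that only the supplicant and the
# corporate RADIUS server hold; intermediate RADIUS proxies never learn it.
TUNNEL_KEY = os.urandom(32)

def tunnel(key, nonce, data):
    """Toy TLS record: XOF keystream XOR plus an HMAC tag (not real TLS)."""
    ct = bytes(a ^ b for a, b in zip(data, hashlib.shake_256(key + nonce).digest(len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]

def untunnel(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-16], blob[-16:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]):
        return None                      # wrong key: the inner message stays opaque
    return bytes(a ^ b for a, b in zip(ct, hashlib.shake_256(key + nonce).digest(len(ct))))

class RadiusServer:
    def __init__(self, name, routes, local_realm=None, users=None, tunnel_key=None):
        self.name, self.routes, self.local_realm = name, routes, local_realm
        self.users, self.tunnel_key, self.seen = users or {}, tunnel_key, []

    def access_request(self, nai, eap_blob, trace):
        trace.append(self.name)
        self.seen.append((nai, eap_blob))           # everything this hop can observe
        realm = nai.rpartition("@")[2]
        if realm == self.local_realm:               # home server: terminate the tunnel
            inner = untunnel(self.tunnel_key, eap_blob)
            if inner is None:
                return "Access-Reject"
            user, _, password = inner.decode().partition(":")
            ok = hmac.compare_digest(self.users.get(user, "").encode(), password.encode())
            return "Access-Accept" if ok else "Access-Reject"
        nxt = self.routes.get(realm) or self.routes.get("*")   # proxy by realm
        return nxt.access_request(nai, eap_blob, trace) if nxt else "Access-Reject"

def supplicant_login(first_hop, nai, password):
    """Outer identity travels in the clear; user:password only inside the tunnel."""
    inner = f"{nai.partition('@')[0]}:{password}".encode()
    trace = []
    return first_hop.access_request(nai, tunnel(TUNNEL_KEY, os.urandom(16), inner), trace), trace

def build_chain():
    corp = RadiusServer("corp-radius", {}, local_realm="corp.example",
                        users={"alice": "correct horse"}, tunnel_key=TUNNEL_KEY)
    aggregator = RadiusServer("aggregator", {"corp.example": corp})
    hotspot = RadiusServer("hotspot-radius", {"*": aggregator})   # the AP's RADIUS server
    return hotspot, aggregator, corp
```

Inspecting `hotspot.seen` and `aggregator.seen` after a login shows exactly what the reply states: the outer username@realm is visible to every hop, the password to none of them.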