Airtight WiFi 101
Wireless security is achievable, but you have to work at it. Here's how:
- By William Jackson
- Jul 27, 2005
As with many other technologies, wireless networking was developed with an eye toward functionality rather than security. The 802.11 family of wireless standards has become the basis of products that are so easy to use and misuse that the National Institute of Standards and Technology in 2002 described wireless access points as 'the logical equivalent of an Ethernet port in the parking lot.'
The security shortcomings enumerated by NIST in Special Publication 800-48, Wireless Network Security, were serious enough that many agencies have shied away from wireless LANs, also known as WiFi.
'It's a wonderful technology that I would like to see be successful,' said Dennis Heretick, director of IT and security for the Justice Department's management division. 'It was too bad that wireless got off to such a weak start.'
But the standards and the products have matured in the three years since NIST issued its warnings, said Praphul Chandra, a software design engineer with Texas Instruments Inc. and author of the book Bulletproof Wireless Security.
'The technology and the standards available today allow you to make your wireless networks secure enough to be used for any commercial purpose,' Chandra said. 'Put another way, you can make your wireless networks as secure as, and some may argue more secure than, your wired networks.'
NIST is in the process of updating SP 800-48 to reflect advances in wireless security, but the principal caveat of that publication still applies: 'All the vulnerabilities that exist in a conventional wired network apply to wireless technologies,' plus a host of others associated with radio communications and mobile clients.
Even agencies that decide against deploying WiFi networks cannot afford to ignore the technology.
'They can't assume wireless will stay outside of their perimeter,' said Tim Cranny, senior security architect for Senforce Technologies Inc. of Draper, Utah.
Most notebook computers today have wireless capability built in and can form ad hoc links with each other without any access point, opening unexpected holes in the network. Without tools to discover and control end points and enforce policy, a policy is just so much shelfware.
So how can agencies enjoy the benefits of wireless computing and still rest assured their data is safe? Regardless of the technologies used, the fundamentals of securing a network still apply. Assess the vulnerabilities, threats and risks to the network and to the resources it supports to determine the level of mitigation required; then balance the cost of that mitigation in cash, manpower and administrative overhead against the benefits.
When you've finally built a secure wireless LAN, the final step is to periodically reassess the policies and technologies being used to secure the network.
In between these two milestones, assessment and reassessment, is a process for creating a secure WLAN that depends on the technological architecture, needs and security profile of each enterprise.
Step One: Privacy
The three basic elements of a secure WLAN are privacy, authentication and authorization, said John Dow, vice president of business development for Fortress Technologies Inc. of Oldmar, Fla.
'If you do those three things, you're doing pretty good,' Dow said.
Privacy over WiFi originally was entrusted to Wired Equivalent Privacy, an optional encryption standard so flawed that although security experts said it was better than nothing, it was generally agreed that it was not much better.
The Institute of Electrical and Electronics Engineers last year finalized the 802.11i security standard to replace WEP. It defines how WLAN traffic is keyed and encrypted, using either the Temporal Key Integrity Protocol, a stopgap that wraps the RC4 cipher WEP already used, or CCMP, which is built on the Advanced Encryption Standard.
Before the new standard was finalized, the Wi-Fi Alliance, an industry group promoting the use of 802.11 networks, adopted the WiFi Protected Access specification, which incorporated the elements of the developing standard, chiefly TKIP, that could be implemented in software on existing radios. With finalization of the standard, a second set of specifications, WPA2, came out last year. The Defense Department's wireless policy specifically recommends adopting WPA2-compliant products. But because the AES encryption WPA2 requires needs hardware support that older RC4-based radios lack, most pre-WPA2 products cannot be upgraded in software.
'802.11i has been quite satisfactory to all security experts,' said Chandra. 'Now it's a question of getting the hardware to market.'
Most WiFi equipment shipping today is WPA2-enabled and supports strong encryption with AES, said Pej Roshan, a wireless product line manager for Cisco Systems Inc. He said that a two-year refresh cycle is common for notebook computers, so most client devices will be 802.11i-compliant in a fairly short time. But the access points they communicate with are replaced less often. A legacy network would currently require a wholesale upgrade of the access points to get the advanced encryption.
Privacy, or confidentiality, also can be compromised where the access point connects to the wired network, at a switch or a hub. Because a hub repeats every frame to every connected port, anyone on the same hub can read the traffic once it leaves the radio link, so NIST recommends that agencies connect access points to switches instead of hubs.
Step Two: Authentication
Authentication is the next link in the security chain. The client device and the access point it connects with should each know who they are communicating with, and the access point should be able to vouch for the client's identity to the network. This most often is handled by one of the varieties of the Extensible Authentication Protocol, carried over the wireless link by IEEE's 802.1X port-based access control standard, which blocks all other traffic from a client until its authentication succeeds.
EAP can use passwords, tokens, smart cards or digital certificates to authenticate users and access points. Many vendors use some version of it. Cisco's Lightweight EAP, one of the most common implementations, relies on a password; because LEAP's challenge-response exchange can be captured over the air and run through an offline dictionary attack, it should be used only with strong passwords, if at all. EAP-FAST also uses a password, but is more scalable and protects the exchange inside an encrypted tunnel.
Microsoft's Protected EAP provides two-phase authentication: the authentication server presents a certificate, which the client uses to build an encrypted TLS tunnel, and inside that tunnel the client authenticates with a user name and password (typically MS-CHAPv2). The keys for the AES-encrypted wireless session are derived from that exchange. This provides more secure authentication than a bare password, but adds administrative overhead, and the protection depends on clients actually validating the server's certificate; a client configured to skip that check will hand its credentials to any rogue access point that presents a certificate.
EAP Transport Layer Security (EAP-TLS) provides the strongest authentication, using certificates on both the client and the server issued by a public-key infrastructure.
'It has a lot of administration associated with it, and is difficult to deploy remotely,' Roshan said.
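The client side of the privacy and authentication choices above is where deployments most often go wrong: a supplicant that still accepts WEP or TKIP, or a PEAP profile that never checks the RADIUS server's certificate. The following audit script is an added example, not code from the article or any vendor it quotes. The option names (key_mgmt, eap, pairwise, ca_cert, domain_suffix_match and so on) are real wpa_supplicant.conf options; the configuration text and the SSIDs, paths and identities in it are constructed for illustration.

```python
"""Audit wpa_supplicant network blocks for the weak settings discussed above.

Added example. The option names are real wpa_supplicant.conf keys; the
configuration below is constructed and does not describe a real network.
"""

# Constructed sample config: a WEP network, a PEAP network that never
# validates the RADIUS server's certificate, and a hardened EAP-TLS network.
SAMPLE_CONF = """\
network={
    ssid="OldNet"
    key_mgmt=NONE
    wep_key0=0123456789
    wep_tx_keyidx=0
}
network={
    ssid="AgencyNet"
    key_mgmt=WPA-EAP
    pairwise=CCMP TKIP
    eap=PEAP
    identity="jdoe"
    password="hunter2"          # sent as an MS-CHAPv2 response inside the tunnel
    phase2="auth=MSCHAPV2"
}
network={
    ssid="AgencyNet"
    key_mgmt=WPA-EAP
    proto=RSN
    pairwise=CCMP
    eap=TLS
    identity="jdoe@agency.example"
    ca_cert="/etc/ssl/certs/agency-ca.pem"
    client_cert="/etc/wpa_supplicant/jdoe.pem"
    private_key="/etc/wpa_supplicant/jdoe.key"
    domain_suffix_match="radius.agency.example"
}
"""

# Any of these pins the server identity beyond "signed by the trusted CA".
NAME_CHECKS = {"domain_suffix_match", "subject_match", "altsubject_match"}


def parse_networks(text):
    """Return a list of dicts, one per network={...} block (quotes stripped)."""
    nets, cur = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if line.startswith("network={"):
            cur = {}
        elif line == "}" and cur is not None:
            nets.append(cur)
            cur = None
        elif cur is not None and "=" in line:
            key, value = line.split("=", 1)
            cur[key.strip()] = value.strip().strip('"')
    return nets


def audit_network(net):
    """Return (ssid, [issues]) for one network block."""
    issues = []
    uses_wep = any(k.startswith("wep_key") for k in net)
    # key_mgmt=NONE means an open or WEP link; none of the later checks apply.
    if net.get("key_mgmt", "WPA-PSK WPA-EAP") == "NONE" or uses_wep:
        return net.get("ssid", "?"), ["WEP or open network"]
    # wpa_supplicant's default pairwise set is "CCMP TKIP", so an absent
    # pairwise= line also allows the weaker cipher.
    if "TKIP" in net.get("pairwise", "CCMP TKIP").split():
        issues.append("TKIP allowed as pairwise cipher")
    eap = net.get("eap", "").upper()
    if eap == "LEAP":
        issues.append("LEAP: challenge/response is open to offline dictionary attack")
    if eap in {"PEAP", "TTLS", "TLS"}:
        if "ca_cert" not in net:
            issues.append(f"{eap} without ca_cert: server certificate is never "
                          "validated, so a rogue AP can impersonate the RADIUS server")
        elif not NAME_CHECKS & set(net):
            issues.append(f"{eap}: no server name check, any certificate from "
                          "the CA is accepted")
    return net.get("ssid", "?"), issues


def audit_conf(text):
    """Audit every network block in a wpa_supplicant.conf body."""
    return [audit_network(n) for n in parse_networks(text)]


if __name__ == "__main__":
    for ssid, issues in audit_conf(SAMPLE_CONF):
        print(ssid, "OK" if not issues else "; ".join(issues))
```

Run against the constructed sample, the script flags the WEP network, and for the PEAP profile both the TKIP fallback and the missing ca_cert; the EAP-TLS profile, which pins the CA and the server's domain, passes clean. The ca_cert check is the one that matters most in practice: without it the TLS tunnel in PEAP protects the password only from eavesdroppers, not from an attacker running his own access point and RADIUS server.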
Virtual private networks also can encrypt communications between a client and a VPN gateway placed behind the access points, treating the wireless segment itself as untrusted, and provide some level of authentication. The disadvantage is that mobile VPN users must reauthenticate at each new access point. This is eliminated with 802.1X, which derives per-session keys at authentication time and re-keys the link dynamically.
Step Three: Authorization
Authorization is the process of deciding what a user can access once he has been authenticated on the network.
'It is the easiest part of the solution to implement,' Roshan said. It rests on policy rather than technology.
Enforcement of all policies is a necessary part of any security program, but it becomes more difficult when end points are mobile and are connecting to a network remotely. Ensuring that clients are authorized, properly configured and free from malicious code means examining each device as it is authenticated.
Policy is typically managed centrally, and can be handled at the client end either with an agent or by scanning. Each has its advantages and tradeoffs.
An agent is a piece of software residing on the client that communicates with a policy server, giving the server information about the condition of the client.
'Having an agent-based solution gives maximum functionality,' Roshan said. 'The downside is rolling out and managing that software.'
There also is the threat of an unauthorized client without an agent being completely missed. This can be remedied with a solution that scans connecting devices without requiring client software. The amount of detail returned about the client is typically less than with an agent.
Which should you use? 'That depends on the level of paranoia of the information security group,' Roshan said. 'If you really want to dive into the client machine, you really need an agent.'
Step Four: Smart deployment
Attention also must be given to the access points that provide gateways into the network. These are the devices that, if improperly deployed, provide the Ethernet port in the parking lot. To stay out of the parking lot, care must be taken to map and limit radio coverage of access points to the areas that are supposed to be covered.
But careful placement and calibration does not provide complete protection. Malicious devices with high-gain antennas can connect with an access point from well beyond its nominal range, and unmanaged rogue access points can provide uncontrolled access.
Wireless intrusion detection systems can help combat these problems by monitoring both traffic on the network and radio activity in the area.
'The challenge is that you have to have some devices that are listening to the air for long periods of time,' Roshan said.
Although access points do monitor their area, an access point that is serving clients can only sample other channels briefly, too quickly to detect malicious activity without affecting throughput. Roshan recommended one dedicated IDS scanning device to every five to 10 access points, depending on the environment.
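The two checks a dedicated listener performs most often are the ones this section and the privacy section describe: is anything in range still advertising WEP or TKIP, and is anything advertising our SSID that we did not deploy (the rogue or "evil twin" access point). The script below is an added example, not code from the article or any vendor quoted in it. It parses the text format of `iw dev <interface> scan`, a real Linux tool, but the scan output, SSIDs, BSSIDs and inventory are all constructed for illustration.

```python
"""Flag weak ciphers and rogue or evil-twin access points from an `iw` scan.

Added example: parses the text format printed by `iw dev <if> scan` and
compares what is on the air against an inventory of authorized BSSIDs.
The scan text and the inventory are constructed, not a real capture.
"""
import re

# Constructed sample of `iw dev wlan0 scan` output with four BSSes.
SAMPLE_SCAN = """\
BSS 00:11:22:33:44:01(on wlan0)
    freq: 2437
    capability: ESS Privacy ShortSlotTime (0x0411)
    signal: -48.00 dBm
    SSID: AgencyNet
    RSN:     * Version: 1
         * Group cipher: CCMP
         * Pairwise ciphers: CCMP
         * Authentication suites: IEEE 802.1X
BSS 00:11:22:33:44:02(on wlan0)
    freq: 2462
    capability: ESS Privacy ShortSlotTime (0x0411)
    signal: -61.00 dBm
    SSID: AgencyNet
    WPA:     * Version: 1
         * Group cipher: TKIP
         * Pairwise ciphers: TKIP
         * Authentication suites: PSK
BSS de:ad:be:ef:00:01(on wlan0)
    freq: 2437
    capability: ESS ShortSlotTime (0x0401)
    signal: -55.00 dBm
    SSID: AgencyNet
BSS 00:11:22:33:44:03(on wlan0)
    freq: 5180
    capability: ESS Privacy (0x0011)
    signal: -70.00 dBm
    SSID: GuestNet
"""

# Constructed inventory of the access points we actually deployed.
INVENTORY = {"AgencyNet": {"00:11:22:33:44:01", "00:11:22:33:44:02"}}

BSS_LINE = re.compile(r"^BSS ([0-9a-f]{2}(?::[0-9a-f]{2}){5})")


def parse_iw_scan(text):
    """Split scan output into one dict per BSS holding the fields we audit."""
    bsses, cur = [], None
    for line in text.splitlines():
        m = BSS_LINE.match(line)
        if m:
            cur = {"bssid": m.group(1), "ssid": "", "privacy": False,
                   "rsn": False, "wpa": False, "ciphers": set(), "akms": set()}
            bsses.append(cur)
            continue
        if cur is None:
            continue
        field = line.strip()
        if field.startswith("SSID:"):
            cur["ssid"] = field[5:].strip()
        elif field.startswith("capability:"):
            cur["privacy"] = "Privacy" in field      # "protected" capability bit
        elif field.startswith("RSN:"):
            cur["rsn"] = True                         # 802.11i / WPA2 element
        elif field.startswith("WPA:"):
            cur["wpa"] = True                         # pre-standard WPA element
        elif field.startswith("* ") and "cipher" in field:
            cur["ciphers"].update(field.split(":", 1)[1].split())
        elif field.startswith("* Authentication suites:"):
            cur["akms"].add(field.split(":", 1)[1].strip())
    return bsses


def classify(bss):
    """Weakest link-layer protection a BSS offers, from the elements it advertises."""
    if bss["rsn"] and bss["ciphers"] == {"CCMP"}:
        return "WPA2-CCMP"
    if bss["rsn"] or bss["wpa"]:
        return "TKIP"      # WPA1, or WPA2 in mixed mode still offering TKIP
    if bss["privacy"]:
        return "WEP"       # Privacy bit set but no RSN/WPA element at all
    return "OPEN"


def audit(scan_text, inventory):
    """Return (bssid, ssid, finding) for every BSS that needs attention."""
    findings = []
    for bss in parse_iw_scan(scan_text):
        sec = classify(bss)
        ssid, bssid = bss["ssid"], bss["bssid"]
        if ssid in inventory and bssid not in inventory[ssid]:
            findings.append((bssid, ssid, f"evil twin: our SSID from unknown BSSID ({sec})"))
        elif ssid not in inventory:
            findings.append((bssid, ssid, f"unmanaged AP in range ({sec})"))
        elif sec != "WPA2-CCMP":
            findings.append((bssid, ssid, f"authorized AP still offers {sec}"))
        elif "IEEE 802.1X" not in bss["akms"]:
            findings.append((bssid, ssid, "authorized AP uses PSK instead of 802.1X"))
    return findings


if __name__ == "__main__":
    for bssid, ssid, finding in audit(SAMPLE_SCAN, INVENTORY):
        print(f"{bssid}  {ssid:<12} {finding}")
```

On the constructed sample the script reports the authorized AP that still runs TKIP, the open access point impersonating AgencyNet from an unknown BSSID, and an unmanaged WEP network in range; the correctly configured AP (WPA2, CCMP only, 802.1X) produces no finding. A real listener would run this over scans taken continuously on each channel, which is exactly the dwell time a production access point cannot afford to spend off its serving channel.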
The standards and technology to adequately secure a WLAN exist today. But in a rapidly evolving field, a primary challenge is tying it all together in an interoperable whole. For the time being, single-vendor solutions may be the simplest way to deploy a secure WLAN without struggling with interoperability issues.
Another option may be to put off deploying WiFi until the evolving standards have produced fully interoperable products. Senforce's Cranny predicted that in five years, mature WiFi technology would produce robust, stable back ends that can work with any end points. But can your agency wait five years?