Building Secure Enterprise WLANs

Standards Confusion

Wireless security standards are complicated. Some might even call them ugly. In fact, WEP was broken even before it was broken--the underlying inadequacies in first-generation 802.11 security went well beyond the cryptographic deficiencies in WEP's RC4-based algorithm. The simple concept of "authentication" has a different meaning in the 802.11 community than it does in the broader IT market. To implement a basic ID-password scheme on a WLAN, you need yet another protocol--802.1x, which, when combined with the Extensible Authentication Protocol and a range of EAP authentication types, is workable. Confusing enough for you?

There's some good news. The long-awaited 802.11i specification, which sports better AES-based encryption of 802.11 data frames, sophisticated authentication and dynamic key allocation, is almost ready. Expect to see products by year's end. However, 802.11i is no silver bullet. Although it addresses fundamental security, you'll have to make some choices within the 11i framework and face a number of implementation challenges. In addition, critical security issues fall outside the 802.11i model, including intrusion- and rogue-device detection and physical security of APs and their configurations. Finally, the 802.11i committee failed to incorporate "fast handoff" into the standard, even though roaming capabilities are needed with time-sensitive applications such as wireless VoIP.

Still, if you need a secure solution today, several alternatives are available. Last year, the Wi-Fi Alliance added WPA (Wi-Fi Protected Access) to its certification test bed, placing an industry association in the awkward position of defining and certifying products for a wireless standard that lies outside IEEE's domain (see "Setting Standards: WPA and 802.11i,"). Essentially a subset of the emerging 802.11i spec, WPA addresses the known vulnerabilities with WEP encryption while incorporating 802.1x-based authentication and the TKIP encryp- tion mechanism that works with legacy hardware. It doesn't seal every conceivable hole, but it mitigates major risks. WPA2, which is based on the 802.11i standard, will be part of the Wi-Fi Alliance's certification test bed later this year.

If WPA isn't your cup of tea, you can opt for other forms of WLAN security. VPNs, using a standard gateway or one of the many hybrids optimized for wireless, are popular. Other mobile security gateways, while proprietary, offer transparent roaming and session-persistence between WLANs and increasingly ubiquitous 2.5G cellular data networks. More on those later. Like any network security implementation, WLAN security design begins with risk assessment and policy formulation. Some organizations may be comfortable rolling out "dirty" WLANs in their DMZs and treating them like other incoming Internet connections. Others have defined strict "WLANs prohibited" policies. Ironically, these organizations may need to spend big bucks implementing wireless security-monitoring systems to enforce their no-use policies. It's just too tempting for some users to buy a wireless router for less than $100 and install it themselves.Although the no-wireless policy may be appropriate for high-security environments, most organizations feel pressure from users--and often from senior management--to deploy secure production WLANs. In our reader survey, lack of user demand was cited as the least significant barrier to WLAN adoption (see sidebar, "What You Said About WLAN Security,"). Most IT managers we've spoken to see wireless as positive and inevitable. It's not if, but when. Although some continue to wait for the perfect time to get some skin in the game, the smarter play is to deploy a test bed to serve immediate needs and let your technical staff gain experience in locking down your airwaves.

It's Not Like Ethernet

Although WLANs have much in common with Ethernet, including a similar contention-based MAC (Media Access Control) architecture that has led some to refer to them as wireless Ethernet, it's inappropriate to apply the same security policies to both. With Ethernet, you can provide a base level of physical protection by securing the Ethernet medium and isolating traffic using Layer 2 and Layer 3 switches, but that's not possible with WLANs because all devices share a common medium--the airwaves. Although some organizations have employed 802.1x authentication to control access to their Ethernet networks, most provide a much less granular means of security, and they usually do so at Layer 3 and above.

Wireless is different, mainly because the medium is nearly impossible to control physically. Worst case, attackers equipped with high-gain directional antennas access your airwaves from outside your facilities--a trivial undertaking requiring an investment of less than $100. Because of this reality, WLANs require sophisticated, multilayered security. You must find a way to manage the medium, enforce access control at Layer 2 and implement higher-layer security just as you would on a wired LAN.

The main requirements of WLAN security fall into three areas: authentication, privacy and authorization. Managers also should consider physical protection of WLAN infrastructure devices, vulnerability assessment and intrusion detection.The most common method of providing authentication uses a security overlay and wireless access points. Organizations adopting this strategy usually install their WLANs outside the enterprise firewall, often using VLANs if the wireless infrastructure spans multiple buildings, and treat it as a dirty network. Even if an attacker penetrates the WLAN, he or she will gain access rights equivalent to those given to users on the public Internet. Because WLAN users look like Internet users, it's not surprising that IPsec VPNs often are used to secure WLANs--after all, they provide authentication, authorization and privacy (encryption). But VPNs are costly, require VPN clients on all endpoints, don't interoperate well with non-Windows clients, don't scale well in high-traffic environments and provide no protection at Layer 2. Layer 2 protection is more important with WLANs than with other LANs: A variety of management frames, which contain information about your network, are transmitted over the network.

Organizations that don't want to incur the high overhead of VPNs may opt for captive-portal Web authentication used with a dynamically configured firewall. Users associate with APs without providing authentication credentials but are redirected to a captive-portal Web page, where they must log in to gain access rights. Captive-portal authentication is popular in universities and hotspots where service providers cannot make assumptions about the availability of client-authentication software. All you need is a browser-capable device--even a PDA or smartphone--and you can gain secure access.

To facilitate guest use, those without appropriate credentials may be given access to the public Internet but restricted from internal hosts. Web authentication is a reasonable approach to providing authentication and authorization, but it does not provide encryption, except to the degree that the authentication is often protected using SSL.

The IEEE's approach to WLAN authentication is based on 802.1x, which provides port-level authentication (the "port" is defined as the 802.11 association between client and AP) and EAP, which creates a flexible tunnel through which authentication can be passed. This Layer 2 approach, central to both WPA and 802.11i, involves back-end RADIUS servers, usually tied into an existing user database. Mobile devices must be configured with 802.1x clients (supplicants in 802.1x parlance) that support specific EAP authentication types. And there's the rub: Even assuming that 802.1x is supported on your wireless clients--not always the case for PDAs and VoIP phones--there are multiple EAP authentication types to choose from. Unfortunately, there's little reason to expect the industry to standardize on a single EAP type, for both political and technical reasons. We had hoped that PEAP (Protected EAP) would emerge as the de facto standard, but for now, the industry is stuck with incompatible implementations from Cisco and Microsoft. Over the next several years, it's likely that broad support for a range of EAP types will be included in most popular OSs, but today, you'll need to stick with what is there (TLS and MS-PEAP on Win2K and XP) or turn to Funk Software, Meetinghouse Data Communications and other vendors for more flexible 802.1x clients.

In addition to authentication, 802.1x also handles key management, providing a mechanism for unique encryption keys to be distributed to clients when they authenticate. When used in conjunction with 802.11i's AES encryption (which is supported in most new WLAN silicon), this provides strong data privacy.Note that 802.1x is not a WLAN protocol per se. In fact, a number of Ethernet switches now support 802.1x. Although only a small proportion of Ethernet network admins have implemented 802.1x, once organizations implement 802.1x-based WLAN security, they may find it much easier to extend the same services to their Ethernet networks (for a primer on 802.1x, see "The New Face of Authentication,"). Beyond mainstream authentication, authorization and privacy, many WLAN designers are paying attention to physical infrastructure security, vulnerability assessment and intrusion detection. Unlike Ethernet switches, which usually are physically secured in telecommunications closets, WLAN APs typically are installed in corridors and above ceiling tiles, causing concern about equipment theft because the AP configuration files may include sensitive information. This is less of a problem with newer switched infrastructure designs than it is with more conventional smart APs, like those offered by Cisco, because so-called thin APs usually rely on central switches for configuration information, and the devices have minimal monetary value. Cisco is one of the few vendors to design physical security into its boxes, using mounting hardware that can be secured by lock and key.

Based on our reader survey, a small proportion of IT pros are concerned about physical security, but the same can't be said for intrusion detection. In fact, the so-called "parking-lot attack" by a malicious hacker may be a system designer's worst nightmare.

To address these problems, AirDefense, AirMagnet, Network Chemistry and other vendors provide WLAN monitoring systems integrated into infrastructure equipment or layered on top of the infrastructure using dedicated RF sensors. These monitoring systems, which are the focus of our companion review (see "Watching the Waves,"), provide a range of services, including policy enforcement, vulnerability assessment, rogue-device and intrusion detection, and even containment of attackers. When used in conjunction with location-awareness technologies (see "Location, Location, Location,"), these products identify attacks and determine their location. And because they constantly scan the airwaves for security incidents, these systems may also provide performance monitoring and remote troubleshooting. Although most WLAN infrastructure vendors have improved their integrated monitoring capabilities, dedicated monitoring products provide more functionality.

The Security Market

Leading manufacturers of smart APs--including Cisco, Enterasys Networks, Proxim and 3Com--are focused on 802.1x. Cisco, through its SWAN (Structured Wireless-Aware Network) initiative, says it plans to provide a range of security services, but till then you'll have to look to third parties to secure a Cisco WLAN. The new CiscoWorks WLSE (Wireless LAN Solution Engine) management platform provides limited rogue-device and interference detection while enforcing policy through a configuration-management system. For its part, Enterasys has implemented its UPN (User Personalized Networking) on its RoamAbout access points, pushing access policies down to individual APs.Newer wireless switch architectures from Airespace, Aruba Wireless Networks, Symbol Technologies, Trapeze Networks and others have been engineered with security in mind. In fact, these architectures simplify security enforcement by centralizing policy management. Airespace and Aruba offer the most flexible and sophisticated security implementations, including monitoring capabilities not available from competitors.

Other vendors have had an impact on the market. Vendors of enterprise wireless security gateways, such as Bluesocket, ReefEdge Networks and Vernier Networks, make security overlays that work with any 802.11 AP, providing authentication, privacy, access control and even QoS (Quality of Service). The gateway sits between your dirty WLAN and the secure network, enforcing security policies and providing value-added services like secure roaming.

This modular approach has benefits, particularly for sites with large investments in AP infrastructure or that want the flexibility of selecting APs from multiple vendors, but it does add to the cost and management overhead. Many of the features pioneered by these vendors have been implemented in new WLAN switch architectures, which often provide a more fully integrated solution that includes centralized configuration management and dynamic radio control. The gateway vendors are beginning to develop partnerships with AP manufacturers to deliver more comprehensive systems.

Some security overlay vendors offer more focused devices with niche differentiators. For example, Perfigo provides a security gateway with multivendor AP configuration management and client management. Other vendors offer security implementations that rely on proprietary clients to provide enhanced security, secure roaming across multiple wireless network types (WLAN and GPRS, for example) and session persistence. The long list of these vendors includes Columbitech, Cranite Systems, Ecutel Systems, Fortress Technologies, IpUnplugged and NetMotion Wireless. Some of these provide FIPS-compliant products, making them suitable for government and military environments.

Although these gateways and security overlays are effective, they can be costly to acquire and maintain. In addition, large networks, especially those using high-speed WLANs like 802.11g and 802.11a, may find that they introduce bottlenecks.The Future

Today, much of the wireless industry is focused on 802.11i as the solution to its security quandary. The IEEE has done a good job of addressing the vulnerabilities while adding new services. Given the negative press that surrounded the IEEE's Swiss-cheese-like WEP standard, it's understandable that the 802.11i committee needed to be thorough, though when it came time to address the issue of fast handoff to support low-latency secure roaming across IP subnets, the committee punted.

It's likely that 802.11i's most significant impact will be symbolic, however, allaying the fears of zealous security professionals and opening the way for broader deployment of WLANs. Widespread adoption is unlikely anytime soon. It will take some time to stabilize and to verify interoperability among vendor offerings. In addition, 802.11i will still require IT professionals to make basic decisions about which RADIUS server to implement and which EAP authentication types to support.

Given the likely momentum associated with 802.11i, it will be interesting to see whether the market can sustain the wide range of targeted products. This sector is ripe for consolidation, but picking the winners is no easy task. The good news is that two years from now, security will no longer be an obstacle to enterprise WLAN adoption.

DAVE MOLTA is a senior technology editor at NETWORK COMPUTING. He is also assistant dean for technology at the School of Information Studies at Syracuse University and director of the Center for Emerging Network Technologies. Write to him at [email protected]. Post a comment or question on this story.