Building Secure Enterprise WLANs
Thanks to new and improved security standards and monitoring devices, you can finally build a WLAN that keeps data thieves at bay.
February 27, 2004
Standards Confusion
Wireless security standards are complicated. Some might even call them ugly. In fact, WEP was broken even before its cipher was broken: the underlying inadequacies in first-generation 802.11 security went well beyond the cryptographic deficiencies in WEP's RC4-based algorithm. Even the simple concept of "authentication" means something different in the 802.11 community than it does in the broader IT market; the original 802.11 open-system and shared-key authentication establishes only that a station may associate with an AP (at best, that it holds the WEP key), not who the user is. To implement a basic ID-password scheme on a WLAN, you need yet another protocol, 802.1x, which is workable when combined with the Extensible Authentication Protocol and one of a range of EAP authentication types. Confusing enough for you?
There's some good news. The long-awaited 802.11i specification, which sports better AES-based encryption of 802.11 data frames, sophisticated authentication and dynamic key allocation, is almost ready. Expect to see products by year's end. However, 802.11i is no silver bullet. Although it addresses fundamental security, you'll have to make some choices within the 11i framework and face a number of implementation challenges. In addition, critical security issues fall outside the 802.11i model, including intrusion- and rogue-device detection and physical security of APs and their configurations. Finally, the 802.11i committee failed to incorporate "fast handoff" into the standard, even though roaming capabilities are needed with time-sensitive applications such as wireless VoIP.
Still, if you need a secure solution today, several alternatives are available. Last year, the Wi-Fi Alliance added WPA (Wi-Fi Protected Access) to its certification test bed, placing an industry association in the awkward position of defining and certifying products for a wireless standard that lies outside IEEE's domain (see "Setting Standards: WPA and 802.11i,"). Essentially a subset of the emerging 802.11i spec, WPA addresses the known vulnerabilities in WEP encryption while incorporating 802.1x-based authentication and the TKIP encryption mechanism, which keeps RC4 so that it works with legacy hardware but adds per-packet key mixing, a longer sequence counter that prevents IV reuse and replay, and the Michael message-integrity check. It doesn't seal every conceivable hole, but it mitigates the major risks. WPA2, which is based on the 802.11i standard, will be part of the Wi-Fi Alliance's certification test bed later this year.
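The weakness that TKIP's per-packet key mixing and sequence counter were built to remove, as an added example that is not from the original article: WEP forms each packet's RC4 key by prepending a 24-bit IV to the shared key, so on a busy network IVs repeat and two frames then share a keystream. The Python below implements RC4 and the WEP-style per-packet key (the CRC-32 integrity value is left out, since it does not matter for this point), then recovers one frame's contents from another frame encrypted under the same IV using a guessed plaintext. The key, IV and frame contents are constructed for the example.

```python
# Added example (not code from the original article): WEP keystream reuse.
# Key, IV and frame contents below are constructed for illustration.


def rc4(key: bytes, length: int) -> bytes:
    """Plain RC4: key-scheduling, then `length` bytes of keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(root_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style per-packet key: the 24-bit IV is simply prepended to the
    shared key, and the IV travels in the clear in front of the ciphertext.
    Real WEP also appends a CRC-32 ICV; omitted here."""
    assert len(iv) == 3
    keystream = rc4(iv + root_key, len(plaintext))
    return iv + bytes(p ^ k for p, k in zip(plaintext, keystream))


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def recover_keystream(frame: bytes, known_plaintext: bytes) -> bytes:
    """Known plaintext attack: ciphertext XOR plaintext gives the keystream
    for this IV, without ever learning the root key."""
    body = frame[3:]
    return xor(body[:len(known_plaintext)], known_plaintext)


def decrypt_with_keystream(frame: bytes, keystream: bytes) -> bytes:
    """Apply a recovered keystream to any other frame that reused the IV."""
    body = frame[3:]
    return xor(body[:len(keystream)], keystream)


ROOT_KEY = b"\x2a\x91\x7f\x0c\x55"               # constructed 40-bit WEP key
IV = b"\x00\x00\x01"                             # constructed IV the AP reuses
FRAME_A_PT = b"GET /index.html HTTP/1.0\r\n"      # plaintext an attacker can guess
FRAME_B_PT = b"password=hunter2&user=bob\r\n"    # plaintext the attacker wants


def demo() -> bytes:
    """Two frames under one IV: guess frame A, read frame B."""
    frame_a = wep_encrypt(ROOT_KEY, IV, FRAME_A_PT)
    frame_b = wep_encrypt(ROOT_KEY, IV, FRAME_B_PT)
    keystream = recover_keystream(frame_a, FRAME_A_PT)
    return decrypt_with_keystream(frame_b, keystream)


if __name__ == "__main__":
    print(demo())
```

With only 2^24 IVs and no rule against reuse, a busy AP exhausts the IV space within hours; TKIP's per-packet key mixing and 48-bit sequence counter remove this shared-keystream condition, and WPA2's AES-based CCMP replaces RC4 altogether.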
If WPA isn't your cup of tea, you can opt for other forms of WLAN security. VPNs, using a standard gateway or one of the many hybrids optimized for wireless, are popular. Other mobile security gateways, while proprietary, offer transparent roaming and session-persistence between WLANs and increasingly ubiquitous 2.5G cellular data networks. More on those later.

Like any network security implementation, WLAN security design begins with risk assessment and policy formulation. Some organizations may be comfortable rolling out "dirty" WLANs in their DMZs and treating them like other incoming Internet connections. Others have defined strict "WLANs prohibited" policies. Ironically, these organizations may need to spend big bucks implementing wireless security-monitoring systems to enforce their no-use policies. It's just too tempting for some users to buy a wireless router for less than $100 and install it themselves.

Although the no-wireless policy may be appropriate for high-security environments, most organizations feel pressure from users--and often from senior management--to deploy secure production WLANs. In our reader survey, lack of user demand was cited as the least significant barrier to WLAN adoption (see sidebar, "What You Said About WLAN Security,"). Most IT managers we've spoken to see wireless as positive and inevitable. It's not if, but when. Although some continue to wait for the perfect time to get some skin in the game, the smarter play is to deploy a test bed to serve immediate needs and let your technical staff gain experience in locking down your airwaves.
It's Not Like Ethernet
Although WLANs have much in common with Ethernet, including a similar contention-based MAC (Media Access Control) architecture that has led some to refer to them as wireless Ethernet, it's inappropriate to apply the same security policies to both. With Ethernet, you can provide a base level of physical protection by securing the Ethernet medium and isolating traffic using Layer 2 and Layer 3 switches, but that's not possible with WLANs because all devices share a common medium--the airwaves. Although some organizations have employed 802.1x authentication to control access to their Ethernet networks, most provide a much less granular means of security, and they usually do so at Layer 3 and above.
Wireless is different, mainly because the medium is nearly impossible to control physically. Worst case, attackers equipped with high-gain directional antennas access your airwaves from outside your facilities--a trivial undertaking requiring an investment of less than $100. Because of this reality, WLANs require sophisticated, multilayered security. You must find a way to manage the medium, enforce access control at Layer 2 and implement higher-layer security just as you would on a wired LAN.
The main requirements of WLAN security fall into three areas: authentication, privacy and authorization. Managers also should consider physical protection of WLAN infrastructure devices, vulnerability assessment and intrusion detection.

The most common method of providing authentication uses a security overlay and wireless access points. Organizations adopting this strategy usually install their WLANs outside the enterprise firewall, often using VLANs if the wireless infrastructure spans multiple buildings, and treat it as a dirty network. Even if an attacker penetrates the WLAN, he or she will gain access rights equivalent to those given to users on the public Internet. Because WLAN users look like Internet users, it's not surprising that IPsec VPNs often are used to secure WLANs--after all, they provide authentication, authorization and privacy (encryption). But VPNs are costly, require VPN clients on all endpoints, don't interoperate well with non-Windows clients, don't scale well in high-traffic environments and provide no protection at Layer 2. Layer 2 protection is more important with WLANs than with other LANs: 802.11 management frames, which carry information about your network (beacons, probe responses, association and deauthentication messages), are transmitted in the clear and, under WEP and WPA alike, are neither encrypted nor authenticated, so anyone in range can read or forge them.
Organizations that don't want to incur the high overhead of VPNs may opt for captive-portal Web authentication used with a dynamically configured firewall. Users associate with APs without providing authentication credentials but are redirected to a captive-portal Web page, where they must log in to gain access rights. Captive-portal authentication is popular in universities and hotspots where service providers cannot make assumptions about the availability of client-authentication software. All you need is a browser-capable device--even a PDA or smartphone--and you can gain secure access.
To facilitate guest use, those without appropriate credentials may be given access to the public Internet but restricted from internal hosts. Web authentication is a reasonable approach to providing authentication and authorization, but it does not provide encryption: the login exchange itself is usually protected by SSL, but the traffic that follows crosses the airwaves unencrypted unless another layer (WEP, WPA or a VPN) is applied.
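The captive-portal model described above, as an added example that is not code from the original article or any of the products it names: a gateway that lets any client associate, permits only DNS and the portal page before login, redirects HTTP to the login page, and after login applies a role-based rule (guests reach the Internet but not internal hosts). A real gateway would push the same decisions into its packet filter; here they are a Python policy object keyed by client MAC. The addresses, user accounts and credentials are constructed.

```python
# Added example (not from the original article): captive-portal access control
# with a dynamically configured firewall, modelled in Python. Addresses, users
# and credentials are constructed for illustration.

import hashlib
import hmac

PORTAL_IP = "10.0.0.1"        # constructed: the gateway's own login page
DNS_IP = "10.0.0.53"          # constructed: resolver reachable before login
INTERNAL_PREFIX = "10.1."     # constructed: stands in for the internal network


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted HMAC-SHA256 as a stand-in for a proper password store.
    return hmac.new(salt, password.encode(), hashlib.sha256).digest()


class CaptivePortal:
    def __init__(self, users: dict, session_ttl: int = 3600):
        # users: {username: (salt, password_hash, role)}, role "employee"/"guest"
        self.users = users
        self.ttl = session_ttl
        self.sessions = {}    # client MAC -> (role, expiry time)

    def login(self, mac: str, username: str, password: str, now: float) -> bool:
        rec = self.users.get(username)
        if rec is None:
            return False
        salt, digest, role = rec
        if not hmac.compare_digest(hash_password(password, salt), digest):
            return False
        self.sessions[mac] = (role, now + self.ttl)   # "open the firewall" for this MAC
        return True

    def logout(self, mac: str) -> None:
        self.sessions.pop(mac, None)

    def decide(self, mac: str, dst_ip: str, dst_port: int, now: float) -> str:
        """Return 'allow', 'redirect' (send HTTP to the login page) or 'drop'."""
        sess = self.sessions.get(mac)
        if sess is not None and sess[1] <= now:        # expired: back to the portal
            self.sessions.pop(mac)
            sess = None
        if sess is None:
            # Pre-authentication: only DNS and the portal itself are reachable.
            if dst_ip == PORTAL_IP or (dst_ip == DNS_IP and dst_port == 53):
                return "allow"
            return "redirect" if dst_port == 80 else "drop"
        role, _ = sess
        if role == "guest" and dst_ip.startswith(INTERNAL_PREFIX):
            return "drop"                              # guests get the Internet only
        return "allow"


def build_demo_portal() -> CaptivePortal:
    salt = b"constructed-salt"
    users = {
        "alice": (salt, hash_password("correct horse", salt), "employee"),
        "visitor": (salt, hash_password("lobby-2004", salt), "guest"),
    }
    return CaptivePortal(users, session_ttl=600)


if __name__ == "__main__":
    portal = build_demo_portal()
    print(portal.decide("aa:bb", "93.184.216.34", 80, now=0))   # redirect
    portal.login("aa:bb", "visitor", "lobby-2004", now=0)
    print(portal.decide("aa:bb", "10.1.0.5", 22, now=1))        # drop
```

Everything here is about who may send packets where; nothing in it encrypts a frame, which is why the article pairs this approach with SSL for the login page and leaves the rest of the traffic to WEP, WPA or a VPN.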
The IEEE's approach to WLAN authentication is based on 802.1x, which provides port-level authentication (the "port" is defined as the 802.11 association between client and AP), and EAP, which carries the messages of whatever authentication method is chosen between the client and a back-end authentication server, so the AP relays them without having to understand the method. This Layer 2 approach, central to both WPA and 802.11i, involves back-end RADIUS servers, usually tied into an existing user database. Mobile devices must be configured with 802.1x clients (supplicants in 802.1x parlance) that support specific EAP authentication types. And there's the rub: Even assuming that 802.1x is supported on your wireless clients--not always the case for PDAs and VoIP phones--there are multiple EAP authentication types to choose from. Unfortunately, there's little reason to expect the industry to standardize on a single EAP type, for both political and technical reasons. We had hoped that PEAP (Protected EAP) would emerge as the de facto standard, but for now, the industry is stuck with incompatible implementations from Cisco and Microsoft. Over the next several years, it's likely that broad support for a range of EAP types will be included in most popular OSs, but today, you'll need to stick with what is there (TLS and MS-PEAP on Win2K and XP) or turn to Funk Software, Meetinghouse Data Communications and other vendors for more flexible 802.1x clients.
In addition to authentication, 802.1x also handles key management: a successful EAP exchange yields master key material that is delivered to the AP, and from it unique per-session encryption keys are derived for each client when it authenticates, so no two clients share a key and keys change with every session. When used in conjunction with 802.11i's AES encryption (which is supported in most new WLAN silicon), this provides strong data privacy.

Note that 802.1x is not a WLAN protocol per se. In fact, a number of Ethernet switches now support 802.1x. Although only a small proportion of Ethernet network admins have implemented 802.1x, once organizations implement 802.1x-based WLAN security, they may find it much easier to extend the same services to their Ethernet networks (for a primer on 802.1x, see "The New Face of Authentication,").

Beyond mainstream authentication, authorization and privacy, many WLAN designers are paying attention to physical infrastructure security, vulnerability assessment and intrusion detection. Unlike Ethernet switches, which usually are physically secured in telecommunications closets, WLAN APs typically are installed in corridors and above ceiling tiles, causing concern about equipment theft because the AP configuration files may include sensitive information. This is less of a problem with newer switched infrastructure designs than it is with more conventional smart APs, like those offered by Cisco, because so-called thin APs usually rely on central switches for configuration information, and the devices have minimal monetary value. Cisco is one of the few vendors to design physical security into its boxes, using mounting hardware that can be secured by lock and key.
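The 802.1x exchange and key hand-off discussed above, as an added example that is not code from the original article or from any vendor it names: the supplicant speaks EAP to the AP, the AP relays it to a RADIUS server inside Access-Request messages, and the AP's controlled port passes data frames only after Access-Accept, at which point both the AP and the client hold a per-session key. The challenge/response method is a simplified stand-in for a real EAP type such as EAP-TLS or PEAP (real methods do not HMAC a password, but they do export a master key the same way), the RADIUS reply codes are the real ones, and the user database is constructed.

```python
# Added example (not from the original article): a model of 802.1x port-based
# authentication on a WLAN with a RADIUS back end. The EAP method below is a
# simplified stand-in, not a real EAP type; users and MACs are constructed.

import hashlib
import hmac
import os


def _prf(secret: bytes, *parts: bytes) -> bytes:
    return hmac.new(secret, b"".join(parts), hashlib.sha256).digest()


class RadiusServer:
    """Owns the user database. Talks only to the AP, never to the client."""

    def __init__(self, users: dict):
        self.users = users        # {identity: password bytes}
        self.pending = {}         # identity -> outstanding challenge

    def access_request(self, identity: str, eap_response=None):
        """Return (code, challenge, session_key) using RADIUS reply types."""
        password = self.users.get(identity)
        if password is None:
            return "Access-Reject", None, None
        if eap_response is None:                      # round 1: identity -> challenge
            challenge = os.urandom(16)
            self.pending[identity] = challenge
            return "Access-Challenge", challenge, None
        challenge = self.pending.pop(identity, None)  # round 2: check the response
        if challenge is None:
            return "Access-Reject", None, None
        expected = _prf(password, b"response", challenge)
        if not hmac.compare_digest(expected, eap_response):
            return "Access-Reject", None, None
        # A successful EAP method exports a master key; RADIUS carries it to the AP.
        return "Access-Accept", None, _prf(password, b"master-key", challenge)


class Supplicant:
    def __init__(self, identity: str, password: bytes):
        self.identity, self.password = identity, password
        self.session_key = None

    def answer(self, challenge: bytes) -> bytes:
        # The client derives the same master key from the secret it already holds.
        self.session_key = _prf(self.password, b"master-key", challenge)
        return _prf(self.password, b"response", challenge)


class Authenticator:
    """The AP. EAPOL always passes the uncontrolled port; data waits for authorization."""

    def __init__(self, radius: RadiusServer):
        self.radius = radius
        self.authorized = {}      # client MAC -> session key once the port is open

    def authenticate(self, mac: str, supplicant: Supplicant) -> bool:
        # EAP-Request/Identity, EAP-Response/Identity, relayed inside Access-Request.
        code, challenge, _ = self.radius.access_request(supplicant.identity)
        if code != "Access-Challenge":
            return False
        response = supplicant.answer(challenge)
        code, _, key = self.radius.access_request(supplicant.identity, response)
        if code != "Access-Accept":
            return False                              # EAP-Failure; port stays closed
        self.authorized[mac] = key                    # EAP-Success; controlled port opens
        return True

    def forward(self, mac: str, data_frame: bytes) -> str:
        """What the controlled port does with a data frame from this client."""
        return "forwarded" if mac in self.authorized else "dropped"


def build_demo():
    radius = RadiusServer({"alice": b"correct horse"})   # constructed user database
    return radius, Authenticator(radius)


if __name__ == "__main__":
    _, ap = build_demo()
    alice = Supplicant("alice", b"correct horse")
    print(ap.forward("aa:bb", b"data"))              # dropped
    print(ap.authenticate("aa:bb", alice))           # True
    print(ap.forward("aa:bb", b"data"))              # forwarded
```

The point to take from the model is the division of labour: the AP never sees a password and never decides who is valid, it only opens or closes a port on the server's say-so, which is what lets the same RADIUS infrastructure serve Ethernet switches as well as access points.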
Based on our reader survey, a small proportion of IT pros are concerned about physical security, but the same can't be said for intrusion detection. In fact, the so-called "parking-lot attack" by a malicious hacker may be a system designer's worst nightmare.
To address these problems, AirDefense, AirMagnet, Network Chemistry and other vendors provide WLAN monitoring systems integrated into infrastructure equipment or layered on top of the infrastructure using dedicated RF sensors. These monitoring systems, which are the focus of our companion review (see "Watching the Waves,"), provide a range of services, including policy enforcement, vulnerability assessment, rogue-device and intrusion detection, and even containment of attackers. When used in conjunction with location-awareness technologies (see "Location, Location, Location,"), these products identify attacks and determine their location. And because they constantly scan the airwaves for security incidents, these systems may also provide performance monitoring and remote troubleshooting. Although most WLAN infrastructure vendors have improved their integrated monitoring capabilities, dedicated monitoring products provide more functionality.
The Security Market
Leading manufacturers of smart APs--including Cisco, Enterasys Networks, Proxim and 3Com--are focused on 802.1x. Cisco, through its SWAN (Structured Wireless-Aware Network) initiative, says it plans to provide a range of security services, but till then you'll have to look to third parties to secure a Cisco WLAN. The new CiscoWorks WLSE (Wireless LAN Solution Engine) management platform provides limited rogue-device and interference detection while enforcing policy through a configuration-management system. For its part, Enterasys has implemented its UPN (User Personalized Networking) on its RoamAbout access points, pushing access policies down to individual APs.

Newer wireless switch architectures from Airespace, Aruba Wireless Networks, Symbol Technologies, Trapeze Networks and others have been engineered with security in mind. In fact, these architectures simplify security enforcement by centralizing policy management. Airespace and Aruba offer the most flexible and sophisticated security implementations, including monitoring capabilities not available from competitors.
Other vendors have had an impact on the market. Vendors of enterprise wireless security gateways, such as Bluesocket, ReefEdge Networks and Vernier Networks, make security overlays that work with any 802.11 AP, providing authentication, privacy, access control and even QoS (Quality of Service). The gateway sits between your dirty WLAN and the secure network, enforcing security policies and providing value-added services like secure roaming.
This modular approach has benefits, particularly for sites with large investments in AP infrastructure or that want the flexibility of selecting APs from multiple vendors, but it does add to the cost and management overhead. Many of the features pioneered by these vendors have been implemented in new WLAN switch architectures, which often provide a more fully integrated solution that includes centralized configuration management and dynamic radio control. The gateway vendors are beginning to develop partnerships with AP manufacturers to deliver more comprehensive systems.
Some security overlay vendors offer more focused devices with niche differentiators. For example, Perfigo provides a security gateway with multivendor AP configuration management and client management. Other vendors offer security implementations that rely on proprietary clients to provide enhanced security, secure roaming across multiple wireless network types (WLAN and GPRS, for example) and session persistence. The long list of these vendors includes Columbitech, Cranite Systems, Ecutel Systems, Fortress Technologies, IpUnplugged and NetMotion Wireless. Some of these provide FIPS-compliant products, making them suitable for government and military environments.
Although these gateways and security overlays are effective, they can be costly to acquire and maintain. In addition, large networks, especially those using high-speed WLANs like 802.11g and 802.11a, may find that they introduce bottlenecks.

The Future
Today, much of the wireless industry is focused on 802.11i as the solution to its security quandary. The IEEE has done a good job of addressing the vulnerabilities while adding new services. Given the negative press that surrounded the IEEE's Swiss-cheese-like WEP standard, it's understandable that the 802.11i committee needed to be thorough, though when it came time to address the issue of fast handoff to support low-latency secure roaming across IP subnets, the committee punted.
It's likely that 802.11i's most significant impact will be symbolic, however, allaying the fears of zealous security professionals and opening the way for broader deployment of WLANs. Widespread adoption is unlikely anytime soon. It will take some time to stabilize and to verify interoperability among vendor offerings. In addition, 802.11i will still require IT professionals to make basic decisions about which RADIUS server to implement and which EAP authentication types to support.
Given the likely momentum associated with 802.11i, it will be interesting to see whether the market can sustain the wide range of targeted products. This sector is ripe for consolidation, but picking the winners is no easy task. The good news is that two years from now, security will no longer be an obstacle to enterprise WLAN adoption.
DAVE MOLTA is a senior technology editor at NETWORK COMPUTING. He is also assistant dean for technology at the School of Information Studies at Syracuse University and director of the Center for Emerging Network Technologies. Write to him at [email protected].
"Better WLAN Security Requires Layers, Strong Enforcement"If you have yet to implement a WLAN, this could be your year. Prices are dropping, and the flow of alphabet-soup standards has slowed. Still, worries over security linger. In "Wi-Fi vs. Bad Guy," we show you how new security standards, such as WPA, 802.1x, EAP and 802.11i, as well as old standbys like VPNs, can give your users the mobility they crave while keeping your network secure.But building a WLAN is only the first step. Between malicious attackers and Stu in marketing with his $89.95 bargain-basement access point, the monitoring capabilities that came with your WLAN infrastructure devices may not be enough to ensure network security. In "Watching the Waves", we look at what you'll get from Airespace, Aruba and Cisco versus specialized overlay products. In our Real-World Labs' at Syracuse University, we pitted overlay devices from AirDefense, AirMagnet, Network Chemistry, Network Instruments, Newbury Networks and WildPackets against an arsenal of attacks, rogue and fake access points, and Bluetooth-generated RF interference. AirMagnet's alluring Distributed device took our Editor's Choice, while Network Chemistry's WIPS snagged our Best Value award. Reports of WLAN security flaws are all too familiar, and vendors have reacted: The WLAN market burned through $1.8 billion in capital and at least $600 million in advertising over the past three years, and more than 150 companies have staked claims to future Wi-Fi revenue. Nonetheless, the adoption rate for WLANs remains sluggish. A 2003 Meta Group study showed that 33 percent of enterprises have at least one production WLAN, yet WLANs comprise less than 5 percent of the total LAN ports in use. A recent Consumer Electronics Association study revealed only 11 percent, or 7 million, U.S. households with wireless networks. The same study found that half of the users without WLANs are interested in the technology. 
This points to a huge growth potential, but a major sticking point still remains: Are WLANs secure enough?
The steps to securing a wireless network have been documented extensively. Much work has gone into enhancing standards, simplifying deployment and management, and educating users. The good news: It's possible to deliver a highly secure WLAN. The bad news: Enterprise IT remains apprehensive, with adoption of IEEE 802.11i and the introduction of AES encryption and how they will affect installed products leading the list of concerns. The proliferation of architectures and vendors hasn't helped IT managers sleep any easier, either. In fact, vendor and product viability also has caused procurement delays. IT administrators are discovering they need a comprehensive approach to securing their mobile devices, and it doesn't stop just with data. Voice over IP is increasingly part of the mix, and the proposed standards fail to secure this real-time traffic.
Beyond security, management is the soft white underbelly of the Wi-Fi dragon. Smart organizations realize that the cost of running the network is much higher than the cost of buying the equipment. Capital expenses account for less than 25 percent of the total cost of ownership of an enterprise wireless system. Before IT organizations can be expected to make the leap to wireless, vendors must supply solutions that offer the availability and reliability of the wired network, with no compromises.

--Chris Kozup, program director for infrastructure strategies at Meta Group

To gauge the WLAN security concerns of information professionals, we polled readers who are involved with wireless deployments. Of the 628 survey respondents, 18 percent said they have large-scale WLAN deployments, indicating that our sample is ahead of the mainstream when it comes to wireless implementation. A majority--more than 60 percent--said their organizations are conducting WLAN trials or have small-scale overlay deployments.
When we asked respondents to rate barriers to WLAN adoption, security came out on top, followed by uncertainty over standards and budget constraints. The least significant barriers are complexity of implementation, long-term vendor viability and lack of user demand.
Not surprisingly, the top security concern is the possibility of attackers gaining unauthorized access to network resources. On our seven-point scale (with one meaning not important and seven meaning very important), access security scored an average of 6.1, followed by tampering with confidential data (5.8), malicious hacker attacks (5.6), and rogue access points (5.6). Least worrisome are ad hoc peer-to-peer networks (4.3), damage to corporate image through publicized war-driving attacks (4.4) and theft of access points (4.5).

When asked to rate the importance of alternative WLAN security strategies for their sites, our respondents said the technologies of greatest importance are VPN/IPsec and firewall segmentation (both 5.4). The least important technology is Cisco's LEAP (3.4). The remaining technologies--802.11i, 802.1x, WEP and WPA--all received scores between 4.5 and 4.6. This tells us that though there is interest in emerging wireless security standards, the majority is most comfortable with tried-and-true security systems.
We also asked respondents to rate the importance of seven 802.1x authentication protocols, including EAP-FAST, EAP-MD5, EAP-TLS, EAP-TTLS, LEAP and PEAP. All the choices received average ratings between 4.0 and 4.1, which we interpret as meaning most respondents know EAP is important but don't really have a clear understanding of or strong opinion on the alternative authentication types. Although EAP was designed to support alternative authentication, the existence of so many options causes confusion. This supports our hunch that it'll be some time before 802.1x is widely implemented.
To assess readers' hot buttons, we asked respondents to express their level of agreement with a range of somewhat provocative statements about WLAN security. There was strong disagreement with our suggestions that WLAN security is no different than wired LAN security; that the seriousness of wireless LAN security problems has been exaggerated by the media; and that an organization should be willing to trade off a little security for the benefits of WLANs. The highest level of agreement--by far--was expressed for our statement that robust security should be an integral element of WLAN infrastructure and shouldn't require third-party systems. Readers also agree that sometimes you have to deploy proprietary features to achieve security and that politics has stalled the security standards process.
Finally, we found it interesting that more than 57 percent of respondents have received a request from a visitor to their facility for wireless network access. Guest access is clearly a growing need and carries with it a requirement for granular security controls.