Security in the Air
by Dave Juitt, Chief Technology Officer, Bluesocket Inc.
802.1x and what it means for your wireless LAN
When mobile worker think of wireless LANs (WLANs), words such as "untethered" and "simply connected" come to mind. Studies show that wireless workers are more productive, less pressured and save businesses money.
At least a dozen organizations are now trying to quantify the advantages of wireless networking. Research firm Gartner finds wireless LANS to be nearly $1000 cheaper to install than wired LANs, especially for small organizations.
Gartner analyst Phil Redman says support costs will stay stable over three years. However the widespread publication of holes within the Wired Equivalent Privacy standard (WEP) has also meant IT professionals equate WLANs with "security nightmares." Security remains the biggest stumbling block to deployment and the hardest to control on costs.
Why isn't every LAN a WLAN?
The amazing thing is how quickly word has spread about the advantages - and disadvantages - of WLANs:
* Although some negative WEP press appeared in 2000, Fluhrer, Mantin and Shamir first described the Rapid Passive Attack in July 2001.
* By early August, the AT&T Labs team had successfully implemented the attack and concluded that WEP is "totally insecure".
* On August 17, 2001, the Airsnort (www.airsnort.com) program is released to script free, thus enabling anyone to penetrate WEP weaknesses in virtually any unwired network anywhere.
* Netstumbler.com launches as a free site that has grown to track over 8,000 access points, including MAC addresses, performance variables, and other information making it simpler to crack into wireless networks.
* From London to Boston to Silicon Valley, publications surf the airwaves of cities and report hundreds of accessible sites and information easily pulled from the air. * In June 2001, the IEEE standards body defining WEP released its specification for the 802.1x standard, which defines how various wireless technologies can increase the number of secure key exchanges between devices and servers. Frequent rekeying makes it more difficult to have unauthorized access to wireless networks. * Microsoft Corporation incorporates 802.1x into its Windows XP operating system. Soon, many major wireless vendors are touting 802.1x support.
With security defined as one of the main roadblocks to WLAN growth, the question is: Does 802.1x do enough to enhance the security of wireless LANs and of other mobile products?
Network security, whether wired or wireless, involves five major activities. Particular security standards or technologies can involve one, two or all five, but any user session must pass through at least these five steps in a secure environment. The steps are:
* Identification numbers (IDs) verified by LDAP, RADIUS and other security mechanisms
* Passwords (system and revolving)
* Hardware IDs/digital certificates
* Permissions for access vary by user, the types of systems each user can access when online, time of day, type of function (e.g. FTP, video streaming, etc) * Priorities (i.e. who gets preference, the president or a tech rep in the field?)
* Data confidentiality, usually ensured by the use of encryption.
o Encryption varies widely in "strength"
o Is processor-intensive -- so will vary by application or data moved
* Ability to manage distributed wireless AP's and devices from a central point
o For regular maintenance
o In a state of emergency or attack
* Logging/tracking, which is critical to ongoing security defense policies
* Support of multi-vendor, multi-protocol, multi-version control environments
* COS = Class of Service by user
* Volume of users and desired bit rates
* Secure roaming
Although a security system typically involves the five major components just mentioned, 802.1x is a standard that addresses only authentication and key management for networks. Thus it is a standard focused on roughly two parts of a multi-dimensional challenge to implementing and maintaining a secured, functional network.
802.1x Two of Five
It is important to note that although most of the press has focused on 802.1x application in WLANs, the standard can also be used in the traditional wired network. The 802.1x standard uses the Extensible Authentication Protocol (EAP) as its framework. This keeps the standard open to future authentication methods as back end authentication services develop.
To further explain how the standard can work, lets walk through a typical implementation at a high level:
1. Wireless client associates with an Access Point (AP)
2. AP blocks all network access except for 802.1x traffic
3. User performs network logon
4. The AP relays this information to an authentication server (typically a RADIUS server)
5. The wireless client and authentication server perform mutual authentication and derive a per user/ per session WEP standards key
6. Wireless client and AP then activate WEP and use the key for encryption of data and allow AP network access to client (assuming authentication was successful)
7. WEP key timeout settings allow re-keying throughout the session (keeping the key fresh).
A Perfect Solution?
802.1x is a large step forward for authentication, access and addressing some of the known issues involving wireless LAN security. A comparison of 802.1x and standard 802.11 security is shown in Table 1. As you can see, there are many advantages to 802.1x. However, as with any fledgling technology or standard, the IT professional should also be concerned with potential problems or limitations.
802.1x is a Framework
As a publicly ratified standard, 802.1x does not mandate specific security procedures. Vendors are free to implement authentication only or authentication and encryption together. Make sure you choose a vendor that implements both authentication and encryption.
Multi-Vendor Support is Difficult
Several vendors have implemented proprietary security frameworks based on the emerging 802.1x standard. These product implementations require users to single source vendors, choosing only a single vendor's APs and PC cards to gain 802.1x security advantages.
As 802.1x becomes built into the operating system, interoperability with all vendors who support the standard will be available. However, at this time 802.1x is only supported in Microsoft's Windows XP. True interoperability with 802.1x will be dependent on the purchase of Microsoft's Windows XP or a future Service Pack update to Windows 2000.
Also, an authentication server is required. Typically, this will be a RADIUS server. Currently, Microsoft Windows 2000 Server, Cisco ACS, Funk RADIUS and Interlink Networks RADIUS all support EAP.
Microsoft's PocketPC 2002 release does not support EAP. Today, it relies on embedded PPTP for encryption and non-EAP supported access to a RADIUS server. So, for many PDAs deployed today, 802.1x does not apply.
All or Nothing Access Once a user has authenticated, they are granted access to the network. 802.1x does not provide any granularity to control whom can access particular services or destinations, so it's all or nothing access. This is not a problem if your company does not mind that a guest or contractor can easily access your finance server or that a university student can access the Administration server as easily as the Internet. However, reality dictates that everyone is NOT treated equally on LANs.
In the End, 802.1x Is Still WEP 802.1x provides improvements in privacy by using dynamic, per user, per session keys. However, the underlying WEP mechanism is unchanged. This is still a major concern summed up by Ron Rivest, who developed the RC4 cipher:
"Those who are using the RC4-based WEP or WEP2 protocols to provide confidentiality of their 802.11 communications should consider these protocols to be broken," Rivest says, "and plan remedial actions as necessary to mitigate the attendant risks. Actions to be considered should include using encryption at higher protocol layers and upgrading to improved 802.11 standards when these become available."
Standards bodies are investigating the use of the Advanced Encryption Standard (AES) as a possible alternative to RC4 in future versions of 802.11 security. AES is a replacement for DES (Data Encryption Standard) and uses the Rijndael algorithm, which was selected by the US Government to protect sensitive information. As standards continue to develop, many security experts recommend that the Internet Protocol Security or IPSec standard that has been deployed in global networks for over five years be considered an alternative for any data that should not be viewed, utilized or corrupted by a non-trusted party.
How Deep Should You Go?
Phil Belanger, past chairman and current marketing director of the Wireless Ethernet Compatibility Alliance (WECA) stated, "We've always said that if privacy is a concern, you need to be using end-to-end security mechanisms, like VPNs, based on IPSec along with the WLAN. Even if WEP wasn't compromised, you ought to be doing that."
For environments where the highest layer of security is required, it is best to use a layered approach. 802.1x is a Layer 2 protocol and can be enhanced by introducing a virtual private network (VPN), which operates at Layer 3. VPNs use Internet Protocol Security (IPSec) to create virtual tunnels from the end user to a terminating device. They are already widely deployed to allow stationary employees access to the corporate network via the Internet without allowing anyone else to view what is inside the tunnel.
However, once a tunnel is open, the device and user are assumed to be OK. In wireless, you need to continue to view the user as mobile and literally connecting to your network via the air. Thus, it is important to implement procedures that allow you to decrypt each packet before it comes into your trusted network.
What about PDAs?
IT managers are faced with the rapid proliferation of PDAs and other hand-held devices. With them comes the crucial issue of how to grant them access to the network. As we examined earlier, using the 802.1x standard would be a good first step, but the many operating systems now widely deployed (Microsoft PocketPC 2002) do not support the standard. Further, unlike PCs, there is limited support for even a vendor specific implementation of an 802.1x-like solution.
Currently, the only way to reach an acceptable security level is to implement a VPN approach. This can be accomplished using the built in Point to Point Tunnel Protocol (PPTP) or by using a proprietary VPN client.
Having a standard like 802.1x will help insulate users from the complexities of roaming, especially on public networks.
However, 802.1x requires additional management features to "sense" when a user has logged-out of a session. For example, if a user has a prepaid session or is paying by amount of time used, the meter keeps running on usage even if they power down. When an access server is part of the network infrastructure, a "stop packet" is sent to the authentication server, ensuring that as a session ends, so too does the bill to the end user.
When users roam, de-association and re-association of the session is not directly supported in 802.1x Layer 2 implementations. A Layer 3 solution aids in securely managing users who roam between subnets while doing ftp file downloads, video streaming, or voice calls over 802.11 networks.
The Requirement for "Access Servers"
Microsoft and other companies are recommending deployment of an access server to fill in the areas of security not managed easily, e.g. support for multiple AP's, PDA operating systems and applications, authentication systems and so on.
For those using 802.1x security, an access server passes EAP authentication requests from AP to authentication server seamlessly. This is a requirement in any network that may have a mixed environment of multiple vendor AP's, NIC cards and devices as well as environments that may only be partially 802.1x enabled for some time to come.
Bottom Line Recommendations for 802.1x and Beyond
IT managers are faced with many issues surrounding the implementation of WLANs. The following are recommendations for good practices when purchasing and deploying a complete solution:
* For small, tough to manage locations, turn WEP on using 128bit keys.
* Purchase equipment that supports the 802.1x standard, including using Microsoft Windows XP as the operating system where cost effective and available.
* Where Windows XP is not an option, use vendors who support the 802.1x framework even if it means proprietary PC cards and APs. Try to select vendors whose solution will be interoperable when 802.1x will be built into future operating systems.
* Make sure your vendor supports 802.1x authentication and encryption. Both. Now.
* Where security is of the utmost concern, use VPNs to provide a layered, robust and manageable approach.
* If using PDAs, use VPN tunneling technology to provide security or other security, such a PPTP, as available.
* Implement an access server technology. Such a server allows you to tie together all of the various standards and non-standard-based equipment. In addition, you can centrally manage and enforce far-ranging business rules dealing with CoS, user/group based management granularity and VPN compatibility.
About the author
Dave Juitt is CTO at Bluesocket Inc of Burlington, Mass. (www.bluesocket.com) He was previously chief information security officer for Redwood Investment Systems of Boston and department head for GTE Laboratories' secure systems research. Prior to GTE, he spent nine years at Digital Equipment and was on the technical staff at MITRE Corporation.