The proliferation of WLANs has exposed wireless security's shortcomings. Embedding security protocols seems instinctive, but the shifting sands of WLANs' fluid security standards landscape makes it far from easy.
By Paul DeBeasi
Security has been wireless networking's Achille's heel from the first day it emerged in corporate computing. The growing push toward WLANs has exposed wireless' security shortcomings even more starkly. Most organizations entrust their sensitive information to wired LANs, but won't do the same for a WLAN. This stance maintains a company's IT security, but also robs them of WLANs' economy and versatility.
The IEEE is working to close the security gap, and expects to have a new wireless security standard in place by the end of 2004. Many organizations don't want to wait that long, but are wary of investing in an interim security technology destined for near-term obsolescence. The current standard security protocol, WEP, isn't up to securing sensitive information from malicious attackers. A transitional standard called WPA closes most of the gaps in WEP, but it's just that a transitional standard. IEEE 802.11i is the next generation of bulletproof wireless security, but it won't be finished for months. So what's a company to do when it wants good WLAN security now, yet doesn't want to junk it just a few months down the line?
Although WEP, WPA, and 802.11i seem separated by gaps, they are actually a continuum that organizations can follow to gain strong wireless security. First, however, they must understand the security landscape. Then they can realize the economy and versatility of WLANs without giving up control over their vital information.
Making the Leap
The fundamental question facing network managers in organizations considering WLANs is whether to wait for 802.11i or employ WPA. With 802.11i following close behind WPA, could it be worth going through a WPA deployment?
The short answer is yes. The potential losses from security attacks against WLANs are too high to justify waiting for 802.11i to crystallize and for vendors to release supporting products. There is also a well-defined migration path from WPA to 802.11i. 802.11i will be backwards compatible with WPA. All WPA hardware and software will continue to work with 802.11i hardware.
802.11i is slated for final standardization by the end of 2004, and 802.11i products will appear soon after. For most enterprises, the answer is that WPA really is good enough to deploy now. WPA addresses all known issues with WEP, including the attacks implemented in free software like AirSnort and WEPCrack. If a business wants to deploy security-critical applications over wireless LAN, WPA is a viable choice and should remain so even after 802.11i debuts.
Why the Conundrum?
The question of whether to wait for 802.11i arises because WEP, today's most widely available WLAN security protocol, is wholly inadequate for securing wireless LANs. However, if WPA support is not yet available in your wireless equipment then should WEP be used? The answer is that WEP, if properly used, can make you a less tempting target to potential intruders.
The 802.11 standard created the WEP algorithm to protect wireless communications from eavesdropping. Its secondary function is to prevent unauthorized access to a wireless network.
On a WEP-enabled network, all users employ a shared secret key shared between the mobile client and an access point. All packets are encrypted with the shared secret key. An adversary who tried to access the network, or so the thinking goes, cannot decrypt the packets without that shared secret key. Unfortunately, the WEP mechanism has flaws. Perhaps the most significant is that many access points are shipped with WEP turned off by default. It is very common for access points to be deployed using default factory settings which results in an enormous security hole.
Even when WEP is turned on and new shared secrets are set, the mechanism has major flaws. For encrypting data, WEP uses an algorithm called RC4. While RC4 is a secure algorithm if used properly, WEP opens it up to significant attack. The problem is that WEP key usage is vulnerable. Applications such as AirSnort and WEPCrack can decrypt WEP-protected networks in seconds after sniffing as little as 100 MB of traffic. On a busy wireless network, an attacker can gain a free hand on the wireless LAN in minutes. In addition, WEP uses a CRC for maintaining data integrity. CRC is easy for an adversary to fool by flipping bits in the packets and thereby corrupting data integrity.
Another major problem with WEP is that it addresses confidentiality, but not authentication. In other words, WEP does not provide a way to ensure that a user is really who they say they are. Anyone who knows the WEP shared key and network SSID (service set identifier) can access the network. There is no way for administrators to selectively confirm or deny access based on who is connecting. In addition, if the shared key is guessed or lost, all stations on the network must be re-keyed manually. This can be a major administrative headache, as well as a security risk if the key is lost but no one notices.
Still, despite its shortcomings, WEP is better than nothing until your company gets on the WPA to 802.11i continuum. As your company weighs whether to go ahead with WPA, there are best practices for making optimal use of WEP.
First, make sure it's turned on. All Wi-Fi Alliance certified 802.11a, 802.11b, and 802.11g access points and wireless NICs support WEP. On isn't necessarily the default. This defeats accidental intruders, such as passersby with laptops in public places.
Many urban businesses have reported problems when passing laptops simply found and automatically associated with their network. Eliminating such basic, but not always obvious, "nuisance" problems leaves more time to watch out for serious attacks.
Periodically, organizations should change the default SSID and shared key. It is easy to write programs that automatically scan for factory default SSIDs and default keys. Changing the SSID and key even if just by setting the organization with the new values will no longer present the organization as a "target of opportunity." Note, however, that the SSID is easy to sniff from the airwaves, so an adversary targeting the organization will not be stopped.
Implement MAC address filtering. Configure the access points and routers to accept packets only from known MAC addresses. Then even if someone discovers the correct SSID and key, the attacker can't get to the rest of the network. Again, this countermeasure is not perfect it is easy to spoof MAC addresses.
Ultimately though, organizations vulnerable to damage from unauthorized access to business information should not consider WEP a credible security mechanism. While WEP is better than nothing at all, software such as AirSnort and WEPCrack make it an easy target for adversaries. Something more is needed for sending confidential data over wireless networks.
Beyond WEP Interim and Fixed
02.11i is targeted to seal the WEP security holes by the end of 2004. Unfortunately, most organizations need wireless security today. Recognizing the need for an interim solution between WEP and 802.11i, the Wi-Fi Alliance released WPA as an early "snapshot" of the 802.11i standard. WPA:
fixes the major security problems with WEP, in particular the use of shared keys;
adds user-level authentication, specifically 802.1x; and
works with some legacy 802.11b access points and NICs with minimal firmware and software upgrades.
WPA's TKIP and Michael
WPA also addresses the flaws in WEP encryption and integrity with new algorithms called TKIP and Michael (see MIC). TKIP was designed to take advantage of hardware acceleration for the RC4 algorithm that exists in some traditional access points, while avoiding the flaws of WEP. The primary advantage of TKIP over WEP is key rotation. TKIP changes the keys used for RC4 with every packet and doubles the size of the IV for even greater protection. With WEP, the combination of a short and predictable IV with static keys opened the way to attack; in TKIP, these problems are fixed.
Michael is a MIC algorithm to maintain data integrity. A MIC is a cryptographic digest, that prevent attackers from altering data. The Michael algorithm allows WPA systems to detect whether an attacker has modified a packet to fool the system. A special problem is that many 802.11b NICs and access points have low computational power. Therefore, Michael was specifically designed with the computational limitations of existing 802.11b NICs and access points in mind.
Because of its design for devices with low CPU power, Michael provides less security than would ordinarily be expected from an integrity-checking algorithm in its class, though far more security than the CRC used by WEP. In response, WPA mandates special "Michael countermeasures." Whenever an access point detects two packets that have failed the Michael algorithm on a particular shared key, it drops the connection, re-keys, and then waits for one minute before creating a new association.
However, unfortunately these countermeasures make it possible for an adversary to mount a denial of service attack. By sending packets purposely to fail the Michael algorithm, an adversary can cause an access point to drop its association with a user. By repeating the attack, an adversary can keep an access point offline for as long as it likes. Nevertheless, the Michael algorithm is still better than no security at all. Although attackers can shut down individual access points, Michael prevents them from getting inside the network, where they can do far more harm.
Peeling Back WPA's Protocol Layers
WPA also makes up for WEP's lack of authentication between the user and the network. WPA uses the 802.1x standard for user authentication. It defines an EAP between two endpoints and an encapsulation protocol called EAP over LAN (EAPOL). The protocol allows users to authenticate themselves to the network.
EAP, however, was originally designed for wired networks, so it is vulnerable to eavesdropping because it assumes that the link between the network and the end point is physically secure. In WLANs, the endpoint-network link needs cryptographic protection. The EAP over the TLS (EAP-TLS) and PEAP tunneling protocols provide the needed cryptographic protection.
EAP over TLS (EAP-TLS) leverages the existing IETF standard for TLS. TLS is the direct descendant of the Secure Sockets Layer (SSL) protocol used by Web servers to protect information. EAP-TLS uses digital certificates on both user and server side to perform authentication.
PEAP specifies a means of combining an administrator-specified authentication and confidentiality protocol with EAP. This allows network administrators to use protocols not specifically developed for EAP.
Although WEP will hand off to WPA in most cases, the two cannot exist together. WPA hardware will simply revert to WEP when presented with a non-WPA access point or NIC card. Allowing WEP clients on a network opens the network to all of WEP's vulnerabilities. It is critical that all users have upgraded to WPA. WPA has a mode of operation that allows for both WPA and WEP to use the same broadcast keys. IT staff should configure WPA in this fashion. This will prevent the simultaneous operation of both WPA and WEP.
Managing the Transition
After an organization threads the protocol thicket, it's time to face the WEP-to-WPA-to-802.11i hardware and software issues. As of the third quarter of 2003, new 802.11b hardware must support WPA in order to obtain Wi-Fi Alliance certification. Current 802.11 hardware vendors were required to support WPA in new products submitted for Wi-Fi Alliance certification testing after Aug. 31, 2003.
WPA was designed to work with legacy access points and NICs given only firmware and software upgrades, so theoretically almost all legacy hardware can be upgraded to WPA. In practice this is not always the case. Regardless of whether an organization's access points are software upgradeable, they may need more end points because WPA's algorithms take more CPU power than WEP's, which causes performance degradation. This is generally unacceptable on WLANs carrying important traffic, so they'll have to upgrade hardware in order to run WPA.
Software The Critical Ingredient
On the software side, organizations need operating system support for WPA. This support allows the operating system to format packets properly for WPA-aware devices. It also enables the OS to pass 802.1x authentication information between the user and the NIC. Users on a WPA-enabled network will also need client software for 802.1x authentication. Such software provides an interface for configuring and managing 802.1x credentials, such as digital certificates or passwords. Once users can configure their 802.1x credentials, they need a RADIUS server on the network to complete authentication. When using WPA, this server needs to support the EAP and EAPOL standards.
Not Easy, But Easier Than it Sounds
Designing, deploying and maintaining a secure WLAN can be somewhat more complicated than operating a wired LAN. However organizations that focus on security and understand its greater importance in WLANs can strike the necessary balance between security, performance and economy. The transition from WEP to WPA will result in WLANs that are secure today and ready for 802.11i in the future.
Paul DeBeasi brings more than 20 years of experience in the computer networking industry and a comprehensive understanding of networking technologies and markets to Legra Systems. Before joining Legra, DeBeasi was the VP of Marketing at TranSwitch where he was responsible for strategic marketing and marketing communications. Prior to working at TranSwitch, he was the VP of Marketing and Product Planning at ONEX Communications, IPHighway, and NetSuite Development. He was a Principal Engineer at Chipcom Corporation and Prime Computer. DeBeasi holds a B.S. in Systems Engineering from Boston University and an M.S. in Electrical Engineering from Cornell University. DeBeasi has presented on topics related to wireless security at several industry conferences, including Wi-Fi Planet, Supercomm and Internet Telephony.
Glossary of Acronyms
CPU - Central Processing Unit
CRC - Cyclic Redundancy Check
EAP - Extensible Authentication Protocol
IEEE - Institute of Electrical and Electronics Engineers
IT - Information Technology
IETF - Internet Engineering Task Force
IV - Initialization Vector
MAC - Media Access Code
MIC - Message Integrity Code
NIC - Network Interface Card
OS - Operating System
PEAP - Protected EAP
SSID - Service Set Identifier
SSL - Secure Socket Layer
TKIP - Temporal Key Integrity Protocol
TLS - Transport Level Security
WEP - Wired Equivalent Privacy
WLAN - Wireless Local Area Network
WPA - Wi-Fi Protected Access