Modernizing Authentication — What It Takes to Transform Secure Access
At the recent Boston 802.11 Planet Conference and Expo, the aisles and booths were bustling with activity, giving ample proof that Wi-Fi (Wireless Fidelity, or more properly, wireless networking) has finally come of age. The hardware vendors – switch, antenna, and chip manufacturers, carriers, and integrators – were all there in force, of course. However, the big news was that the show was dominated by vendors addressing network security, with new solutions from the network, software, and hardware perspectives.
Security has long been the Achilles heel of the wireless industry. Set aside the security issues, though, and the case for wireless networking is overwhelmingly compelling — it's cheap, easy, and portable. Now that the industry is addressing the problem head-on with new solutions for manageable and acceptable network security, Wi-Fi may well be a choice that enterprises should be considering (or reconsidering).
According to an article in the April 26 issue of Barron's, a one-hour cruise in lower Manhattan last March revealed 622 Wi-Fi networks, with two-thirds of them wide open to unauthorized use. And don't think that just because you are located in a suburban office park you can escape — this problem is not limited to dense urban areas. Wi-Fi networks in multi-tenant office parks and employees’ residences can easily spill over into adjacent areas inside the same building, or into or across public thoroughfares.
Even more than with traditional hardwired LANs, network security is an essential complement to IEEE 802.11 network connectivity. After all, you are broadcasting your traffic over the air and have no direct control over who is listening or transmitting. Do you really want anyone with some inexpensive equipment and a criminal intent to be hacking your network? You cannot just assume that the PCs on the network are really the ones they claim to be, or that they are acting the way they are supposed to.
There are two major components to the security problem for Wi-Fi. One is assuring the privacy of the data transmitted over the network against eavesdroppers. The other is protecting the network itself against intrusion. Unauthorized PCs may attempt to piggyback on your network, stealing bandwidth that you are paying for. Even worse, unauthorized Access Points can be used to mount a variety of other nastier attacks, including listening to, diverting, or interrupting network traffic.
Because mobility is an essential aspect of Wi-Fi networks, old techniques that rely on stable, hardwired connections between switch ports and hosts (and other systems) are no longer sufficient to assure proper access control. Wi-Fi networks are orders of magnitude more vulnerable to MAC (Media Access Control) address spoofing than wired LANs.
The rising use of Wi-Fi for home networks may raise security concerns for organizations. With the increase in telecommuting and consulting, IT managers need to be alert to the possibility that employees are transmitting sensitive data over unsecured networks. As a result, the employee’s home needs to be at least as secure as his or her office environment.
Wireless Networking Security Solutions
Most industries are dominated by a few innovative players and a large number of copycats who hope to capitalize on technological breakthroughs. Wi-Fi security is no exception; many vendors are selling variations on a few basic themes and approaches. One is the need for intrusion detection systems, while another is network management and integration with some type of back-end access control technology, most often RADIUS (Remote Authentication Dial-In User Service).
While the bad news about Wi-Fi is that intruders have greater opportunity to break into the network, the good news is that compared with wireline Ethernet, it is easier and less expensive to observe and collect information about nefarious Wi-Fi network traffic. Instead of having to monitor individual switches and their ports, one need only listen promiscuously to packets as they cross the air.
Real-time monitoring displays for Wi-Fi traffic dotted the show floor at the 802.11 Expo. Packets were analyzed and Wi-Fi hosts and access points were tracked on maps while windows and panes scrolled. As eye-catching or cluttered as the demonstrations might have been, these products addressed the separate problems of real-time detection of intruders and post-incident analysis of traffic.
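The two detection problems the article has raised so far, spotting unauthorized access points and noticing MAC address spoofing, are both tractable from a passive monitor that simply listens to frames as they cross the air. The following added example (not code from the article or from any vendor at the show) runs two such checks over a constructed capture: it compares beaconing BSSIDs against an assumed inventory of authorized access points, and it watches each station's 12-bit 802.11 sequence counter, since two radios sharing one MAC address produce a counter that jumps backwards. The inventory, SSIDs, MAC addresses and the `MAX_BACKWARD_GAP` threshold are all assumptions for illustration.

```python
"""Passive Wi-Fi monitoring: rogue access points and MAC-spoofing indicators.

Added example: scans a constructed capture of 802.11 management and data frames,
as a monitor listening promiscuously would see them, and flags (1) access points
that are not in the authorized inventory and (2) stations whose 802.11 sequence
counter runs backwards, a classic hint that two radios are using one MAC address.
"""
from dataclasses import dataclass

# Constructed inventory (assumption): BSSID -> SSID that access point may advertise.
AUTHORIZED_APS = {
    "00:11:22:33:44:01": "CorpNet",
    "00:11:22:33:44:02": "CorpNet",
}
CORPORATE_SSIDS = {"CorpNet"}

SEQ_MODULO = 4096          # 802.11 sequence numbers are 12 bits
MAX_BACKWARD_GAP = 100     # tolerated reordering; tune per site (assumed value)


@dataclass(frozen=True)
class Frame:
    t: float            # capture time in seconds
    kind: str           # "beacon" or "data"
    src: str            # transmitter MAC (the BSSID for beacons)
    ssid: str = ""      # beacons only
    seq: int = -1       # data frames only, 0..4095


def find_rogue_aps(frames):
    """Return (bssid, ssid, reason) for every beaconing AP that should not be there."""
    findings = []
    seen = set()
    for f in frames:
        if f.kind != "beacon" or (f.src, f.ssid) in seen:
            continue
        seen.add((f.src, f.ssid))
        expected = AUTHORIZED_APS.get(f.src)
        if expected is None and f.ssid in CORPORATE_SSIDS:
            findings.append((f.src, f.ssid, "unknown BSSID advertising a corporate SSID"))
        elif expected is None:
            findings.append((f.src, f.ssid, "access point not in inventory"))
        elif expected != f.ssid:
            findings.append((f.src, f.ssid, "authorized BSSID advertising an unexpected SSID"))
    return findings


def find_seq_anomalies(frames):
    """Return (src, previous_seq, seq) wherever a station's sequence counter jumps back.

    Forward gaps are ignored because the monitor may simply have missed frames;
    a wrap from 4095 to 0 and identical numbers (retransmissions) are not flagged.
    """
    last = {}
    findings = []
    for f in frames:
        if f.kind != "data":
            continue
        prev = last.get(f.src)
        if prev is not None:
            backward = (prev - f.seq) % SEQ_MODULO
            # Values above half the counter space are forward jumps seen modulo 4096.
            if MAX_BACKWARD_GAP < backward <= SEQ_MODULO // 2:
                findings.append((f.src, prev, f.seq))
        last[f.src] = f.seq
    return findings


# Constructed sample capture (not real traffic).
SAMPLE_FRAMES = [
    Frame(0.0, "beacon", "00:11:22:33:44:01", ssid="CorpNet"),
    Frame(0.1, "beacon", "00:11:22:33:44:01", ssid="CorpNet"),     # duplicate beacon
    Frame(0.2, "beacon", "de:ad:be:ef:00:01", ssid="CorpNet"),     # looks like an evil twin
    Frame(0.3, "beacon", "de:ad:be:ef:00:02", ssid="FreeWiFi"),    # someone else's AP
    Frame(0.4, "beacon", "00:11:22:33:44:02", ssid="Guest"),       # misconfigured corporate AP
    Frame(1.0, "data", "aa:bb:cc:dd:ee:01", seq=1000),
    Frame(1.1, "data", "aa:bb:cc:dd:ee:01", seq=1001),
    Frame(1.2, "data", "aa:bb:cc:dd:ee:01", seq=1002),
    Frame(1.3, "data", "aa:bb:cc:dd:ee:01", seq=1002),             # retransmission
    Frame(1.4, "data", "aa:bb:cc:dd:ee:01", seq=200),              # second radio on the same MAC
    Frame(1.5, "data", "aa:bb:cc:dd:ee:01", seq=1003),
    Frame(2.0, "data", "aa:bb:cc:dd:ee:02", seq=4094),
    Frame(2.1, "data", "aa:bb:cc:dd:ee:02", seq=4095),
    Frame(2.2, "data", "aa:bb:cc:dd:ee:02", seq=0),                # legitimate counter wrap
    Frame(2.3, "data", "aa:bb:cc:dd:ee:02", seq=1),
]

if __name__ == "__main__":
    for bssid, ssid, reason in find_rogue_aps(SAMPLE_FRAMES):
        print(f"ROGUE AP  {bssid} '{ssid}': {reason}")
    for src, prev, seq in find_seq_anomalies(SAMPLE_FRAMES):
        print(f"SEQ JUMP  {src}: {prev} -> {seq}")
```

On the sample capture the inventory check reports three access points (an unknown BSSID advertising the corporate SSID, an unrelated neighbour, and a corporate AP advertising the wrong SSID) and the counter check reports one backward jump, while the duplicate beacon, the retransmission and the wrap from 4095 to 0 produce nothing. In a real deployment the frames would come from a monitor-mode capture and the inventory from the network management system, which is exactly the integration the article goes on to ask for.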
There was comparatively little discussion of integrating real-time Wi-Fi monitoring with most companies’ installed bases of existing network management systems. A monitoring system that is integrated into your existing infrastructure would be infinitely more useful than yet another display for troubleshooting an incident after the fact.
Because the wireless network’s composition and topology is flexible and inconstant, the monitoring equipment’s footprint must adequately cover all of a Wi-Fi network’s potential airspace. Several vendors offered hand-held meters to detect and measure Wi-Fi availability. Typically, these meters would be employed inside a company or used by a systems integrator to troubleshoot or check for adequate network coverage.
However, they can also be put to another more insidious use — drive-by detection of other people’s networks. Most people who are doing it view it as a nerdy idea of a fun sport, but there are those who are practicing intrusion with more criminal motives. According to Special Agent Nenette Day of the FBI Boston Cybercrime Unit, it is not even clear that intrusion over an unprotected wireless network is officially a crime yet.
The Ideal, Integrated Security Solution
For Wi-Fi to be successful, access control must be easy to implement with minimal operations impact, capital outlay, and labor expenses. Vendors who highlighted access control often stressed the need for integrated enterprise network management of Wi-Fi and wired technologies. RADIUS is the most popular back-end technology in these vendors’ architectures, although not the only one.
Many vendors also address the need for scalability. Because Wi-Fi hosts are mobile, the access control systems perform more transactions per Wi-Fi host than an equivalent wired host. In addition, mobility highlights issues that are not usually factors in wired networks, such as controlling access based on physical location and network loading rather than just identity.
Unfortunately, the standards for wireless LAN security are in a state of flux. The original 802.11 standard includes a mechanism called “Wired Equivalent Privacy” (WEP) as an option. While WEP does specify how traffic is encrypted under a shared key, it doesn't address key distribution, a major weakness. Various other criticisms have been leveled at the WEP architecture design as well, and as a result, the IEEE has gone back to the drawing board.
The IEEE 802.11i task group has been working on a new standard for MAC Enhancements for Enhanced Security. Draft 4.0 was circulated for votes in June. In the meantime, some vendors have extended or altered the implementation of WEP in their products. To add to the confusion, Cisco has introduced its own proprietary scheme (LEAP), and the Wi-Fi Alliance has promoted the use of Wi-Fi Protected Access (WPA) for pre-802.11i equipment.
Should you invest in wireless technology or wait for the industry to mature a bit more? The wireless industry is still young; with so many start-ups, industry consolidation is inevitable. Some vendors will be acquired, while others simply will not survive. Since there is no way to be certain what will happen to your equipment’s vendor, buying standards-based products is a form of life insurance for your capital investment in Wi-Fi.
It's good to see that the industry is finally putting security front and center. With the IEEE task force working on additional security enhancements, the quality of wireless product security will only improve. Still, unless you have very strong security requirements, today’s wireless security will be “good enough” to meet your needs. Just make sure you purchase products that comply with the latest 802.11 standards — and for goodness sake, do not forget to properly configure and enable the security features!
IEEE P802.11 – The Working Group for Wireless LANs (follow links for 802.11i information)
Wi-Fi Alliance’s Wi-Fi Protected Access (WPA) Site
Jupiterevents (for upcoming 802.11 Planet events)
Beth Cohen is president of Luth Computer Specialists, Inc., a consulting practice specializing in IT infrastructure for smaller companies. She has been in the trenches supporting company IT infrastructure for over 20 years in a number of different fields, including architecture, construction, engineering, software, telecommunications, and research. She is currently consulting, teaching college IT courses, and writing a book about IT for the small enterprise.
Debbie Deutsch is a principal of Beech Tree Associates, a data networking and information assurance consultancy. She is a data networking industry veteran with 25 years’ experience as a technologist, product manager, and consultant, including contributing to the development of the X.500 series of standards and managing certificate-signing and certificate management system products. Her expertise spans wired and wireless technologies for Enterprise, Carrier, and DoD markets.