Access all areas

Worldwide WLAN penetration is on the up despite security concerns surrounding the technology. The arrival of the new 802.11i wireless standard is set to increase uptake yet further.

By Anna Karhammar. Published February 8, 2004

[Image: Businessmen access the internet wirelessly in New York's Central Park. (Getty Images)]

Wireless security is a sensitive area for corporate IT managers and network administrators, who have a stake in the stability and security of networks and the devices that run on them. Their role — and the service providers’ corresponding abilities to address their concerns over security — is a major factor influencing the adoption rate of public WLAN services among corporates, because opening up the wired network to wireless could seriously compromise security. And if security is compromised, the IT manager’s position could likewise be so. This is perhaps one reason why In-Stat/MDR estimates that wireless security could be worth US$8.4 billion by 2008.

“Security administrators have to ensure that only approved devices are used on the WLAN and only authorised personnel are allowed to use those devices. WLAN security is also not independent from overall enterprise security, so it is crucial to authenticate both the device and the user before being granted access to the network,” says Abdul Karim Riyaz, director security business partner operations, Computer Associates Middle East.

Hackers can either intercept and steal user credentials — typically their ID and password — and establish a session after the legitimate user has logged off, or piggyback on a legitimate open connection by impersonating the device of the valid user. “Rogue access points, if undetected, can be an open door to sensitive information on the enterprise network, so WLAN security administrators must have proper measures in place to detect and prevent the use of rogue access points in the enterprise,” explains Riyaz.
The problem has so far been that the out-of-the-box security measures built into current wireless standards such as 802.11a/b/x tend to be very weak — and so it has become commonplace for companies to deploy additional security layers, such as security gateways, wireless intrusion detection systems and stronger encryption. IT managers have also implemented WLANs as part of an end-to-end remote access strategy using VPN tunnels and IPSec encryption.

“Current IEEE 802.11 specifications do not provide adequate encryption. Most organisations don’t even use the WEP encryption available in the specification because it’s difficult to manage the encryption keys and has only limited effectiveness when it is being used,” says Graham Titterington, principal analyst, Ovum. “Several enterprises have solved the encryption problem by adopting proprietary products that implement procedures equivalent to the IPSec public key encryption process on top of the 802.11 infrastructure. However, these incur substantial processing overheads, effectively reducing the available bandwidth,” he continues.

As WEP was cracked within the first two months of use, the emphasis shifted to securing the connection between the client device and an authentication server, through the more advanced TKIP-integrated WiFi Protected Access (WPA). “The realisation was that encryption was an important process, not just authentication, and 802.11i takes care of this, as encryption comprises dynamic key management – which means a different encoding key per packet,” says 3Com’s technical manager, Stanislas de Boisset. The imminent 802.11i standard is set to finally address the security, privacy and data integrity issues itself, so that no one can listen in on or modify the data.
“This is why most vendors are pushing for .11i to come out as soon as possible, to get rid of all proprietary implementations out there that might or might not be sufficient solutions,” says Yarob Sakhnini, regional technical manager, Foundry Networks.

Moving forward

[Image: ENEMY AT THE GATE: Integrated access points can do dynamic key management, and with an authorisation server you can do QoS checks to determine how much of the network a user gains access to, further raising security levels, explains 3Com’s Stanislas de Boisset.]

802.11i has yet to be ratified, though this is expected to occur sometime this quarter. The layer on top is thus a temporary measure until WPA extends the functionality of WEP, thereby not requiring users to commit to one specific vendor’s proprietary product. Broadly, the new spec improves the encryption level through the adoption of TKIP encryption algorithms, which dynamically change the encryption applied to the data, while also adding 802.1x network authentication based on the Extensible Authentication Protocol (EAP) model, which was overlooked by the WEP standard. EAP requires users to be pre-registered on a central authentication server, so it is suitable for a larger enterprise.

The device on the wireless network uses the SSID to first hook up to the access point (AP), where the AP blocks the connection and asks for login and password using EAP (RC4.1), either in the software or via a window prompt. If the AP is known by the server, the server sends an encrypted check to see if the credentials match. Once authenticated, a secure link is created between the device and the server. “What 802.1x network authentication does, after the user has been authenticated, is to either create a unique ‘pair-wise’ or master key for the session. This pair-wise key is then sent to the client and AP, where unique encryption keys are dynamically generated to encrypt the data packets being transmitted during that session.
TKIP changes the single, static 40-bit WEP security key into multiple, dynamic 128-bit security keys, strengthening the basic framework of WEP into a much more complex, secure form of encryption. So essentially TKIP replaces the single, repeatedly used WEP key with around 500 trillion other possible keys that could potentially be used for each data packet and that will never be used more than once,” explains Tony Field, US Robotics’ product manager EMEA.

Another advantage of 802.1x is that it allows for classes of service and different network access privileges. “When a session starts, if the server is an ISP they would start billing, but if in an enterprise, the authorisation server would start QoS checks for the relevant access level, say QoS 4, or a higher one, 6, if it was a more important person gaining access to more of the network. Plus, it enables VLAN assignments, so guests just using the internet would have less access to the corporate network. Also, if a company wants real mobility within the campus, then the AP talks to another AP saying it recognises the user, and so the user won’t have to re-log every time,” says de Boisset.

For larger organisations the implementation of 802.1x is generally not considered such an overhead. It also provides an additional level of security for coping with laptop or device theft, since the ‘new owner’ does not know the password to get into the network — an important consideration of wireless deployment that is often forgotten. On the other hand, for smaller companies MAC address authentication, which essentially controls which PCs have access to the network, could be sufficient. “For small organisations, such as a 10-50 person business or a school, one of the best and simplest techniques is to use MAC address authentication on top of the encryption. The advantage of MAC address authentication compared to 802.1x is that it’s easy to set up and maintain.
All the user has to do is to enter into the APs the MAC addresses of the wireless cards that are allowed. This is now becoming the favoured technique for small organisations,” says Field. However, there is also the counter-argument that “MAC authentication can be an inadequate security measure, because they can be forged, or a network interface card may be lost or stolen,” as commented by Sandor Fulop, professional services manager, Online Distribution. There are ways around this issue, however, and US Robotics for one are due to launch a software tool to manage MAC address authentication on APs.
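The 802.1x/EAP flow described above (the AP blocks the connection until the central server has checked the user, a session-specific pairwise key is then issued, and per-packet keys are derived from it) as a simplified Python model added here; it is not the article's or any vendor's code. The AuthServer and AccessPoint classes, the HMAC-based key derivations and the sample credentials are constructed stand-ins, not the real EAP method or the 802.11i key hierarchy.

```python
import hashlib
import hmac
import os

# Constructed sample data (not from the article): pre-registered users held as
# password hashes, and the shared secret that marks an AP as known to the server.
USER_DB = {"alice": hashlib.sha256(b"constructed-password").digest()}
AP_SECRET = b"constructed-ap-secret"


class AuthServer:
    """Central server: checks the AP, then the user; returns a session PMK or None."""

    def authenticate(self, ap_secret, username, password):
        if not hmac.compare_digest(ap_secret, AP_SECRET):
            return None  # AP unknown to the server: nothing is checked or keyed
        stored = USER_DB.get(username)
        offered = hashlib.sha256(password.encode()).digest()
        if stored is None or not hmac.compare_digest(stored, offered):
            return None  # unknown user or wrong password: the port stays blocked
        # Pairwise master key for this session only; the random salt makes it differ every time
        return hmac.new(stored, b"pmk" + os.urandom(16), hashlib.sha256).digest()


class AccessPoint:
    """Authenticator: relays the credential exchange (opaque EAP frames in reality,
    a tuple here) and keys the link only after the server says yes."""

    def __init__(self, mac, server):
        self.mac, self.server = mac, server

    def associate(self, client_mac, username, password):
        pmk = self.server.authenticate(AP_SECRET, username, password)
        if pmk is None:
            return None  # association rejected: no key, no traffic passes
        # Pairwise transient key bound to this AP, this client and fresh nonces from both
        # sides; a simplified stand-in for the 802.11i key handshake, not the real one.
        nonces = os.urandom(16) + os.urandom(16)
        return hmac.new(pmk, self.mac + client_mac + nonces, hashlib.sha256).digest()


def packet_key(ptk, seq):
    """Per-packet key: a distinct key for each packet sequence number in the session."""
    return hmac.new(ptk, seq.to_bytes(6, "big"), hashlib.sha256).digest()[:16]


def run_session(username, password):
    ap = AccessPoint(b"\x00\x11\x22\x33\x44\x55", AuthServer())
    return ap.associate(b"\x66\x77\x88\x99\xaa\xbb", username, password)
```

Running two sessions for the same user yields two different session keys, and a user the server does not know, or a wrong password, gets no key at all.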
