Safer wireless

Are companies putting their security out on a limb by building wireless elements into the enterprise network? Or are security vendors over-stating the threat posed by the security vulnerabilities inherent in wireless technology?

By Simon Duddy, published February 27, 2005

“The security manager should know his wireless network and understand and assess the sources of risk.” - Rabih Itani, network and security manager at the American University.

Just when wireless networking technology was beginning to gain broader acceptance in the enterprise, another wireless security horror story has cropped up, this time the evil twin scam. The scam targets public hot spots and corporates by fooling wireless network users into logging on to rogue access points (APs) set up to emulate legitimate wireless LAN equipment. The rogue AP spoofs the Service Set Identifier (SSID) of a victim AP, thus misdirecting users to connect to it instead. The users are then logged on to web pages that are crafted to look like the web page the user typically interfaces with. Once hackers have conned a user into logging on, they can harvest data from the victim’s machine.

The implications of this kind of attack are clearly much more serious when the victim AP is owned by a corporate as the users might be giving away information that is critical to the enterprise. This kind of problem casts doubt on whether or not the wireless network will ever be as secure as or enjoy the same level of confidence as the wired network.

“Much of the danger lies in the original IEEE 802.11 security standard and its lack of security features,” says Wael Fakharany, regional manager, 3Com Middle East. “There are only a few mechanisms built into 802.11 such as open system authentication, shared key authentication, and configuring the AP to only accept selected addresses and these are no longer sufficient,” he adds. Furthermore, wireless networks provide unseen and often unmonitored access to company systems, information and services.
“All wireless network connections should be screened via a firewall, and must be used in conjunction with a virtual private network (VPN) and robust encryption to be considered safe,” says Ivor Rankin, senior technical engineer, Symantec Middle East & Africa.

Standards bodies and vendors have placed a lot of effort into shoring up 802.11 though, with the 802.11i standard recently making life more difficult for the hackers. The 802.11i standard was ratified in July 2004 by the Institute of Electrical and Electronics Engineers (IEEE) and offers improved encryption for 802.11 standard wireless products. As a core feature, 802.11i includes 802.1x authentication, which provides a framework that allows users to be authenticated by a central authority. At the same time, the authentication process is pushed to the edge of the network where intrusions are likely to first appear.

“From a good practices perspective, the major advantage of 802.1x is that it provisions the framework to authenticate users at the network entry points,” says Rabih Itani, network and security manager at the American University of Beirut. “Without 802.1x, enforcing access control on network services would be similar to placing physical security on the third floor of a building rather than at the main entrance,” he explains.

As well as providing authentication, 802.1x allows every connection to be identified with its own wired equivalent privacy (WEP) key. Before, all users would have the same key, which could be in circulation for months. With each key separate and able to be changed as often as the network manager wants, a significant window of opportunity for hackers has been closed. With each user having a key, it also doubles up as a monitoring tool for network staff.

“The benefit of 802.1x is that it can be used to authenticate both the user and the machine to make sure that users only access the corporate network on trusted machines,” says Fakharany.
“With 802.1x, users are not tied to using only one laptop, and the system does not duplicate corporate security systems. Users also don’t need virtual private networks (VPNs) in the office when they are using 802.1x,” he adds.

The big problem with 802.11i is that it won’t support pre-802.11i kit, which means that for the enterprise with large amounts of legacy kit, taking advantage means an expensive and probably unfeasible upgrade. Therefore 802.11i is a technology that will only have incremental benefits to the enterprise as new kit is bought and new deployments created.

Wi-Fi Protected Access (WPA), on the other hand, is compatible with today’s network kit and represents the minimum security that should be deployed by the enterprise. WPA, expressed as a formula, looks like this:

WPA = {802.1X + EAP + TKIP + MIC + (RADIUS)}

WPA uses existing technology such as 802.1x, Extensible Authentication Protocol (EAP), Temporal Key Integrity Protocol (TKIP) and Remote Authentication Dial-In User Service (RADIUS). EAP lets you use a variety of algorithms for authenticating the client with a RADIUS server. The most robust version of WPA is Enterprise mode, which uses a key hierarchy to derive pair and group keys for authentication.

“WPA has an advantage in that it employs TKIP, which rotates user keys more often for enhanced security, and uses a message-integrity-check function that helps to prevent malicious packets getting through the router,” says Fakharany.

Many network vendors are working hard in this area of authentication, with security technology that regulates who should be admitted to the network and with what privileges coming to the fore. Cisco, working with Trend Micro on the antivirus side, was a pioneer with its Network Admission Control (NAC) approach. Nortel is also working in a similar vein with security firm Symantec.

As well as more robust protocols, it is important for the enterprise to consider the integrity of the radio frequency (RF) plane.
This concerns the transmission of information over the airwaves. The enterprise needs to closely monitor this layer to locate users and sources of trouble in real time and be capable of controlling coverage to ensure it does not bleed to unwanted areas. Moreover, security in the RF layer should be capable of detecting and avoiding interference sources as well as detecting and stopping rogue APs.

“The wireless network should also be smart enough to identify RF types of intrusions,” says Itani. “Such RF capabilities, when automated, provide a strong first line of defence and eliminate a high percentage of threats,” he adds.

With the increased security brought by advanced protocols and improved RF monitoring, there is an inevitable trade-off in terms of performance. If the technology, which can be especially slow on legacy equipment, grinds the wireless network to a standstill, the benefits are lost. The enterprise must bear in mind that the best policy is to arrive at a healthy and workable balance between tight security and adequately performing and user-friendly networks.

While these new security technologies make wireless a more robust proposition, many commentators feel that there is too much attention on front-end interface solutions and not enough focus on sturdy and flexible back-end technology. The enterprise has limited control over users trying to wirelessly access the network and cannot guarantee that clients are using 802.11i compatible kit. In fact, most of the client-side chipsets sold prior to 2004 cannot support many of the new security protocols.

“As a result of this, network managers need to make a decision,” says Mike Campbell, general manager of NexTech. “Do they only allow network access to client devices that can support the latest protocols or do they increase security provisions in the back end by creating VLANs for guest or weak authentication clients?” he adds.

The dilemmas brought by technology are nothing new.
As ever, investing in the latest and greatest technology often brings compatibility and installation headaches. These can be minimised, however, by looking closely at the security procedures and processes used by the enterprise and tailoring them to make the most efficient use of company resources. The business processes that govern the management of devices as well as how people use the wireless network should be given at least the same amount of attention as the technology itself.

“As the next generation of products rolls out there will be a need and requirement to tie traditional corporate security policies and applications into both the wired and wireless worlds. Encrypting data, user and device level authentication and zone-level access controls are all key,” says Steven Brown, director of operations for hotspot management firm Single Digits. “However, these are not independent decisions made by the IT department, they are corporate decisions that involve much more than just IT decision makers and input from all parties needs to be taken into consideration,” he adds.

Even with technology in place, the human element is often the weakest link and it is often wise to put guidelines on wireless network access in place for employees and guests to adhere to. These policies can be enforced with penalties if necessary and awareness campaigns can be conducted.

“The security manager should know his wireless network and understand and assess the sources of risk. This knowledge is vital in establishing a defence strategy and keeping resources focused,” says Itani. “The implementation plan and user experience have the most effect on the success or failure of the security system,” he adds.

It is also imperative that the enterprise makes sure that authentication and encryption tools are doing their job by monitoring the wireless network continuously and, if necessary, adapting its security stance as threats develop.
“Use of advanced network inventory and access monitoring systems is important. These systems can identify unusual changes and usage of the network and alert network administrators to take action,” says Dino Bakakis, sales director at Redline Communications.

Equally important is to take control of any deployments at the implementation stage. It is at this stage that decisions such as what topology to use will be made and security as well as performance issues should be kept in mind. One of the key questions to answer at this stage is whether to opt for thin or fat APs. Fat APs contain a lot of technology and intelligence while thin APs do little more than relay a signal and rely on intelligence concentrated in wireless switches in the wiring closet. There are advantages and disadvantages to both systems in terms of security.

On the fat AP side, one advantage is that having this intelligence at the edge helps with efficient authentication. The fat AP has to relay less information to and from the central authentication area. When using 802.1x, thin APs pass the authentication packets to the switch without examining them. More powerful APs handle the protocol interchange, although in both cases the user’s credentials must be sent through the wired network to a RADIUS server for verification. On the downside, if fat APs are stolen, it can be an important issue as they contain critical network information, which can be manipulated against the enterprise if it falls into the wrong hands. On the other hand, thin models don’t present this threat.

Whatever technology or topology decisions are made, it’s vital that the end user stays in control of the implementation. “The design can be reviewed, audited or even developed by consultants but it is important for any network manager to be on top of all the blueprint details,” says Itani.

Security has traditionally been the standout weakness that has prevented wireless networking playing a bigger role in the enterprise.
Technology advances and greater experience in dealing with wireless, however, promise to broaden penetration. The enterprise that adopts a multi-layer security system has the best chance of protecting its data and the integrity of its wireless network. The business that uses point solutions may be able to rectify an immediate security issue but if it doesn’t fit into a coherent system, the network could still be exposed. A holistic system should take a multi-faceted approach with the RF plane, authentication, monitoring and security policy all considered well in advance of implementation.
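
The rogue AP detection and network inventory monitoring described in the article can be sketched as a comparison of observed beacons against a list of authorised APs. This is an added example, not part of the original article; the SSID, BSSIDs, inventory layout and scan results are all constructed for illustration.

```python
"""Flag evil-twin candidates by comparing a Wi-Fi scan with the AP inventory."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str      # MAC address of the AP radio
    channel: int
    security: str   # as advertised in the beacon, e.g. "WPA-Enterprise", "Open"

# Hypothetical inventory of authorised APs: BSSID -> (SSID, channel, security).
INVENTORY = {
    "00:11:22:33:44:01": ("CorpNet", 1, "WPA-Enterprise"),
    "00:11:22:33:44:02": ("CorpNet", 6, "WPA-Enterprise"),
}

# Constructed scan results, as a monitoring sensor might report them.
SCAN = [
    Beacon("CorpNet", "00:11:22:33:44:01", 1, "WPA-Enterprise"),  # legitimate
    Beacon("CorpNet", "02:AA:BB:CC:DD:EE", 6, "Open"),     # our SSID, unknown radio
    Beacon("CorpNet", "00:11:22:33:44:02", 11, "Open"),    # known BSSID, wrong settings
    Beacon("CoffeeShop", "0A:0B:0C:0D:0E:0F", 11, "Open"), # neighbour, not ours
]

def classify(beacon, inventory=INVENTORY):
    """Return (verdict, reason) for a single observed beacon."""
    managed_ssids = {ssid for ssid, _, _ in inventory.values()}
    known = inventory.get(beacon.bssid.upper())
    if known is None:
        if beacon.ssid in managed_ssids:
            return ("rogue", "managed SSID advertised by a BSSID not in the inventory")
        return ("ignore", "SSID is not managed by us")
    ssid, channel, security = known
    # A listed BSSID whose settings drift may be cloned or misconfigured.
    drift = [name for name, seen, want in (
        ("ssid", beacon.ssid, ssid),
        ("channel", beacon.channel, channel),
        ("security", beacon.security, security)) if seen != want]
    if drift:
        return ("suspect", "inventoried BSSID differs in: " + ", ".join(drift))
    return ("ok", "matches inventory")

def audit(scan=SCAN, inventory=INVENTORY):
    """Return only the beacons that need an administrator's attention."""
    findings = []
    for b in scan:
        verdict, reason = classify(b, inventory)
        if verdict in ("rogue", "suspect"):
            findings.append((verdict, b.bssid, reason))
    return findings

if __name__ == "__main__":
    for finding in audit():
        print(finding)
```

A beacon that matches the inventory is not proof of legitimacy, since a BSSID can be copied as easily as an SSID; this check complements the 802.1x authentication discussed above and does not replace it.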
