Making wireless networks secure. (Security).


Organisations are eager to migrate to wireless LANs (WLANs). The demand for WLAN access in the USA has surged dramatically over the past year. Users are clamouring for WLAN access because it allows them to access their network and the Internet from anywhere in the workplace, without having to "plug in". Administrators are attracted to WLANs because they're easier to install (no cable to pull through walls and ceilings), they're flexible (they can be installed in places that wired LANs cannot, and do not require rewiring when seating or office plans change), and, in part owing to this flexibility, they're less expensive to maintain over the long term. For these reasons, experts predict the WLAN market to grow steadily, even in the face of an economic downturn. Cahners projects that WLAN revenues will grow to $4.6 billion by 2005. WLANs have already made significant penetration into the education, hospitality, healthcare and financial industries, and continually decreasing equipment prices should help drive adoption in other industries. Even owners of public meeting places, now known in the industry as hotspots, are trying to get into the act. Coffee shops, airline lounges, and libraries are just a few of the venues offering WLAN access to their patrons, enabling their customers to make better use of what used to be mandatory unconnected time.

WLAN Architecture and Security Challenges

As with any technology shift, migrating users to WLANs has its drawbacks. The initial investment in hardware may be significant and somewhat irksome. Organisations will have to deploy multiple wireless access points, and outfit every user with wireless network cards, when most will already have perfectly good NIC cards for the wired LAN. However, the chief concern in migrating to WLAN access is security. Physical wires turn out to be one of the primary obstacles to attackers looking to hack their way onto a LAN. It's unlikely that a stranger plugging into a corporate network would go unchallenged, either by the network security that's already in place, or by surrounding workers. On a WLAN this obstacle disappears. Instead, user credentials and data are broadcast from both the client and the wireless access point (AP) in a radius, which may reach 300 feet or more.

The fact that data is being broadcast via radio waves rather than transmitted over a wire introduces security challenges, namely:

How can you prevent user credentials from being hijacked during authentication negotiation?

Once authentication is complete, how can you protect the privacy of the data being transmitted between client and access point?

How can you make sure the authorised user connects to the right network?

Early WLAN Implementations

The first WLAN implementations, designed primarily for home use, did little to address these security issues. 802.11b, published in 1999, was the first IEEE draft outlining specifications and protocols for WLAN connections with LAN-equivalent speed and security. More popularly known as Wi-Fi (wireless fidelity), 802.11b provides for wireless transmission rates of 11 Mbps.

In 802.11b WLAN solutions, user authentication happened in the clear, via the WLAN device's unique Media Access Control (MAC) address. Each AP contained a database of each authorised client's MAC address; if the client's MAC address was present in the AP's database, the user was granted access to the network. This left a user's MAC address exposed: anyone sniffing the network could see a valid MAC address being broadcast (and reset his own device to that address). Also, if the user's client device were stolen, the thief would have all the credentials he or she needed to easily access the network (without having to know or guess a username and password).

In addition to the security problems this method introduced, it also didn't scale well. The MAC address for each user must be stored on each AP on the wireless LAN, creating a cumbersome management scenario and increasing the possibility of security breaches due to administrative oversight.

Data privacy was provided via a sub-protocol called Wired Equivalent Privacy, or WEP, intended to provide the same level of security found in a wired LAN. As it turned out, first-generation implementations of WEP did not provide this level of security. In fact, numerous published reports, the latest prepared by AT&T, demonstrated convincingly that WEP was easily cracked, seriously breaching the privacy of any wireless data transmission.
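The article reports that WEP was easily cracked without saying why. One root cause, added here as an illustration (this is not code from the article or from the AT&T report), is the 24-bit per-frame IV: WEP keys RC4 with IV || static secret key, so once an IV repeats under the same key the keystream repeats, and XOR-ing the two ciphertexts yields the XOR of the two plaintexts with the key cancelled out. The block computes how few frames it takes before an IV repeat becomes likelier than not (the birthday bound) and shows the keystream reuse on constructed sample frames; the RC4 routine, the key and the frames are all constructed, and the CRC-32 ICV is omitted. This is the reason the "dynamic encryption keys" and "re-keying" items in the evaluation checklist later in the article matter.

```python
import os

IV_BITS = 24                  # WEP prepends a 24-bit IV, sent in the clear, to every frame
IV_SPACE = 1 << IV_BITS


def frames_until_iv_repeat_likely(space=IV_SPACE, threshold=0.5):
    """Smallest frame count n for which P(some IV repeats among n random IVs) >= threshold."""
    p_no_collision, n = 1.0, 0
    while 1.0 - p_no_collision < threshold:
        p_no_collision *= 1.0 - n / space   # the next frame must avoid the n IVs already used
        n += 1
    return n


def rc4_keystream(key, length):
    """Plain RC4 (key scheduling + PRGA) as used by WEP; constructed for this illustration."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(secret_key, iv, plaintext):
    """WEP per-frame encryption (ICV omitted): RC4 keyed with IV || secret, IV in the clear."""
    keystream = rc4_keystream(iv + secret_key, len(plaintext))
    return iv + bytes(p ^ k for p, k in zip(plaintext, keystream))


def plaintext_xor_from_reused_iv(frame_a, frame_b):
    """If two frames carry the same IV, C_a XOR C_b equals P_a XOR P_b; the key plays no part."""
    if frame_a[:3] != frame_b[:3]:
        return None
    return bytes(a ^ b for a, b in zip(frame_a[3:], frame_b[3:]))


def demo():
    secret_key = os.urandom(13)            # a 104-bit static WEP key (constructed, random)
    iv = b"\x12\x34\x56"                   # the same IV reused for two frames
    p_a = b"payroll export Q3 "            # constructed sample plaintexts
    p_b = b"meeting room 4, 10am"
    frame_a = wep_encrypt(secret_key, iv, p_a)
    frame_b = wep_encrypt(secret_key, iv, p_b)
    leaked = plaintext_xor_from_reused_iv(frame_a, frame_b)
    n = min(len(p_a), len(p_b))
    return {
        "frames_to_50pct_iv_repeat": frames_until_iv_repeat_likely(),
        "leak_equals_plaintext_xor": leaked == bytes(a ^ b for a, b in zip(p_a[:n], p_b[:n])),
    }
```

With a 2^24 IV space the 50% point lands at roughly 4,800 frames, a few seconds of traffic on a busy AP, and with a static key the repeat is permanent. A per-session key that is rotated (re-keyed) before the IV space is exhausted removes the reuse; that is what the dynamic-key EAP types described below provide.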

The 802.1X Solution

802.1X is a next-generation draft of IEEE WLAN specifications and protocols written to address the security and management pitfalls of 802.11b. The 802.1X protocol provides sub-protocols and methods for better protecting authentication and data transmission, including:

An authentication process, such as a RADIUS server or access point-based authentication, to manage WLAN user authentication, connection attributes, and other matters related to setting up and securing the WLAN connection. While the 802.1X protocol does not recommend one authentication process over another, the market has overwhelmingly adopted RADIUS as the preferred authentication process on WLANs for several reasons:

With RADIUS, authentication is user-based rather than device-based, so, for example, a stolen laptop does not necessarily imply a serious security breach.

RADIUS eliminates the need to store and manage authentication data on every AP on the WLAN, making security considerably easier to manage and scale.

RADIUS has already been widely deployed for other types of authentication on the network.

Extensible Authentication Protocol (EAP) and EAPOL (EAP over LAN). EAPOL is the transport protocol used to negotiate the WLAN user's secure connection to the network. Security is handled by vendor-developed "EAP authentication types", which may protect credentials, data privacy, or both.
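A toy model, added here and not code from the article or any vendor, of the two approaches the article contrasts: the 802.11b MAC-address database replicated on every AP, and 802.1X with the AP acting only as a relay between the supplicant and a RADIUS server. The credential check follows the CHAP-style EAP-MD5 exchange; the session key returned on Access-Accept is a constructed stand-in (EAP-MD5 itself derives no keys) for what a key-deriving type such as EAP-TLS would produce. Usernames, passwords and MAC addresses are constructed sample data. It shows the three points made above: authorising a device means touching every MAC-filtering AP, a MAC list admits any station presenting the address, and under 802.1X a stolen laptop without the user's password gets no key.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


# ---- 802.11b style: a MAC address list that every AP must carry ----
class MacFilterAP:
    """Admits any station whose MAC address is on this AP's local list."""

    def __init__(self, name, allowed_macs=()):
        self.name = name
        self.allowed = set(allowed_macs)   # each AP holds its own copy

    def admit(self, client_mac):
        # The MAC is both identifier and credential, and it is sent in the clear.
        return client_mac in self.allowed


def authorise_device_everywhere(aps, mac):
    """Returns how many APs had to be touched to admit one new device."""
    for ap in aps:
        ap.allowed.add(mac)
    return len(aps)


# ---- 802.1X style: the AP relays EAP to a RADIUS server that owns the credentials ----
def chap_response(eap_id, password, challenge):
    # Response format of EAP-MD5 (RFC 3748 s5.4), the CHAP-style type the article mentions.
    return hashlib.md5(bytes([eap_id]) + password.encode() + challenge).digest()


@dataclass
class Supplicant:
    identity: str
    password: str
    mac: str                      # irrelevant to 802.1X; kept to show the stolen-laptop case

    def respond(self, eap_id, challenge):
        return chap_response(eap_id, self.password, challenge)


class RadiusServer:
    """One credential store for the whole WLAN; APs never see a password."""

    def __init__(self, users):
        self.users = dict(users)  # username -> password (constructed sample data)
        self.pending = {}

    def access_challenge(self, identity, eap_id):
        challenge = os.urandom(16)
        self.pending[(identity, eap_id)] = challenge
        return challenge

    def access_request(self, identity, eap_id, response):
        challenge = self.pending.pop((identity, eap_id), None)
        password = self.users.get(identity)
        if challenge is None or password is None:
            return None                                    # Access-Reject
        if not hmac.compare_digest(chap_response(eap_id, password, challenge), response):
            return None                                    # Access-Reject
        # Access-Accept. Constructed stand-in for a per-session key (EAP-MD5 derives none).
        return hmac.new(password.encode(), challenge, hashlib.sha256).digest()


class DotOneXAP:
    """Authenticator: keeps the port closed until the RADIUS server answers Access-Accept."""

    def __init__(self, name, server):
        self.name = name
        self.server = server
        self.next_id = 1

    def authenticate(self, supplicant):
        eap_id, self.next_id = self.next_id, (self.next_id + 1) % 256
        identity = supplicant.identity                                 # EAP-Response/Identity
        challenge = self.server.access_challenge(identity, eap_id)     # Access-Challenge
        response = supplicant.respond(eap_id, challenge)               # EAP-Response/MD5
        return self.server.access_request(identity, eap_id, response)  # session key or None


def demo():
    laptop_mac = "00:11:22:33:44:55"
    mac_aps = [MacFilterAP(f"ap{i}") for i in range(3)]
    touched = authorise_device_everywhere(mac_aps, laptop_mac)
    copied_mac_admitted = all(ap.admit(laptop_mac) for ap in mac_aps)

    server = RadiusServer({"alice": "correct horse battery"})
    x_aps = [DotOneXAP(f"ap{i}", server) for i in range(3)]
    alice = Supplicant("alice", "correct horse battery", laptop_mac)
    thief = Supplicant("alice", "guessed-password", laptop_mac)       # same stolen laptop
    return {
        "mac_aps_touched_per_device": touched,
        "mac_admits_any_station_with_copied_address": copied_mac_admitted,
        "alice_gets_session_key": x_aps[0].authenticate(alice) is not None,
        "thief_with_stolen_laptop_gets_key": x_aps[1].authenticate(thief) is not None,
        "session_keys_are_fresh": x_aps[0].authenticate(alice) != x_aps[2].authenticate(alice),
    }
```

Note that `DotOneXAP` holds no user data at all: adding or disabling a user is one change on the server, and every AP on the WLAN follows it immediately.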

EAP Authentication Types

Because WLAN security is essential, and EAP authentication types provide the means of securing the WLAN connection, vendors are rapidly developing and adding EAP authentication types to their WLAN access points. Some of the commonly deployed EAP authentication types include:

EAP-TLS (Transport Layer Security). EAP-TLS, the security method used in the 802.1X client in Windows XP, provides for certificate-based, mutual authentication of the client and the network. It relies on client-side and server-side certificates to perform authentication; dynamically generated, user- and session-based WEP keys are distributed to secure the connection. Windows XP includes an EAP-TLS client.

EAP-TTLS (Tunnelled Transport Layer Security). Funk Software and Certicom have jointly developed EAP-TTLS. EAP-TTLS is an extension of EAP-TLS, which provides for certificate-based, mutual authentication of the client and network. Unlike EAP-TLS, however, EAP-TTLS requires only server-side certificates, eliminating the need to configure certificates for each WLAN client. In addition, it supports legacy password protocols, so you can deploy it against your existing authentication system (such as tokens or Active Directory). It securely tunnels client authentication within TLS records, ensuring that the user remains anonymous to eavesdroppers on the wireless link and across the entire network to the RADIUS server.

EAP-Cisco Wireless. Also called LEAP (Lightweight Extensible Authentication Protocol), this EAP authentication type is used primarily in Cisco WLAN APs, including the Aironet Series. It encrypts data transmission using dynamically generated WEP keys, and supports mutual authentication.

EAP-MD5 Challenge. The earliest EAP authentication type, this essentially duplicates CHAP password protection on a WLAN. EAP-MD5 represents a kind of base-level EAP support among 802.1X devices.

It is likely that this list of EAP authentication types will grow as more and more vendors enter the WLAN security market, and until the market chooses a standard. In general, you may wish to evaluate any EAP authentication type you're considering deploying based on the following functionality:

Does it provide adequate credential security?

Does it permit mutual authentication of the client and the network?

Does it require dynamic encryption keys?

Does it support re-keying?

Is it easy to manage?

Can you easily implement it on your network?

How RADIUS Works in the 802.1X Environment

In the most common 802.1X WLAN environments, the APs defer to the RADIUS server to authenticate users and to support particular EAP authentication types. The RADIUS server handles these functions, and provides authentication and data protection capabilities according to the requirements of the EAP authentication type in use. Because the RADIUS server plays such a central role in WLAN security, brokering client and AP authentication, and providing and enforcing any other security measures specified by the EAP authentication type, organisations looking to maximise the return on their WLAN investment should seek a RADIUS server that:

Supports all existing EAP authentication types.

Supports multiple vendors' equipment on a single WLAN, so that the organisation can grow its WLAN by adding whatever equipment meets its requirements (instead of being tied to solutions provided by a particular vendor).

Offers the performance and transaction capacity to support large-scale migration to WLAN, as well as the increased transactions that accompany additional security techniques such as reauthentication.
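Because the AP defers to the RADIUS server for the accept/reject decision, the AP must be able to tell a genuine Access-Accept from one that did not come from its server. This added example (not code from the article or from any vendor's RADIUS product) builds an Access-Request carrying an EAP-Message and then verifies a reply using the two integrity checks the RADIUS RFCs define: the Response Authenticator of RFC 2865 (MD5 over the reply, the original Request Authenticator and the shared secret) and the Message-Authenticator of RFC 2869 (HMAC-MD5 under the shared secret), which is mandatory whenever EAP is carried. The shared secret, identifiers and EAP payloads are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 79, 80
HDR = struct.Struct("!BBH16s")   # Code, Identifier, Length, Authenticator (RFC 2865 s3)


def encode_attrs(attrs):
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)


def decode_attrs(blob):
    attrs, i = [], 0
    while i < len(blob):
        t, ln = blob[i], blob[i + 1]
        if ln < 2 or i + ln > len(blob):
            raise ValueError("malformed attribute")
        attrs.append((t, blob[i + 2:i + ln]))
        i += ln
    return attrs


def _message_authenticator(code, ident, auth_field, attrs, secret):
    # RFC 2869 s5.14: HMAC-MD5 over the packet with the Message-Authenticator value zeroed.
    # For replies, auth_field is the Request Authenticator of the request being answered.
    zeroed = [(t, b"\x00" * 16 if t == ATTR_MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    body = encode_attrs(zeroed)
    return hmac.new(secret, HDR.pack(code, ident, HDR.size + len(body), auth_field) + body,
                    hashlib.md5).digest()


def build_access_request(ident, secret, username, eap_message):
    req_auth = os.urandom(16)   # Request Authenticator: fresh and unpredictable per request
    attrs = [(ATTR_USER_NAME, username), (ATTR_EAP_MESSAGE, eap_message),
             (ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)]
    attrs[-1] = (ATTR_MESSAGE_AUTHENTICATOR,
                 _message_authenticator(ACCESS_REQUEST, ident, req_auth, attrs, secret))
    body = encode_attrs(attrs)
    return HDR.pack(ACCESS_REQUEST, ident, HDR.size + len(body), req_auth) + body, req_auth


def build_response(code, ident, secret, req_auth, attrs):
    attrs = list(attrs) + [(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)]
    attrs[-1] = (ATTR_MESSAGE_AUTHENTICATOR,
                 _message_authenticator(code, ident, req_auth, attrs, secret))
    body = encode_attrs(attrs)
    length = HDR.size + len(body)
    # Response Authenticator: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(struct.pack("!BBH", code, ident, length) + req_auth + body
                            + secret).digest()
    return HDR.pack(code, ident, length, resp_auth) + body


def verify_response(packet, req_auth, secret):
    """What the AP must check before opening the port on an Access-Accept."""
    code, ident, length, resp_auth = HDR.unpack_from(packet)
    if length != len(packet):
        return False
    body = packet[HDR.size:]
    expected = hashlib.md5(struct.pack("!BBH", code, ident, length) + req_auth + body
                           + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        return False
    attrs = decode_attrs(body)
    mas = [v for t, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if len(mas) != 1:
        return False   # required whenever an EAP-Message is present
    return hmac.compare_digest(mas[0], _message_authenticator(code, ident, req_auth, attrs, secret))


def demo():
    secret = b"constructed-shared-secret"
    eap_identity = bytes([2, 1, 0, 10, 1]) + b"alice"   # EAP-Response/Identity, id 1, len 10
    req, req_auth = build_access_request(7, secret, b"alice", eap_identity)
    eap_success = bytes([3, 2, 0, 4])                    # EAP-Success, id 2
    accept = build_response(ACCESS_ACCEPT, 7, secret, req_auth, [(ATTR_EAP_MESSAGE, eap_success)])
    forged = build_response(ACCESS_ACCEPT, 7, b"wrong-secret", req_auth,
                            [(ATTR_EAP_MESSAGE, eap_success)])
    other = build_response(ACCESS_ACCEPT, 7, secret, os.urandom(16),
                           [(ATTR_EAP_MESSAGE, eap_success)])   # reply to some other request
    return {
        "genuine_accept": verify_response(accept, req_auth, secret),
        "accept_without_secret": verify_response(forged, req_auth, secret),
        "accept_for_other_request": verify_response(other, req_auth, secret),
    }
```

The Request Authenticator binds each reply to one request, so a captured Access-Accept cannot be re-used for a later attempt, and the shared secret is what makes the AP's trust in the server's decision meaningful; a weak or widely reused secret undermines every EAP type carried over it.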

A significant development has been the recent introduction of end-to-end 802.1X security solutions that let users securely connect to WLANs and can be easily and widely deployed across the enterprise.

For example, one such product developed by Funk Software secures the authentication and connection of WLAN users, ensuring that only authorised users can connect, that connection credentials will not be compromised, and that data privacy will be maintained.

This feature has been written as part of a series of articles for Enterprise Wireless Technology, Olympia, London Oct 2nd-3rd 2002.

www.enterprisewireless.co.uk
COPYRIGHT 2002 A.P. Publications Ltd.
Copyright 2002, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Article Details
Author: Levington, Michelle
Publication: Software World
Geographic Code: 1USA
Date: Sep 1, 2002
Words: 1536