Positive identification in a wireless world. (Software Intelligence).The use of wireless systems for network and Web access is exploding-from wireless LANs to e-mail capable cell phones. It makes network access completely portable, and with systems starting at under $300, very affordable. But widespread wireless use has raised serious new security challenges. How can you be certain the person connecting to your wireless network is a legitimate user and not a hacker sitting in your parking lot? In a recent study, over half of the companies surveyed didn't even use the most basic'encryption and security features of their wireless LAN systems. For those companies who choose to implement security features, solutions include access control appliances or VPNs to protect their wireless systems instead of (or in addition to) wireless encryption to establish a secure session. Once a secure session is initiated, however, security cannot stop there The organization must be confident that users entering the secure sessions are who they say they are--they must be positively identified. Most organizations, unfortunately, choose fixed passwords to identify users, and fixed passwords are inherently weak. Many password attacks exist today-from hacking dictionaries to sniffers, from social engineering to personal information attacks. These tools-like the LOphtCrack brute-force password cracker--are readily available on dozens of Web sites, free to anyone with a Internet access See how to access the Internet. . These attacks can easily compromise fixed passwords, no matter how stringent the organization's password policy A password policy is a set of rules designed to enhance computer security by encouraging users to employ strong passwords and use them properly. A password policy is often part of an organization's official regulations and may be taught as part of security awareness training. . In fact, organizations lose millions of dollars every year due to password breaches. In late 2002, an identity theft ring was exposed is the U.S. that had victimized over 30,000 people; the suspects allegedly stole passwords from credit agencies and banks, accessing credit reports and information, and costing customers over US$2.7 million. Best defense: strong authentication Passwords are easily compromised because there's only one factor to possess: the password. With it, an attacker can access network systems again and again. With strong authentication, there are usually at east two factors. Often, these two factors are something you know, like a personal identification number, and something you have, which can be a hardware token, a digital certificate, a smart card, or other device. An ATM card An ATM card (also known as a bank card, client card, or cash card) is an ISO 7810 card issued by a bank, credit union or building society. Its primary uses are: The user experience: logging on When a strong authentication system The combination of authentication server and authenticator, which may be separate devices or both reside in the same unit such as an access point or network access server. The authentication server contains a database of user names, passwords and policies, and the authenticator physically with hardware tokens is put in place to protect a wireless LAN, a user requests access and is presented with an onscreen on·screen or on-screen adj. & adv. 1. As shown on a movie, television, or display screen. 2. Within public view; in public. dialog box A movable window that is displayed on screen in response to the user selecting a menu option. It provides the current status and available options for a particular feature in the program. or prompt to enter a username and a one-time password (security) One-Time Password - (OTP) A security system that requires a new password every time a user authenticates themselves, thus protecting against an intruder replaying an intercepted password. OTP generates passwords using either the MD4 or MD5 hashing algorithms. . The user activates the hardware token in order to get the one-time password on the token screen, which must be typed in at the prompt in order to gain access to the requested resource. Once a one-time password is used, it can't be re-used to gain access. This eliminates many of the vulnerabilities of fixed passwords, making sniffing, hacker dictionaries, personal information attacks, and other common password attacks useless to hackers. The administrator experience: adding strong authentication There are generally three ways to use strong authentication systems to protect wireless LANS: 1. FAP (language) FAP - The assembly language for Sperry-Rand 1103 and 1103A. [Listed in CACM 2(5):16 (May 1959)]. and 802.1X. Specialized authentication servers can interoperate with strong authentication services using the Extensible Authentication Protocol Extensible Authentication Protocol, or EAP, is a universal authentication framework frequently used in wireless networks and Point-to-Point connections. It is defined by RFC 3748. (EAP (Extensible Authentication Protocol) A protocol that acts as a framework and transport for other authentication protocols. EAP uses its own start and end messages, but then carries any number of third-party messages between the client (supplicant) and access control ) and 802.1X infrastructure. This combination is much more secure than competing standards. ZAP and 802.1X are used to control access to network devices, including wireless LANS. These standards have been embraced by a number of leading hardware and software vendors including Cisco, Microsoft, and Hewlett-Packard, and many products, designed for both wireless and wired networks, already implement these standard. Only certain types of EAP protocols, like TTLS TTLS Tunneled Transport Layer Security TTLS Twinkle Twinkle Little Star (song) TTLS Transportable Transponder Landing System TTLS Trivial Transport Layer Security TTLS Tunneling Two-Level System (Tunneled Transport Layer Security) and PEAP See EAP. (Protected EAP), support strong authentication. 2. Wireless access control appliances. Because Web-based authentication is easy to deploy, it is becoming more pervasive. One solution to use Web-based authentication with wireless LANs is called an access control appliance, a firewall-like device that sits between the wireless access point and the rest of the network. These appliances force wireless users to authenticate at the application level (typically from their Web browsers over HTTPS (1) (HyperText Transport Protocol Secure) The protocol for accessing a secure Web server. Using HTTPS in the URL instead of HTTP directs the message to a secure port number rather than the default Web port number of 80. ) before receiving access to the rest of the network. In this setup, anybody can connect to the wireless access point without authentication, but users must authenticate in order to get beyond the local subnet (SUBNETwork) A logical division of a local area network, which is created to improve performance and provide security. To enhance performance, subnets limit the number of nodes that compete for available bandwidth. to organizations' trusted networks. Interoperability with strong authentication systems is often accomplished using the RADIUS protocol. 3. Virtual private networks. VPNs are traditionally used to link internal networks across an insecure network, or for remote access. More and more organizations are using VPNs to wireless LAN connections by connecting the wireless client to an internal network via the VPN (Virtual Private Network) A private network that is configured within a public network (a carrier's network or the Internet) in order to take advantage of the economies of scale and management facilities of large networks. gateway through an encrypted tunnel. This ensures the authenticity and secrecy of the information as it is passes across insecure networks. To securely authenticate VPN users (whether wireless or not), strong authentication can be added (often using the common RADIUS protocol) to provide a high level of security recommended by experts'. The device experience: embedded in the BIOS Some organizations prefer an extra layer of security: allowing authorized users only to access protected information from certain computers or workstations. While some authentication systems can recognize and authenticate IP addresses, there is now another way to identify devices. Many BIOS chips can utilize security software that embed security information directly on the BIOS. This information, similar to digital certificates, is recognized by some authentication systems, and ensures that users must access protected networks only from their assigned laptops or other BIOS-based devices. www.infosec.co.uk |
|
||||||||||||||||||||
Printer friendly
Cite/link
Email
Feedback
Reader Opinion