Upcoming Events

Executive conference

Cloud Connect March 16-18

Comprehensive thought leadership for executives, IT professionals and developers. Topics include: the ROI, cost and economics of on-demand computing; Migration strategies to move from on-premise to cloud-based IT; Vertical cloud specialization, tailoring features and architectures to specific applications, industries, and customer ecosystems

More Events »

Vendor Newsfeed

More Vendor Newsfeed »

Subscribe to Newsletter

  • Keep up with all of the latest news and analysis on the fast-moving IT industry with Network Computing newsletters.
Sign Up
Column - Security Watch
C O L U M N  
The WLAN's Weakest Link

  March 5, 2003
  By Robert Moskowitz


TOC Issue TOC
Printer Print full article
Printer Download as PDF
E-Mail E-Mail this URL
Discuss Discuss this article
flame author Flame the author

After two years of rousing debate, the body responsible for the Wi-Fi standard is finally putting the finishing touches on its new security standard, IEEE 802.11i. Although this standard's Robust Security Network feature will deliver the level of security the wireless world is clamoring for, don't be fooled: Your wireless network won't be secure until your transition to RSN is complete.

RSN defines two security methodologies--one for legacy hardware based on RC4 and one for new hardware based on AES. The standard also provides the flexibility to add new methodologies if the need arises. RSN uses the IEEE 802.1x port-authentication standard to authenticate wireless devices to the network and to provide the dynamic keys it requires. The task group does not specify any authentication method over 802.1x; it just defines the features such a method must provide. The idea here is to "future-proof" the RSN authentication process.


Talk About an Oxymoron

Discuss Join other NWC readers in discussing this article.
Throughout the process, the 802.11i Task Group remained painfully aware that the transition from old station hardware would be slow because of the installed base of wireless networking cards that conform to the Wi-Fi standard. RSN does provide for both RC4 and AES encryption, though it will take new Wi-Fi adapters or fast stations to support the AES encryption. But the principal concession to the RSN migration effort is the inclusion of Transition Security Network (TSN), which is defined only to facilitate migration to an RSN, according to the standard. "A TSN is insecure, since the pre-RSN equipment can compromise the larger network," the standard says. The contradiction of an insecure security network comes from the ways broadcast and multicast traffic are (and aren't) protected and from the inclusion of preshared (manually configured) keys in RSN.

An access point sends broadcast and multicast frames encrypted with the weakest configured security method: WEP (Wired Equivalent Privacy), TKIP (RSN with RC4) or CCMP (RSN with AES). If the AP is configured for TSN, the WEP-encrypted broadcast frames will easily yield the WEP key, exposing all broadcast traffic even if no associated station is using WEP. And if RSN is being deployed with preshared keys because setting up RADIUS and choosing a trustworthy authentication method are too difficult, chances are the same key is being used for WEP and preshared-key RSN! So much for robust security.

Sure, every security system has its weakest link. And RSN does address all three aspects of a security system--authentication, key distribution and data confidentiality. But it provides only legacy approaches to them all, and the legacy 802.11 Wi-Fi standard has shared keys for authentication; it has no key distribution and only weak data confidentiality. Using any of these legacy features in an RSN leaves the network compromised.

He Who Hesitates ...

The task group will be working hard on RSN at its next meeting, which starts March 9 in Dallas. But don't wait until RSN is a done deal to start your transition.

Remove the risk of preshared keys in RSN by deploying RADIUS immediately. Many WEP-keyed products already support 802.1x and RADIUS, and several good authentication options are available. EAP-TLS (draft-ietf-pppext-eap-ttls-02.txt) is getting most of the attention lately, but EAP-AKA (draft-arkko-pppext-eap-aka-08.txt) is a viable alternative based on per-station shared secrets, and Wi-Fi Protected Access is an interim version of RSN based on a mid-2002 draft of 802.11i. Use any one of them to get your transition going. As long as legacy wireless stations are in your network, robust wireless security will remain out of reach.

Post a comment or question on this story.

--Robert Moskowitz, rgm@htt-consult.com

Best of the Web

Data deduplication: Declawing the clones

Data deduplication is emerging as a critically important new arrow in the storage administrator's quiver to answer hard questions about the increasing problem in storage growth costs.

Quick Read

Compression, Encryption, Deduplication, and Replication: Strange Bedfellows

One of the great ironies of storage technology is the inverse relationship between efficiency and security: Adding performance or reducing storage requirements almost always results in reducing the confidentiality, integrity, or availability of a system.

Quick Read

WAN Optimization Whitelists and Blacklists

Optimization is a fantastic way of saving money and creating really happy customers at the same time, but it doesn't work flawlessly for all applications.

Quick Read

WAN Optimization as a Managed Service: It's Not About the Cost

This insight examines how organizations outsourcing their WAN optimization initiatives to a third-party go about achieving their goals for application performance, reducing operational costs, and streamlining enterprise infrastructure.

Quick Read

  Sponsored Links

Premium Content

Next Generation Data Center, Delivered, November 17th
NWC


Salary

Video

View All Videos

Most Popular

Stories Blogs

More Stories »

Whitepapers

More »

BlogRoll