Closing The RADIUS Security Gap

Since it was ratified in June, wireless administrators and vendors have hailed the IEEE 802.11i wireless security standard as the holy grail of secure wireless computing. However, wireless administrators were reminded last week that security standards aren't a replacement for implementing best practices. Last week Aruba Wireless Networks brought to light a serious vulnerability related to how both wireless and wired networks access the RADIUS servers used by many enterprises for authentication. The insinuation was that the recently ratified IEEE 802.11i standard had an Achilles heel. This week the company offered a paper to the IETF's RADIUS Extensions Workgroup that describes in detail the vulnerability and how it might be exploited.

For its efforts, Aruba has been criticized by the press, other wireless vendors, and even wireless administrators for using this security flaw in a self-serving way to highlight their architecture. Whether or not that's true, this is a potentially significant issue that every enterprise that uses a RADIUS server should look into.

The RADIUS exploit that Aruba documented requires gaining access to a RADIUS packet exchange between the NAS (Network Access Server) and RADIUS server. The NAS for most traditional wireless networks is the access point " for those who use a wireless switch or appliance, it's usually the switch itself.

Because most RADIUS secrets are weak (simple words and/or 8 octet or shorter strings) and are hashed using MD5 (a one-way operation that transforms a string into a unique shorter, fixed-length value), they can be recovered relatively quickly offline using a dictionary attack. If a stronger secret with 8 octets was implemented, hackers will have to try all permutations, which means that key retrieval will take about 17 days, on average.

"RADIUS is more difficult to capture the hash (than LEAP), but slightly easier to crack," said Joshua Wright, co-author of the RFC (Request For Comments) and the researcher who implemented the 'asleap' attack on Cisco's LEAP security protocol. In the case of wireless traffic, the RADIUS secret can be used to eventually retrieve session encryption keys and reveal the plain-text version of the data communication.But this exploit is best not framed as a wireless versus wireline exploit, but rather as a network exploit.

"It has nothing to do with wireless," according to Mike Klein, CEO of Interlink, a company known for their carrier-class RADIUS servers. The result of this exploit, though, makes RADIUS-based authentication systems, wireless and dial-up RAS alike, vulnerable to spoofed authentication and data sniffing.

The concern about this exploit centers on wired LAN configuration and how much trust should be given to its implementation. A simple wireless network is likely to use the same virtual (or wired, for that matter) network as other production computers. That enables any employee to sniff for RADIUS traffic, directly if the wireless access point it attached to the same shared-media hub as the employee, or indirectly with ARP (Address Resolution Protocol, used to identify the hardware address based on the IP address) poisoning, using tools such as Arpoison, Cain & Abel, dsniff, and Ettercap. If the network does separate the end-users from the wireless network, only a Layer 3 attack can be performed, but this is still possible using proxy ARP or ICMP (Internet Control Message Protocol) redirects.

Most of these problems can be mitigated if the access point uses a different VLAN for the management traffic (including RADIUS authentication) than the client or data traffic. Even if those best practices are applied, however, the cables themselves are still vulnerable to tapping if someone has access to the wiring closet or has access to more advanced technology such as tapping the copper cable without splicing into it. Whatever the method, the attacker will either need to take extreme measures to gain physical access, using social engineering techniques to get a rogue access point on the right network, or work as an insider.

This all begs the question, of course: If the intruders have physical or network access, why go after the RADIUS keys when there are likely more interesting things to be obtained? Why would hackers be "looking at pebbles, not boulders?" said Mike Klein concerning the issue.Aruba highlighted an architectural challenge that most "fat" AP vendors such as Cisco have: Every access point is also the NAS in the RADIUS authentication scheme, leaving every one of those links vulnerable to ARP attacks. Wireless infrastructure switch vendors such as Airespace, Trapeze, and Chantry, as well as Aruba, have the advantage that the RADIUS key exchanges are centralized and occur between their wireless switch or appliance, usually located in a wiring closet or control room, and their RADIUS server.

Aruba's premise is that the RADIUS communications between wireless switches and the RADIUS server are more likely to be secure because there are less of them and more likely to go over the management network as opposed to data network.

Cisco's traditional access point deployment without at WDS would have had each AP function as a NAS device, vulnerable to the attacks laid out by Aruba. However, Cisco's new WLSM (Wireless LAN Services Module), or more affectionately called "Screaming Eagle", avoids this issue because of its centralized architecture, confirmed by Cisco in a statement. Cisco also states that the report submitted to the IETF has "no new or useful findings that help the industry better address these known issues", and follows up their statement with some best practices.

The remaining question lingering on the minds of some wireless administrators is what this means for 802.11i. By extension, the same question should be asked about any device -- wired or wireless -- that depends on RADIUS.

The answer is to secure the link between the RADIUS server and the NAS, either via encryption or network isolation. That relates to the first point " how much do you trust your physical security: Ethernet ports, wiring closets, and cabling?Whether Aruba's actions were altruistic, self-interested or a combination, it has done us one important favor: It has reminded us that every chain is only as strong as the weakest link.

Frank Bulk is a technology associate with the Center for Emerging Network Technologies at Syracuse University. Write to him at [email protected].