Market Analysis: WLAN Security

The Threats Are Real

Wireless security problems are often hyped by the media--present company excluded, of course. Many journalists struggle to understand the underlying complexity associated with threats and mitigation strategies and simply glom on to statistics, like the fact that eight out of 10 home wireless deployments are wide open to attack. But here's the thing: There's truth in the old saw that just because we're paranoid doesn't mean someone isn't out to get us.

Even the most careful IT manager must accept that, for some wireless threats, there's no defense. A denial-of-service attack using RF jamming, for example, is nearly impossible to combat. The best you can hope to do is minimize exposure by supporting multiband infrastructure and implementing tools and techniques that let you quickly identify the attack source.

Other vulnerabilities can be dealt with more effectively. For example, passive eavesdropping attacks, which can be mounted from considerable physical distance using directional antennas, can be mitigated by implementing encryption at the data link, network or application layer. Although some well-known wireless encryption systems, including WEP (Wired Equivalent Privacy) and Cisco LEAP (Lightweight Extensible Authentication Protocol), have been effectively attacked, more robust alternatives are now widely available.Session-hijacking vulnerabilities lie somewhere in the middle of the defense spectrum. Modern wireless security systems can protect against most man-in-the-middle attacks, but users may still find themselves vulnerable to rogue APs (access points) masquerading as legitimate systems, perhaps by using an 802.11 SSID (Service Set Identifier) identical to one used by the secure wireless network or by implementing a captive-portal Web authentication page that mimics the real system. Worse, OS vendors, in their efforts to make 802.11 accessible to the masses, have made it too easy for users to connect to rogue wireless infrastructures and not know it.

But the most significant vulnerability may be the rogue AP, either an inexpensive WLAN gateway or possibly a soft AP running on a client computer. While modern wireless monitoring systems can effectively detect rogues, containing them is much more challenging, as we learned when we partnered with Joshua Wright of the SANS Institute to assess vendor monitoring technologies.

Of more recent interest are mobile security threats, ranging from viruses to worms to compromised systems introduced by notebooks and other portable devices that connect to the enterprise and to home and public networks. Increasingly, endpoints are a key part of a comprehensive wireless security strategy.

So yes, the threats are real. But so are the defenses.

We've been preaching the need for comprehensive, enforceable and regularly updated security policies for years, but we realize that it's no easy task. Security systems are expensive and complex, prompting some organizations to weigh the risks and take their chances. Beyond the technology obstacles are cultural issues, as many organizations strive for a reasonable balance between strong security and ease of use.Despite the many obstacles, if you're operating any network without a wireless security policy, you're introducing exposure that would not meet even the most basic risk-management standard. And you can't hide behind a no-wireless strategy: You need a policy whether or not you're providing production wireless services. In fact, your risk may be escalated if you don't have a centrally managed wireless system, unless you can accomplish what other IT groups have not--stamp out rogue APs. Without effective wireless security monitoring, it's nearly impossible to eliminate this threat.

Assuming that a no-wireless policy won't work, resign yourself to reality: The most effective method of eliminating rogue wireless deployments is to provide secure, centrally managed Wi-Fi services. Learn what many of us discovered the hard way in the early days of PCs: It's almost impossible to restrain a compelling technology. And Wi-Fi is about as compelling as it gets these days.

Even if you can pat yourself on the back for providing excellent centrally managed wireless, you still need a monitoring system. The only question is whether it should be integrated with your WLAN infrastructure or provided through a separate security monitoring system. Most administrators swear by the integrated method, but we found that dedicated systems provide greater overall functionality, and there's an argument to be made for separating service and security monitoring.

Regardless of whether you install a dedicated monitoring system or take advantage of services offered by your infrastructure provider, you must configure the monitoring system's alarm and alert thresholds properly to match your internal policy. Either that, or live with default settings that often result in waves of false positives and, consequently, high administrative overhead.

Wireless policies must address a range of issues, including purchasing criteria, usage restrictions and monitoring. Policies must include both internal usage rules and rules governing remote use of mobile devices, in the home and on public networks. Your goal must be to protect your enterprise system, network infrastructure and mobile devices.Problems with the original IEEE 802.11 security model include much-publicized attacks on the underlying WEP encryption system. However, though WEP cracking makes for good headlines, we've long asserted that the 802.11 authentication framework was broken way before WEP was successfully attacked. The shared-key architecture didn't scale for enterprise use, and authentication, in the conventional ID/password sense, wasn't even addressed.

Over the past year, great strides have been made in improving Wi-Fi security through the application of technology compatible with 802.11i and related WPA (Wi-Fi Protected Access) and WPA2 certifications offered by the Wi-Fi Alliance. It's theoretically possible to design a robust WLAN security system that passes muster with the security community. But implementing a system that meets the needs of both users and security administrators is still tricky. You'll have to make plenty of choices--and trade-offs--if your environment has some unique characteristics. For example, support for WPA on voice-over-Wi-Fi phones has been slow to emerge, usually forcing administrators to implement additional methods for securing these devices.

If you've chosen an alternate method of securing your Wi-Fi network, perhaps using a VPN concentrator or a captive-portal Web authentication system, consider moving to WPA2. Gone are the requirements for flat wireless VLANs, VPN concentrators or proprietary wireless security gateways. Those tools have served many organizations well and may do so for several years to come. But for new installations and organizations looking to implement best practices, WPA2 is the way to go.

In developing the 802.11i security standard, the IEEE found itself dancing around many delicate issues. First, it felt pressure to develop a framework that would provide security both for wireless systems that incorporate strong, hardware-based AES encryption and for devices manufactured before 2003 that were designed for WEP encryption. Second, the IEEE needed to include provisions that would not only meet the standards of enterprise IT, but also fill the requirements of home and small-office users without imposing excessive complexity. Finally, it had to design a system that would accommodate emerging needs for secure mobility, such as wireless VoIP applications.

The heightened interest in security post-9/11, combined with a strong desire not to repeat the WEP fiasco, drew lots of attention to the 11i working group. In addition to the 802.11 crowd, there was significant involvement from the security community. The subsequent delays prompted the influential Wi-Fi Alliance to jump the gun by introducing its WPA certification program in October 2002, modeled after core elements of the 802.11i draft standard. WPA provides a solid enterprise wireless security framework, and most enterprise equipment vendors, while initially reluctant, submitted products for WPA certification.The IEEE ratified the 802.11i standard in July 2004, but only after punting critical elements involving fast secure roaming to a newly formed 802.11r working group. Until this committee finishes its work, fast secure roaming requires proprietary elements that limit interoperability, something few enterprises will tolerate.

Aside from secure-roaming issues, the 802.11i security framework represents a well-designed approach to WLAN security that will likely be embraced by most enterprises over the next two to three years. Although it doesn't provide full multilayer security, 802.11i addresses the most fundamental WLAN security challenges, including provisions for strong mutual authentication between clients and APs, message confidentiality, and data origin and integrity protection to guard against man-in-the-middle attacks.

Because nearly all enterprise-class WLAN equipment has or will support 802.11i and WPA2 by the end of this year, playing the 802.11i role of "authenticator," there are two basic challenges for wireless network managers. First, you'll need a RADIUS server infrastructure to deliver AAA (authentication, authorization and accounting) services. RADIUS services can be integrated into the WLAN infrastructure, but they are more commonly implemented on a RADIUS server running Windows or Unix/Linux. It's possible to maintain a wireless user directory on the RADIUS server, but most enterprises will tie their servers to existing enterprise directories--Microsoft ADS or some kind of LDAP server, for instance.

Closely related to the choice of RADIUS server is the choice of 802.11i client supplicant. Both must share the same method of handling authentication in the form of a common 802.1X EAP type. For a number of reasons--most of them good ones--the 802.11i committee decided not to specify a standard EAP type. Viewed positively, this allows significant administrative freedom. Viewed cynically, it makes interoperability more challenging unless all major players agree to support the same EAP types. In today's market, many EAP types vie for your attention, including TLS (Transport Layer Security), TTLS (Tunneled TLS), EAP-SIM (EAP-Subscriber Identity Module), LEAP and PEAP (Protected EAP). All have their proponents and detractors, and though it's possible to support multiple concurrent EAP types on the same WLAN, doing so can cause integration problems with back-end directory services. Because of its functionality and relative implementation simplicity, PEAP is likely to emerge as the most common EAP type. PEAP is supported natively by recent versions of Windows, on the Mac, and also on most RADIUS servers, and even though interoperability problems exist between Microsoft's and Cisco's versions of PEAP, these are likely to be resolved soon.

Assuming you have 802.11i supplicants working with a compatible RADIUS server, you've got the foundation for some robust authentication and confidentiality services. Once authentication credentials have been verified, the RADIUS server and AP cooperatively push encryption keys out to authenticated clients, ideally without requiring an explicit wireless authentication process.Although 802.11i provides enterprise-class security services, it does not mitigate all threats. Thus, as with wired networks, you'll need a combination of usage monitoring, intrusion detection and auditing systems to ensure that vulnerabilities don't exist and to track unusual behavior. The major enterprise infrastructure vendors offer basic monitoring services in the form of rogue device detection, but the state of the art in wireless monitoring is found in distributed monitoring systems. We address the capabilities and limitations of these systems in the accompanying review.

Whether you install a dedicated monitoring system or just get by with the services included with your infrastructure depends on your risk tolerance and your budget. Implementing a dedicated system can be expensive, especially in a large, distributed enterprise, not only for initial acquisition but also for ongoing operation. In the end, you may find it's more important to focus on securing the underlying wireless services before focusing your attention on monitoring. The choice is yours. Now get to work.

Dave Molta is a Network Computing senior technology editor. He is also assistant dean for technology at the School of Information Studies and director of the Center for Emerging Network Technologies at Syracuse University. Write to him at [email protected].

As if it weren't challenging enough to develop a security policy and system implementation for internal wireless users, along comes a distinguished visitor to your facility asking for a Wi-Fi connection to the Internet. Should you accommodate him or her?

Guest wireless access stirs much debate between technologists and users. One side asserts that no access should be made available to guests; the other side advocates a wide-open Internet connection for any guest. Although some organizations may be able to choose which side to support, neither is a good fit for the mainstream.Running an unsecured guest hotspot service alongside your secure internal network is relatively easy with a modern WLAN infrastructure. For your secure wireless network, which may or may not broadcast its SSID (Service Set ID), you can have a guest network with a unique SSID logically tied to a termination point in your DMZ, outside normal perimeter defenses. These users are no more a threat to internal systems than typical Internet users. However, despite the minimal risk, there's no clear legal precedent that defines your responsibilities should an individual engage in anonymous illegal activity while connected to your guest network. Providing such a service could be viewed as negligent. The bottom-line requirement for many security administrators is some kind of audit trail for guest users.

If you find yourself in this situation, consider a captive-portal guest-access system that can be easily provisioned by your helpdesk or, even better, by any authorized wireless user. In some organizations, a temporary account may be generated automatically when the guest signs in at a security checkpoint. In sites that lack a central point of control, you'd like to be able to allow the guest's host to provision a temporary guest account. Flexible guest account provisioning has gotten the attention of a few vendors, including SonicWall and Trapeze Networks, but much work remains to be done.

Some network administrators prefer alternate methods for providing guest access. A few organizations have tried partnering with a hotspot service provider, the modern-day equivalent of pay phones, but the fragmented nature of that market means most users would pay high fees for access. Another, longer-term model being explored by some universities involves a federated identity model, where RADIUS servers establish trust relationships with users' "home" RADIUS servers, allowing authenticated guest access and an audit trail.

Trying to keep Wi-Fi out of all but the most locked-down organizations is akin to an IT professional of 20 years ago trying to block adoption of PCs. Good luck. In "Secure Your Airspace," we examine WLAN security today. The threats are all too real, and as with wired network security, you'll never be 100 percent bulletproof. But 802.11i, WPA2 and beefier encryption systems can help.

Key things to remember: Deploy a flexible authentication framework. Encrypt data. Have a comprehensive policy in place--even if your stance is no wireless--and enforce it using the latest monitoring and auditing technologies. That's where the gear we review in "Time To Tighten the Wireless Net" comes in. These distributed wireless security suites from AirDefense, AirMagnet, AirTight Networks, Highwall Technologies and Network Chemistry use an overlay approach to provide rogue device detection, intrusion detection, RF interference detection, user and group traffic monitoring, and performance monitoring in the 2.4-GHz and 5-GHz ranges. We last reviewed these devices 15 months ago, and we're pleased to see that the vendors have made great strides. AirMagnet took our Editor's Choice award by a narrow margin. Network Chemistry impressed us with its innovative sensor design and low cost, earning our Best Value award. We also asked SANS Institute wireless security researcher Joshua Wright to analyze each vendor's containment scheme; find his report here and a rundown of the attacks we threw at the devices.FYI: We Be Jamming?: While it's true that jamming is forbidden under FCC regulations on RF interference, all the systems we tested perform containment against known threats, not random devices. We don't expect the FCC to object to enforcing network access control unless you de-auth a good client or try to enforce a no-wireless policy in a public area. Click here for an interesting overview.

FIY: Cheaper, But Not Easier: You can adopt a no-wireless policy without implementing a pricey distributed wireless monitoring system like those reviewed in Time To Tighten The Wireless Net, but enforcement will be much more labor intensive so you'll pay on the manpower end as staff will need to perform frequent "walkabout" wireless audits with a tool like AirMagnet or NetStumbler.

FYI: Have Wi-Fi Will Travel: By 2008, over 80 percent of all notebook PCs will have Wi-Fi WLAN capabilities. Penetration of professional notebook PCs should reach a similar figure by the end of 2005, according to Gartner.

FYI: Take Five: By 2007, more than 50 percent of enterprises with more than 1,000 employees will exploit at least five wireless networking technologies, according to Gartner.

We polled Network Computing subscribers for their opinions about WLAN security, and 492 of you responded. As expected, most cited security concerns as the top obstacle to enterprise WLAN deployment. After security, the most common responses were uncertainty over future WLAN standards, lack of clear business justification, high cost and technical installation complexity. Only about 10 percent of respondents reported large production WLAN deployments of more than 100 APs. The remaining 90 percent varied in terms of implementation, with around 70 percent anticipating that their organizations would have production WLAN services within 12 months.Overall, respondents were most vehement in their insistence that robust security services should be an integral component of WLAN infrastructure equipment. They're concerned about a wide range of internal and external threats, and don't feel these threats have been hyped by the media. Although respondents embrace the notion that good wireless security policy is as important as good technology, only a minority reported having such policies in place. Respondents want to build their wireless security using standards-based technologies, but they are resigned to trading off ease-of-use and convenience services like guest access in order to maintain acceptable levels of security.

It's no shock that respondents identified unauthorized access to internal network resources, malicious attacks and tampering with confidential data as the top wireless security threats. But respondents also expressed concern for a range of other threats, including ad hoc wireless networks, unsecured home wireless and hotspot networks, and internal rogue AP deployments.

When asked which technologies were most important to their wireless security strategy, wireless intrusion detection was the top response, followed by rogue AP detection, WPA/WPA2, VPN services, ad hoc wireless network detection/mitigation and location tracking.

Most respondents indicated guest wireless access would result in a positive impression on visitors, but a majority expressed concern that the risks might outweigh the rewards and said that providing guest access was inconsistent with internal security policy. There was little interest in partnership arrangements with commercial hotspot providers.

To get a feel for how size of implementation affects attitudes, we sliced our sample into two groups: one with more than 50 APs deployed (N=71) and one with fewer than 50 APs deployed (N=386). As expected, respondents in highly deployed organizations were much less likely to be concerned about lack of user demand and business justification. However, these same respondents were also much more comfortable with available security offerings and less concerned about evolving WLAN standards.With respect to perceived threats, respondents from highly deployed organizations were somewhat more concerned about employee use of rogue APs and less concerned about most other threats, including malicious attacks, external tampering with enterprise data and unauthorized nonbusiness use of wireless by employees. Although concern about threats was high in both groups, it's likely that organizations with large deployments have a better understanding about how to mitigate those threats.

Preference for various security technologies didn't vary much between the two groups. Respondents from highly deployed organizations attributed slightly higher importance to 802.1X, 802.11i and WPA/WPA2, as well as ad hoc node and rogue AP detection. Also, these respondents placed considerably greater importance on TTLS and PEAP authentication types, likely from a firmer understanding of the role these protocols play in the 802.11i security framework.

Respondents from highly deployed organizations were much more likely to receive requests for guest access and considerably more comfortable with the risks of providing such services.