Making the Most of Wi-Fi Security
By Steven Vaughan-Nichols
Wireless security problems here, wireless security holes there. What's an integrator to do? Here's a guide to making the most of the wireless security tools that are available.
Wi-Fi is everywhere. Many laptops now come with 802.11g and 802.11b-compliant wireless hardware as standard equipment, but wireless security is almost an oxymoron.
That's going to change. Wai Sing Lee, an analyst with market research firm Frost & Sullivan, sees a huge jump coming for wireless security and, in turn, vendors, value-added resellers and integrators who can provide it.
You've seen the problem: Your customers set up a wireless AP (access point) for their office, but they leave it wide open, not even setting up WEP (Wired Equivalent Privacy) to provide minimal protection.
Worse still, your client does set up state-of-the-art security with the recently ratified 802.11i protocol and guess what? Mere weeks later, Aruba Wireless Networks Inc. announces that their researchers have found a RADIUS (Remote Authentication Dial-In User Service) server security hack that can be used to pry open any wireless security infrastructure that keeps encryption keys in access points instead of a central switch.
Even if it is true that the 802.11i crack really is more of an attack on its wired RADIUS server than on 802.11i itself, the bottom line is that it now appears some 802.11i Wi-Fi connections are attackable.
Think you're safe because you're using Cisco's proprietary Lightweight Extensible Authentication Protocol, aka LEAP? Think again.
In his paper "LEAP: A Looming Disaster in Enterprise Wireless LANs," George Ou, a network and information systems architect, points out that LEAP hasn't been real-world secure for more than a year now, and a cracker program named asleap eats most LEAP passwords for lunch.
Is a truly secure wireless network possible today? You're not going to like the answer, but for many customers, the answer is no.
First, chances are your customer's Wi-Fi equipment can't handle 802.11i in the first place, even if you are using a centralized switch set up for it. 802.11i requires the use of AES (Advanced Encryption Standard) and AES is not backwards compatible with legacy WEP-compliant equipment.
Of course, it would be great—not to mention more secure—if you could get your customers to upgrade their wireless infrastructure, but as many companies have Wi-Fi equipment that is only a year or two old, that will be a tough, tough sale.
Instead, what you can do is increase the practical, if not the absolute, security of your customers' sites by simply making sure that they reliably use the security tools that they already have in place.
Using the security at hand
First, make sure that your customer's wireless network has at least the childproofing basics in place. That is to say, make sure the APs are no longer using their default SSIDs (Service Set Identifiers) and default administration logins and passwords.
For that matter, do you really need to advertise "wireless network here!" to the world by broadcasting the SSID in the AP's beacon? Yes, a cracker can still pick up the SSID even with broadcast turned off, since it is sent in the clear whenever a network interface card connects to an AP, but you will at least turn away casual war drivers looking for a free way onto the Internet.
Before even looking at specific wireless security techniques, you should consider using existing security systems to protect your wireless users. For example, why not use a VPN?
Your customers may already have one installed. If they don't, you might be able to get them to buy a complete wireless security system, such as SonicWall Inc.'s Distributed Wireless Solution, which includes VPN capacity, or a service such as iPass Inc.'s Policy Orchestration, which enables remote users to connect via a VPN to the corporate network even over public hot spots. Even if your customers don't have and aren't willing to invest in deploying a VPN, they can at least use WEP.
Yes, we all know that WEP has real security problems, but all modern Wi-Fi devices support it and, properly deployed, it will stop casual crackers.
In order to make using WEP worthwhile, you need to change the encryption key frequently. Simply resetting your WEP keys isn't enough, though; you can make WEP a tad more secure by avoiding patterns. For example, if your client's WEP software asks for a seed word or string to generate a key, don't use an SSID, company name, domain name, or other easy-to-guess alphanumeric strings.
On the other hand, if the device requires you to manually enter a key in hexadecimal numbers, again, don't simply hit the "3" key over and over again, or use a simple pattern such as 1,2,3, and so on.
If you do this, and change your key frequently, you can maximize WEP's minimal protection. Good security? Heck, no! But, it's far better than nothing.
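One way to turn the advice above into a check before a key is typed into the APs and NICs, as an added example that is not from the article: a short Python audit that flags the patterns the text warns about (one hex digit hit over and over, a 1-2-3 style sequence, a short block repeated to fill the key, and a key that is simply the hex encoding of the SSID, company or domain name). The 10/26-digit lengths and the hex-of-a-word test are assumptions about how a given vendor's tool forms keys; other generators need their own check.

```python
import re

# 40-bit (WEP-64) and 104-bit (WEP-128) keys entered as hex digits; assumed
# here, since vendors' entry forms differ.
VALID_HEX_LENGTHS = {10, 26}


def key_problems(hex_key: str, context_words=()) -> list:
    """Return the reasons a static WEP key looks weak; an empty list means it passed."""
    key = re.sub(r"[\s:-]", "", hex_key).lower()
    if not re.fullmatch(r"[0-9a-f]+", key):
        return ["key is not hexadecimal"]
    problems = []
    if len(key) not in VALID_HEX_LENGTHS:
        problems.append(f"length {len(key)} is not 10 or 26 hex digits")
    # "hit the 3 key over and over again"
    if len(set(key)) == 1:
        return problems + ["single repeated digit"]
    digits = [int(c, 16) for c in key]
    # "1,2,3, and so on": every neighbouring pair differs by the same step
    if len({(b - a) % 16 for a, b in zip(digits, digits[1:])}) == 1:
        problems.append("arithmetic sequence of digits")
    # a short block repeated to fill the key, e.g. "ababababab"
    for period in range(2, len(key) // 2 + 1):
        if len(key) % period == 0 and key == key[:period] * (len(key) // period):
            problems.append(f"repeats a {period}-digit block")
            break
    # key built from the SSID, company or domain name
    # (assumed: the tool used the plain hex of that text)
    for word in context_words:
        if word and word.encode().hex() in key:
            problems.append(f"contains hex of '{word}'")
    if len(set(key)) < 4:
        problems.append("fewer than 4 distinct digits")
    return problems


if __name__ == "__main__":
    # constructed sample keys, not real customer values
    for sample in ("3333333333", "0123456789", "61:63:6d:65:00"):
        print(sample, "->", key_problems(sample, context_words=["acme"]) or "ok")
```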
Unfortunately, WEP's designers didn't build in network key management. With almost all wireless LAN NICs and APs, you have to manually reset WEP to the new IV (initialization vector) on each device. Can you say tedious?
Many vendors, however, offer proprietary dynamic WEP key management tools. Frequently these use EAP or one of its many variants, such as EAP-TLS (Transport Layer Security). If your equipment manufacturer offers such services, deploy them.
Another WEP Band-Aid is TKIP (Temporal Key Integrity Protocol). By changing the key every 10,000 packets, TKIP avoids WEP's biggest problem of using a static key that can be easily cracked. This makes it much harder for an electronic eavesdropper.
TKIP uses a 128-bit "temporal key" that's shared among clients and access points. It then mixes this key with the device's MAC (media access control) address and an IV to produce the per-packet encryption key. The algorithm itself is still the breakable RC4 encryption that WEP has always used.
Still, since TKIP automatically changes the key, and you can often add it to Wi-Fi equipment with a simple firmware update, it should be considered a fine, albeit temporary, fix.
Another option is to use WPA (Wi-Fi Protected Access). Again, it's not perfect, but with some work, it can provide reasonable protection.
WPA is an improvement over WEP in two ways: While it also uses TKIP to change its key, in WPA the key is changed with every packet; WPA also improves on WEP's RC4 encryption by increasing the IV from 24 bits to 48 bits.
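To put numbers on why the IV size matters, here is an added example (not from the article): it computes, for WEP's 24-bit IV and WPA's 48-bit IV, how long a counter-style IV lasts at a sustained packet rate before it wraps and must be reused under the same key, and the birthday-bound probability of an IV repeat within a 10,000-packet window (the TKIP rekey interval the text mentions) if IVs are drawn at random. The 1,000 packets per second rate is an assumed figure for illustration.

```python
import math


def iv_wrap_seconds(iv_bits: int, packets_per_second: float) -> float:
    """Seconds until a counter-style IV has used every value and must wrap,
    i.e. reuse an IV with the same key, at a sustained packet rate."""
    return (1 << iv_bits) / packets_per_second


def iv_collision_probability(iv_bits: int, packets: int) -> float:
    """Birthday-bound probability that at least one IV repeats among `packets`
    frames when each IV is drawn uniformly at random from 2**iv_bits values."""
    space = 1 << iv_bits
    return 1.0 - math.exp(-(packets ** 2) / (2.0 * space))


def compare_iv_sizes(packets_per_second: float = 1000.0, packets: int = 10_000) -> dict:
    """Side-by-side figures for WEP's 24-bit IV and WPA's 48-bit IV."""
    result = {}
    for name, bits in (("WEP 24-bit", 24), ("WPA 48-bit", 48)):
        result[name] = {
            "hours_to_wrap": iv_wrap_seconds(bits, packets_per_second) / 3600.0,
            "p_repeat_in_window": iv_collision_probability(bits, packets),
        }
    return result


if __name__ == "__main__":
    for name, figures in compare_iv_sizes().items():
        print(f"{name}: counter wraps after {figures['hours_to_wrap']:,.1f} h at 1000 pkt/s; "
              f"P(repeat within 10,000 random IVs) = {figures['p_repeat_in_window']:.2g}")
```

With a static WEP key the 24-bit space wraps in under five hours at that rate, and a random-IV card will almost certainly repeat an IV inside a single 10,000-packet rekey window; the 48-bit space does neither.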
WPA can use a preshared key, which is pretty much WEP's static default key, or it can use EAP and RADIUS to set its keys. If you think the latter sounds a lot like 802.11i, you're right: It does. WPA was a stopgap standard brought out by the Wi-Fi Alliance as the vendors hashed out the 802.11i standard.
Then again, chances are much better that your client's existing wireless infrastructure supports WPA.
If you're lucky, you may be able to upgrade your WPA-compliant equipment to support 802.11i. Check with your card and AP's OEMs to see if there is a firmware patch for your equipment.
One thing you really don't want to do with WPA is use it and WEP in the same network. Yes, WPA is backwards compatible with WEP, but it must downshift to WEP. A security system is only as strong as its weakest link, and you lose most of your security advantage from moving to WPA if you use it with WEP-only equipment.
Even the best of these solutions have flaws, but any of them will go a long way towards protecting your client's network for a minimal investment of time and money.
Look at it this way: A burglar can break into anyone's house, but is he more likely to break into the one with the door unlocked or the one with a locked door and a security company sticker on the window? Any security is better than no security. At least, that is, until better wireless security systems are available and your customers are willing to pay for them.