Archives ||  About Us ||  Advertise ||  Feedback ||  Subscribe-
-
   Home
   Archives
 About Us
   Advertise
 Feedback
 Subscribe

Home > Focus> Full Story

Focus: 802.11b Security

802.11b Update: Stepping Up Your WLAN Security

We revisit the pitfalls of WEP and explore best practices for wireless security using 802.1x and the emerging 802.11i specification, for a safer wireless network. by Seamus Phan

Up till now, everything about wired equivalent privacy (WEP) has been bad news. Using nothing more than a PC laptop and an amplified 802.11b PC adapter, an intruder can—within half an hour or less—retrieve a key from your so-called "secured" wireless LAN, and roam about freely on your WLAN. Even though 802.11b offers tremendous flexibility, convenience and ease of integration into existing corporate networks, the lack of security in the WEP standard is laughable at best.

These security breaches can have implications for WLAN technology, given that it is just reaching maturity. According to Frost & Sullivan, the WLAN's market value will approach US$2 billion by the end of 2001 and approach nearly US$5 billion by 2005. The wired architecture may eventually be relegated to the closet, servicing high-end routers, switches and other back-end infrastructure.

In the November issue, the article Creating Wireless Security Without WEP showed how Unix workstations can be used as base stations for affordable roaming, as well as a NASA hack for enhanced WLAN security. But there are other things we can do during this transitional period where emerging WLAN standards such as 802.11g and 802.11a are about to be ratified and vendors are launching new gear.

WEP2 anyone?
Before we talk about what we should do to secure your current 802.11b WLAN, you should know a little about why WEP is so anemic.

WEP keys are traditionally 40-bit (for example, the Apple AirPort technology runs on 40-bit keys) and can be recovered in less than 15 minutes. And because the key is static, it scales linearly with 128-bit keys, meaning the time to recover 128-bit keys is not exponentially higher.

Already, researchers from the University of Maryland in the US have demonstrated that 128-bit keys can be recovered in roughly the same time as 40-bit keys. Even worse, because the keys are static, when a single key is compromised then the entire WLAN and the connected wired network are also compromised as well.

The IEEE-802.11i Task Group (TGi, www.ieee.org) of the Institute of Electrical and Electronic Engineers has been hard at work defining a second version of WEP (WEP2) that would use a 128-bit key instead of the now widely deployed 40-bit key. But because WEP2 still runs on linear scaling, it will not be a significant improvement.

In addition, since many encryption processes are done using ASIC chips, it will be difficult to upgrade existing base stations and PC cards. It is possible to run patches to enable existing systems to adapt to WEP2, but researchers, such as those from UC Berkeley and University of Maryland—as well as IEEE 802.11 working group members such as Intel—are not optimistic that WEP2 will raise the bar for WLAN security.

Beyond WEP2
The first thing to know is whether WEP, or even WEP2, can work seamlessly with other existing technologies such as SSH (secure shell), IPsec VPNs, as well as Radius authentication and all forms of firewalls. With SSH (www.ssh.com), users use an enhanced form of telnet with cryptography and authentication at Layer 7 (applications layer), to gain entry legitimately into a network.

SSH can be likened to a "lite VPN", and the current version can work with PKIs, smart cards, LDAP and the upcoming Rijndael advanced encryption standard (AES), which will replace

DES. There is also an open source version of SSH, OpenSSH (www.openssh.com), which is available for most Unix platforms, including the BSD Unix-based Mac OS X. The site also has links to SSH clients for various systems including Windows and MacOS. SSH clients replace rlogin and telnet on Unix operating systems, which are known for a variety of exploits.

For more complex networks requiring higher grade security, there are always IPsec VPNs, which form the bulk of today's sophisticated VPN offerings from the likes of Avaya (www.avaya.com), Check Point (www.checkpoint.com), Cisco (www. cisco.com), Enterasys (www.enterasys. com), Nortel (www.nortel.com), SonicWall (www.sonicwall.com), amongst others.

IPsec operates between Layers 3 and 4, several layers lower than SSH at Layer 7, which some believe is more secure. But of course, Layer 7 allows more customization and recognition of different application types, and can be useful for blocking out specific types of applications. For a list of VPN vendors, visit the VPN Consortium or VPNC (www.vpnc.org). Note that VPNC is not a standards body, but is a commercial organization created by different vendors with vested interests, although they do adhere to IETF (Internet Engineering Task Force) standards.

The Final Answer?
Most technologists believe that the real solution is in the IEEE 802.11i, which should be ratified hopefully by the end of 2001. Before that happens, the draft 802.1x specification that the TGi is working on may be the current fix; it will also be an integral part of 802.11i when it is ratified.

802.1x provides a centralized user identification, authentication, dynamic key management, and auditing. It is a port-based authentication mechanism that allows the client to talk through the WLAN access point to a back-end authentication service such as Radius, which provides a key-distribution mechanism and overcomes the static-key nature of WEP.

Besides Radius, 802.1x also works with security protocols like the Extensible Authentication Protocol (EAP). EAP is an IETF standard originally proposed by Cisco, Microsoft and other vendors to the IEEE 802.1x group that allows interoperable wireless clients and server-side security solutions to co-exist together.

Though 802.1x has only recently been standardized, key software and hardware vendors have already endorsed it to secure wireless clients. For example, Microsoft embeds 802.1x in its Windows XP, while hardware vendors such as 3Com, Agere, and Cisco have also integrated 802.1x authentications scheme for their current 802.11b technologies. But 802.1x does require a Radius service and that is not always practical for smaller networks.

The other key component that TGi is working on is in making AES the encryption standard for WLANs. DES has been known to be weak in its encryption due to its short static keys and a stream cipher. On the other hand, AES uses longer keys and a block cipher instead of a stream cipher. Unlike DES used in WEP, AES encapsulates secure message authentication codes as well.

The AES has a variable block length and key length and allows keys of 128-, 192- and 256-bit lengths to encrypt blocks with 128-, 192- or 256-bit lengths. Block length and key length for this algorithm can easily be extended to multiples of 32 bits, and the algorithm works well across different processors, hardware and software. There is also publicly available code for C, C++, Java and even Perl, making AES easy to integrate into enterprise and Internet-centric applications.

802.11a: Hype or Hero?
With 802.11b facing so much flak in terms of security, and with many vendors planning to launch 802.11a products as soon as the standard is ratified by the IEEE, it would appear that corporations may adopt a "wait and see" approach.

However, in a recent report—dated Sep 17, 2001—titled Advent of 802.11a Creates Confusion in Wireless LAN Market, META Group advised against waiting for 802.11a products to arrive, citing a variety of reasons ranging from higher costs to complexity of installation.

With a variety of ready solutions today, and the need for mobile and "anywhere" computing, it may be wiser to dive, or continue to dive into, the world of 802.11b. As for security, you already have more than enough tools to authenticate and secure your users and networks.

Seamus Phan is research director at KnowledgeLabs News Center (www.knowledgelabs.net), an independent technology news bureau and writes for Network Computing-Asian Edition. He can be reached at seamus@knowledgelabs.net. Please send your feedback to editor@networkmagazineindia.com

Secure wireless roaming gets a boost
As users become increasingly nomadic, the threat of wireless security problems continues to plague the airwaves. Fortunately, reports of wireless security breaches have vendors, service providers, and standards organizations looking for ways to combat these invisible threats.

The Wireless Ethernet Compatibility Alliance (WECA) is working to further standards development to enable roaming for users of 802.11b-based wireless LANs (also referred to as Wireless Fidelity, or Wi-Fi). The WECA's members include IBM, Cisco Systems, Intel, Microsoft, Nokia, and Breezecom.

In addition to equipment vendors, the WECA's Wireless Internet Service Provider Roaming (WISPr) group includes wireless ISPs. The group is developing an electronic tag that users can attach to their subscriber name. The tag would let a wireless ISP know when a user requests another provider's service. The request would then be sent to an independent clearinghouse that would orchestrate transactions between the involved parties.

<< >>

- <Back to Top>-  

Copyright 2001: Indian Express Group (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in Mumbai by The Business Publications Division of the Indian Express Group of Newspapers. Site managed by BPD