Focus: 802.11b Security
802.11b Update: Stepping Up Your WLAN Security
We revisit the pitfalls of WEP and explore best practices for
wireless security using 802.1x and the emerging 802.11i
specification, for a safer wireless network.
by Seamus Phan
Up till now, everything about wired equivalent privacy (WEP)
has been bad news. Using nothing more than a PC laptop and
an amplified 802.11b PC adapter, an intruder can, within
half an hour or less, retrieve a key from your so-called
"secured" wireless LAN, and roam about freely
on your WLAN. Even though 802.11b offers tremendous flexibility,
convenience and ease of integration into existing corporate
networks, the lack of security in the WEP standard is laughable
at best.
These security breaches can have implications for WLAN technology,
given that it is just reaching maturity. According to Frost
& Sullivan, the WLAN's market value will approach US$2
billion by the end of 2001 and approach nearly US$5 billion
by 2005. The wired architecture may eventually be relegated
to the closet, servicing high-end routers, switches and
other back-end infrastructure.
In the November issue, the article Creating Wireless Security
Without WEP showed how Unix workstations can be used as
base stations for affordable roaming, as well as a NASA
hack for enhanced WLAN security. But there are other things
we can do during this transitional period where emerging
WLAN standards such as 802.11g and 802.11a are about to
be ratified and vendors are launching new gear.
WEP2 anyone?
Before we talk about what we should do to secure your current
802.11b WLAN, you should know a little about why WEP is
so anemic.
WEP keys are traditionally 40-bit (for example, the Apple
AirPort technology runs on 40-bit keys) and can be recovered
in less than 15 minutes. And because the key is static,
the recovery effort scales only linearly as the key grows to
128 bits, meaning the time to recover 128-bit keys is not
exponentially higher.
Already, researchers from the University of Maryland in
the US have demonstrated that 128-bit keys can be recovered
in roughly the same time as 40-bit keys. Even worse, because
the keys are static, when a single key is compromised the
entire WLAN and the connected wired network are compromised
as well.
The IEEE 802.11i Task Group (TGi, www.ieee.org) of the Institute
of Electrical and Electronics Engineers has been hard at
work defining a second version of WEP (WEP2) that would
use a 128-bit key instead of the now widely deployed 40-bit
key. But because WEP2 still scales linearly, it will
not be a significant improvement.
In addition, since many encryption processes are done using
ASIC chips, it will be difficult to upgrade existing base
stations and PC cards. It is possible to run patches to
enable existing systems to adapt to WEP2, but researchers,
such as those from UC Berkeley and the University of Maryland,
as well as IEEE 802.11 working group members such as Intel, are
not optimistic that WEP2 will raise the bar for WLAN security.
Beyond WEP2
The first thing to know is whether WEP, or even WEP2, can work
seamlessly with other existing technologies such as SSH
(secure shell), IPsec VPNs, as well as Radius authentication
and all forms of firewalls. With SSH (www.ssh.com), users
use an enhanced form of telnet with cryptography and authentication
at Layer 7 (application layer), to gain entry legitimately
into a network.
SSH can be likened to a "lite VPN", and the current
version can work with PKIs, smart cards, LDAP and the upcoming
Rijndael advanced encryption standard (AES), which will
replace DES. There is also an open source version of SSH, OpenSSH
(www.openssh.com), which is available for most Unix platforms,
including the BSD Unix-based Mac OS X. The site also has
links to SSH clients for various systems including Windows
and MacOS. SSH clients replace rlogin and telnet on Unix
operating systems, which are known for a variety of exploits.
For more complex networks requiring higher grade security,
there are always IPsec VPNs, which form the bulk of today's
sophisticated VPN offerings from the likes of Avaya (www.avaya.com),
Check Point (www.checkpoint.com), Cisco (www.cisco.com),
Enterasys (www.enterasys.com), Nortel (www.nortel.com),
SonicWall (www.sonicwall.com), amongst others.
IPsec operates between Layers 3 and 4, several layers lower
than SSH at Layer 7, which some believe is more secure.
But of course, Layer 7 allows more customization and recognition
of different application types, and can be useful for blocking
out specific types of applications. For a list of VPN vendors,
visit the VPN Consortium or VPNC (www.vpnc.org). Note that
VPNC is not a standards body, but is a commercial organization
created by different vendors with vested interests, although
they do adhere to IETF (Internet Engineering Task Force)
standards.
The Final Answer?
Most technologists believe that the real solution lies in IEEE
802.11i, which should hopefully be ratified by the end of
2001. Before that happens, the draft 802.1x specification
that the TGi is working on may be the current fix; it will
also be an integral part of 802.11i when it is ratified.
802.1x provides centralized user identification, authentication,
dynamic key management, and auditing. It is a port-based
authentication mechanism that allows the client to talk
through the WLAN access point to a back-end authentication
service such as Radius, which provides a key-distribution
mechanism and overcomes the static-key nature of WEP.
Besides Radius, 802.1x also works with security protocols
like the Extensible Authentication Protocol (EAP). EAP is
an IETF standard originally proposed by Cisco, Microsoft
and other vendors to the IEEE 802.1x group that allows interoperable
wireless clients and server-side security solutions to co-exist.
Though 802.1x has only recently been standardized, key software
and hardware vendors have already endorsed it to secure
wireless clients. For example, Microsoft embeds 802.1x in
its Windows XP, while hardware vendors such as 3Com, Agere,
and Cisco have also integrated the 802.1x authentication scheme
into their current 802.11b technologies. But 802.1x does
require a Radius service and that is not always practical
for smaller networks.
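The port-based flow described above (client, access point, back-end authentication service), as a simplified model added here for illustration; it is not code from the article or from any vendor. The class names, the HMAC challenge-response and the key derivation are assumptions standing in for a real EAP method and the Radius exchange.

```python
import hashlib
import hmac
import os

def prf(secret: bytes, label: bytes, nonce: bytes) -> bytes:
    return hmac.new(secret, label + nonce, hashlib.sha256).digest()

class AuthServer:
    """Stands in for the back-end Radius service: one user store, one audit log."""
    def __init__(self, users):
        self.users = users   # username -> secret (constructed sample data)
        self.audit = []      # central record of every attempt

    def verify(self, user, nonce, proof):
        secret = self.users.get(user, b"")
        ok = user in self.users and hmac.compare_digest(proof, prf(secret, b"auth", nonce))
        self.audit.append((user, "accept" if ok else "reject"))
        # A fresh nonce per login yields a fresh key per session, unlike a static WEP key.
        return prf(secret, b"key", nonce)[:16] if ok else None

class Supplicant:
    """Wireless client holding per-user credentials instead of a shared WLAN key."""
    def __init__(self, mac, user, secret):
        self.mac, self.user, self.secret = mac, user, secret
        self.session_key = None

    def respond(self, nonce):
        self.session_key = prf(self.secret, b"key", nonce)[:16]
        return self.user, prf(self.secret, b"auth", nonce)

class AccessPoint:
    """Authenticator: relays the exchange and keeps each port closed until accepted."""
    def __init__(self, server):
        self.server = server
        self.ports = {}      # client MAC -> session key, present only when authorized

    def associate(self, client):
        nonce = os.urandom(16)
        user, proof = client.respond(nonce)
        key = self.server.verify(user, nonce, proof)
        self.ports.pop(client.mac, None)      # any earlier session key is discarded
        if key is not None:
            self.ports[client.mac] = key
        return key is not None

    def forward(self, mac, frame):
        # Data frames from an unauthorized port never reach the wired network.
        return frame if mac in self.ports else None
```

Each successful association replaces the client's key, so a recovered key exposes one session of one user rather than the whole WLAN, and every attempt lands in the server's audit list.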
The other key component that TGi is working on is making
AES the encryption standard for WLANs. DES has been known
to be weak in its encryption due to its short static keys
and its use of a stream cipher. On the other hand, AES uses longer
keys and a block cipher instead of a stream cipher. Unlike
DES used in WEP, AES encapsulates secure message authentication
codes as well.
The AES has a variable block length and key length and allows
keys of 128-, 192- and 256-bit lengths to encrypt blocks
with 128-, 192- or 256-bit lengths. Block length and key
length for this algorithm can easily be extended to multiples
of 32 bits, and the algorithm works well across different
processors, hardware and software. There is also publicly
available code for C, C++, Java and even Perl, making AES
easy to integrate into enterprise and Internet-centric applications.
802.11a: Hype or Hero?
With 802.11b facing so much flak in terms of security, and with
many vendors planning to launch 802.11a products as soon
as the standard is ratified by the IEEE, it would appear
that corporations may adopt a "wait and see" approach.
However, in a recent report, dated Sep 17, 2001 and titled
Advent of 802.11a Creates Confusion in Wireless LAN Market,
META Group advised against waiting for 802.11a products
to arrive, citing a variety of reasons ranging from higher
costs to complexity of installation.
With a variety of ready solutions today, and the need for
mobile and "anywhere" computing, it may be wiser
to dive into, or continue to dive into, the world of 802.11b.
As for security, you already have more than enough tools
to authenticate and secure your users and networks.
Seamus Phan is research director at KnowledgeLabs News Center
(www.knowledgelabs.net), an independent technology news
bureau and writes for Network Computing-Asian Edition. He
can be reached at seamus@knowledgelabs.net. Please send
your feedback to editor@networkmagazineindia.com
Secure wireless roaming gets a boost
As users become increasingly nomadic, the threat of wireless
security problems continues to plague the airwaves. Fortunately,
reports of wireless security breaches have vendors, service
providers, and standards organizations looking for ways
to combat these invisible threats.
The Wireless Ethernet Compatibility Alliance (WECA) is working
to further standards development to enable roaming for users
of 802.11b-based wireless LANs (also referred to as Wireless
Fidelity, or Wi-Fi). The WECA's members include IBM, Cisco
Systems, Intel, Microsoft, Nokia, and Breezecom.
In addition to equipment vendors, the WECA's Wireless Internet
Service Provider Roaming (WISPr) group includes wireless
ISPs. The group is developing an electronic tag that users
can attach to their subscriber name. The tag would let a
wireless ISP know when a user requests another provider's
service. The request would then be sent to an independent
clearinghouse that would orchestrate transactions between
the involved parties.