Issue of July 2002 

Focus: WLAN Security
Patching Wireless Holes

WLANs based on the 802.11 architecture have consistently proved insecure. Is 802.1x the answer to your 802.11 WLAN security troubles? by Seamus Phan

The wired equivalent privacy (WEP) encryption scheme on 802.11 WLANs has consistently proved insecure, often unable to block out even novice hackers.

WLAN, however, is moving steadfastly ahead, with enterprises believing that a viable security scheme can be found to plug the loopholes.

One technology that is seen as WLAN's security white knight is the IEEE 802.1x, a port-based network access protocol recently proposed by IEEE and several vendors for imposing security on WLANs. Does it fit the bill?

Port-based
A key premise of 802.1x is its infrastructural independence. Unlike other authentication and network access protocols, 802.1x authenticates users to a physical network regardless of the networking protocols the user is connecting from.

802.1x is a simple mechanism, which deals only with simple low-level information such as authentication and not with high-level protocols such as SMTP, POP, HTTP and other client-side applications. This theoretically ensures higher security for connections between wired and wireless clients and a server.

The client connects to the server or access point, and issues a challenge, which the authentication server verifies against a predetermined algorithm. Once authenticated, the port restriction is lifted, and the client can utilize all the higher protocols such as HTTP, SMTP and POP.

Specifically, the client sends an Extensible Authentication Protocol (EAP) start message to the access point, which in turn requests an ID from the client. The access point then forwards the details to an authentication server, which consequently sends back an accept or reject message. Once accepted, the access point validates the client's authorized state, and admits the client beyond the access point.
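The exchange described above, as an added toy model that is not from the article or from any vendor product: the access point drops every frame that is not EAP until the authentication server accepts the client, then lifts the port restriction. The class and frame names are hypothetical stand-ins, the challenge-response uses HMAC-SHA256 over a shared secret purely for illustration, and real deployments carry EAP in EAPOL frames to a RADIUS back end. As in the article's description, only the client is authenticated; nothing here lets the client verify the access point.

```python
import hmac, hashlib, secrets

# Hypothetical names: AuthServer, AccessPoint and the frame "type" strings are
# stand-ins for the 802.1x roles described in the text, not a real EAP stack.

class AuthServer:
    """Holds per-identity shared secrets and verifies challenge responses."""
    def __init__(self, secrets_by_id):
        self.secrets_by_id = secrets_by_id
        self.pending = {}                       # identity -> outstanding nonce
    def challenge(self, identity):
        nonce = secrets.token_bytes(16)
        self.pending[identity] = nonce
        return nonce
    def verify(self, identity, response):
        key = self.secrets_by_id.get(identity, b"")
        nonce = self.pending.pop(identity, b"")
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return identity in self.secrets_by_id and hmac.compare_digest(expected, response)

class AccessPoint:
    """Authenticator: relays EAP to the server; drops all else until accept."""
    def __init__(self, server):
        self.server, self.authorized = server, set()
    def handle(self, port, frame):
        t = frame["type"]
        if t == "EAP-Start":
            return {"type": "EAP-Request/Identity"}
        if t == "EAP-Response/Identity":
            nonce = self.server.challenge(frame["identity"])
            return {"type": "EAP-Request/Challenge", "nonce": nonce}
        if t == "EAP-Response/Challenge":
            if self.server.verify(frame["identity"], frame["response"]):
                self.authorized.add(port)           # port restriction lifted
                return {"type": "EAP-Success"}
            return {"type": "EAP-Failure"}
        if port in self.authorized:                 # HTTP, SMTP, POP now pass
            return {"type": "forwarded", "payload": frame}
        return {"type": "dropped"}

def supplicant_join(ap, port, identity, secret):
    """Client side: Start, Identity, Challenge response, then try HTTP."""
    early = ap.handle(port, {"type": "HTTP", "payload": "GET /"})   # before auth
    ap.handle(port, {"type": "EAP-Start"})
    chal = ap.handle(port, {"type": "EAP-Response/Identity", "identity": identity})
    resp = hmac.new(secret, chal["nonce"], hashlib.sha256).digest()
    result = ap.handle(port, {"type": "EAP-Response/Challenge",
                              "identity": identity, "response": resp})
    late = ap.handle(port, {"type": "HTTP", "payload": "GET /"})    # after auth
    return early["type"], result["type"], late["type"]
```

The return value shows the three states a practitioner cares about: higher-layer traffic dropped before authentication, the server's verdict, and whether the port now forwards.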

To solve the compatibility issues with legacy and other platforms, there are vendors hard at work in helping to launch add-on utilities that allow older and alternative platforms to use the 802.1x protocol.

For example, Meetinghouse Data Communications (www.mtghouse.com) launched its commercial 802.1x SecureSupplicant authentication software for Windows 98 and ME, as well as NT, 2000 and even Linux. The SecureSupplicant software was jointly developed with Hewlett-Packard (HP).

Another company that launched an add-on 802.1x client software is Funk Software (www.funk.com). Its Odyssey software sports a few innovations, and is compatible with Windows 98, ME, 2000 and XP.

The Odyssey software can be used instead of the built-in XP 802.1x client because it does not require each user to possess a certificate, thereby reducing administrative workload in large organizations. For users with more than one PC, the Odyssey software reduces administration headaches by not requiring them either to transfer personal certificates and private keys to each of the PCs they use or to acquire separate personal certificates for each PC.

The old boy of networking, Cisco Systems (www.cisco.com), has made its Aironet hardware compatible with 802.1x and supports not only Windows, but also Linux and Mac OS.

For believers of the open source movement, Open1x (www.open1x.org) has open1x.authenticator, the open source version of an authenticating access point, and Xsupplicant, the open source version of the 802.1x client.

Up and coming: AES
On another security front, IEEE is also considering the use of Advanced Encryption Standard (AES), the security standard sponsored and endorsed by the National Institute of Standards and Technology (NIST). Already, Mac OS X has built-in 128-bit AES encryption, and currently users can encrypt disk images using AES. With built-in support, it is relatively easy to allow applications to use the AES encryption for all data files.

AES is a Federal Information Processing Standard (FIPS Publication 197), approved by the Secretary of Commerce as an official Government standard, effective May 26, 2002.

The encryption algorithm is slated to be used by US Government organizations to protect sensitive unclassified documents, and is allowed for use by commercial entities, institutions and individuals in the USA, and selected domains outside the USA. AES was developed by Belgian cryptographers Dr Joan Daemen (of Proton World International) and Dr Vincent Rijmen (postdoctoral researcher in the Electrical Engineering Department of Katholieke Universiteit Leuven).

AES is a CPU-intensive algorithm, and it is advised that an encryption co-processor be used to offload the encryption. It is certainly possible for modern computers (including notebooks) to process the AES encryption without a dedicated co-processor, since modern computer processors have reached near-supercomputer performance. At the same time, the current crop of WLAN adapters cannot be retrofitted with AES, which implies that new adapters will have to be manufactured with AES embedded. The standard is expected to be commercially available in the first quarter of 2003.

Too early?
Is 802.1x ready for prime time? The answer would be no, not until it becomes more widespread and has its kinks ironed out.

Presently, 802.1x is built into Microsoft Windows XP. But with many corporations delaying their adoption of Windows XP, and many more still running legacy Windows such as 95, 98 or NT, this may or may not be good news for the early adopters of 802.1x.

Another group who would have no access to 802.1x authentication yet are Mac users (OS 9 and OS X). They must rely on more traditional VPN (Virtual Private Network) and RADIUS (Remote Authentication Dial-In User Service) authentication.

In terms of the robustness of 802.1x's present feature set, there is still some work to be done for this new technology. University of Maryland researchers Professor William Arbaugh and graduate assistant Arunesh Mishra demonstrated in February 2002 two scenarios that nullify the benefits of the 802.1x authentication standard and leave WLANs open to more attacks. The study was funded by the National Institute of Standards and Technology (NIST, www.nist.gov) in the USA.

Professor Arbaugh and Mishra demonstrated session hijacking and "man-in-the-middle" intrusion attacks, both common methods of network intrusion for wired LANs.

In the case of session hijacking, Professor Arbaugh and Mishra demonstrated that because the client and the access point are not synchronized, there is a lapse where the intruder can force the client away while tricking the access point to think that the client is still there, and thereby assuming the identity of the client.

In the case of "man-in-the-middle", they demonstrated that because 802.1x uses only one-way authentication, where the client's port is always authenticated, the client can also be tricked to think that the intruder is the access point, giving the details away to the intruder. This can be demonstrated by using fake EAP packets from the intruder to the client.

What can you do now?
For early adopters, 802.1x is perhaps at best an interim or intermediate solution, where it can play a part in the entire security platform for WLANs. But it should not be the only security system for enterprises.

Most security experts still advocate that WLANs have to be located outside the corporate network, as part of the demilitarized zone (DMZ). To access the corporate resources within the network, WLAN users will have to tunnel through VPNs.

For now, IPsec VPN remains the most widely implemented platform to authenticate and provide secure access for wired and wireless clients and remote hosts. 802.1x, on the other hand, has a foggy outlook at best.

This is not helped by the uncertainty surrounding the 802.11 technology, in particular, the 802.11i protocol. With 802.1x, the best advice will be to watch and wait.

Seamus Phan is research director at KnowledgeLabs News Center (www.knowledgelabs.net), an independent technology news bureau, and writes for Network Computing-The Asian Edition. He can be reached at seamus@knowledgelabs.net

Copyright 2001: Indian Express Group (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in Mumbai by The Business Publications Division of the Indian Express Group of Newspapers. Site managed by BPD