WLANs based on the 802.11 architecture have consistently proved insecure. Is 802.1x the answer to your 802.11 WLAN security troubles?
by Seamus Phan
The wired equivalent privacy (WEP) encryption scheme on 802.11 WLANs has consistently proved insecure, often unable to block out even novice hackers.
WLAN, however, is moving steadfastly ahead, with enterprises believing that a viable security scheme can be found to plug the loopholes.
One technology that is seen as WLAN's security white knight is IEEE 802.1x, a port-based network access protocol recently proposed by IEEE and several vendors for imposing security on WLANs. Does it fit the bill?
Port-based
A key premise of 802.1x is its infrastructural independence. Unlike other authentication and network access protocols, 802.1x authenticates users to a physical network regardless of the networking protocol the user is connecting with.
802.1x is a simple mechanism that deals only with simple low-level information such as authentication, and not with high-level protocols such as SMTP, POP, HTTP and other client-side applications. This theoretically ensures higher security for connections between wired and wireless clients and a server.
The client connects to the server or access point and issues a challenge, which the authentication server verifies against a predetermined algorithm. Once the client is authenticated, the port restriction is lifted and the client can utilize all the higher protocols such as HTTP, SMTP and POP.
Specifically, the client sends an Extensible Authentication Protocol (EAP) start message to the access point, which in turn requests an ID from the client. The access point then forwards the details to an authentication server, which consequently sends back an accept or reject message. Once accepted, the access point validates the client's authorized state and admits it beyond the access point.
To solve the compatibility issues with legacy and other platforms, there are vendors hard at work helping to launch add-on utilities that allow older and alternative platforms to use the 802.1x protocol.
For example, Meetinghouse Data Communications (www.mtghouse.com) launched its commercial 802.1x SecureSupplicant authentication software for Windows 98 and ME, as well as NT, 2000 and even Linux. The SecureSupplicant software was jointly developed with Hewlett-Packard (HP).
Another company that launched add-on 802.1x client software is Funk Software (www.funk.com). Its Odyssey software sports a few innovations, and is compatible with Windows 98, ME, 2000 and XP.
The Odyssey software can be used instead of the built-in XP 802.1x client because it does not require each user to possess a certificate, thereby reducing administrative workload in large organizations. For users with more than one PC, the Odyssey software reduces administration headaches without requiring them either to transfer personal certificates and private keys to each of the PCs they use or to acquire separate personal certificates for each PC.
The old boy of networking, Cisco Systems (www.cisco.com), has made its Aironet hardware compatible with 802.1x and supports not only Windows, but also Linux and Mac OS.
For believers in the open source movement, Open1x (www.open1x.org) has open1x.authenticator, the open source version of an authenticating access point, and Xsupplicant, the open source version of the 802.1x client.
Up and coming: AES
On another security front, IEEE is also considering the use of the Advanced Encryption Standard (AES), the security standard sponsored and endorsed by the National Institute of Standards and Technology (NIST). Already, Mac OS X has built-in 128-bit AES encryption, and currently users can encrypt disk images using AES. With built-in support, it is relatively easy to allow applications to use AES encryption for all data files.
AES is a Federal Information Processing Standard (FIPS Publication 197), approved by the Secretary of Commerce as an official Government standard, effective May 26, 2002.
The encryption algorithm is slated to be used by US Government organizations to protect sensitive unclassified documents, and is allowed for use by commercial entities, institutions and individuals in the USA, and selected domains outside the USA.
AES was developed by Belgian cryptographers Dr Joan Daemen (of Proton World International) and Dr Vincent Rijmen (postdoctoral researcher in the Electrical Engineering Department of Katholieke Universiteit Leuven).
AES is a CPU-intensive algorithm, and it is advised that an encryption co-processor be used to offload the encryption. It is certainly possible for modern computers (including notebooks) to process AES encryption without deferring to a dedicated co-processor, since modern computer processors have reached near-supercomputer performance. At the same time, the current crop of WLAN adapters cannot be retrofitted with AES, which implies that new adapters have to be manufactured with AES embedded. The standard is expected to be commercially available in the first quarter of 2003.
Too early?
Is 802.1x ready for prime time? The answer would be no, not until it becomes more widespread and has its kinks ironed out.
Presently, 802.1x is built into Microsoft Windows XP. But with many corporations delaying their adoption of Windows XP, and many more still running legacy Windows such as 95, 98 or NT, this may or may not be good news for the early adopters of 802.1x.
Another group who have no access to 802.1x authentication yet are Mac users (OS 9 and OS X). They must rely on more traditional VPN (Virtual Private Network) and RADIUS (Remote Authentication Dial-In User Service) authentication.
In terms of the robustness of 802.1x's present feature set, there is still some work to be done for this new technology. University of Maryland researchers Professor William Arbaugh and graduate assistant Arunesh Mishra demonstrated in Feb 2002 two scenarios that nullify the benefits of the 802.1x authentication standard and leave WLANs open to more attacks. The study was funded by the National Institute of Standards and Technology (NIST, www.nist.gov) in the USA.
Professor Arbaugh and Mishra demonstrated session hijacking and "man-in-the-middle" intrusion attacks, both common methods of network intrusion for wired LANs.
In the case of session hijacking, Professor Arbaugh and Mishra demonstrated that because the client and the access point are not synchronized, there is a lapse where the intruder can force the client away while tricking the access point into thinking that the client is still there, thereby assuming the identity of the client.
In the case of "man-in-the-middle", they demonstrated that because 802.1x uses only one-way authentication, where the client's port is always authenticated, the client can also be tricked into thinking that the intruder is the access point, giving the details away to the intruder. This can be demonstrated by using fake EAP packets from the intruder to the client.
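The exchange described in the "Port-based" section (EAP start, identity request, challenge verified by the authentication server, port opened only on accept) and the one-way authentication point made just above, as an added example in Python that is not part of the original article or any vendor's software. It models all three parties in one process. The message names follow 802.1x/EAP; the credential check is simplified to an HMAC over a fresh nonce with a per-user secret, and the server-side proof used in the mutual-authentication variant is an assumption for this example rather than a specific EAP method. The class names, `run_session` and every identity and secret are constructed.

```python
# Added example (not the article's or any vendor's code): a single-process model
# of the 802.1x/EAP exchange. Message names follow 802.1x/EAP; the credential
# check is simplified to an HMAC over a fresh nonce with a per-user secret, and
# the server-side proof is an assumption for this example, not a specific EAP
# method. All identities and secrets below are constructed.
import hashlib
import hmac
import os

USER_SECRETS = {"alice": b"alice-secret-constructed"}   # server-side user database
LEGIT_SERVER_KEY = b"server-credential-constructed"      # held only by the real server


def mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


class AuthServer:
    """Decides accept/reject; the access point never sees the user's secret."""

    def __init__(self, secrets, server_key):
        self.secrets = secrets
        self.server_key = server_key

    def challenge(self):
        return os.urandom(16)

    def verify(self, identity, nonce, response):
        secret = self.secrets.get(identity)
        return secret is not None and hmac.compare_digest(mac(secret, nonce), response)

    def prove(self, client_nonce):
        """Proof of server identity, used only when the client asks for mutual auth."""
        return mac(self.server_key, client_nonce)


class AccessPoint:
    """Authenticator: the port carries only EAPOL until the server accepts."""

    def __init__(self, server):
        self.server = server
        self.port_authorized = False
        self.identity = None
        self.nonce = None

    def on_eapol_start(self):
        return "EAP-Request/Identity"

    def on_identity(self, identity):
        self.identity = identity              # relay the identity to the server ...
        self.nonce = self.server.challenge()  # ... and its challenge back to the client
        return self.nonce

    def on_response(self, response, client_nonce=None):
        if not self.server.verify(self.identity, self.nonce, response):
            return "EAP-Failure", None
        self.port_authorized = True           # port restriction lifted
        proof = self.server.prove(client_nonce) if client_nonce else None
        return "EAP-Success", proof

    def forward(self, frame):
        """Higher-layer traffic (HTTP, SMTP, POP, ...) passes only once authorized."""
        if not self.port_authorized:
            raise PermissionError("port unauthorized: only EAPOL frames pass")
        return "forwarded: " + frame


class Supplicant:
    """Client; with require_server_auth it also checks the network's proof."""

    def __init__(self, identity, secret, require_server_auth, expected_server_key):
        self.identity = identity
        self.secret = secret
        self.require_server_auth = require_server_auth
        self.expected_server_key = expected_server_key

    def authenticate(self, ap):
        if ap.on_eapol_start() != "EAP-Request/Identity":
            return False
        nonce = ap.on_identity(self.identity)
        client_nonce = os.urandom(16) if self.require_server_auth else None
        result, proof = ap.on_response(mac(self.secret, nonce), client_nonce)
        if result != "EAP-Success":
            return False
        if not self.require_server_auth:
            return True   # one-way auth: any EAP-Success is taken at face value
        # Mutual auth: the network must prove it holds the expected credential.
        return proof is not None and hmac.compare_digest(
            mac(self.expected_server_key, client_nonce), proof)


def run_session(identity, secret, server_key=LEGIT_SERVER_KEY, require_server_auth=False):
    """Return (client_accepted_network, ap_port_authorized) for one session."""
    ap = AccessPoint(AuthServer(USER_SECRETS, server_key))
    client = Supplicant(identity, secret, require_server_auth, LEGIT_SERVER_KEY)
    return client.authenticate(ap), ap.port_authorized


if __name__ == "__main__":
    print("good credentials, one-way:", run_session("alice", USER_SECRETS["alice"]))
    print("bad credentials:", run_session("alice", b"wrong"))
    print("network without the real credential, one-way:",
          run_session("alice", USER_SECRETS["alice"], server_key=b"other-key"))
    print("same network, mutual auth:",
          run_session("alice", USER_SECRETS["alice"], server_key=b"other-key",
                      require_server_auth=True))
```

The third call is the one-way case the researchers describe: the client has no way to tell that the network answering it does not hold the expected credential, so it accepts the EAP-Success. The fourth call shows the mitigation: once the supplicant demands a proof from the network, the same session is rejected on the client side even though the network's own port state says "authorized". This is the property that EAP methods with server-side certificates provide.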
What can you do now?
For early adopters, 802.1x is perhaps at best an interim or intermediate solution, where it can play a part in the entire security platform for WLANs. But it should not be the only security system for enterprises.
Most security experts still advocate that WLANs have to be located outside the corporate network, as part of the demilitarized zone (DMZ). To access the corporate resources within the network, WLAN users will have to tunnel through VPNs.
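The WLAN-in-the-DMZ design just described, as an added example in Python that is not part of the original article. It models the packet-filter policy between the DMZ and the corporate LAN: a raw WLAN client may reach only the VPN gateway (IKE on UDP/500 and ESP), and corporate resources are reachable only from the address pool the VPN hands out once the tunnel is up. The weak setting, WLAN clients bridged straight onto the corporate LAN, sits beside it for comparison. Every network, address, port, rule and sample flow is constructed for illustration.

```python
# Added example (not the article's code): a model of the filter policy for a WLAN
# segment placed in the DMZ. Rules are evaluated in order, first match wins,
# default deny, as a packet filter between DMZ and corporate LAN would do.
# All networks, addresses, ports and flows below are constructed.
import ipaddress

net = ipaddress.ip_network
WLAN_DMZ = net("10.10.0.0/16")       # constructed: WLAN segment in the DMZ
CORP_LAN = net("10.0.0.0/16")        # constructed: internal corporate LAN
VPN_GATEWAY = net("10.0.0.1/32")     # constructed: IPsec VPN gateway
TUNNEL_POOL = net("10.20.0.0/24")    # constructed: addresses handed to VPN clients
ANY = net("0.0.0.0/0")

# Each rule: (source net, destination net, protocol, destination port, action).
HARDENED_POLICY = [
    (WLAN_DMZ, VPN_GATEWAY, "udp", 500, "allow"),    # IKE negotiation
    (WLAN_DMZ, VPN_GATEWAY, "esp", None, "allow"),   # IPsec ESP tunnel
    (TUNNEL_POOL, CORP_LAN, "any", None, "allow"),   # decrypted tunnel traffic
    (ANY, CORP_LAN, "any", None, "deny"),            # everything else into the LAN
]
# The weak setting: WLAN clients bridged straight onto the corporate LAN, so
# WEP or 802.1x alone stands between the airwaves and the internal servers.
WEAK_POLICY = [(WLAN_DMZ, CORP_LAN, "any", None, "allow")]


def evaluate(policy, src, dst, proto, dport=None):
    """Return 'allow' or 'deny' for one flow; flows matching no rule are denied."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule_src, rule_dst, rule_proto, rule_port, action in policy:
        if src not in rule_src or dst not in rule_dst:
            continue
        if rule_proto != "any" and rule_proto != proto:
            continue
        if rule_port is not None and rule_port != dport:
            continue
        return action
    return "deny"


# Constructed sample flows: a WLAN client (10.10.3.7), the VPN gateway (10.0.0.1)
# and an internal file server (10.0.5.20); 10.20.0.9 is the same client's tunnel address.
SAMPLE_FLOWS = [
    ("10.10.3.7", "10.0.0.1", "udp", 500),     # WLAN client starts IKE
    ("10.10.3.7", "10.0.0.1", "esp", None),    # ESP tunnel traffic
    ("10.10.3.7", "10.0.5.20", "tcp", 445),    # WLAN client straight to file server
    ("10.20.0.9", "10.0.5.20", "tcp", 445),    # same client, through the tunnel
]


def audit(policy):
    """Decision for each sample flow, in SAMPLE_FLOWS order."""
    return [evaluate(policy, *flow) for flow in SAMPLE_FLOWS]


if __name__ == "__main__":
    for name, policy in (("hardened", HARDENED_POLICY), ("weak", WEAK_POLICY)):
        for flow, decision in zip(SAMPLE_FLOWS, audit(policy)):
            print(f"{name:8} {flow[0]:>10} -> {flow[1]:<10} {flow[2]:4} {decision}")
```

Under the hardened policy the third flow, a WLAN client talking directly to an internal server, is denied and only the fourth, the same client arriving through the tunnel, gets in; under the weak policy the direct flow is allowed, which is exactly the exposure the DMZ placement is meant to remove.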
For now, IPsec VPN remains the most widely implemented platform to authenticate and provide secure access for wired and wireless clients and remote hosts. 802.1x, on the other hand, has a foggy outlook at best.
This is not helped by the uncertainty surrounding 802.11 technology, in particular the 802.11i protocol. With 802.1x, the best advice will be to watch and wait.
Seamus Phan is research director at KnowledgeLabs News Center (www.knowledgelabs.net), an independent technology news bureau, and writes for Network Computing-The Asian Edition. He can be reached at seamus@knowledgelabs.net