Chapter 14: Setting Up Security

The Promise of 802.1X

Ahh, the confusion of numbers… There is something called 802.1X that relates to Wi-Fi security, and I'd be remiss if I didn't at least try to put it into context, even though it's not (yet) part of the Wi-Fi standard, and not really appropriate for the vast majority of small office and home office wireless networks. It's really a 'big company' technology, so if that's not your realm you can quietly glaze over and flip to the start of the next chapter.

There's a great deal of misunderstanding out and around over what 802.1X is and what it can do. So let's take a closer look. First of all, the 802.1X standard is not a part of 802.11 wireless networking. (One way to tell is that the 'X' is upper case. All of the 802.11 task group letters are in lower case, and at this writing they're only up to the letter 'j'.) 802.1X is a separate IEEE standard that specifies a framework for port-based network access control: a way of authenticating a device or user before the network port it is plugged into (a physical switch port, or, for Wi-Fi, a logical port at the access point) is allowed to carry normal traffic. It can be applied equally well to either wired or wireless networks, and has no intrinsic connection to the 'wirelessness' of Wi-Fi.

802.1X isn't easy to characterize because it's not precisely a protocol, and certainly not a piece of software. It's really a plan for putting together several separate pieces of software and getting them to talk to one another via well-defined protocols in a well-defined way, all in the cause of securing a network.

Much of 802.1X depends upon the Extensible Authentication Protocol (EAP), which defines how the different components of an authentication mechanism exchange messages to authenticate network users without tying them to one particular credential type. Any authentication technology packaged as an EAP method (certificate-based EAP-TLS, for example) can work within the 802.1X framework.

In a nutshell, 802.1X works like this. There are three parties: the device trying to connect (the 'supplicant'), the switch or access point it connects through (the 'authenticator'), and a central authentication server (in practice almost always a RADIUS server) that holds information on legitimate users of the network. When a new user desires to log into the network, the user is forced to communicate initially through a controlled port (a relative of the 'captive portal' I've mentioned in earlier chapters) that allows only authentication traffic and blocks everything else. The authenticator does not judge the credentials itself; it relays the EAP conversation between the supplicant (carried in EAPOL frames over the LAN) and the authentication server (carried inside RADIUS). The authentication server then engages in a tightly controlled challenge-response dialog with the user to determine if the user is permitted on the network. Only once the user fulfills the requirements of the authentication server (which can use any EAP-compatible authentication method) does the server send an EAP-Success, and the authenticator switches the connection to the uncontrolled port that allows all the usual network traffic.

802.1X technology is available now; in fact, Windows XP contains an 802.1X client program (a supplicant, in 802.1X terms) to allow Windows XP systems to log into 802.1X-managed networks. Its use in 802.11 wireless networks is beginning, but there are some gotchas:

  • The 802.11 wireless networking standard has, as yet, no standard way of incorporating 802.1X authentication. This is what the 802.11i task group is currently working on. Until 802.11i is completed and adopted, different manufacturers will incorporate 802.1X authentication into their products in different, and incompatible, ways. I have some hope that the Wi-Fi Alliance's new Wi-Fi Protected Access specification (an early forerunner of 802.11i) will provide 802.1X compatibility before 802.11i hits the street, though I fear that it will do so in a not-quite-compatible way. But that's borrowing trouble; we won't know until we know.

  • Some serious security flaws have recently turned up in the way 802.1X is used over 802.11. In February 2002, a team at the University of Maryland published an attack on 802.1X that depends on a timing problem called a 'race condition' between two components of the system: the 802.11 state machine that tracks whether a client is associated with the access point, and the 802.1X state machine that tracks whether the client's port is authorized. The two are not tied together, so if they get even a little out of sync an attacker could hijack an existing and already authenticated session without the authentication server being any the wiser. In the published attack, the attacker knocks the legitimate user off the air with a forged 802.11 disassociate message (management frames carry no authentication, so the client cannot tell it was forged) and then keeps using the still-authorized port by spoofing the victim's MAC address, since that address is the only thing binding the port to the user. A related weakness is that the EAP-Success message itself is not integrity-protected, which opens the door to man-in-the-middle attacks. A fix has been proposed, but software will need to be updated and exhaustively tested before the industry is likely to climb on the 802.1X bandwagon.

  • 802.1X is not intended for small office or home office networks. It requires an authentication server program and someone trained to run it, and there are a great many moving parts in the full 802.1X framework. The software is quite expensive right now and, as you might expect for bleeding-edge technology, few people have learned it. For home networks, 802.1X is extreme overkill. The WEP replacements that 802.11i is defining (see my detailed discussion of 802.11i) should be sufficient to secure home and small office networks against all but the most ambitious attacks.
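The port-control exchange described above (controlled port, EAP relay, EAP-Success flipping the port open) and the session-hijack weakness in the previous bullet are easiest to see side by side in a small model. The following Python is an added example written for this edition; it is not code from the book, from the 802.1X standard, or from any real supplicant or server. The class names, the user database, the MAC addresses and the simplified HMAC challenge-response standing in for an EAP method are all constructed for illustration. With `keyed=False` the authenticator binds the authorized port to nothing but the client's MAC address, which is what the Maryland attack abuses; with `keyed=True` it models the direction the fix took in 802.11i, where the EAP exchange exports keying material and data frames must be protected under that session key, so a spoofed MAC address alone is no longer enough.

```python
"""Toy model of 802.1X port-based access control at an access point.

Added example, not code from the book or from any 802.1X implementation.
Every name, user and address below is constructed for illustration.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

EAPOL = "EAPOL"  # authentication traffic: always passes (uncontrolled port)
DATA = "DATA"    # everything else: passes only once the port is AUTHORIZED


@dataclass
class Frame:
    src_mac: str
    kind: str
    payload: bytes = b""
    tag: bytes = b""  # integrity tag under the session key (keyed model only)


class AuthServer:
    """Stand-in for the central authentication (RADIUS) server."""

    def __init__(self, users):
        self.users = users   # username -> password bytes (constructed)
        self.pending = {}    # username -> outstanding challenge

    def challenge(self, username):
        ch = os.urandom(16)
        self.pending[username] = ch
        return ch

    def verify(self, username, response):
        """Return exported session-key material on success, None on failure."""
        pw = self.users.get(username)
        ch = self.pending.pop(username, None)
        if pw is None or ch is None:
            return None
        expected = hmac.new(pw, ch, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            return None
        return hmac.new(pw, b"session-key" + ch, hashlib.sha256).digest()


class Supplicant:
    """The client device; derives the same session key as the server."""

    def __init__(self, mac, username, password):
        self.mac, self.username, self.password = mac, username, password
        self.session_key = None

    def respond(self, ch):
        self.session_key = hmac.new(self.password, b"session-key" + ch, hashlib.sha256).digest()
        return hmac.new(self.password, ch, hashlib.sha256).digest()

    def send(self, payload):
        tag = hmac.new(self.session_key, payload, hashlib.sha256).digest() if self.session_key else b""
        return Frame(self.mac, DATA, payload, tag)


class Authenticator:
    """The access point: one controlled port per client MAC address."""

    def __init__(self, server, keyed=False):
        self.server = server
        self.keyed = keyed   # True: data frames must carry a tag under the session key
        self.port = {}       # mac -> "UNAUTHORIZED" | "AUTHORIZED"
        self.keys = {}       # mac -> session key (keyed model only)

    def login(self, sup):
        """Relay the EAP exchange; open the port only on EAP-Success."""
        self.port[sup.mac] = "UNAUTHORIZED"
        ch = self.server.challenge(sup.username)                  # EAP-Request
        key = self.server.verify(sup.username, sup.respond(ch))   # EAP-Response
        if key is None:
            return False                                          # EAP-Failure
        self.port[sup.mac] = "AUTHORIZED"                         # EAP-Success
        self.keys[sup.mac] = key
        return True

    def forward(self, frame):
        """Decide whether a frame from a client is allowed onto the network."""
        if frame.kind == EAPOL:
            return True
        if self.port.get(frame.src_mac) != "AUTHORIZED":
            return False
        if not self.keyed:
            return True   # early 802.1X over 802.11: the MAC address is the only binding
        expected = hmac.new(self.keys[frame.src_mac], frame.payload, hashlib.sha256).digest()
        return hmac.compare_digest(expected, frame.tag)


def demo(keyed):
    """Legitimate login, then an attacker reusing the victim's MAC address."""
    server = AuthServer({"alice": b"correct horse"})              # constructed user
    ap = Authenticator(server, keyed=keyed)
    alice = Supplicant("00:11:22:33:44:55", "alice", b"correct horse")
    results = {}
    results["data_before_login"] = ap.forward(alice.send(b"GET /"))  # blocked by controlled port
    results["login"] = ap.login(alice)
    results["data_after_login"] = ap.forward(alice.send(b"GET /"))
    # The attacker forges an 802.11 disassociate to alice (the AP never sees it),
    # then spoofs her MAC address. The AP's 802.1X port is still AUTHORIZED.
    results["hijack_passes"] = ap.forward(Frame("00:11:22:33:44:55", DATA, b"GET /secret"))
    results["bad_login"] = ap.login(Supplicant("66:77:88:99:aa:bb", "mallory", b"guess"))
    return results


if __name__ == "__main__":
    for keyed in (False, True):
        print("keyed =", keyed, demo(keyed))
```

Run it and compare the two `hijack_passes` values: the unkeyed authenticator forwards the attacker's frame because the port state never changed, while the keyed one rejects it because the forged frame carries no valid tag. The model leaves out the real EAPOL and RADIUS encodings and the 802.11i four-way handshake; it exists only to show why "authorized port plus MAC address" is not a session and why keying is.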

The key to understanding 802.1X is this: 802.1X is not about making a network secure. It's about making a secure network more manageable, and from that manageability it may become somewhat more secure and more user-friendly for workers at a company where security is important. Using an aggressive key-rotation policy, plus any of several secure tunneling protocols, is actually what makes a Wi-Fi network secure. Doing all the work, and doing it right, is a daunting task, and that's where 802.1X will really shine. Once the 802.11i task group completes its work, the 802.1X framework will be integrated with 802.11 wireless networking in a seamless and industry-standard way. Until then, 802.1X should be considered a single-vendor solution on the wireless side.

I've been asked if a future generation of access points or residential gateways will ever incorporate an integrated 802.1X authentication server. I suppose that's possible, but I don't think it's especially useful. Coming improvements to WEP should suffice for the home user (in fact, I personally think that WEP plus a little common sense is more than enough right now) and business users will always want a separate server for centralized management of a scalable network.

For more on 802.1X and how it affects Wi-Fi networking, see my discussion of 802.11i.



Jeff Duntemann's Drive-By Wi-Fi Guide
ISBN: 1932111743
Year: 2005
Pages: 181
