Practical Security Aspects

Some WLAN managers view the 802.11 service set ID (SSID) as an element of their security implementations.[56] Each 802.11 WLAN AP must be assigned an SSID, and WLAN clients use the SSID when they associate with the AP. This mechanism provides little security, however, because most APs broadcast their SSIDs. Hence, any WLAN client that can be configured to scan for SSIDs will detect the available APs and often present them in a pick list to the user whose network interface card (NIC) is looking to associate. Some APs can be configured to suppress the broadcast of SSIDs; on systems configured in this manner, only clients that know the SSID will be able to associate with that AP. (Table 4-1 summarizes the various techniques discussed here.)

Table 4-1. WLAN security choices

Technique | Quality | Description
EAP | Good | EAP is an extension of PPP defined in RFC 2284. EAP is a general authentication protocol that supports multiple authentication methods, including traditional passwords, token cards, Kerberos, digital certificates, and public-key authentication.
802.11i | Good | IEEE 802.11 Task Group I is responsible for enhancing the existing 802.11 MAC standard to provide improved security. This eventually will include strong encryption and standards-based authentication.
802.1X | Good | This IEEE standard can be used as a basis for authentication on all 802 networks, including Ethernet, Token Ring, and WLANs. IEEE 802.1X specifies how EAP information should be encapsulated in frames. To be useful in enabling WLAN security, 802.1X must be supported by WLAN infrastructure equipment as well as mobile-device operating
MAC ACLs | Medium | These ACLs are implemented based on the MAC address of a device, which is normally set in read-only memory (ROM) by the manufacturer. Many 802.11 product manufacturers provide capabilities for restricting access to the WLAN based on a table of MAC addresses stored on the AP. Some vendors provide management utilities that let these MAC ACLs be distributed to multiple APs within an organization.
SSID | Low | SSID is a unique identifier that wireless APs and wireless nodes use to communicate with each other. The SSID is contained within the header of all packets exchanged within a defined WLAN basic service set (BSS). A device cannot be permitted to join the BSS unless it can provide the unique SSID. However, because most APs broadcast their SSIDs and the SSID is contained in plain text in all packets (even if WEP encryption is used), there is no effective way to secure SSIDs.
VPN | Good to excellent | A VPN provides access to secure information over insecure networks using one of a variety of tunneling protocols, including the Point-to-Point Tunneling Protocol (PPTP), the Layer Two Tunneling Protocol (L2TP), and IPsec. A VPN gateway is a device that acts as the interface between secure and insecure networks. To gain access to resources, network devices must support the appropriate tunneling and authentication protocols. VPNs have traditionally been deployed to securely interconnect sites using the public Internet instead of leased lines or Frame Relay and to provide secure dial-up access to secure systems over the public Internet.
WEP | Medium to low | WEP is an optional encryption standard defined by the IEEE 802.11 committee and is implemented in most WLAN products. To gain Wireless Fidelity (WiFi) certification by the Wireless Ethernet Compatibility Alliance (WECA), products must support 40-bit WEP. Most vendors also support 128-bit WEP. WEP was designed to provide security equivalent to a wired LAN and was not originally envisioned as a bulletproof security architecture. WEP's architecture has been shown to be flawed, and tools are available that can effectively break WEP encryption through passive hacking.

Source: D. Molta, School of Information Studies at Syracuse University.
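As an added illustration of the SSID point made in the text and in the table's SSID row (example code, not from the book): a parser for the information elements of an 802.11 beacon body, showing that the SSID travels as a plain tag-length-value element and that a "suppressed" SSID is simply a zero-length element, which is easy to spot when reviewing beacon traffic. The beacon bodies are constructed here, not captured.

```python
import struct
from typing import Dict, Optional

def build_beacon_body(ssid: bytes, hidden: bool = False) -> bytes:
    """Constructed beacon frame body (not a real capture): 12 bytes of fixed
    fields, then information elements (IEs) as tag, length, value."""
    # timestamp, beacon interval, capability info (bit 4 = Privacy, i.e. WEP on)
    fixed = struct.pack("<QHH", 0, 100, 0x0411)
    # "Suppressed" SSID broadcast: the SSID IE is still present but empty
    ssid_ie = bytes([0, 0]) if hidden else bytes([0, len(ssid)]) + ssid
    rates_ie = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])  # basic rates 1/2/5.5/11 Mbit/s
    return fixed + ssid_ie + rates_ie

def parse_ies(body: bytes) -> Dict[int, bytes]:
    """Walk the IE list after the fixed fields and return tag -> value."""
    ies, pos = {}, 12
    while pos + 2 <= len(body):
        tag, length = body[pos], body[pos + 1]
        value = body[pos + 2:pos + 2 + length]
        if len(value) != length:   # truncated IE: stop instead of misreading it
            break
        ies[tag] = value
        pos += 2 + length
    return ies

def ssid_of(body: bytes) -> Optional[str]:
    """The SSID exactly as any receiver sees it; None when the AP hides it."""
    ssid = parse_ies(body).get(0)
    return ssid.decode("utf-8", "replace") if ssid else None

def privacy_enabled(body: bytes) -> bool:
    """Capability Privacy bit: the AP requires WEP for data frames."""
    return bool(struct.unpack_from("<H", body, 10)[0] & 0x0010)
```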

Some network managers take advantage of access-control lists (ACLs) based on MAC addresses, a feature supported in most APs. This is an effective solution for small networks, but it has several problems. First, hackers can spoof MAC addresses, thereby overcoming the access-control restrictions. Second, the number of MAC address entries that any given AP can support usually has limits, a potential problem in environments with thousands of wireless nodes. Finally, in multiple access-point environments, you need to have a system in place to automatically distribute all MAC address entries to all APs.

WEP provides a base level of data encryption. Although WEP's encryption system has been shown to be vulnerable, some vendors are now shipping enhanced versions that inhibit the use of 'easily guessable' WEP keys. Even if one is comfortable depending on WEP for privacy, key distribution can be a challenge. If the network includes more than 100 clients, maintaining WEP keys on APs and clients will likely be a significant administrative burden.

The lack of advanced, standards-based security solutions coming from the IEEE, coupled with the acknowledged weaknesses of the existing WEP encryption mechanism, has led some vendors to recommend physical or logical separation of wired and wireless nodes. This is done through the use of either a dedicated wireless backbone or a virtual LAN (VLAN) running on an existing wired network infrastructure. Wireless nodes have Internet access as well as access to low-security intranet applications, but a VPN gateway controls access to secure applications and data. Like a remote-access VPN, a WLAN implementation requires that VPN client software be installed on all WLAN clients and used to gain authenticated access to secure resources.

Since VLANs and VPNs are standards based, no proprietary elements are included in this solution, enabling a planner to implement a multivendor WLAN environment and still provide standards-based secure access. This solution provides access control, privacy based on strong encryption, and, in some cases, device- and subnet-based access control. It is a reasonable solution that leaves open the option of selecting best-of-breed products both for the wireless infrastructure and for VPN-based security. VPN implementations, however, are not simply a plug-and-play solution, and they are not inexpensive.

If the planner wants to avoid maintaining yet another authentication database, the planner will need to find an appropriate method of interfacing the VPN system with an external directory server. VPN software must be installed and configured on all the client devices. For some operating systems, the VPN client is included, so this is a relatively simple configuration and support challenge, but for other devices, such as PDAs, one may need to rely on third-party providers for VPN client software. Finally, if the planner chooses to deploy a single VLAN that provides enterprise coverage, the planner must make sure that the Ethernet switching infrastructure and VLAN implementation are secure. Also, because the VLAN is a single IP subnet with APs acting as MAC-layer bridges, one needs to monitor levels of broadcast traffic.

Several of the leading WLAN vendors[57] have developed security framework solutions for their WLAN implementations. These products are based on standard protocols; however, each is proprietary to the extent that it relies on client software available only for that vendor's wireless NICs.

By way of illustration, Cisco's wireless security solution provides mutual authentication of wireless clients and APs using proprietary extensions to the Internet-standard EAP (RFC 2284), which Cisco calls Lightweight EAP (LEAP). LEAP requires the use of either the Cisco Secure Access Control Server (ACS) or a compatible RADIUS server. Cisco Secure ACS has hooks into external directory services, including Microsoft ADS and Novell NDS. With 802.1X and EAP, wireless clients and a Remote Authentication Dial-In User Service (RADIUS) server on the wired LAN perform mutual authentication through the APs using one of several supported authentication methods. Once authentication is complete, the RADIUS server sends a unique per-session WEP key for data-stream encryption. Third-party solutions have also emerged to address the issue; these include both software and hardware systems. According to observers, there is cause for optimism that more mature security systems based on interoperable standards should be available in 2002.
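The exchange described above, as an added model (not the book's code and not Cisco's LEAP; the challenge-response method is a placeholder HMAC-SHA256 construction standing in for whatever EAP method is deployed): the supplicant and the RADIUS server authenticate each other through the AP, which only relays EAP inside RADIUS and never holds the credential, and both ends derive the same per-session key at the end.

```python
import hashlib
import hmac
import os

# Added model of the 802.1X/EAP/RADIUS flow (not the book's code, not LEAP): the
# challenge-response method below is a placeholder HMAC-SHA256 construction.
def prf(secret: bytes, *parts: bytes) -> bytes:
    return hmac.new(secret, b"|".join(parts), hashlib.sha256).digest()

class AuthServer:
    """RADIUS server: the only party that holds user credentials."""
    def __init__(self, users: dict):
        self.users, self.pending = users, {}

    def access_request(self, identity: bytes) -> bytes:
        # Access-Request carrying EAP-Response/Identity -> Access-Challenge
        self.pending[identity] = os.urandom(16)
        return self.pending[identity]

    def challenge_reply(self, identity, c_nonce, c_proof):
        secret, s_nonce = self.users.get(identity), self.pending.pop(identity, None)
        if secret is None or s_nonce is None:
            return None                                   # Access-Reject
        if not hmac.compare_digest(prf(secret, b"c", s_nonce, c_nonce), c_proof):
            return None                                   # Access-Reject
        s_proof = prf(secret, b"s", c_nonce, s_nonce)     # lets the client check the server
        key = prf(secret, b"k", s_nonce, c_nonce)[:13]    # 104-bit per-session WEP key
        return s_proof, key                               # Access-Accept; key goes to the AP

class Supplicant:
    """Wireless client: holds its own secret and derives the same session key."""
    def __init__(self, identity: bytes, secret: bytes):
        self.identity, self.secret, self.session_key = identity, secret, None

    def respond(self, s_nonce: bytes):
        self.c_nonce = os.urandom(16)
        return self.c_nonce, prf(self.secret, b"c", s_nonce, self.c_nonce)

    def verify_server(self, s_nonce: bytes, s_proof: bytes) -> bool:
        if not hmac.compare_digest(prf(self.secret, b"s", self.c_nonce, s_nonce), s_proof):
            return False                                  # rogue AP or server: abort
        self.session_key = prf(self.secret, b"k", s_nonce, self.c_nonce)[:13]
        return True

def authenticate(client: Supplicant, server: AuthServer):
    """The AP (authenticator) only relays EAP inside RADIUS; it never sees the secret."""
    s_nonce = server.access_request(client.identity)      # EAP-Request, relayed by the AP
    c_nonce, c_proof = client.respond(s_nonce)            # EAP-Response, relayed by the AP
    result = server.challenge_reply(client.identity, c_nonce, c_proof)
    if result is None or not client.verify_server(s_nonce, result[0]):
        return None                                       # EAP-Failure: port stays unauthorized
    return result[1]                                      # AP installs the per-session key
```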

[56] R. Rivest and S. Dusse, 'The MD5 Message-Digest Algorithm,' RFC 1321, MIT Laboratory for Computer Science, RSA Data Security Inc., April 1992.

[57] This means the implementation discards the packet without further processing. The implementation should provide the capability of logging the error, including the contents of the silently discarded packet, and should record the event in a statistics counter.



Hotspot Networks: Wi-Fi for Public Access Locations
Year: 2005
Pages: 88