Advanced Wireless Security

Now that we have covered the basics, let's take a look at some more advanced methods of securing wireless infrastructure. The technologies/techniques covered in this section may not be available on all access points. Custom configurations may be required to make these technologies accessible and, as always, implementations vary from vendor to vendor.

User Authentication

User authentication packages for use with wireless access points are still at an immature stage of evolution. Having shown up on the scene only a few years ago, these mechanisms usually require some form of client to be installed on the device that has the wireless network card. In this scenario, the wireless device attaches to the wireless network, then sends an encrypted packet containing a username/password combination. This is checked against a username and password database. This database can be local for smaller wireless networks, or it can authenticate against a Novell NDS server, Microsoft Active Directory, a RADIUS (Remote Authentication Dial-In User Service) server, or any LDAP-compliant database that supports basic authentication.

Since social engineering can be the weakest point of any network security plan, it must be considered when building a secure wireless network. Giving users too many passwords can become cumbersome, so it is generally agreed that a "single sign-on" (SSO) solution could help the organization enforce its security mechanisms, policies, and procedures. However, making users maintain a different password for logging into the wireless network can be considered an added layer of security. If a user were to use the same password for the VPN and internal resources, the scope of a compromised password is greater: an attacker who compromised that one password would have access not only to the wireless network but also to all resources available to that username and password combination. If users create different passwords for internal resources than for the VPN or other remote access, a miscreant who obtains one password would not be able to easily use it without the other. The best bet is to follow through with your existing authentication policy or consider augmenting it with a token-based security scheme (two-factor authentication).

Currently, there are no standards that all vendors follow 100 percent. Different manufacturers use and maintain different packages that do the same thing. Expect some difficulties with authentication software, and multiple vendor implementations of it, until security standards are set by the IEEE and manufacturers decide to follow them.

The following list provides examples of authentication packages by different vendors:

Cisco Secure Access Control Server

http://www.cisco.com/en/US/products/sw/secursw/ps2086/

Funk Software

http://www.funk.com/radius/wlan/wlan_radius.asp

Recently, hot spots have been popping up all over the United States. This convenient idea allows all types of users to conduct business via the Internet. Typically, users buy time on these hot spots by the hour, day, or month. A logon screen asks the user to enter a username and password combination to validate who the user is. The Shmoo group has a software package named Airsnarf (http://airsnarf.shmoo.com) that allows an attacker to spoof a hot spot's own legitimate wireless access point, thereby becoming a rogue access point. This allows the attacker to do almost anything with the traffic flowing through his system, masquerading as the legitimate access point, as users connect to his rogue setup.

Note 

The Shmoo group has also posted a defense software package to detect if someone is running a rogue access point. Scripts are used to check the SSID, MAC address of the access point or gateway, and any quick changes in the signal. After that point the software reports back to the user if the signs are there that someone is using Airsnarf.

These are all very dangerous situations as unsuspecting users think their connections are secure, at least until they get to the Internet.
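The three checks named in the Note above (SSID, MAC address of the access point or gateway, and quick changes in signal) can be sketched as follows. This is an added example, not the Shmoo group's code; the `Obs` record, the thresholds, the trusted baseline and every sample value are constructed assumptions.

```python
from collections import namedtuple

# One observation of the network a client is associated with (constructed fields).
Obs = namedtuple("Obs", "t ssid bssid gateway_mac signal_dbm")

def detect_rogue_ap(observations, trusted, max_jump_db=20, window_s=10):
    """Return (time, reason) alerts for SSIDs listed in the trusted baseline."""
    alerts, last = [], {}
    for o in sorted(observations, key=lambda x: x.t):
        base = trusted.get(o.ssid)
        if base is None:
            continue  # no baseline recorded for this SSID
        bssid, gw = o.bssid.lower(), o.gateway_mac.lower()
        if bssid not in base["bssids"]:
            alerts.append((o.t, "unknown_bssid"))
        if gw not in base["gateways"]:
            alerts.append((o.t, "unknown_gateway"))
        prev = last.get(o.ssid)
        # Roaming between APs changes signal legitimately, so compare only
        # consecutive readings from the same BSSID inside a short window.
        if (prev and prev.bssid.lower() == bssid and o.t - prev.t <= window_s
                and abs(o.signal_dbm - prev.signal_dbm) >= max_jump_db):
            alerts.append((o.t, "signal_jump"))
        last[o.ssid] = o
    return alerts

# Constructed baseline: a hot spot with two legitimate APs behind one gateway.
TRUSTED = {"CoffeeHotspot": {"bssids": {"00:11:22:33:44:55", "00:11:22:33:44:66"},
                             "gateways": {"00:aa:bb:cc:dd:01"}}}

# Constructed scan history (time in seconds, signal in dBm).
SAMPLE = [
    Obs(0,  "CoffeeHotspot", "00:11:22:33:44:55", "00:aa:bb:cc:dd:01", -62),
    Obs(5,  "CoffeeHotspot", "00:11:22:33:44:55", "00:aa:bb:cc:dd:01", -60),
    Obs(10, "CoffeeHotspot", "00:11:22:33:44:66", "00:aa:bb:cc:dd:01", -45),  # roam
    Obs(15, "CoffeeHotspot", "00:11:22:33:44:66", "00:aa:bb:cc:dd:01", -47),
    Obs(20, "CoffeeHotspot", "00:11:22:33:44:66", "00:aa:bb:cc:dd:01", -20),  # jump
    Obs(25, "CoffeeHotspot", "02:de:ad:be:ef:01", "02:de:ad:be:ef:02", -18),  # new MACs
]

if __name__ == "__main__":
    for alert in detect_rogue_ap(SAMPLE, TRUSTED):
        print(alert)
```

A signal jump on an unchanged BSSID is the case the MAC checks cannot catch: a spoofed access point that copies the legitimate MAC address but transmits from a different location.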

802.11i and EAP

802.11i is the successor to WEP in the IEEE standards with a deeper focus on security. Key management with 802.11i is greatly improved over WEP. Instead of using a static encryption key, 802.11i allows administrators to effectively deploy dynamic keys. Extensible Authentication Protocol (EAP) is used to provide a secure authentication and encryption mechanism for 802.11i. EAP has successfully avoided some of the exploits with WEP and has even had some prior applications. It started as a protocol that could authenticate dial-in users. EAP has been running across other 802.11-compliant LANs for a number of years. If EAP is currently deployed on an organization's wired network, EAP can be extended and provide the security needed for wireless networks.

The fact is, nothing in the WEP standard truly verifies the identity of the users connecting. WEP uses a shared key, meaning everyone uses the same "secret." EAP, on the other hand, can use a number of authentication schemes to verify the identity of each wireless user; examples are Kerberos, EAP-LEAP, EAP-MD5, EAP-PEAP, EAP-TLS, EAP-TTLS, and EAP-SIM.

Key management has to be addressed in whatever security mechanism ultimately replaces WEP, assuming it will use a secret key scheme. Any time a static technology is used in this day and age (such as shared secrets in WEP that are not changed often), the service using the static technology becomes a sitting duck. At a high level, one should make it as difficult as possible for an attacker to find the environment; then by the time it is found, the administrator should have changed all the rules (such as frequently changed passwords, dynamic keys, and so on). This is what 802.11i is able to accomplish. Key generation and management, safe delivery of the key, and use of multiple rotating keys are all features 802.11i uses to keep secrets secret.

Tip 

We recommend that if your existing hardware can support a firmware upgrade to support the AES-CCMP standard, this is a viable migration path. As stated earlier, TKIP is more secure than using WEP, but AES-CCMP adds additional security via its advanced encryption algorithm and should be used whenever possible.
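To check an access point against the recommendations in this section (no static WEP keys, 802.11i enabled, AES-CCMP rather than TKIP, per-user EAP authentication), a configuration audit along these lines can help. This is an added example, not from the book: it assumes hostapd's `key=value` configuration syntax because the text names no specific product, and the sample configurations are constructed.

```python
def parse_conf(text):
    """Parse hostapd-style key=value lines, skipping blanks and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def audit_wlan(text):
    """Return findings for the weaknesses this section describes."""
    c, findings = parse_conf(text), []
    if any(k.startswith("wep_key") for k in c):
        findings.append("static WEP key configured")
    if (int(c.get("wpa", "0")) & 2) == 0:        # bit 1 = WPA2/RSN (802.11i)
        findings.append("802.11i (RSN) not enabled")
    ciphers = set(f'{c.get("wpa_pairwise", "")} {c.get("rsn_pairwise", "")}'.split())
    if "TKIP" in ciphers:
        findings.append("TKIP allowed as pairwise cipher")
    if "CCMP" not in ciphers:
        findings.append("AES-CCMP not enabled")
    if "WPA-EAP" not in c.get("wpa_key_mgmt", "").split():
        findings.append("no per-user EAP authentication")
    return findings

# Constructed sample configurations (keys, names and addresses are made up).
WEAK = """
ssid=corp-wlan
wep_default_key=0
wep_key0=0123456789
"""
MIXED = """
ssid=corp-wlan
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
"""
HARDENED = """
ssid=corp-wlan
ieee8021x=1
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
auth_server_addr=192.0.2.10
"""

if __name__ == "__main__":
    for name, conf in (("WEAK", WEAK), ("MIXED", MIXED), ("HARDENED", HARDENED)):
        print(name, audit_wlan(conf))
```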

Miscellaneous Security Software

In addition to the items previously discussed, there are several software packages available, both commercial and open source, to bolster your wireless environment. One package worth mentioning will analyze the RF profile of a connecting device and determine its physical location with respect to wireless access points. If it is determined the new client is on the outside of a predetermined perimeter, access will be denied. For more information on this product, we recommend you explore Newbury Networks (http://www.newburynetworks.com). Computer Associates (http://www.ca.com) has developed a similar product and we're sure that by the time this book hits the bookshelves, there will be several more.

Airwave (http://www.airewave.com) has vendor-agnostic wireless access point management software, allowing administrators to build a self-healing wireless network by having wireless access points adjust power levels if one fails. It will also empower some wireless access points to monitor for rogue access points.

While these are just a few of the many available software packages, our intent is to provide some ideas on other features now becoming available for wireless infrastructure to assist in its security.



Extreme Exploits. Advanced Defenses Against Hardcore Hacks
Extreme Exploits: Advanced Defenses Against Hardcore Hacks (Hacking Exposed)
ISBN: 0072259558
EAN: 2147483647
Year: 2005
Pages: 120
