Appendix A: Wireless Policy Essentials


A.1 Wireless Position Statement

Over the last two years, articles have appeared in the press discussing security problems discovered in the WEP encryption scheme used on many 802.11b wireless networks. Although we are using a form of WEP on our wireless network, the security solution we are implementing uses Cisco technology that mitigates the published flaws to a significant extent.

Standard WEP uses a single, static encryption key, shared by every station, for all wireless transmissions. The published attacks recover that key not by brute force but by passively collecting large numbers of encrypted frames and analyzing them statistically; once the shared key is known, every station's traffic can be read. Our system instead gives each user an individual encryption key that changes each time the user logs into the wireless network. There is no single key whose recovery exposes everyone, and because each key is short-lived, far less traffic is ever encrypted under any one key for an attacker to work with.
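The following is an added example, not part of the original appendix, that shows concretely why a single static WEP key is dangerous. WEP encrypts each frame with RC4 keyed by a 24-bit per-frame IV concatenated with the shared key, so the IV is the only thing that varies; when an IV repeats under the same key, two frames share a keystream and an attacker who can guess one plaintext reads the other without recovering the key at all. The per-user dynamic keys described above are shown defeating the same trick. The key, addresses and payloads are constructed for the demonstration; the key-index byte and CRC-32 ICV of a real WEP frame are omitted because they do not affect the point.

```python
"""Added example (not from the original text): static WEP key + IV reuse = keystream reuse.

WEP = RC4(IV || shared_key). The shared key never changes, so only the 2^24 IV values
provide keystream variety. Any IV collision gives C_a ^ C_b = P_a ^ P_b.
All keys, IVs and payloads below are constructed for the demonstration.
"""
import os


def rc4(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `key` (KSA followed by PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                   # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: the 24-bit IV travels in the clear; the payload is XORed with
    RC4(IV || key). Key-index byte and CRC-32 ICV of a real frame are omitted."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    keystream = rc4(iv + shared_key, len(plaintext))
    return iv + xor(plaintext, keystream)


def recover_from_iv_collision(frame_a: bytes, frame_b: bytes, known_plaintext_a: bytes):
    """Passive attacker holding one known plaintext. If both frames carry the same IV
    and were sent under the same key, their keystreams are identical, so
    C_a ^ C_b ^ P_a = P_b. Returns None when the IVs differ (no collision to exploit)."""
    iv_a, body_a = frame_a[:3], frame_a[3:]
    iv_b, body_b = frame_b[:3], frame_b[3:]
    if iv_a != iv_b:
        return None
    return xor(xor(body_a, body_b), known_plaintext_a)


# Constructed sample traffic (same length so the XOR lines up byte for byte).
STATIC_KEY = bytes.fromhex("0b0b0b0b0b0b0b0b0b0b0b0b0b")   # one 104-bit key for everyone
P_A = b"GET /index.html HTTP/1.0"   # attacker can guess this request
P_B = b"POST /login?pw=secret!!!"   # attacker wants this one
COLLIDING_IV = bytes.fromhex("01a2b3")


def static_key_leak() -> bytes:
    """Two stations share the static key and happen to reuse an IV: P_B falls out."""
    frame_a = wep_encrypt(STATIC_KEY, COLLIDING_IV, P_A)
    frame_b = wep_encrypt(STATIC_KEY, COLLIDING_IV, P_B)
    return recover_from_iv_collision(frame_a, frame_b, P_A)


def per_user_key_no_leak() -> bytes:
    """Same IV collision, but each user holds a different per-login key (constructed
    here with os.urandom): the keystreams differ, so the 'recovered' bytes are garbage."""
    key_alice = os.urandom(13)
    key_bob = os.urandom(13)
    frame_a = wep_encrypt(key_alice, COLLIDING_IV, P_A)
    frame_b = wep_encrypt(key_bob, COLLIDING_IV, P_B)
    return recover_from_iv_collision(frame_a, frame_b, P_A)


if __name__ == "__main__":
    print("static key, IV reuse    ->", static_key_leak())
    print("per-user keys, IV reuse ->", per_user_key_no_leak())
```

With a 24-bit IV space, a busy access point exhausts or collides IVs within hours, so this is not a corner case; it is one of the reasons the same attack family (AirSnort and its relatives, which additionally exploit weak RC4 key schedules) works against static-key WEP. Per-user, per-login keys bound the amount of traffic any one key ever protects.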

It is important to remember that WEP is not intended to be the only security used in a wireless network. WEP stands for Wired Equivalent Privacy and was only meant to make a wireless connection roughly as hard to "sniff" as a wired network connection. In reality, the Cisco solution deployed at ABC Inc. provides significantly more data privacy than a normal wired connection.

As with the traditional wire-based network, additional protection such as encrypted Web pages using SSL and secure remote logins and file transfers using SSH should still be used for high-value data transactions. The wireless encryption system protects your data only while it travels over the airwaves. As soon as your data reaches the wireless access point in your building, it flows over the building's standard wired network and is no longer protected by the wireless encryption system.

Two new wireless security solutions will become available over the next year and a half. The first, WiFi Protected Access (WPA), is a subset of the still unfinished IEEE 802.11i security specification and will be usable on both home and enterprise wireless networks. The second is 802.11i itself: IEEE Task Group I is working on it and is still on a path to deliver a fully ratified standard about this time next year.

WPA will work with the majority of 802.11-based products on the market today once they have received a firmware/software upgrade, and it is forward compatible with 802.11i. By the time 802.11i is ratified, around September of next year, WPA version 2.0 is expected with full 802.11i support. Eventually, the WiFi Alliance expects to require WiFi products to ship with WPA turned on by default. In the enterprise, WPA works like any other 802.1X deployment: the clients and access points must have WPA enabled, and the access point relays each client's Extensible Authentication Protocol (EAP) exchange to an 802.1X authentication server of some sort, such as a RADIUS server, which provides centralized access management.

A Short Technical Overview of the New Wireless Security Solutions to Be Deployed in the ABC Inc. Environment When They Are Available

WiFi Protected Access had several design goals:

  • Be a strong security solution

  • Interoperable

  • Security replacement for WEP

  • Be software upgradable on existing WiFi certified products

  • Be applicable for both home and enterprise users and be available immediately

WiFi Protected Access was constructed to provide improved data encryption, which was weak in WEP, and user authentication, which was largely missing from WEP. To improve data encryption, WiFi Protected Access uses the Temporal Key Integrity Protocol (TKIP). TKIP wraps the existing WEP cipher in several enhancements: a per-packet key mixing function, so that no two frames are encrypted under the same RC4 key; a cryptographic message integrity check (MIC) named Michael, replacing WEP's linear CRC-32 integrity value, which an attacker can adjust to match a modified frame; an extended 48-bit initialization vector (IV) with sequencing rules, which serves both as input to the per-packet key and as a replay counter; and a rekeying mechanism. Through these enhancements, TKIP addresses all of WEP's vulnerabilities known at the time of its design.

Enterprise-Level User Authentication via 802.1X and EAP

WEP has almost no user authentication mechanism. To strengthen user authentication, WiFi Protected Access implements 802.1X and the Extensible Authentication Protocol (EAP). Together they provide a framework for strong user authentication. This framework uses a central authentication server, such as RADIUS, to authenticate each user before the user is admitted to the network, and it employs mutual authentication so that a wireless client does not unknowingly join a rogue network that could capture its credentials.
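To make two of the TKIP enhancements above concrete, here is an added example (not code from the original appendix or from any vendor) implementing the Michael message integrity check from its IEEE 802.11i description and the receiver-side sequencing rule for the 48-bit TKIP Sequence Counter (TSC) carried in the extended IV. The per-packet key mixing function and the Michael countermeasures are not reproduced. The MIC key, MAC addresses and payload are constructed; the zero-key, empty-message result noted in the comment is the first 802.11i Michael test vector.

```python
"""Added example (not from the original text): Michael MIC and TSC replay rule from TKIP.

Michael is a deliberately lightweight 64-bit MIC so that WEP-era hardware can compute it
in software; TKIP therefore also binds it to the addresses and pairs it with
countermeasures (not shown). All keys, addresses and payloads here are constructed.
"""
import hmac
import struct

MASK32 = 0xFFFFFFFF


def _rol(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def _ror(x: int, n: int) -> int:
    return ((x >> n) | (x << (32 - n))) & MASK32


def _xswap(x: int) -> int:
    """Swap the bytes within each 16-bit half: 0xAABBCCDD -> 0xBBAADDCC."""
    return ((x & 0xFF00FF00) >> 8) | ((x & 0x00FF00FF) << 8)


def _michael_block(l: int, r: int):
    """The Michael block function b(L, R) from IEEE 802.11i."""
    r ^= _rol(l, 17); l = (l + r) & MASK32
    r ^= _xswap(l);   l = (l + r) & MASK32
    r ^= _rol(l, 3);  l = (l + r) & MASK32
    r ^= _ror(l, 2);  l = (l + r) & MASK32
    return l, r


def michael(key: bytes, msg: bytes) -> bytes:
    """Michael MIC: 64-bit key as two little-endian 32-bit words; message padded with
    0x5a and then 4 to 7 zero bytes to a multiple of 4; each 32-bit word is XORed
    into L and the block function applied. Zero key, empty msg -> 82925c1ca1d130b8."""
    if len(key) != 8:
        raise ValueError("Michael key is 64 bits")
    l, r = struct.unpack("<II", key)
    padded = msg + b"\x5a" + b"\x00" * 4
    padded += b"\x00" * (-len(padded) % 4)
    for (word,) in struct.iter_unpack("<I", padded):
        l ^= word
        l, r = _michael_block(l, r)
    return struct.pack("<II", l, r)


def tkip_mic(mic_key: bytes, da: bytes, sa: bytes, priority: int, msdu: bytes) -> bytes:
    """TKIP computes Michael over DA || SA || priority || three zero bytes || MSDU,
    so a frame cannot be redirected to another address without invalidating the MIC."""
    return michael(mic_key, da + sa + bytes([priority, 0, 0, 0]) + msdu)


def mic_ok(mic_key, da, sa, priority, msdu, received_mic) -> bool:
    return hmac.compare_digest(tkip_mic(mic_key, da, sa, priority, msdu), received_mic)


class TscReplayCheck:
    """Sequencing rule for the extended IV: the 48-bit TSC must strictly increase per
    sender and key. A repeated or older TSC is a replay (or reordered frame) and is
    dropped. WEP's 24-bit IV has no such rule, so captured WEP frames replay freely."""

    def __init__(self):
        self.last_tsc = -1

    def accept(self, tsc: int) -> bool:
        if not 0 <= tsc < (1 << 48):
            raise ValueError("TSC is 48 bits")
        if tsc <= self.last_tsc:
            return False
        self.last_tsc = tsc
        return True


# Constructed frame fields.
MIC_KEY = bytes.fromhex("0123456789abcdef")
DA = bytes.fromhex("001122334455")
SA = bytes.fromhex("66778899aabb")
MSDU = b"payroll export: 4,200 rows"


def tamper_detected() -> bool:
    """Flip one payload bit, as an attacker can do undetected under WEP by patching the
    linear CRC-32: the Michael MIC no longer matches and the frame is rejected."""
    mic = tkip_mic(MIC_KEY, DA, SA, 0, MSDU)
    forged = bytearray(MSDU)
    forged[0] ^= 0x01
    return mic_ok(MIC_KEY, DA, SA, 0, MSDU, mic) and not mic_ok(MIC_KEY, DA, SA, 0, bytes(forged), mic)


def replay_sequence(tscs) -> list:
    """Run a sequence of received TSC values through one receiver's replay check."""
    rx = TscReplayCheck()
    return [rx.accept(t) for t in tscs]


if __name__ == "__main__":
    print("MIC catches tampering:", tamper_detected())
    print("TSC decisions for [1, 2, 2, 5, 3]:", replay_sequence([1, 2, 2, 5, 3]))
```

Because the TSC is also the per-packet key input, it never repeats within the lifetime of a temporal key; the rekeying mechanism exists so the key is replaced long before the 48-bit counter could wrap.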

WiFi Protected Access will be forward compatible with the IEEE 802.11i security specification currently under development by the IEEE. WiFi Protected Access is a subset of the current 802.11i draft, taking the pieces that are ready to bring to market today, such as its 802.1X authentication and TKIP. These features can be enabled on most existing WiFi certified products as a software upgrade. The main pieces of the 802.11i draft not included in WiFi Protected Access are secure IBSS (ad hoc) operation, secure fast handoff, secure deauthentication and disassociation, and the stronger AES-based encryption protocol, CCMP. These features are either not yet ready for market or will require hardware upgrades to implement. The IEEE 802.11i specification is expected to be published at the end of 2003.

WiFi Protected Access effectively addresses the WLAN security requirements of the enterprise and provides strong encryption and authentication ahead of the ratification of the IEEE 802.11i standard. In an enterprise with IT resources, WiFi Protected Access should be used together with an authentication server such as RADIUS to provide centralized access control and management. With this in place, the need for add-on solutions such as VPNs may be eliminated, at least for the express purpose of securing the wireless link itself.

A.1.1 Typical Wireless Security Architectural Concerns

Normally, wireless networks are placed outside the institutional firewall(s). They typically use static WEP keys on the WLAN to keep administrative costs low, and a Network Intrusion Detection (NID) facility monitors for attacks emanating from the WLAN toward the Internet and other networks. As part of the architecture, it is normally recommended that neither the IP address range nor the domain name of the wireless network be associated with any existing internal network. This gives better segregation of wireless traffic and makes traffic to and from this network easier to identify and filter.

WLANs are normally treated as an untrusted network, like the Internet. Assuming that RF propagation is limited by a thorough site survey and by proper antenna and transmitter power settings, the WLAN represents no more significant a threat to internal networks than the Internet itself. Because roaming between APs is still vendor-proprietary, it is highly recommended that all APs be purchased from the same vendor. This ensures that an end station equipped with any 802.11-compatible NIC can roam between APs; in addition, any vendor-specific security improvements introduced later may themselves require homogeneous APs.

Concerns over WEP's ability to provide adequate security have led to additional measures. It is useful to think of securing the wireless LAN the way you protect the internal LAN from the public Internet. Using this framework, you could install two firewalls: one at the gateway into your corporate LAN and another between the LAN and the wireless network. The wireless firewall is configured to pass only VPN traffic. A remote user on the Internet reaches the corporate LAN through the VPN; likewise, a wireless user associates with and authenticates to the wireless infrastructure, then establishes a VPN tunnel across it, so the wireless data is encrypted by the VPN regardless of the state of WEP.

By segregating the wireless infrastructure from your wired network and allowing only VPN traffic to pass between them, you create a buffer zone that increases network security. In addition, IPSec, the main IP-layer encryption protocol used in VPN technology, makes traffic sniffing unproductive: even if an attacker recovers the WEP key with a tool such as AirSnort, the payload inside the tunnel remains encrypted. Another advantage of the VPN approach is that if you have already deployed a VPN, your remote users are already familiar with the limitations it imposes, so getting wireless users comfortable with similar limitations should be relatively easy.




Wireless Operational Security
ISBN: 1555583172
Year: 2004
Pages: 153