Wireless equipment vendors and enterprise IT departments have made several
attempts to address some of these security concerns. However, these solutions do
not address all of the security requirements of an enterprise wireless LAN
deployment. Moreover, these approaches significantly increase the overall cost of
the wireless LAN system. They require the purchase of multiple system components,
which are expensive to configure, deploy, administer, and maintain. Finally, many of
these approaches introduce proprietary or non-interoperable extensions to the
802.11b standard.
Dynamic WEP
To improve the security provided by WEP, many access point vendors have
introduced mechanisms for dynamically assigning WEP keys to clients when they
start communicating with an access point; some implementations will eventually
support periodically changing the WEP key while the device is using the wireless
LAN. These Dynamic WEP solutions eliminate the need for distributing and
managing a global WEP key at every client. By changing the WEP key frequently,
Dynamic WEP reduces the amount of traffic that is transmitted with a particular WEP
key and therefore limits the amount of data available to an intruder launching a cipher
attack.
However, Dynamic WEP does not address the underlying security problems with the
WEP standard—namely, that given enough encrypted traffic (approximately
1,000,000 packets), an attacker can crack the key. Therefore, with WEP, the
situation is simply a race between how quickly the attackers can break the WEP keys
and how quickly the network manager changes them. Current recommendations call
for WEP key regeneration after every 10,000 packets, which, even with normal
network use, can easily occur within 30 seconds. As additional WEP vulnerabilities
are exposed and as client processing power increases, the WEP key change rate
must increase in lockstep.
Today, Dynamic WEP solutions introduce other problems for network managers.
First, most of these solutions rely on proprietary mechanisms, therefore requiring that
client hardware, access points, and authentication services come from a single
vendor. Consequently, the solution is not cost-effective, limits future expansion of the
wireless deployment, and is impractical to maintain. With the emergence of
interoperable 802.11b equipment, enterprises are looking to select system
components based on price and feature comparisons; single vendor solutions can be
more expensive and can block access to the most advanced equipment on the
market. Furthermore, as manufacturers begin to embed 802.11b into laptops, PCs,
and PDAs, enterprises cannot guarantee that a single-vendor environment will
prevail. Similarly, guest users cannot be forced into using client hardware from a
particular manufacturer.
Second, Dynamic WEP does not address the security and management issues that
emerge in an enterprise using multiple short-range radio technologies. A recent
Mobile Insights poll of Fortune 500 IT executives revealed that 36% planned to
support at least two radio technologies and an additional 21% were undecided. To
protect their wireless LAN investment, enterprises must deploy infrastructure that can
easily extend to 802.11a, 802.11g, HiperLAN2, Bluetooth, 802.15, and other wireless
standards as they emerge. The infrastructure must even enable integration with
wide-area wireless access.
802.1x, EAP, and LEAP
Dynamic WEP solutions are usually combined with an implementation of the IEEE
802.1x standard, which provides for user authentication before granting network
access. The user authentication process uses the Extensible Authentication Protocol
(EAP), which enables a wide variety of actual authentication mechanisms. Cisco
has developed a proprietary form of EAP, known as Lightweight Extensible
Authentication Protocol (LEAP), that combines user authentication and Dynamic
WEP key generation.
When the client first connects to a wireless LAN access point that supports 802.1x,
the access point sends a challenge to the client. The client identifies itself, and,
through the exchange of EAP messages, the access point brokers an authentication
handshake (typically transmitting a user name and password) between the client and
an external authentication server. Once the authentication server signals a
successful authentication, the access point grants network access to the client. With
Cisco’s LEAP, the authentication server generates a WEP key for the session and
delivers it to both the access point and the client.
The 802.1x authentication addresses enterprises’ need to identify wireless LAN users
instead of relying solely on the client’s MAC address, as is required in today’s
802.11b networks. It also provides a mechanism, enforced at the access points, for
only granting authorized users access to the wireless LAN.
However, 802.1x does not address most of the enterprise security requirements:

The 802.1x system only supports an “all-or-none” model of access control. Having
authenticated successfully, a user gets full access to the network. The system
cannot accommodate guest users (who might get limited network access) or
recognize different classes of contractors, vendors, partners, or employees.

Because they are tied to proprietary Dynamic WEP implementations, current
802.1x systems inherit the same interoperability issues.

Many 802.1x systems do not work efficiently with client mobility. Typically, as a
user moves between access points, these schemes require a new authentication
handshake. Besides creating additional load on the authentication server and
therefore reducing the scalability of the system, this authentication step can
reduce the perceived system performance for mobile users.
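The 802.1x/EAP exchange described above, as an added Python model that is not part of the original paper and is not Cisco's LEAP: the access point only relays messages between the client and the authentication server, opens its port only when the server signals success, and then holds the session key the server delivers, while the password never reaches the access point. The HMAC challenge/response, the key derivation and the user database are constructed assumptions standing in for the vendor's actual scheme.

```python
import hashlib
import hmac
import os

def response(password, challenge):
    # Keyed challenge response: proves knowledge of the password without sending it
    return hmac.new(password.encode(), challenge, hashlib.sha256).digest()

def session_key(password, challenge):
    # Per-session 104-bit key from secret and challenge (an assumption, not LEAP's derivation)
    return hashlib.sha256(b"wlan-session" + challenge + password.encode()).digest()[:13]

class AuthServer:
    # External authentication server: besides the client, the only party holding passwords
    def __init__(self, users):
        self.users = users  # constructed user database: user -> password

    def verify(self, user, challenge, resp):
        # Returns the session key on success (EAP-Success) or None (EAP-Failure)
        password = self.users.get(user)
        if password is None or not hmac.compare_digest(response(password, challenge), resp):
            return None
        return session_key(password, challenge)

class Client:
    def __init__(self, user, password):
        self.user, self.password, self.session_key = user, password, None

    def handle_challenge(self, challenge):
        self.session_key = session_key(self.password, challenge)
        return response(self.password, challenge)

class AccessPoint:
    # Authenticator: relays EAP messages and opens its port only after EAP-Success
    def __init__(self, server):
        self.server, self.authorized = server, {}  # authorized: user -> session key

    def connect(self, client):
        challenge = os.urandom(16)                    # challenge chosen by the server, relayed
        resp = client.handle_challenge(challenge)     # client identifies itself and answers
        key = self.server.verify(client.user, challenge, resp)
        if key is None:
            return False                              # port stays blocked
        self.authorized[client.user] = key            # server delivers the session key to the AP
        return True

    def forwards_for(self, client):
        # All-or-none: an authenticated user gets full access, everyone else nothing
        key = self.authorized.get(client.user)
        return key is not None and key == client.session_key
```

A failed attempt leaves the port blocked and an earlier legitimate session untouched, which is the enforcement point the access point provides; what it cannot express is any access level between "nothing" and "everything".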
 
Firewalls and Encrypted Tunnels
Having concluded that wireless LANs are as insecure as the Internet at large, many
enterprises have simply chosen to formally treat them that way. The resulting
network architecture—“the Internet inside the intranet”—adopts Internet remote
access technologies to control wireless LAN access to the wired LAN.
In such a system, an extra firewall separates the wireless LAN access points from the
wired LAN; the access points are connected to the firewall either by a direct cable
connection or by means of a VLAN. The firewall supports packet filtering and can be
used as a point of control for detecting network attacks. This firewall includes Virtual
Private Network (VPN) software, implementing protocols such as IPSec, L2F,
PPTP, or L2TP. To access the corporate LAN, the client “logs in” to the firewall
and establishes a VPN tunnel. The VPN encrypts all wireless LAN data traffic using
standard, well-studied algorithms.
Though it is an effective approach to wireless LAN security, the firewall/VPN solution
poses several challenges.
First, the firewall/VPN introduces a significant scalability bottleneck, because all
wireless traffic must pass through it. The firewall must have adequate network
connectivity to support the data flow, possibly requiring a gigabit Ethernet backbone
in even modest wireless LAN installations. VPN encryption requires considerable
computational cycles, often demanding special hardware to provide cryptographic
acceleration. Few VPN systems are designed to scale to levels capable of
supporting a full enterprise user population.
Second, the firewall/VPN solution is expensive. As we have seen, the VPN software
requires an expensive server with a cryptographic accelerator. The firewall and VPN,
typically purchased to support only a limited percentage of enterprise users, must be
scaled to support the entire enterprise. Furthermore, because the firewall/VPN is a
single point of failure, the network manager must plan for rapid fail-over capability,
with duplicate hardware and software configurations.
Third, the solution introduces deployment challenges. VPN software is notorious for
its interoperability problems; in many cases, the VPN server is only compatible with a
particular VPN client. VPN software may not be available for all wireless clients,
particularly handheld devices.
Fourth, the firewall/VPN limits the flexibility of the wireless LAN. All users must
authenticate to the firewall, and all wireless communication must be encrypted
through the VPN. This is particularly problematic for guests, contractors, and other
temporary network users who might not have the required VPN client software
installed on their devices, and managing these users’ registration on the VPN server
represents a substantial management burden for the enterprise. In addition, it
imposes encryption on traffic—such as Internet traffic—that need not be protected;
this introduces additional load on the firewall server while unnecessarily complicating
use of the wireless LAN for simple Internet access.
Finally, the VPN solution requires that end users be actively involved in enforcing
data security. Users must be trained to launch and use the VPN client when
accessing the wireless LAN, and they must remember to do so. Unless proprietary
key management techniques are used with the VPN
software, the enterprise must administer and disseminate shared secret keys to all
users. This complexity increases the chances of mistakes or, worse, the likelihood
that users will actively attempt to avoid the security measures that are in place.