Avoid Wireless LAN Security Pitfalls
by Dave Juitt - CTO, Bluesocket Inc. - Friday, 17 January 2003.
With security defined as one of the main roadblocks to WLAN growth, the question is: Does the new 802.1x do enough to enhance the security of wireless LANs and of other mobile products?

Security Basics

Network security, whether wired or wireless, involves five major activities. Particular security standards or technologies can involve one, two or all five, but any user session must pass through at least these five steps in a secure environment. The steps are:

1) Authentication, which can be handled through identification numbers, user names and passwords, or digital certificates.

2) Authorization, which provides permissions that allow access to vary by user, including the types of systems each user can access, as well as setting priorities.

3) Privacy, which focuses on data confidentiality, usually ensured by the use of encryption.

4) Administration, the ability to manage distributed systems from a central point either for regular maintenance or to respond to an emergency or attack.

5) Accessibility, which focuses on defining Class of Service by user, and in the case of wireless, providing secure mobility.

Although a security system typically involves those five major components, 802.1x is a standard that addresses only authentication and key management for networks. Thus it is a standard focused on roughly two parts of a multi-dimensional challenge to implementing and maintaining a secured, functional network. Extensions to the 802.1x framework (EAP) are progressing to provide authorization.

A Perfect Solution?

802.1x is a large step forward for authentication and access control, and it addresses some of the known issues involving wireless LAN security. A comparison of 802.1x and standard 802.11 security is shown in Table 1. As you can see, there are many advantages to 802.1x. However, as with any fledgling technology or standard, the IT professional should also be concerned with potential problems or limitations.

802.1x is a Framework

As a publicly ratified standard, 802.1x does not mandate specific security procedures. Vendors are free to implement authentication only or authentication and encryption together. Make sure you choose a vendor that implements both authentication and encryption. Bottom line: authentication without encryption is not secure.

Several vendors have implemented proprietary security frameworks based on the emerging 802.1x standard. These product implementations require users to single-source their vendors, choosing only one vendor's Access Points and PC cards to gain the 802.1x security advantages.

As 802.1x becomes built into more and more operating systems, interoperability with all vendors who support the standard will be available. However, at this time 802.1x is only supported in Microsoft's Windows XP. True interoperability with 802.1x will be dependent on the purchase of Microsoft's Windows XP or a future Service Pack update to Windows 2000.

Also, an authentication server is required. Typically, this will be a RADIUS server. Currently, Microsoft Windows 2000 Server, Cisco ACS, Funk RADIUS and Interlink Networks RADIUS all support 802.1x.

All or Nothing Access

Once a user has authenticated, they are granted full access to the network. 802.1x does not provide any granularity to control who can access particular services or destinations, so it's all or nothing access. This is not a problem if your company does not mind that a guest or contractor can easily access your finance server, or that a university student can access the Administration server as easily as the Internet. However, reality dictates that everyone is NOT treated equally on LANs.
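To make the gap concrete, here is an added example (not code from the article or from Bluesocket) of the per-user authorization step that 802.1x leaves to some other component: a default-deny, first-match role policy that a gateway would consult after authentication succeeds, with a per-role Class of Service field of the kind step 5 above describes. The user names, roles and addresses are constructed sample data, and the 802.1x-only function models the "all or nothing" behaviour for comparison.

```python
"""Post-authentication authorization check that 802.1x itself does not perform."""
import ipaddress

# Constructed sample topology: one internal network holding two sensitive hosts.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
FINANCE_SERVER = ipaddress.ip_network("10.1.1.10/32")
ADMIN_SERVER = ipaddress.ip_network("10.1.1.20/32")
ANY = ipaddress.ip_network("0.0.0.0/0")

# Per-role policy: ordered (network, port or None, verdict) rules, first match wins.
# "cos" is the role's Class of Service (1 = highest priority); constructed values.
ROLE_POLICY = {
    "staff":   {"cos": 1, "rules": [(INTERNAL_NET, None, "allow"), (ANY, None, "allow")]},
    "student": {"cos": 2, "rules": [(ADMIN_SERVER, None, "deny"), (ANY, None, "allow")]},
    "guest":   {"cos": 3, "rules": [(INTERNAL_NET, None, "deny"),
                                    (ANY, 443, "allow"), (ANY, 80, "allow")]},
}

# Constructed identity-to-role mapping, as a RADIUS server or directory might return it.
USER_ROLES = {"alice": "staff", "bob": "student", "visitor1": "guest"}


def authorize_8021x_only(user, dst_ip, dst_port, authenticated=True):
    """Model of 802.1x alone: any authenticated identity reaches any destination."""
    return "allow" if authenticated else "deny"


def authorize(user, dst_ip, dst_port, authenticated=True):
    """Return (verdict, cos) for one flow after consulting the role policy.

    Unauthenticated users, authenticated users with no role, and flows that
    match no rule are all denied (default deny).
    """
    if not authenticated:
        return ("deny", None)
    role = USER_ROLES.get(user)
    if role is None:
        return ("deny", None)
    policy = ROLE_POLICY[role]
    dst = ipaddress.ip_address(dst_ip)
    for net, port, verdict in policy["rules"]:
        if dst in net and (port is None or port == dst_port):
            return (verdict, policy["cos"])
    return ("deny", policy["cos"])


if __name__ == "__main__":
    # A guest reaching the finance server: allowed by 802.1x alone, denied by policy.
    print(authorize_8021x_only("visitor1", "10.1.1.10", 445), authorize("visitor1", "10.1.1.10", 445))
```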

In the End, 802.1x Is Still WEP

802.1x provides improvements in privacy by using dynamic, per-user, per-session keys, a better solution than WEP's fixed keys. However, the underlying WEP mechanism is unchanged. This is still a major concern, summed up by Ron Rivest, who developed the encryption algorithm for WEP, dubbed RC4:
