Avoid Wireless LAN Security Pitfalls
by Dave Juitt - CTO, Bluesocket Inc. - Friday, 17 January 2003.
"Those who are using the RC4-based WEP or WEP2 protocols to provide confidentiality of their 802.11 communications should consider these protocols to be broken," Rivest says, "and plan remedial actions as necessary to mitigate the attendant risks. Actions to be considered should include using encryption at higher protocol layers and upgrading to improved 802.11 standards when these become available."

Better encryption is on the way. The Temporal Key Integrity Protocol (TKIP) keeps RC4 but wraps it in per-packet key mixing and a rapid re-keying scheme (the base key is rotated roughly every 10,000 packets) so that a keystream is never reused, and it adds a keyed message integrity check in place of WEP's CRC-32; it is designed as a firmware upgrade that addresses WEP's known vulnerabilities. Standards bodies are also specifying the Advanced Encryption Standard (AES) as the replacement for RC4 in future versions of 802.11 security. AES is the successor to DES (Data Encryption Standard): it is the Rijndael algorithm, selected by NIST after several years of public analysis and published as FIPS 197 to protect sensitive US Government information.
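To make concrete why Rivest calls WEP broken and why TKIP's per-packet keys matter, the following is an added example (not code from the original article or from Bluesocket) that reimplements WEP's framing in Python: RC4 keyed with IV || key, a CRC-32 integrity check value, and a 24-bit IV. The key, IV and frame contents are constructed for the demonstration. It shows the two classic consequences of that design: a repeated IV lets an eavesdropper recover one frame's plaintext from another's, and the linearity of CRC-32 lets an attacker flip chosen plaintext bits in a captured frame and fix the ICV without knowing the key.

```python
import zlib

IV_LEN = 3   # WEP prepends a 24-bit IV to the 40- or 104-bit shared key


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key scheduling (KSA) followed by the PRGA; returns `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP's integrity check value: an unkeyed CRC-32 of the plaintext, little-endian."""
    return zlib.crc32(data).to_bytes(4, "little")


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    body = plaintext + icv(plaintext)
    return iv + xor(body, rc4_keystream(iv + key, len(body)))


def wep_decrypt(key: bytes, frame: bytes) -> bytes:
    iv, ct = frame[:IV_LEN], frame[IV_LEN:]
    body = xor(ct, rc4_keystream(iv + key, len(ct)))
    plaintext, tag = body[:-4], body[-4:]
    if tag != icv(plaintext):
        raise ValueError("ICV check failed")
    return plaintext


def recover_by_iv_reuse(frame_a: bytes, known_plaintext_a: bytes, frame_b: bytes) -> bytes:
    """Two frames sent under the same IV share one keystream, so
    C_a XOR C_b = P_a XOR P_b; knowing P_a reveals P_b without the key."""
    if frame_a[:IV_LEN] != frame_b[:IV_LEN]:
        raise ValueError("frames use different IVs")
    n = min(len(known_plaintext_a), len(frame_b) - IV_LEN - 4)
    ct_a, ct_b = frame_a[IV_LEN:IV_LEN + n], frame_b[IV_LEN:IV_LEN + n]
    return xor(xor(ct_a, ct_b), known_plaintext_a[:n])


def tamper(frame: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Flip plaintext bits inside an encrypted frame, without the key, and patch the
    ICV so it still verifies. CRC-32 is affine: crc(P ^ D) = crc(P) ^ crc(D) ^ crc(0..0)."""
    ct = frame[IV_LEN:]
    delta = bytearray(len(ct) - 4)
    delta[offset:offset + len(old)] = xor(old, new)
    delta = bytes(delta)
    icv_fix = xor(icv(delta), icv(bytes(len(delta))))
    return frame[:IV_LEN] + xor(ct, delta + icv_fix)


KEY = bytes.fromhex("0123456789")   # constructed 40-bit WEP key
IV = bytes.fromhex("a1b2c3")        # one IV value; a busy AP cycles through all 2^24 in hours


def demo():
    request = b"GET /index.html HTTP/1.0"            # plaintext an eavesdropper can guess
    cookie = b"session=deadbeef; role=user"          # plaintext the eavesdropper wants
    frame_request = wep_encrypt(KEY, IV, request)
    frame_cookie = wep_encrypt(KEY, IV, cookie)      # same IV, so same RC4 keystream
    leaked = recover_by_iv_reuse(frame_request, request, frame_cookie)
    forged = tamper(frame_cookie, cookie.index(b"user"), b"user", b"root")
    return leaked, wep_decrypt(KEY, forged)          # the AP accepts the forged frame


if __name__ == "__main__":
    leaked, escalated = demo()
    print("recovered from IV reuse:", leaked)
    print("accepted after bit flip :", escalated)
```

Neither attack touches RC4 itself; both follow from WEP reusing keystreams and using an unkeyed checksum, which is exactly what TKIP's per-packet keys and keyed MIC, and AES-based successors, remove.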

But you don't have to wait for better encryption. Many security experts recommend the Internet Protocol Security (IPsec) standard, which has been deployed in global networks for more than five years, to keep data from being read, used or corrupted by an untrusted party. Because IPsec protects traffic at the network layer, it does its job regardless of whether the WLAN's own link-layer encryption is sound.

Phil Belanger, past chairman and current marketing director of the Wireless Ethernet Compatibility Alliance (WECA) agrees. "We've always said that if privacy is a concern, you need to be using end-to-end security mechanisms, like VPNs, based on IPSec along with the WLAN. Even if WEP wasn't compromised, you ought to be doing that."

However, once a tunnel is open, the device and user behind it are usually assumed to be trustworthy. In a wireless network you must continue to treat the user as mobile and, literally, as connecting to your network over the air. It therefore makes sense to terminate the tunnel at a gateway on the edge of the trusted network, so that each packet is decrypted there and checked against the authenticated user's authorization policy before it is forwarded.
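What that per-packet check looks like at the tunnel endpoint, as an added example that is not part of the original article or any Bluesocket product: the gateway keeps a table mapping each tunnel's inner address to the user who authenticated it, parses the IPv4 and TCP/UDP headers of every decrypted packet, and applies that user's role policy. The session table, the role policies and the packets are constructed sample data; the packet builder exists only so the example runs offline.

```python
import ipaddress
import struct

# Session table the gateway built when each VPN tunnel came up (constructed sample data):
# inner tunnel address -> (authenticated user, role).
SESSIONS = {
    "10.8.0.5": ("alice", "staff"),
    "10.8.0.9": ("guest-17", "guest"),
}

# Per-role policy, evaluated top-down, first match wins: (verdict, destination, protocol, port).
POLICY = {
    "staff": [
        ("allow", "10.1.0.0/16", "tcp", None),      # internal servers
        ("allow", "0.0.0.0/0", "udp", 53),
        ("deny", "0.0.0.0/0", None, None),
    ],
    "guest": [
        ("deny", "10.0.0.0/8", None, None),          # no internal reach at all
        ("allow", "0.0.0.0/0", "udp", 53),
        ("allow", "0.0.0.0/0", "tcp", 80),
        ("allow", "0.0.0.0/0", "tcp", 443),
        ("deny", "0.0.0.0/0", None, None),
    ],
}
PROTO = {6: "tcp", 17: "udp"}


def parse_inner_packet(pkt: bytes) -> dict:
    """Minimal IPv4 + TCP/UDP header parse of a packet just decrypted from the tunnel."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    dport = None
    if proto in PROTO and len(pkt) >= ihl + 4:
        dport = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
    return {"src": src, "dst": dst, "proto": PROTO.get(proto), "dport": dport}


def authorize(pkt: bytes) -> tuple:
    """Per-packet check at the tunnel endpoint: bind the packet to the user who
    authenticated this inner address, then apply that user's role policy.
    Returns (verdict, user, matched rule)."""
    hdr = parse_inner_packet(pkt)
    session = SESSIONS.get(hdr["src"])
    if session is None:
        # An inner address nobody authenticated is a spoof or a stale tunnel: drop it.
        return "deny", None, "no authenticated session for inner address"
    user, role = session
    dst = ipaddress.IPv4Address(hdr["dst"])
    for verdict, net, proto, port in POLICY[role]:
        if dst not in ipaddress.IPv4Network(net):
            continue
        if proto is not None and proto != hdr["proto"]:
            continue
        if port is not None and port != hdr["dport"]:
            continue
        return verdict, user, f"{net} {proto or 'any'} {port or 'any'}"
    return "deny", user, "implicit deny"


def ipv4_packet(src: str, dst: str, proto: int, dport: int) -> bytes:
    """Build a constructed IPv4 packet with a bare L4 header (checksums left zero)."""
    l4 = struct.pack("!HH", 40000, dport) + bytes(16)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + l4


if __name__ == "__main__":
    for who, dst, proto, port in [("10.8.0.5", "10.1.2.3", 6, 445),
                                  ("10.8.0.9", "10.1.2.3", 6, 80),
                                  ("10.8.0.9", "93.184.216.34", 6, 443),
                                  ("10.8.0.77", "10.1.2.3", 6, 80)]:
        print(who, "->", dst, port, authorize(ipv4_packet(who, dst, proto, port)))
```

The point of evaluating per packet rather than per tunnel is the unknown-address case and the role rules: a tunnel that was legitimately opened by a guest still cannot carry traffic toward the internal range, and a packet whose inner source nobody authenticated is dropped even though it arrived through a valid tunnel.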

What about PDAs?

IT managers are faced with the rapid proliferation of PDAs and other hand-held devices, and with them the crucial question of how to grant them access to the network. As we examined earlier, the 802.1x standard would be a good first step, but many of the mobile operating systems now widely deployed, such as Microsoft Pocket PC 2002, do not support it. Further, unlike on PCs, there is little support even for a vendor-specific 802.1x-like solution.

Currently, the only way to reach an acceptable security level on these devices is a VPN tunnel. This can be accomplished using the built-in Point-to-Point Tunneling Protocol (PPTP) client or a third-party IPsec client. PPTP is not IPsec, however: it depends on MS-CHAP authentication and MPPE's RC4 encryption, both of which have published weaknesses, so prefer an IPsec client wherever the device can run one.

The Requirement for "Access Servers"

Microsoft and other companies recommend deploying an access server to cover the areas of security that are not easily managed otherwise: support for multiple Access Points, for PDA operating systems and applications, for different authentication systems, and so on.

For those using 802.1x security, an access server relays authentication requests from the Access Point to the authentication server transparently. This is a requirement in any network with a mixed environment of Access Points, NICs and devices from multiple vendors, and in environments that will be only partially 802.1x-enabled for some time to come. In this role the access server is effectively a RADIUS proxy, and it should validate each request it relays rather than forward it blindly.
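The relaying step described above, as an added example that is not part of the original article or of any vendor's product: in 802.1x deployments the Access Point carries EAP inside RADIUS, and RFC 3579 requires such Access-Requests to carry a Message-Authenticator (HMAC-MD5 keyed with the shared secret); the reply's Response Authenticator (RFC 2865) is MD5 over the reply, the original Request Authenticator and the secret. The Python below builds and checks both on constructed packets, and shows what an access server sitting between AP and authentication server has to do: verify the AP's hop with the AP's secret, then re-sign the same attributes under the authentication server's secret with a fresh Request Authenticator. The secrets, attributes and EAP payload are constructed sample data.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 4, 79, 80


def encode_attrs(attrs):
    """RADIUS attributes are TLVs: type (1 byte), total length (1 byte), value."""
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)


def decode_attrs(data, base=20):
    """Yield (type, value, absolute offset of the value); reject malformed lengths."""
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        yield t, data[i + 2:i + length], base + i + 2
        i += length


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def sign_request(ident, request_auth, attrs, secret):
    """Access-Request with EAP must carry Message-Authenticator (RFC 3579):
    HMAC-MD5 keyed with the shared secret over the packet with that field zeroed."""
    attrs = attrs + [(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))]
    zeroed = build_packet(ACCESS_REQUEST, ident, request_auth, attrs)
    attrs[-1] = (ATTR_MESSAGE_AUTHENTICATOR, hmac.new(secret, zeroed, hashlib.md5).digest())
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs)


def verify_message_authenticator(pkt, secret):
    if len(pkt) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        return False
    try:
        for t, v, off in decode_attrs(pkt[20:]):
            if t == ATTR_MESSAGE_AUTHENTICATOR and len(v) == 16:
                zeroed = pkt[:off] + bytes(16) + pkt[off + 16:]
                expected = hmac.new(secret, zeroed, hashlib.md5).digest()
                return hmac.compare_digest(expected, v)
    except ValueError:
        return False
    return False   # EAP over RADIUS without a Message-Authenticator is dropped


def sign_response(code, ident, request_auth, attrs, secret):
    """Response Authenticator (RFC 2865): MD5(Code | ID | Length | RequestAuth | Attrs | Secret)."""
    body = encode_attrs(attrs)
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    return head + hashlib.md5(head + request_auth + body + secret).digest() + body


def verify_response(resp, request_auth, secret):
    if len(resp) < 20 or struct.unpack("!H", resp[2:4])[0] != len(resp):
        return False
    expected = hashlib.md5(resp[:4] + request_auth + resp[20:] + secret).digest()
    return hmac.compare_digest(expected, resp[4:20])


def proxy_to_auth_server(pkt, ap_secret, server_secret):
    """The access server in the middle: check the AP's copy, then re-sign the same
    attributes (minus the AP-hop Message-Authenticator) under the server's secret."""
    if not verify_message_authenticator(pkt, ap_secret):
        raise ValueError("dropping Access-Request with bad Message-Authenticator")
    attrs = [(t, v) for t, v, _ in decode_attrs(pkt[20:]) if t != ATTR_MESSAGE_AUTHENTICATOR]
    hop_request_auth = os.urandom(16)          # fresh per hop; needed to check the reply
    return sign_request(pkt[1], hop_request_auth, attrs, server_secret), hop_request_auth


AP_SECRET, SERVER_SECRET = b"ap-shared-secret", b"radius-shared-secret"   # constructed
# Constructed EAP Response/Identity: code 2, id 1, length 10, type 1 (Identity), "alice".
EAP_RESPONSE_IDENTITY = bytes([2, 1, 0, 10, 1]) + b"alice"
AP_ATTRS = [(ATTR_USER_NAME, b"alice"),
            (ATTR_NAS_IP_ADDRESS, bytes([10, 0, 0, 2])),
            (ATTR_EAP_MESSAGE, EAP_RESPONSE_IDENTITY)]


if __name__ == "__main__":
    from_ap = sign_request(7, os.urandom(16), AP_ATTRS, AP_SECRET)
    to_server, hop_auth = proxy_to_auth_server(from_ap, AP_SECRET, SERVER_SECRET)
    accept = sign_response(ACCESS_ACCEPT, 7, hop_auth, [(ATTR_USER_NAME, b"alice")], SERVER_SECRET)
    print("reply genuine:", verify_response(accept, hop_auth, SERVER_SECRET))
```

The two checks protect different hops: the Message-Authenticator stops an attacker on the AP side from injecting or altering EAP requests, and the Response Authenticator stops anyone on the server side from forging an Access-Accept, which is the reply that opens the port.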

Bottom Line Recommendations for 802.1x and Beyond

IT professionals are faced with many issues when implementing WLANs. The following are recommended practices when purchasing and deploying a complete solution:
