For any corporate wireless infrastructure to remain secure, using 802.1X for authentication is a must - after all, it provides much more granular control of authentication credentials and can provide accounting for wireless LAN usage. Setting everything up can be a complex process fraught with choosing the right EAP type that both your clients and your RADIUS server supports in addition to putting in place the PKI infrastructure that some EAP types require. During this whole process one thing can often be overlooked - the security of the RADIUS server itself.
Unfortunately, this is a very important aspect of any secure WLAN deployment since the RADIUS server is the key to the whole operation. The RADIUS server (and its data store or authentication backend) is what controls access to the network and additionally supplies the keys used by the AP and wireless client to encrypt a given station's traffic.
The first place to start is to secure the system being used for the RADIUS server. There are various techniques to use for this, but at the most basic level you should dedicate a single server to the task. This limits the exposure of the RADIUS server and insures that vulnerabilities in other services running on the system do not lead to the RADIUS server being compromised. Accounts that are allowed to login to the server should be limited too.
The next thing to be done is to limit what can communicate with your RADIUS server. In order to operate, the RADIUS server needs to be able to communicate with your authentication backend (e.g., an LDAP or SQL server) and each of your Network Access Servers (NAS), which in the case of a wireless network are your APs. So with this in mind, firewall rules should be put in place to enforce this requirement and ensure that no other systems can communicate with your RADIUS server, save systems on your management LAN.
Additionally you'll want to protect the communications between your RADIUS server, authentication backend, and APs with encryption. For the connection between your RADIUS server and authentication backend this will likely mean either SSL or IPsec. For instance if you're using an LDAP directory to store authentication information, you can easily use SSL to encrypt traffic to and from it. If you're using a backend that isn't so easily amenable to using SSL then you can use IPsec (ESP w/3DES or AES ciphers). Similarly, you should encrypt communications between your APs with IPsec as well.
Last, but not least in importance is your RADIUS shared secret. This is used by the RADIUS server and the NAS devices to secure the traffic between them. If you're able to use IPsec between the server and the APs, then this is just an extra layer of defense. However, if you're not able to do that then it's crucial that you choose unique shared secrets for each of your APs and make sure that you use strong passwords that include letters, numbers, and symbols. In addition you should use a password that is the maximum length allowed by your RADIUS server and APs.
Using any one of these methods will increase the security of your RADIUS server and by extension your wireless LAN deployment, but taken together as a layered approach they are much stronger.
Andrew Lockhart is lead security analyst at Network Chemistry, author of O'Reilly Media's Network Security Hacks, and author of Snort-Wireless, an open source project adding wireless intrusion detection to Snort. He is also an editorial board member of the WVE.
- +
Strategies for Dealing With IT Complexity 24/12/2007 10:30:47
Every innovation, every business process improvement, comes with an IT complexity tax that must be paid by CIOs in time, money and sweat. Here are strategies to mitigate the increasing complexity of IT as it enables new business.Every innovation, every business process improvement, comes with an IT complexity tax that must be paid by CIOs in time, money and sweat. Here are strategies to mitigate the increasing complexity of IT as it enables new business. - +
Ticked Off at Tick the Box Mentality 04/02/2008 13:01:15
Does your executive search firm know the difference between an MIS manager and a CIO, and if it does, can it explain that difference to its corporate clients?Does your executive search firm know its MIS managers from its elbow? Does it even know the difference between an MIS manager and a CIO, and if it does, can it explain that difference to its corporate clients?
Read up on the latest ideas and technologies from companies that sell hardware, software and services. Zones provide focussed content from Computerworld and leading technology partners.
Discover how SOA can create smarter outcomes for your business.
Attend and learn:
- How SOA is helping leading companies to become more agile
- Where you should be applying SOA processes in your company
- The top SOA implementation mistakes to avoid
Click here for more information.
- +
Computerworld Live Podcast #97: The Future of Enterprise Networking 25/07/2008 09:45:36
This week CW Live chats with Mark Thompson, global sales and marketing manager for HP ProCurve, on the future of the enterprise networking. Mark discusses the trends we can expect to see in the near future and how the right infrastructure can ensure your enterprise network is secure. - +
Computerworld Live Podcast #96: Security at the Edge 11/06/2008 09:22:22
CW Live speaks with Amol Mitra, HP ProCurve Director of Marketing for Asia Pacific and Japan. Today's topic: how enterprises are starting to shift away from simply controlling security via server logins, firewalls and moving to more adaptive security frameworks. - +
Data Management Edition #10: Multi-Petascale Systems 02/05/2008 09:12:33
This week we look at sustainability and the development of multicore technologies to build multi-petascale systems. - +
IT Security Edition #11: How to poison the Storm botnet 01/05/2008 08:51:55
This week CW Live presents a case study on how to poison the notorious Storm botnet . Plus we take a look at Cisco's plans for Ironport. - +
IT Security Edition #10: Cyber-battles fought and won 24/04/2008 11:09:47
Vendors bow to end user pressure to improve product security, and we take a look at the latest concepts shaping the cyber-battlefield of the future.
ComOps Deploys Corporate Performance Reporting Solution For Healthcare Test Manufacturer 2008-12-02 10:09:00+11
Mornington Peninsula Shire implements Objective to manage knowledge and deliver service excellence 2008-12-02 09:56:00+11
Virtual magic: HR specialist throws out 40 servers, adds 8TB SAN and saves $100,000 for disaster recovery 2008-12-01 15:28:00+11
Sybiz adds up for SMEs in downturn 2008-12-01 14:27:00+11
EXCOM scores back-to-back award trifecta 2008-12-01 10:46:00+11
Business Intelligence and Enterprise Performance Management: Trends for Emerging Businesses
Hyperion surveyed 163 companies to understand BI and EPM requirements, evaluation processes, and extent of adoption. Top areas of current and future investment for emerging businesses include budgeting and planning as well as management reporting solutions. Read on to discover more.
Buying Guides
Latest Products
