Eye on 802.11i
- 15 March, 2005 10:58
Vendors will tell you that upgrading from the interim security standard Wi-Fi Protected Access to the fully baked 802.11i protocol will be fairly simple, straightforward and worth the effort. But analysts and end users warn that there are lots of wrinkles to an 802.11i upgrade, including the fact that you might have to buy new hardware. After analyzing costs and other issues, some users have decided that WPA is good enough for now.
At the very least, moving to 802.11i means managing firmware upgrades on both access points and clients. That's if you have relatively new hardware. If not, you'll have to swap out your old gear for new access points that can handle Advanced Encryption Standard (AES ) encryption.
Plus, you'll need to install authentication servers and certificate-authority servers (if you don't already have one in place), and add a whole new protocol to the networks. That's because 802.11i manages the encryption part of wireless LAN security, but you also need authentication, which means implementing 802.1X, another relatively new protocol.
"Anyone who tells you it's simple is not telling you the straight story," says Kenneth Dulaney, an analyst at Gartner. "You're adding two encryption methods and one authentication scheme. That's not simple."
WPA uses temporal key integration protocol (TKIP) encryption, while 802.11i uses AES. Because WPA is a subset of the fuller-featured 802.11i, WPA-enabled access points usually can support both encryption methods.
"If you have first-generation access points, you've just inherited a doorstop," says Michael Disabato, networking service director at Burton Group. "That's not the worst thing in the world because there are numerous reasons you want the older stuff to go away if you can afford it. The receivers are better, they have better range. Lots of reasons."
What if you can't afford it? Cost is a major reason why the Boston Public Library is holding off on an 802.11i upgrade, according to Systems Officer Carolyn Coulter.
The library provides free wireless access in its public rooms for patrons and staff, so the network has to be pretty open. "We never know what kind of equipment the public is going to walk in with," Coulter says.
Coulter runs Cisco equipment on both wired and wireless networks, but uses a Bluesocket wireless gateway for access control and encryption, rather than WPA.
"We'd like to be as up-to-the-minute as we can with security. But finances are an issue because we're a public entity," she says. Coulter would like to migrate to 802.11i, or add it to her current security options; but without a pressing reason, she's one of a number of network managers who seem comfortable with their present levels of security.
For example, concrete and building-materials conglomerate RMC Group is in the middle of a migration to VoIP; is updating and standardizing its mail servers; and is updating its routers, switches and hubs, according to Dave Miller, project office manager at RMC in Atlanta.
"We'd like to stay as close as possible to the latest security protocols," he says. "We're using [Wired Equivalent Privacy ], and we do have some security concerns, but we're focused on these other projects and we're undergoing an acquisition [by Cemex], so we're holding off a little for those reasons."
Alternatives to 802.11i
Other security approaches might be easier and more cost-effective, according to Chris Cerny, manager of enterprise networking at Community Health Network and the Indiana Heart Hospital in Indianapolis.
Rather than rely on WPA to supply encryption, every approved device has a VPN client that encrypts traffic, handles routing with a DHCP server, then authenticates the user's device and password to a Cisco authentication server.
"At the time we installed this, security wasn't a done deal for wireless, and apparently it's still not," Cerny says. "We figured, whatever the methodology of the day was, we already had a VPN concentrator, [access control list] and Cisco authenticator, and that all works very nicely. Of course, the doctors don't like it because they have to authenticate several times."
Cerny uses 802.11a access points wherever feasible, and uses 802.11b for VoIP phones; the 802.11b access points use a list that contains all the media access control addresses for every phone in the hospital system. "It's a very long list," Cerny says. "But if you're not on it, you don't get on the network."
The system leaves unregulated hot spots in lobbies and elsewhere, but because no unauthorized machines can access the internal network, Cerny's not concerned. "We don't really care if they use your bandwidth to get on the Internet; they can't get to anything inside our network," she says. "It's a very simple deployment; very few hands in the cookie jar."
The Boston Public Library uses a similar setup with a Bluesocket WLAN gateway for the Wi-Fi connections it offers within its main branch, Coulter says. The Bluesocket server handles encryption and access control using both WPA and IPSec encryption. The Bluesocket gear also handles role-based access lists that define access based on a user's role in the organization, broad-based policy management to let network managers reconfigure WLAN access more easily, and QoS . "We do make people download certificates, but otherwise we have to make it as easy for people as we can," Coulter says.
Look before you LEAP
Interoperability is a potential land mine for users. Dulaney says that while 802.11i encryption protocols are fairly standard, the authentication methods in 802.1X aren't. "The 802.1X spec is not hard and fast, there are interpretations to be made," he says, which means each vendor's version could be slightly different from every other's.
Most vendors use the Extensible Authentication Protocol (EAP) to communicate port-access requests between the client and the access point. But EAP packets only carry the requests; the protocol doesn't include descriptions of how to manage the authentication itself. For that, you have to pick one of several EAP implementations, including Transport Layer Security (EAP-TLS) or EAP Tunneled Transport Layer Security (EAP-TTLS), any of which are acceptable under the 802.1X framework, but not all of which are interoperable.
Cisco developed Lightweight Extensible Authentication Protocol (LEAP). But testers showed that LEAP could be cracked by a simple dictionary attack, so Cisco is replacing it with a new EAP-FAST (Flexible Authentication via Secure Tunneling).
Yet another twist comes from Microsoft, which developed a Protected EAP (PEAP) with help from Cisco and RSA Security. Unlike EAP-FAST, in which both client and server are issued keys before any communication takes place, PEAP relies on certificates that have to be generated by an authentication server. Microsoft ships PEAP in some versions of Windows XP, providing certificates using its Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP) or Cisco's Generic Token Card certificate.
Almost any kind of certificate is allowed under 802.1X as is any authentication protocol, according to Shripati Acharya, director of product management in the wireless networking business unit at Cisco.
The bottom line, according to Dulaney: "Even if you do see 802.11i certification on a product, you probably won't be able to make every product work with every other product. You have to ask vendors what products they're certified for." Certification trepidation
Finally, many end users shy away from using certificate-based systems of any kind, says Jeff Keenan, a principal at integrator Keenan Systems. It's just too complicated to have a certificate server authenticated by an external authority so it can issue certificates, then keep the certificates on servers and mobile clients fully synchronized.
"I only work with two or three companies that have certificates, and at least one has a whole department to manage it. Other companies use RSA, hard tokens or other ways to get around issuing certificates," he says. "It's a big headache even once it's running."
But IT and security professionals realize that they could face even bigger headaches if they don't at some point upgrade to the most advanced wireless security standards.
Disabato says, "There's a lot of regulatory fear out there for people affected by [Health Insurance Portability and Accountability Act], Sarbanes-Oxley, Gramm-Leach Bliley. People are nervous. If you get caught on something under Sarbanes-Oxley, and you have WPA2 running, you can at least say you did the best you could with the technology that was available."