Feature: Fast-tracking WLAN security
- 14 March, 2002 09:00
Like an alarm bell sounding in the firehouse, the WLAN (wireless LAN) industry scrambled when the Fluhrer, Mantin, and Shamir paper "Weaknesses in the Key Scheduling Algorithm of RC4" revealed how easy it was to crack IEEE 802.11 wireless Ethernet (WLAN) security.
A lot was at stake for WLAN vendors: Any legitimate threat to the integrity of the network could put a major hold on its growing corporate and government business.
In fact, the U.S. Army halted its CAISI (Combat Service Support Automated Information System Interface) project, which was about to deploy 11,000 access points with 85,000 users for battlefield logistics support. When the news emerged about the WEP (Wired Equivalent Privacy) key being broken, the Army had no choice but to issue a directive, says Pete Johnson, CIO of the Program Executive Office of Enterprise Information Systems in Virginia.
"Last November we became aware that WEP had been exploited. The Army issued a policy that said anybody using WLANs had to shut them down," Johnson explains.
Because of 802.11 WLAN vulnerabilities, several recommendations and specifications for greater security from Task Force I, the IEEE's 802.11 subcommittee comprised of vendors, cryptographers, and security organizations, were put on the fast-track to ratification.
The first recommendation is 802.1x, ratified by the full committee in July. It takes authentication out of a less robust AP (access point) and places it in the authentication server, such as Radius or Kerberos, on the back end. The 802.1x standard allows for the use of dynamically generated WEP keys on a per-session, per-user basis in place of a static WEP key placed in the AP.
Unfortunately, hardware vendors began building to the 802.1x spec before it was ratified, which will likely lead to product interoperability problems because each vendor interprets the spec differently. The products will be useful, but early adopters of 802.1x will be tied to a single vendor, says John Pescatore, research director of Internet security at Gartner Inc. in Stamford, Conn.
On the software side, Windows XP is the only major OS supporting 802.1x. The Microsoft Corp. version uses the EAP-TLS protocol, which requires a PKI (public key infrastructure) and does not support directory services for password-level security.
Pescatore favors the use of PKI as a long-term solution; however, he notes that the requirement to create a certificate authority rather than using directory services for authentication might be a problem, especially for smaller companies.
Task Force I's next task is replacing WEP with the TKIP (Temporal Key Integrity Protocol). TKIP is backward compatible with current APs and wireless cards and requires only a software upgrade. But because it is based on rapid rekeying and generates a new encryption key every 10,000 packets, there are some latency issues.
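The two ideas described above, per-user and per-session keys handed out after authentication (802.1x) and rapid rekeying after a fixed number of packets (TKIP), can be modelled in a few lines. The following Python is an added illustration, not code from the article or from any vendor or standard it mentions: the HMAC-based derivation, the session object and the sample master secret are assumptions made for the example, and the derivation is not TKIP's actual key-mixing function. The only value taken from the article is the 10,000-packet rekey interval.

```python
import hashlib
import hmac

# Constructed sample secret. In an 802.1x deployment the per-session secret
# would be produced by the authentication server once the user has
# authenticated; this value exists only so the example runs offline.
MASTER_SECRET = b"constructed-example-master-secret"

# Rekey interval cited in the article for TKIP.
REKEY_INTERVAL = 10_000


def derive_key(master: bytes, user: str, session_id: int, epoch: int) -> bytes:
    """Derive a 16-byte key bound to one user, one session and one rekey epoch.

    HMAC-SHA256 over a context string is an assumption for this example; it is
    not the key-mixing scheme TKIP specifies. The point it shows is that the
    key depends on who authenticated and on the session, so no two users and
    no two sessions share a key the way a static WEP key is shared.
    """
    context = f"{user}|{session_id}|{epoch}".encode()
    return hmac.new(master, context, hashlib.sha256).digest()[:16]


class RekeyingSession:
    """One user's session whose key rotates every `interval` packets."""

    def __init__(self, master: bytes, user: str, session_id: int,
                 interval: int = REKEY_INTERVAL) -> None:
        self.master = master
        self.user = user
        self.session_id = session_id
        self.interval = interval
        self.packets_sent = 0
        self.rekeys = 0
        self.key = derive_key(master, user, session_id, epoch=0)

    def next_packet_key(self) -> bytes:
        """Return the key protecting the next packet, rotating on the interval."""
        if self.packets_sent > 0 and self.packets_sent % self.interval == 0:
            # Each rotation is one extra derivation on the access point, which
            # is the per-packet-budget cost the article's latency remark refers to.
            self.rekeys += 1
            self.key = derive_key(self.master, self.user,
                                  self.session_id, epoch=self.rekeys)
        self.packets_sent += 1
        return self.key


def run_session(session: RekeyingSession, n_packets: int) -> list:
    """Send n packets and return the distinct keys used, in the order they appeared.

    The length of the result bounds how much traffic any single captured key
    can expose: one interval's worth, not the whole session.
    """
    keys = []
    for _ in range(n_packets):
        k = session.next_packet_key()
        if not keys or keys[-1] != k:
            keys.append(k)
    return keys


if __name__ == "__main__":
    alice = RekeyingSession(MASTER_SECRET, "alice", session_id=1)
    bob = RekeyingSession(MASTER_SECRET, "bob", session_id=1)
    used = run_session(alice, 100_000)
    print(f"alice: {len(used)} distinct keys over 100,000 packets, "
          f"{alice.rekeys} rekey events")
    print("alice and bob share a key:", alice.key == bob.key)
```

Over 100,000 packets the session uses ten distinct keys (nine rotations after the initial one), and a second user authenticating on the same access point never receives the same key. Contrast that with a static WEP key, where one value in the access point protects every user's traffic for as long as the administrator leaves it unchanged.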
"[TKIP] performance is vendor-dependent. If you have a small ARM processor in the access point, there may be some [performance] hit," says Dennis Eaton, chairman of the Wireless Ethernet Compatibility Alliance based in Mountain View, Calif.
AES (Advanced Encryption Standard) completes the current IEEE 802.11 road map. AES is recommended and used by the federal government's National Institute of Standards -- it has a far better underlying cipher, according to Eaton.
The major issue with AES is its incompatibility with current hardware, requiring that processing be off-loaded to a separate chip.
"You can't have a WEP client that talks to an AES access point," Eaton says.
But what do companies do while waiting almost two years for AES availability? Johnson examined the situation carefully before making a decision. "AES is in the future. I need something now," he says.
Johnson went with Fortress Technologies Inc., a company offering its own hardware appliance and software solution. AirFortress is compatible with the Army directive barring WLANs unless they use the National Institute of Standards and Technology Federal Information Processing Standards (NIST FIPS) on top.
Gartner's Pescatore believes solutions such as AirFortress do offer the highest level of WLAN security. But such solutions are more costly than software-only security, and network security can still be compromised if companies keep only software-level security for Internet access to their VPN.
For now, Pescatore recommends that companies put the AP outside the firewall and use a VPN to get in.
"If you have public exposure to your signal or people wandering around with wireless NICs, then use VPN. It is the most secure approach," Pescatore says.
Standards in the works
-- 802.1x: moves authentication from access point to authentication server; ratified by IEEE in July.
-- TKIP: based on rapid rekeying; will replace WEP.
-- AES: better underlying cipher; hardware incompatibility is a hurdle.