Wireless Security:
Issues and Solutions
Mike Brockney
Bluesocket
www.bluesocket.com
© 2004 Bluesocket, Inc.
Secure Mobility™
Agenda
 WLAN
Security and Management Requirements
 WLAN Challenges
 WLAN security standards
– WEP, WPA, 802.11i
 VPNs and WLANs
 Evolution of WLAN deployment model
© 2004 Bluesocket, Inc.
Secure Mobility™
A little Wi-fi related joke:
© 2004 Bluesocket, Inc.
Secure Mobility™
About Bluesocket…
© 2004 Bluesocket, Inc.
Secure Mobility™
WLAN Management &
Security Requirements

Access Control
–
–
–
–

Data is more dense
–
–
–

–
Multiple devices: laptops, PDAs, scanners,
phones, networking vendors’ appliances
Different radio protocols (802.11 alphabet soup)
Need for simple management
–
–
–
–

Need to manage bandwidth
Avoid unnecessary encryption overhead
Don’t allow bandwidth “hogs”
Imperative for Interoperability
–

Authentication
Authorization
Airlink Privacy
Physical Security
Single Web-based login
Transparent login where possible
Guest / Visitor Access
Client software maintenance at a minimum
Secure Mobility™ and Policy-based networks
–
Voice over WLAN will be widely used
© 2004 Bluesocket, Inc.
Secure Mobility™
Wireless LAN Challenges –
Minimal security and
management in APs
Weak Security
No True Mobility
© 2004 Bluesocket, Inc.
Stop or Go - Same Access For All
Visitor or Employee or Contractor
(Policy Management)
No Bandwidth Management
or QoS
Secure Mobility™
Wireless LAN Challenges –
Rogue APs

Employee brings an AP to work and
simply plugs it in, opening your
network to anyone within radio
distance

Malicious user attaches an AP to the
network to allow access

Attacker positions an AP near the
building in an attempt to have a
legitimate user associate with it

AirMagnet, AirDefense, Wavelink can
detect and alert in real-time

Cisco, Proxim/Orinoco and others are
now building Rogue Detection into
standard APs
© 2004 Bluesocket, Inc.
Secure Mobility™
Wireless LAN Challenges –
Emerging 802.11 devices
© 2004 Bluesocket, Inc.
Secure Mobility™
Wireless LAN Challenges –
Network Authentication
PPTP
Executive
IPsec
Finance
802.1x
Admin
ACS
LDAP
Radius
NT Domain
Clear
Visitor
© 2004 Bluesocket, Inc.
Secure Mobility™
Wireless LAN Challenges –
Which standards?

The “Alphabet Soup” of 802.11 standards (b, a, g, h, i, e, f, 1x) and the
need to support other wireless interfaces such as Bluetooth on PDAs
brings upgrade and compatibility challenges
?
?
Which protocol?
Which air interface?
Which vendor?
Solutions must be
‘agnostic’ to support
current and
future standards
© 2004 Bluesocket, Inc.
Secure Mobility™
WEP Security –
Wired Equivalent Privacy







Available in all APs and wireless cards
Available in many different key lengths
Uses a static key to encrypt data
Good for home use
Better than no security at all
Can be difficult to manage keys
Encryption algorithm has been compromised
© 2004 Bluesocket, Inc.
Secure Mobility™
WEP Security –
Wired Equivalent Privacy
A series of academic papers exposed serious flaws in
WEP– the security system built into the 802.11b
standard.
 Rapid passive attack was
first described in July 2001by Fluhrer, Mantin &
Shamir.
 AT&T Labs team successfully implemented the attack
and concluded that WEP is
“totally insecure”.
 In August 2001, the Airsnort program was released
on the Web.
http://airsnort.sourceforge.net/

© 2004 Bluesocket, Inc.
Secure Mobility™
802.1x Background

802.1x is an IEEE standard
– Originally designed for Port Authentication in wired networks
– IEEE 802.11 has chosen to use 802.1x to support
access authentication in WLANs (June 2001)
 Enables authentication and key management for WLANs
– Dynamic WEP encryption designed to overcome issues with WEP
 Augmented to use Upper Layer Authentication Protocols (ULAPs)
as a framework for authentication
– An EAP is an implementation
– 802.1x originated as a Point-to-Point Protocol (PPP) authentication
scheme along with RADIUS
– Implementing EAP methods in mobile devices requires
modifications/additions to the operating system
© 2004 Bluesocket, Inc.
Secure Mobility™
802.1X & EAP
EAP- (TLS, TTLS, PEAP, LEAP)
EAPOL
RADIUS
Campus
Authenticator
Network
Authentication
Server
Supplicant
• 802.1X defines EAPOL (Extensible Authentication Protocol Over LAN)
• Provides centralized authentication and dynamic key exchange
• EAP packets carried at the MAC layer, embed RADIUS commands
• Different EAP types deliver different authentication techniques
© 2004 Bluesocket, Inc.
Secure Mobility™
802.1x: EAP Methods





There is no “standard” EAP, but several competing protocols
– LEAP, MD5, TTLS, TLS, PEAP, SRP, SIM, AKA
– The same EAP method needs to be supported on the
client device and Authentication Server
EAP Methods can be sorted into 3 approaches
– Password based (can be open to dictionary attacks)
– Digital Certificate based (cumbersome to set-up and manage)
– Token Based
Early Entries into the field were LEAP, TLS (Mutual Authentication)
and TTLS (Digital Certificate for Server-side Authentication)
Emerging Leaders:
– PEAP (Microsoft, Cisco and RSA), TTLS (Funk and Certicom)
No specific EAP for PDA clients (PocketPC2002 or Palm),
Wi-Fi Phones (SpectraLink, etc.) or Apple devices
© 2004 Bluesocket, Inc.
Secure Mobility™
PEAP
(Protected Extensible
Authentication Protocol)
 Microsoft
has started shipping 802.1x client with PEAP
– Built into Windows XP SP1
– Released a PEAP client for Windows 2000 in November 2002
– No support yet for other OS’ (’98, ME)
 WEP keys to supplicant protected by ‘session key’ from RADIUS server
– At a configurable interval, updated key sent to authenticated PC
 Using one vendor’s EAP method could lock you into using certain clients
and devices
© 2004 Bluesocket, Inc.
Secure Mobility™
Is 802.1x “Good Enough”?

Most implementations require vendor specific APs/NICs/AAA servers
– Interoperability is difficult in multi-vendor environments
– There is no consensus on a “standard” EAP method or operating mode
(TLS/PEAP in WinXP SP1 only)
– Same problem as proprietary IPsec clients for guest access
 Client software is required to run 802.1x , involving the need to
upgrade all client devices
– Only some Windows versions provide support; not on other devices
(PDA’s, Apple MACs, Scanners, etc., etc.)
– No visitor, non-802.1x guest user access
 Underlying privacy is based on RC4 with rapid re-keying, requiring
extensions to APs
 Installed base of APs may require forklift upgrades
– Potential high cost of deployment--- as each AP must support the final
802.11 standard and be properly configured
 Access is all or nothing (either on or off the network)
– No provisions for prioritization or bandwidth control by class of user
© 2004 Bluesocket, Inc.
Secure Mobility™
Is WPA a Step in the Right Direction?
Yes
 Wi-Fi
–
–
–
–
Protected Access (WPA)
New terminology announced by the Wi-Fi Alliance (formally WECA)
to describe 802.1x with TKIP and MIC
TKIP with WEP represents a significant air-link privacy improvement
Subset of the 802.11i security standard
802.11i will use AES in a mode to be determined later
 Issues
–
–
–
–
with WPA
Requires a 802.1x client/driver on all end-user devices
Limited device support
Variety of methods (LEAP, PEAP, TLS, TTLS, MD5)
Which will be widely used or accepted as standard?
Does not provide a solution for securing sensitive traffic with
alternate type technologies and protocols (e.g. IPSec, PPTP, SSL)
© 2004 Bluesocket, Inc.
Secure Mobility™
802.11i (a.k.a. WPAv2)
• IEEE 802.11TGi
• Stronger encryption
• Makes sense to plan for 802.11i
• Will support secure, fast, reliable, roaming
• For Voice over WLAN
• But not all details are settled upon yet
Beware: You may have to upgrade a lot of equipment!
© 2004 Bluesocket, Inc.
Secure Mobility™
Is WPA/802.11i Good Enough?
Depends On Your Needs
Feature
WPA/80211i
Authentication
√
Dynamic WEP Encryption
√
Missing Parts
Alternate Encryption (IPSec, PPTP, SSL)
√
Access Control and Policy Management
√
Guest/Visitor Access
(Support for “client-free” devices)
√
Bandwidth Management
√
Support for any mobile device
√
Support for Secure Roaming
√
Intrusion Detection
√
Rogue Access Point Detection
√
© 2004 Bluesocket, Inc.
Secure Mobility™
Policy Enforcement and
Compliance: Healthcare

Enforce network policies
based on user rights

Examples:
– Nurses:
Given HTTPS access to
patient databases only
– Doctors:
E-mail and Web access
with IPSec encryption
for HIPAA compliance
– Contractors:
Access only to their
work servers
– Patients/Public/Guests:
Access to Internet only,
with limited bandwidth
© 2004 Bluesocket, Inc.
Secure Mobility™
Wi-Fi Security Using IPSec
IPSec
Campus
Client software
IPSec
Termination
Network
• Requires wireless users to authenticate before gaining network access
• IETF standard - Layer 3 authentication & encryption
• Familiar, reliable, trustworthy
• Challenges:
• No Layer 2 protection mechanisms
• IPSec clients may not be available for all handheld devices
• Can be difficult to manage and to scale
• Ensure the solution provides cross-subnet roaming
© 2004 Bluesocket, Inc.
Secure Mobility™
WLANs Yesterday:
External to Corporate Network
Wireless
Network
Internet
firewall
Wireless traffic untrusted
• Access points placed outside the firewall
• Local wireless users placed on a separate network
© 2004 Bluesocket, Inc.
Secure Mobility™
Corporate
network
WLANs Today:
Integrated Within the Network
Wireless
Network
Internet
firewall
Corporate
network
Wireless traffic authenticated before accessing network
• Access points installed on the regular wired LAN
• Wireless users managed like wired users
© 2004 Bluesocket, Inc.
Secure Mobility™
WLANs Tomorrow:
Throughout the Network
Internet
Firewall
/ VPN
Corporate
network
Wireless traffic authenticated before accessing network
• Access points installed on any LAN
• Wireless users managed like remote users
© 2004 Bluesocket, Inc.
Secure Mobility™
WLANs Tomorrow:
Universal Access Regardless
of Location
Are the same
credentials used
remotely
The login credentials
used at work
Internet
Firewall
/ VPN
Corporate
network
One method for network authentication from any location
• One set of login credentials used for on campus and remote network access
• Provides appropriate level of security and eases end-user adoption
© 2004 Bluesocket, Inc.
Secure Mobility™
Recommendations
802.1x
• Strongly recommended if you’re using Layer 2 security
• Provides centralized management/policy control
EAP
• Consider EAP-TLS if client certificates infrastructure is in
place
• Avoid LEAP if standards are important (ASLEAP attack)
• If you have Microsoft kit, PEAP is built in
IPSec
• If you chose IPSec be sure not to forgo mobility
VLAN
• Deploy per-user VLAN policy if your network supports it
Take the path of least resistance that meets your network needs
© 2004 Bluesocket, Inc.
Secure Mobility™
Bluesocket Future Directions

Continue to support standards – PEAP, TTLS, 802.11i

Add additional authentication methods to support customer needs
– Have added PIN, Cosign, Certificate, use API for other methods

Continue to innovate around security and mobility
– VLAN Mobility
– More efficient traffic routing

Load Sharing to distribute load

More flexibility around login pages – by location/interface
© 2004 Bluesocket, Inc.
Secure Mobility™
Thank You….
Mike Brockney, SE Manager
Bluesocket
djuitt@bluesocket.com
© 2004 Bluesocket, Inc.
Secure Mobility™