Using SSL to secure wireless LAN traffic

I see a lot of press regarding the use of SSL to secure remote access traffic, not much on using SSL to secure

wireless LAN traffic? This solution seems (on the surface) ideal for campus wireless application. Are corporations considering or already using SSL as an enterprise solution for bolt-on wireless LAN security? Leads to any research or white papers on this topic would be greatly appreciated! Thank you.

That's an excellent question and one I would love to really talk about in depth but I'll see if I can cut it short and sweet so I don't end up boring you to death. SSL is a point-point encryption protocol. Under normal circumstances it (SSL v2) is used to encrypt data between a Web server and an end-user, however SSL is an abnormality in itself. If we look at where SSL sits within the OSI layer we find that it actually sits somewhere between Layer 3 (the network layer) and Layer 4 (the transport layer) however it's implemented by Layer 7 (the application layer). As such, what you're seeing is your Web browser (which sits at Layer 7) actually invoking a Layer 3/4 protocol to communicate (which is extremely unusual.)

The problem with applying this theory directly to wireless networks is that every network application would have to invoke SSL individual - just as we have HTTP and SHTTP we would have FTP and Secure FTP, IRC and Secure IRC, ICQ and SICQ, etc, etc and this would require that every application implement an SSL version of itself. Along with the development overhead for companies in developing SSL for their applications, our PCs also have a secure tunnel for each application session that we have established resulting in every application endpoint requiring a certificate and drastically reducing the number of Internet sessions that our PC could support, let alone the enormous increase in process load on Internet-based application servers.

Having said this, like yourself, others were inspired by the elegance of SSL and found a way to augment wireless networking using the fundamental idea behind SSL, Transport Later Security (TLS). Since then vendors have looked to implement Layer 2 encryption between the wireless clients and the access points. By implementing the encryption at Layer 2, you remove the need for extraneous application development (such as SSL for FTP) whilst avoiding the 10-20% encryption overhead of Layer 3 encryption techniques such as VPN. There are a few SSL-like encryption implementations vary but the major ones include EAP-TLS, Protect EAP (PEAP) and EAP-TTLS.

Essentially, these authentication protocols operate in logically the same way as SSL Version 2 (PEAP and EAP-TTLS) or SSL Version 3 (EAP-TLS) with an access point passing a username/password or user certificate to an authentication server for authentication, using the authentication to establish a shared-key encryption scheme between the end-user and the access point and then acting as the end-point for the encrypted session.

Protocols such as EAP-TLS (which operate exactly like SSL version 3) require a certificate at both ends, whilst PEAP operates like SSL version 2 (the most common version of SSL used on the Internet) where only the authentication server requires a certificate. PEAP is an authentication mechanism designed by Cisco, Microsoft and RSA Securities and whilst proprietary has quickly begun to gain momentum throughout the wireless industry due to the ability to leverage either an organization's Microsoft IAS RADIUS solution or Cisco's CiscoSecure Access Control Server. End-user PEAP support is available in Microsoft's Windows 2000 with Service Pack 3 and the 802.1X Supplement or Windows XP with Service Pack 1.

For more information on these SSL-like authentication and encryption mechanisms I would suggest checking out the following URLs:
Microsoft - Protected EAP
Cisco - Wireless Authentication

This was first published in June 2003

Dig deeper on WLAN Security



Enjoy the benefits of Pro+ membership, learn more and join.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.



Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: