Locking down wireless hot spots with 802.1X


Lisa Phifer
10.20.2004

Today, public wireless hot spots can be found in many airports, hotels, conference centers, and other venues frequented by business travelers.  In fact, business users are the primary source of revenue for hot spot operators, and the primary target for new services.

According to Biju Nair, VP of Mobility Solutions at PCTEL, many carriers hope to leverage hot spots to further penetrate enterprises.  "Larger revenues could be generated if [hot spot] services were part of an overall package of remote access services," said Nair.  But when carriers surveyed enterprise IT managers, "Their overwhelming concern was not price or availability, but whether [hot spot traffic] was secure."

Hot spots can increase business productivity, but careless use can lead to corporate resource compromise.  Without protection, usernames, passwords, and proprietary data sent over the air are easily captured.  Most hot spots use Web authentication with SSL to protect credentials.  But few hot spots use WEP encryption to protect data sent after login.

Shared key encryption can't provide individual user authentication or confidentiality.  Since everyone holds the key to decrypt everyone else's data, there's little gained by using static WEP in a network of strangers.  WPA-Personal provides stronger encryption, but still uses a shared passphrase that limits hot spot utility.  WPA-Enterprise combines stronger encryption with 802.1X user authentication and dynamic per-session keys.  Some carriers believe this combination holds great promise for hot spot security.

T-Mobile's enhanced WPA network

For example, T-Mobile has been testing 802.1X in selected hot spots for the past year.  Earlier this month, the carrier formally announced general availability of its "Enhanced WPA Network" at 4700+ hot spots.  Customers who download T-Mobile's updated Connection Manager will find the new service is used automatically wherever it's available.

By default, T-Mobile's Connection Manager -- a branded version of PCTEL's Roaming Client -- first tries to connect to a hidden, encrypted network named tmobile1x.  If that fails, it falls back to the standard (broadcast, unencrypted) tmobile network.  Both networks are supported by the same Access Point, but the tmobile1x network requires authentication using 802.1X Port Access Control with EAP-TTLS, followed by data encryption using TKIP.

When connected to tmobile1x, data over the air is protected from eavesdropping and tampering by other users.  Protection across the Internet still requires something more, like a VPN.  However, airlink encryption can avoid leaking confidential data when browsing public Web sites or automatically trying to reconnect to NetBIOS fileshares.  If your VPN should fail to launch or disconnects unexpectedly, airlink encryption prevents accidental exposure.  In short, WPA-Enterprise better insulates hot spot users from each other, no matter which applications or Internet security measures they might use.

The 802.1X fine print

Airlink security is good news for enterprises concerned with worker exposure at hot spots, but using WPA-Enterprise in hot spots requires satisfying several prerequisites.

1. Users must have a WPA-capable wireless card. 

For new laptops, that's pretty much a given.  For internal/external cards purchased in 2003, WPA upgrades may be available -- check your product's Wi-Fi certification.  Those with older gear are out of luck, but can still use unencrypted networks like tmobile.

For compatibility with older equipment, Connection Manager lets you disable WPA.  But there's no option to require WPA.  If your connection to the Enhanced WPA Network fails, you'll be offered a connection to the Standard Network.  I found it a bit too easy to click through this prompt and end up with an unencrypted airlink.  Enterprises may prefer an option to stop users from connecting to any unencrypted network.
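As an added example (not T-Mobile's or PCTEL's code), the following Python models the connection behaviour described above: try the hidden 802.1X network first, fall back to the open one if that fails, and add the "require encryption" policy switch the article notes Connection Manager lacks. It also shows where the EAP-TTLS server certificate check sits in that flow, so a failed check on the encrypted network does not quietly end in an open connection when the policy forbids it. The SSIDs tmobile1x and tmobile come from the article; the profile fields, certificate values, trusted CA name and scan results are constructed sample data.

```python
"""Model of a hot spot client's network-selection and fallback policy.

Added example, not Connection Manager's code. Profiles are tried from
strongest to weakest security; a `require_encryption` policy stops the
client from ever joining an open network.
"""
from dataclasses import dataclass, field
from typing import Optional

# Security types in order of preference (later in the list = preferred).
PREFERENCE = ["open", "wep", "wpa-psk", "wpa-eap"]


@dataclass
class Profile:
    ssid: str
    security: str                       # one of PREFERENCE
    hidden: bool = False                # probed by name, never seen in a broadcast scan
    trusted_ca: Optional[str] = None    # issuer the EAP server certificate must come from
    server_name: Optional[str] = None   # expected subject of the EAP server certificate


@dataclass
class ServerCert:
    issuer: str
    subject: str


def validate_server_cert(profile: Profile, cert: ServerCert) -> bool:
    """EAP-TTLS phase 1: accept the authentication server only if its certificate
    was issued by the profile's trusted CA and names the expected server.
    Either mismatch is treated as a possible rogue AP and the attempt fails."""
    return cert.issuer == profile.trusted_ca and cert.subject == profile.server_name


@dataclass
class Decision:
    joined: Optional[str]
    encrypted: bool
    attempts: list = field(default_factory=list)   # (ssid, outcome) in the order tried


def connect(profiles, visible_ssids, associate, require_encryption=False) -> Decision:
    """Walk the profiles from strongest to weakest security and join the first
    that associates. `visible_ssids` holds SSIDs seen in a broadcast scan;
    hidden profiles are always probed. `associate(profile)` returns True on success."""
    decision = Decision(joined=None, encrypted=False)
    ordered = sorted(profiles, key=lambda p: PREFERENCE.index(p.security), reverse=True)
    for p in ordered:
        if p.security == "open" and require_encryption:
            decision.attempts.append((p.ssid, "skipped: policy requires encryption"))
            continue
        if not p.hidden and p.ssid not in visible_ssids:
            decision.attempts.append((p.ssid, "skipped: not in range"))
            continue
        if associate(p):
            decision.attempts.append((p.ssid, "joined"))
            decision.joined = p.ssid
            decision.encrypted = p.security != "open"
            return decision
        decision.attempts.append((p.ssid, "failed"))
    return decision


def make_associator(cert_presented_by_ap: ServerCert):
    """Constructed association stub: an 802.1X profile succeeds only if the
    server certificate validates; an open network always associates."""
    def associate(profile: Profile) -> bool:
        if profile.security == "wpa-eap":
            return validate_server_cert(profile, cert_presented_by_ap)
        return True
    return associate


# Constructed profiles: the two SSIDs from the article, with made-up trust data.
PROFILES = [
    Profile("tmobile", "open"),
    Profile("tmobile1x", "wpa-eap", hidden=True,
            trusted_ca="Example Hot Spot CA",        # constructed
            server_name="auth.hotspot.example"),     # constructed
]
GOOD_CERT = ServerCert("Example Hot Spot CA", "auth.hotspot.example")   # constructed
BAD_CERT = ServerCert("Some Other CA", "auth.hotspot.example")          # constructed


def demo(cert: ServerCert, require_encryption: bool = False) -> Decision:
    """Only the open 'tmobile' SSID is broadcast; 'tmobile1x' is probed as hidden."""
    return connect(PROFILES, {"tmobile"}, make_associator(cert), require_encryption)


if __name__ == "__main__":
    for cert, policy in [(GOOD_CERT, False), (BAD_CERT, False), (BAD_CERT, True)]:
        d = demo(cert, policy)
        print(f"require_encryption={policy}: joined={d.joined} encrypted={d.encrypted}")
        for ssid, outcome in d.attempts:
            print(f"  {ssid}: {outcome}")
```

With the default policy the model reproduces the behaviour the article describes: a failed 802.1X attempt ends in an unencrypted connection to tmobile. With `require_encryption=True` the same failure leaves the client disconnected, which is the outcome an enterprise that wants to forbid open airlinks would prefer.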

2. Users must have a hot spot account and credentials.

After network connectivity is established, Connection Manager launches a browser window that automatically logs the user into T-Mobile's server, using previously-stored credentials or prompting for login/password.  Those without an account (or with an expired account) are automatically redirected to T-Mobile's Sign-Up page.

Options exist for saving your password and enabling automatic connections, making login almost (but not completely) transparent.  However, such options should be used with great care.  Saved credentials are a security risk on a lost or unattended laptop.  Worse, you could end up paying for connections made whenever your active card is within hot spot range, whether you used the network or not.

Users who roam to other providers' hot spots must wait for broader 802.1X support.  For example, iPass customers can use any T-Mobile Standard Network, but can't yet use their iPass credentials on T-Mobile's Enhanced WPA Network.  According to iPass CTO Roy Albert, these two companies are engaged in design work to proxy 802.1X requests from iPass users at T-Mobile hot spots into the iPass authentication network.  iPass hopes to have 802.1X/WPA authentication in place for iPass users by Q205.

3. Users must install a compatible Connection Manager. 

As PCTEL's Nair put it, "Expecting users to have all the software and configuration required to connect to 802.1X is not very user-friendly."  To avoid these external dependencies, Connection Manager includes PCTEL's 802.1X EAP-TTLS supplicant, pre-configured for T-Mobile hot spot use.

This bundled approach has benefits.  PCTEL's EAP-TTLS implementation is compatible with T-Mobile's authentication server and credentials, and keeps both the user's login and password private.  The Connection Manager automatically validates T-Mobile's server certificate, and that server validates the AP's identity, reducing risk of connecting to a rogue AP pretending to be a hot spot AP.  The opportunity for error or breach due to 802.1X mis-configuration is minimized.

On the other hand, requiring client software has well-known drawbacks.  If you're accustomed to using Windows XP Zero Configuration, Cisco's Aironet Client Utility, iPass Connect, or another 802.1X-capable wireless client, you won't be able to access T-Mobile's Enhanced WPA Network through that client.  Instead, you must install and launch Connection Manager when visiting a hot spot.  Conflicting programs (like Zero Config) are detected and optionally disabled when Connection Manager is launched, then restored upon exit.  This automation helps, but some users may find switching between wireless clients confusing.  Alternatively, you can add your own profiles to Connection Manager to access private (home or office) WLANs.

Getting started

T-Mobile's rollout shows that some carriers will invest in 802.1X to address enterprise security concerns.  It's a bit early to tell how 802.1X will fare in hot spots, but we can certainly expect continued evolution.

As companies upgrade their enterprise WLANs from WPA to WPA2 (802.11i), carriers will probably follow suit.  We'll see 802.1X hot spot authentication proxied between carriers and perhaps to enterprise-owned authentication servers.  802.1X will find its way into mobile devices like smartphones to facilitate roaming between wireless LANs and WANs.  Hot spot clients like PCTEL's will continue to fill the gap between what operating systems offer and hot spot providers need to deliver secure services to enterprise subscribers.

For now, I recommend that individual subscribers check their favorite provider's hot spot client to see whether 802.1X is supported.  If so, verify your wireless card and software compatibility.  You might have to get familiar with a new client, but you'll probably find that an 802.1X hot spot is no harder to use than an unencrypted hot spot.

Companies with corporate hot spot accounts should evaluate their provider's existing and planned support for 802.1X.  Review hardware and software and proxy requirements, considering your own plans for internal 802.1X use, to decide whether and when to make the switch.  Hot spot airlink security isn't going to eliminate your need for remote access VPNs, but it can still reduce risk for workers who frequent public hot spots.


About the author: Lisa Phifer is vice president of Core Competence, Inc., a consulting firm specializing in network security and management technology. Phifer has been involved in the design, implementation, and evaluation of data communications, internetworking, security, and network management products for nearly 20 years. She teaches about wireless LANs and virtual private networking at industry conferences and has written extensively about network infrastructure and security technologies for numerous publications. She is also a site expert to SearchMobileComputing.com and SearchNetworking.com.
