WLAN implementation -- Assess security enhancement: Step 3


Michael Finneran, dBrn Associates Inc.
07.07.2004


This article is part three in a five-part series from contributor Michael Finneran. Read the first two:
Step 1: Planning for capacity, not just coverage
Step 2: Moving to 802.11a

Critical Step 3: Assessing security enhancements

Security is the most frequently cited reason that commercial users have been slow to deploy wireless LANs, but hopefully that issue will be put to bed in 2004. Indeed, the Wired Equivalent Privacy (WEP) function defined with the original 802.11 standards had significant deficiencies. Not the least of these is the use of a static 40-bit encryption key that a hacker can crack using a free online program like AirSnort. AirSnort requires a few million packets to work, but it works.

The major fix for the privacy concern will be the new 802.11i standard that will incorporate the Advanced Encryption Standard (AES); ratification is expected in mid-2004. AES was developed through the National Institute of Standards and Technology (NIST) and uses an algorithm called Rijndael in honor of the two developers Vincent Rijmen and Joan Daemen. AES is a mind-numbingly complex symmetrical block cipher that offers protection far beyond WEP's RC4 and the 3DES algorithm typically used with secure tunnel VPNs. The problem is that encryption engines are hardware devices, so upgrading from WEP to AES cannot be done with a simple software upgrade. That means it is critical in selecting WLAN products today that you find devices that will be upgradeable to 802.11i.

In the interim, there are a number of solutions that outperform WEP. Users can opt for the VLAN/VPN configuration, where all of the WLAN access points are configured in a separate virtual LAN. To access any LAN-based resources, WLAN users must first go through an authentication server and then establish a secure tunnel connection through a firewall. In essence, WLAN users are treated like remote access users, and the VPN secure tunnel encryption is used to ensure privacy over the radio link. Alternatively, you could use a vendor-provided solution like those from Reefedge or Proxim. However, that weds your organization to a particular vendor-defined implementation.

To stay on the path of industry-wide standards, the preferred choice would be to employ the Wi-Fi Alliance's Wi-Fi Protected Access (WPA). WPA incorporates three major elements:

  1. Temporal Key Integrity Protocol (TKIP): TKIP uses WEP's 40-bit key but changes the key on each packet, thereby thwarting the brute force decryption mechanism used by programs like AirSnort.
  2. Message integrity check: WLAN transmissions include a message integrity check called Michael designed to defeat "spoofed" access points that are introduced by hackers attempting to gain access to your WLAN.
  3. Extensible Authentication Protocol: WPA also employs the 802.1x Extensible Authentication Protocol that can provide mutual authentication (i.e. the network authenticates the user and the user authenticates the network) and key distribution.

The biggest advantage of WPA is that it is standards-based and can be implemented with a software upgrade. The Wi-Fi Alliance Web site currently lists over 175 products that comply with WPA.

One potential security threat with WPA was identified in a paper by Bob Moskowitz, Senior Technical Director of TruSecure's ICSA Labs. The weakness was apparently known by WPA's developers, and it can be addressed by selecting a more challenging passphrase to initiate the encryption key. Implemented correctly, WPA addresses all of the major deficiencies of WEP.
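The passphrase weakness matters because of how WPA's pre-shared-key mode turns a passphrase into the 256-bit key: IEEE 802.11i specifies PBKDF2-HMAC-SHA1 with the SSID as salt and 4096 iterations, so the key is only as hard to guess as the passphrase itself. The Python below is an added example, not code from the original article; the 20-character minimum, the word list and the function names are assumptions chosen for illustration.

```python
import hashlib

# Assumed policy values for this example (not from the article).
MIN_LENGTH = 20
# Constructed sample of guessable passphrases; a real audit would load a larger list.
COMMON = {"password", "12345678", "wireless", "letmein1", "companywifi"}


def derive_psk(passphrase, ssid):
    """Map a WPA passphrase to the 256-bit pre-shared key as IEEE 802.11i
    specifies: PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32
    )


def audit(passphrase):
    """Return the reasons a passphrase is a poor choice for WPA-PSK."""
    findings = []
    if passphrase.lower() in COMMON:
        findings.append("common")        # appears in a word list
    if len(passphrase) < MIN_LENGTH:
        findings.append("short")         # too little guessing work
    if len(set(passphrase)) < 6:
        findings.append("repetitive")    # e.g. one character repeated
    return findings


def report(passphrase, ssid):
    """Derive the key and attach audit findings for one SSID/passphrase pair."""
    return {
        "ssid": ssid,
        "psk": derive_psk(passphrase, ssid).hex(),
        "findings": audit(passphrase),
    }


if __name__ == "__main__":
    # The SSID is the only salt and is broadcast in the clear, so nothing
    # secret besides the passphrase goes into the key.
    for ssid, phrase in [("IEEE", "password"), ("IEEE", "Tq7#vLm2!zRw9@xPb4$kN")]:
        print(report(phrase, ssid))
```

The first sample pair is the passphrase/SSID test case published with the 802.11i passphrase mapping, which makes the derivation easy to check against other tools.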

The good news is that commercial users should be able to deploy WLANs with security features that address the concerns of all but the most paranoid. Again, it is important to recognize what's in the pipeline and ensure that the products we select will not preclude incorporating stronger, standards-based options as they become available.

Go on to part four in the series, Incorporating quality of service.


About the author:
Michael Finneran is an independent telecommunications consultant specializing in wireless networks and technologies. Besides his research and consulting activities, he writes a regular column called "Network Intelligence" for Business Communications Review and teaches their seminars on wireless technologies and wireless LANs. He can be reached at mfinneran@att.net.
