In the first two parts of this series on wireless LAN authentication, we explored how to manage guest wireless
networks and enforce wireless LAN access control. Now we address how to manage embedded Wi-Fi devices on the wireless LAN.
New strategies have emerged for identifying and provisioning enterprise wireless LAN (WLAN) access for employee and guest smartphones and tablets, but what about managing embedded Wi-Fi devices that lack user interfaces?
In early wireless LANs, embedded Wi-Fi clients usually meant barcode scanners, point-of-sale terminals, Voice over IP handsets and other purpose-built devices. Access was often loosely controlled by MAC address and protocol filter, supplemented by hidden SSIDs and static WEP keys. Such measures reduced accidental connections and discouraged (but did not reliably prevent) unauthorized use of embedded device wireless LANs.
This "security through obscurity" strategy is largely unacceptable for today's wave of Wi-Fi enabled consumer electronic devices. From wireless printers and cameras to media players and displays, enterprise networks are being overrun by embedded Wi-Fi devices that don't fit the old mold and cannot be easily wedged into existing policies and IT processes. Banning such devices won't really work, and simply adding MAC loopholes is rarely justified. Instead, IT must find ways to enable secure use without unacceptable risk or cost.
Using WPA2-Personal to control embedded Wi-Fi devices
One often overlooked strategy for controlling embedded wireless LAN access is WPA2-Personal: Pre-Shared Key (PSK) authentication and AES encryption. “Personal" suggests that this is not a strategy designed for enterprise wireless LANs, and PSKs are not preferred for devices that can be controlled effectively with WPA2-Enterprise. However, for consumer electronics that do not support WPA2-Enterprise or device certificates, PSKs can be a viable alternative.
Today, all Wi-Fi certified consumer electronics must support WPA2-Personal; more than 1800 device types now support Wi-Fi Protected Setup (WPS). WPS is an easy way to enable WPA2-Personal in a relatively strong fashion with little or no data entry.
To use WPS, look for a unique WPS PIN printed on the client device, its packaging, or on an LCD setup panel. Enter that PIN into your AP or Controller's WPS setup page. The pair will complete a secure handshake during which the client is given a random PSK. Some WPS clients also support push-button or Near-Field Communication (NFC) setup as an alternative to PIN-based setup. In any case, WPS not only automates PSK setup, it generates long, random PSKs that deter cracking.
Once embedded devices are authenticated this way, common strategies can be used to control traffic flows. Separate SSIDs are mapped onto VLANs and prioritized and filtered by protocol, as appropriate for device type and business use. For example, you may only allow printing protocols to reach wireless printers, not Telnet, SNMP or other unexpected packets that might be used to hack those embedded devices.
Using Wi-Fi Direct to manage traffic from embedded Wi-Fi devices
Given its origins, WPS is not broadly supported by enterprise APs and controllers. However, WPS will be required in every Wi-Fi Direct certified product. This peer-to-peer Wi-Fi alliance specification enables simple direct device-to-device connection, without requiring either an AP or conventional Wi-Fi ad hoc mode. Wi-Fi Direct-capable devices discover each other and form Wi-Fi Direct "groups" composed of two or more devices. These self-organized groups are intended to make Wi-Fi easier for as-needed communication, such as file sharing and printing between consumer electronic devices.
Enterprises may want to selectively authorize Wi-Fi Direct use for convenience and traffic separation. Network teams could, for example, grant use for wireless printing by anyone without access to the corporate network. To facilitate enterprise wireless LAN coexistence, Wi-Fi Direct defines a "managed device" option that could be used by IT to exert control over Wi-Fi Direct channel and power. However, products that support this option are not yet available, and it is too soon to tell how Wi-Fi Direct will really impact enterprise wireless LANs.
More embedded Wi-Fi device authentication methods
To participate in WPA2-Enterprise authentication, embedded Wi-Fi devices would need non-user-interactive 802.1X credentials, such as device certificates. Certificates are not widely embedded in consumer electronic devices, but some more advanced devices may support EAP-TLS using enterprise-issued certificates. For example, devices may provide TPM chips for secure key storage, or they may have a slot that accepts an inserted smartcard or USB that carries a certificate.
Alternatively, Wi-Fi devices that implement Cisco Compatible Extensions (CCX) support EAP-FAST. This EAP type allows an enterprise to issue protected access credentials (PACs), which can be used for secure, non-interactive 802.1X authentication without digital certificates. CCX certified client devices currently include Wi-Fi voice handsets, wearable computers, ruggedized handhelds and even some smartphones.
Another option for GSM smartphone authentication is EAP-SIM, an EAP type that identifies the device using its subscriber identity module (SIM). For UMTS smartphones, a similar capability is provided by EAP-AKA. These credentials are more likely to be used by cellular carriers than enterprises, but they have an interesting role to play—Wi-Fi/3G roaming. In particular, the Wi-Fi Alliance is now developing a hotspot certification program, based on IEEE 802.11u, to facilitate transparent roaming for converged mobile devices (e.g., smartphones, tablets). Certified devices would be able to discover a suitable nearby hotspot and connect to it using WPA2-Enterprise with EAP-SIM or EAP-AKA without disruption or user assistance. Behind the scenes, carriers would use roaming agreements to enable call/session handoff and billing, making the experience similar to cellular voice roaming today.
Embedded Wi-Fi devices are still a mixed bag, and they are strongly affected by device type, Wi-Fi security capabilities (including EAP types) and intended business use. Note that device fingerprinting can also be helpful—if for no other reason than to provide visibility into embedded devices that are used without IT knowledge. Enterprises should keep a watchful eye on this area and consider creative "out of the box" strategies to address pressing access control needs, without exposing enterprise wireless LANs to unacceptable risk.
About the author: Lisa A. Phifer is president of Core Competence Inc. She has been involved in the design, implementation and evaluation of data communications, internetworking, security and network management products for more than 20 years and has advised companies large and small regarding security needs, product assessment and the use of emerging technologies and best practices.