Cisco says despite risks, LEAP wasn't worth fixing

Even though the LEAP security flaw could affect half of Cisco's WLAN customers, the company didn't patch it because more LEAP flaws could have emerged. While experts say LEAP should be abandoned immediately, they say Cisco's security strategy is sound.

As many as half of Cisco Systems Inc.'s wireless LAN customers could be affected by the release of a hacking tool designed to exploit a weakness in the networking giant's proprietary authentication protocol. Though Cisco has minimized the threat with new security protocols, questions remain as to whether the networking giant chose the best approach to keep its customers' networks safe.

Chris Bolinger, a product marketing manager in Cisco's wireless network business unit, said that the company conducted a survey of its wireless LAN customers and found that nearly 50% of those surveyed use Lightweight Extensible Authentication Protocol (LEAP), an authentication protocol built into Cisco's WLAN gear. There are likely thousands of affected businesses, Bolinger said.

The vulnerability was first brought to light last August when Joshua Wright, a network security architect at Johnson and Wales University in Providence, R.I., approached Cisco about a flaw in LEAP. Cisco asked Wright to delay releasing a tool he had developed to exploit the vulnerability until the problem could be addressed.

In February, Cisco released a new authentication protocol called Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling (EAP-FAST), which circumvents the problems.

Last week Wright released the tool that exploits LEAP's vulnerability. That debut came a day after Cisco announced the existence of the security flaw in its wireless networking equipment.

Waking up to Asleap

Wright's tool, called Asleap, identifies LEAP traffic traveling between a client and access point. It then disrupts the user's session and forces a reauthentication. When the user does reauthenticate, Asleap captures the data stream.

Once the tool grabs the data, it initiates a dictionary attack, in which it uses a stream of likely usernames and passwords to determine the authentication information. When the username and password are determined, the hacker can then gain access to the network as an authorized user.
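The sequence the article describes (session disrupted, client forced to reauthenticate, exchange captured) leaves a trace that an access point or RADIUS log can surface: a client that keeps being deauthenticated and then immediately starts a fresh LEAP exchange. The following detection routine is an added example written for this article, not code from Cisco, from Asleap, or from the article itself; the log format, client addresses and timestamps are constructed for the example, and a real deployment would adapt `parse_line` to its own AP or RADIUS log format. The second function, an inventory of clients still authenticating with LEAP, is the kind of check a team would run before the migration the analysts quoted below recommend.

```python
"""
Added example (not from the article, Cisco or Asleap): flag wireless clients
that are repeatedly deauthenticated and forced back through LEAP, and list
which clients are still using LEAP at all.

The log format below is constructed for this example; adapt parse_line()
to the real AP or RADIUS log you collect.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one event per line, key=value fields after an ISO timestamp.
# Client 00:11:... is deauthenticated and reauthenticates three times in under a
# minute; client aa:bb:... shows a normal EAP-FAST session and a later renewal.
SAMPLE_LOG = """\
2004-04-12T09:00:01 client=00:11:22:33:44:55 event=eap-success method=LEAP
2004-04-12T09:00:15 client=00:11:22:33:44:55 event=deauth
2004-04-12T09:00:16 client=00:11:22:33:44:55 event=eap-start method=LEAP
2004-04-12T09:00:17 client=00:11:22:33:44:55 event=eap-success method=LEAP
2004-04-12T09:00:30 client=00:11:22:33:44:55 event=deauth
2004-04-12T09:00:31 client=00:11:22:33:44:55 event=eap-start method=LEAP
2004-04-12T09:00:32 client=00:11:22:33:44:55 event=eap-success method=LEAP
2004-04-12T09:00:45 client=00:11:22:33:44:55 event=deauth
2004-04-12T09:00:46 client=00:11:22:33:44:55 event=eap-start method=LEAP
2004-04-12T09:00:47 client=00:11:22:33:44:55 event=eap-success method=LEAP
2004-04-12T09:02:00 client=aa:bb:cc:dd:ee:ff event=eap-start method=EAP-FAST
2004-04-12T09:02:01 client=aa:bb:cc:dd:ee:ff event=eap-success method=EAP-FAST
2004-04-12T09:30:00 client=aa:bb:cc:dd:ee:ff event=eap-start method=EAP-FAST
2004-04-12T09:30:01 client=aa:bb:cc:dd:ee:ff event=eap-success method=EAP-FAST
"""


def parse_line(line):
    """Turn one constructed log line into a dict; 'ts' is a datetime."""
    ts_str, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts_str)
    return rec


def find_reauth_storms(log_text, window=timedelta(minutes=5), threshold=3):
    """Return {client: max_count} for clients with at least `threshold`
    forced reauthentications (an eap-start directly after a deauth for the
    same client) inside any sliding `window`."""
    reauths = defaultdict(list)
    last_event = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        client = rec["client"]
        if rec["event"] == "eap-start" and last_event.get(client) == "deauth":
            reauths[client].append(rec["ts"])
        last_event[client] = rec["event"]

    flagged = {}
    for client, times in reauths.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until all events fit inside it.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[client] = max(flagged.get(client, 0), count)
    return flagged


def leap_clients(log_text):
    """Inventory of clients still authenticating with LEAP (migration check)."""
    found = set()
    for line in log_text.splitlines():
        if line.strip() and parse_line(line).get("method") == "LEAP":
            found.add(parse_line(line)["client"])
    return sorted(found)


if __name__ == "__main__":
    print("reauth storms:", find_reauth_storms(SAMPLE_LOG))
    print("clients still on LEAP:", leap_clients(SAMPLE_LOG))
```

On the constructed sample, the first function flags only the client that was deauthenticated and pushed back through LEAP three times within the window; the EAP-FAST client, which reauthenticates once after half an hour, is not flagged. The threshold and window are deliberately parameters, since a legitimate roaming client on a busy floor will also reauthenticate, and the right numbers depend on the site.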

"We knew this kind of attack was theoretically possible," Bolinger said. Cisco chose not to patch LEAP because it was concerned that if it drew attention to the problem, hackers would then find more vulnerabilities with the protocol, Bolinger said.

Cisco's LEAP replacement, EAP-FAST, transmits password information using an encrypted tunnel. Cisco has posted that protocol to the Internet Engineering Task Force Web site, where it can be downloaded and will be considered for inclusion in the 802.1x WLAN security standard.

"From my perspective, everyone should stop using LEAP," said Michael Disabato, an analyst with the Midvale, Utah-based research firm Burton Group. He said there are now plenty of better standards-based alternatives to consider.

New Wi-Fi security approaches, such as Wi-Fi Protected Access (WPA), offer better encryption (48-bit as opposed to 24-bit), making them harder to crack, he said. And once the full 802.11i protocol is ratified later this year, he suggests that businesses move to the upcoming Advanced Encryption Protocol, which is even more secure.

Another security protocol called Extensible Authentication Protocol-Tunneled Transport Layer Security (EAP-TTLS) provides encryption and authentication, which can help deter hackers, Disabato said. He said businesses should consider making the switch.

Leaping away from LEAP

Cisco, meanwhile, is not pushing any single security approach, Bolinger said. Any Cisco access point that supports 802.1x should support EAP-FAST, as well as other security options, he said. Bolinger added that older access points can also be upgraded to support EAP-FAST.

Despite the problems with LEAP, Bolinger said that some businesses may want to stay with it. That's because LEAP does not require IT departments to manage certificates, Bolinger said.

Other approaches, such as Protected Extensible Authentication Protocol (PEAP), mandate the use of certificates, and some businesses may not want to bear the burden of managing them, he said.

But Jeff Posluns, founder of the Montreal, Canada-based security consultancy SecuritySage Inc., said that businesses can set up and manage certificates efficiently if they are deployed by a trained consultant. Windows 2000 Server and Windows Server 2003 both have certificate capabilities built in, Posluns said, and the management can easily be handled by a junior admin.

For those companies that do use LEAP going forward, Bolinger suggested using strong passwords that aren't as vulnerable to the kind of dictionary attack that the Asleap tool uses.

Sleeping on security?

This most recent security dust-up comes just one day after Cisco sent a bulletin to its users, notifying them of a problem with its Wireless LAN Solutions Engine (WLSE). According to Cisco, the company hard-coded a default user name and password in the WLSE that manages and secures the wireless network. If a user knows the default information, he or she could easily take over a wireless LAN powered by WLSE.

Disabato called the hard-coded password "an incredible mistake."

Cisco's Bolinger said the networking giant was able to release a patch before anyone reported trouble with the flaw.

Also, Cisco yesterday announced a vulnerability that affects Cisco's Catalyst 6500 Series Switches and 7600 Series Internet Routers using the IP Security (IPSec) VPN Services Module (VPNSM).

Despite the negative publicity, this small string of security problems is likely coincidental, Posluns said, and does not represent a failure in Cisco's overall security strategy.

However, Disabato said it should be a reminder to IT departments that they cannot blindly trust anyone, even Cisco. "There is so much complexity in what we are doing that no one company should be trusted as being secure without being vetted by an independent agency," he said.
