As WLANs are updated to 802.11n, most will be populated by increasingly diverse devices. According to In-Stat, 2008 Wi-Fi sales were dominated by dual-mode Wi-Fi cell phones (56 million), stationary consumer electronic devices like printers (48 million), and portable consumer electronic devices like cameras (71 million). Traditional Wi-Fi clients like notebooks represented less than half of chipsets shipped last year.
Most administrators already understand how to secure wireless notebooks, but Wi-Fi phones, printers, cameras and specialized devices like barcode scanners pose unique challenges. They cannot be configured by desktop management systems, nor can they participate in human-interactive login processes. So what techniques can be used to secure this new wave of embedded 802.11n devices?
MAC filters fall short
Let's start with the most common method of controlling embedded device access: media access control (MAC) filters. MAC filters, or access control lists (ACLs), are widely used to discourage wireless connections from unknown client devices.
Many Point-of-Sale (PoS) and Voice over IP (VoIP) deployments use old, limited devices – barcode scanners, Wi-Fi handsets – that lack Wi-Fi protected access (WPA). It is common to configure APs with lists of known devices, identified by the MAC address sent in all Wi-Fi frames. APs use this list to reject unrecognized devices and map the rest onto a designated network segment (such as a VLAN). Upstream filters may be added to control service access – for example, permitting only SIP and RTP to reach a VoIP gateway that checks SIP uniform resource identifiers inside those packets.
This approach makes the best of a bad situation where devices lack the embedded capabilities needed to join an 802.11i robust security network. MAC addresses are easily spoofed, however. Anyone within range can capture Wi-Fi frames, extract authorized addresses, and use them to bypass MAC filters. Furthermore, if the data payload is unencrypted, one can extract destination IP addresses, ports and service identifiers like URIs, thereby defeating upstream filters as well.
Some deployments also use wired equivalent privacy (WEP) to make packet analysis more difficult, but given contemporary WEP cracking tools, this raises the bar only slightly. In short, MAC ACLs are at best a weak deterrent, suitable for deflecting accidental connections but not motivated intruders.
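To make the MAC-filter weakness concrete from the defender's side, here is an added example (not from the original article) that models the only check an ACL performs and then shows what a wireless IDS can still observe: every 802.11 station keeps its own 12-bit sequence counter, so two radios sharing one authorized address produce interleaved, discontinuous sequence numbers. The allow-list, the addresses and the frame capture are constructed; the gap tolerance is an assumed tuning value.

```python
"""Why a MAC ACL alone is weak, and what a WIDS can still notice.

Constructed example: an AP-style allow-list accepts any frame whose source
MAC is listed, so a second radio reusing an authorized address is admitted
too. Sequence-number discontinuity on one MAC is a classic detection signal.
"""
from collections import defaultdict

SEQ_MODULO = 4096          # 802.11 sequence numbers are 12 bits (0..4095)
GAP_TOLERANCE = 8          # assumed: small forward gaps = unheard frames

# Constructed allow-list for a PoS/VoIP segment (addresses are made up).
MAC_ACL = {"00:1a:2b:3c:4d:5e", "00:1a:2b:3c:4d:5f"}

def acl_permits(src_mac: str) -> bool:
    """The only check a MAC filter performs: is the claimed address listed?"""
    return src_mac.lower() in MAC_ACL

def seq_gap(prev: int, cur: int) -> int:
    """Forward distance from prev to cur modulo 4096 (0 == retransmission)."""
    return (cur - prev) % SEQ_MODULO

def detect_spoofed_macs(frames, tolerance=GAP_TOLERANCE):
    """Return {mac: [(frame_index, prev_seq, cur_seq), ...]} for anomalies.

    frames: iterable of (src_mac, seq_num) in capture order. An anomaly is
    a backwards jump or a forward jump larger than tolerance; a repeated
    number (gap 0) is treated as a normal retransmission.
    """
    last_seq, alerts = {}, defaultdict(list)
    for i, (mac, seq) in enumerate(frames):
        mac = mac.lower()
        if mac in last_seq:
            gap = seq_gap(last_seq[mac], seq)
            if gap > tolerance:   # large forward gap or any backwards jump
                alerts[mac].append((i, last_seq[mac], seq))
        last_seq[mac] = seq
    return dict(alerts)

# Constructed capture: a legitimate scanner counting 100, 101, ... and a
# second radio reusing its MAC whose counter sits around 3000.
SAMPLE_FRAMES = [
    ("00:1a:2b:3c:4d:5e", 100), ("00:1a:2b:3c:4d:5e", 101),
    ("00:1a:2b:3c:4d:5e", 3000),   # other radio, same MAC: flagged
    ("00:1a:2b:3c:4d:5e", 102),    # real device again: flagged (backwards)
    ("00:1a:2b:3c:4d:5e", 102),    # retransmission, not an alert
    ("00:1a:2b:3c:4d:5f", 4094), ("00:1a:2b:3c:4d:5f", 1),  # counter wrap
    ("aa:bb:cc:dd:ee:ff", 7),      # unlisted, ACL rejects it outright
]

if __name__ == "__main__":
    print([acl_permits(m) for m, _ in SAMPLE_FRAMES])
    print(detect_spoofed_macs(SAMPLE_FRAMES))
```

The ACL admits every frame from the reused address; only the sequence-number check surfaces that two transmitters are behind it, which is why such telemetry belongs in a WIDS rather than relying on the filter itself.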
Simple secure setup
Today, all Wi-Fi certified products are required to support WPA2, which combines Advanced Encryption Standard (AES) data protection with pre-shared key (PSK) or 802.1X authentication. But, to facilitate out-of-the-box interoperability, almost all Wi-Fi products are shipped with WPA2 turned off.
As a result, many Wi-Fi devices are still put into service with no wireless security. This problem has long plagued residential devices sold to consumers who lack the security awareness needed to configure PSKs. To close this gap, the Wi-Fi Alliance created an optional certification program called Wi-Fi Protected Setup (WPS). As it turns out, WPS is not just for SOHOs – it also provides a convenient way to enable WPA2 on many embedded Wi-Fi devices used in business WLANs.
More than 500 products have achieved WPS certification to date – nearly 300 with 802.11n. These devices include external and internal Wi-Fi adapters, laptops, display devices, print servers, cameras, voice handsets, smartphones, digital audio devices, media servers, set-top boxes and, of course, many APs and gateways. All can automate WPA2-PSK configuration using one or more WPS techniques: personal identification number (PIN), push-button configuration (PBC), and near-field communication (NFC).
With the PIN method, every device is associated with a unique number printed on the device or its packaging, or displayed on the device's LCD panel or screen. To enroll a device, its PIN is entered into a "WPS registrar" – usually a configuration page on the AP, gateway or controller. The registrar and device complete a secure over-the-air WPS handshake, during which the registrar assigns a random PSK to the device. The device then self-enables WPA2-PSK, using the SSID and PSK values supplied by the registrar.
Some devices also support the PBC method, where physical WPS buttons must be pushed simultaneously on the AP and the device to be registered. For a short period, the AP listens for and accepts any nearby device requesting WPS enrollment. This method eliminates PIN entry but creates a brief window of opportunity during which unauthorized devices might conceivably be added.
Last year, an optional NFC method was added to eliminate that gap. When an NFC-enabled client device is placed within 10 centimeters of the NFC "target mark" on the AP, the WPS registrar uses NFC communication to read the client's identity from a token embedded in the device. Once approved, that device is given the SSID and PSK that it needs to complete automated WPA2-PSK setup and join the WLAN.
In all three methods, WPS shifts security setup responsibility from the user to the network itself. Avoiding end-user configuration of Wi-Fi security parameters not only reduces human confusion and error, it can eliminate the need for manual WLAN configuration interfaces on embedded Wi-Fi devices.
WPS is a low-overhead way to secure many new embedded Wi-Fi devices. By assigning random SSIDs to each WLAN and random PSKs to each device, WPS also defeats PSK crackers that depend upon short, easily guessed pass-phrase values. However, PSKs still do not meet all business needs – for example, many businesses wish to use 802.1X to authenticate individual users, map them onto the appropriate VLAN, and track their network activities.
To participate in WPA2-802.1X (also known as WPA2-Enterprise), embedded devices must supply authorized credentials – for example, a digital certificate issued by a trusted certification authority, a unique subscriber identity module (SIM) associated with a cell phone, or protected access credential (PAC) issued to the device. Thus, each device's ability to authenticate to a business WLAN using 802.1X depends upon support for various Extensible Authentication Protocol (EAP) methods.
Devices that support EAP-SIM, for example, implement RFC 8146, a method defined for clients that communicate over both GSM cellular networks and WLANs – a smartphone that roams between 3G and Wi-Fi might use 802.1X with EAP-SIM to authenticate when connecting to commercial hotspots. Today, 802.11n devices that support EAP-SIM are largely internal and external adapters and laptops, but future 802.11n smartphones may well support EAP-SIM.
EAP-SIM is of greater interest to carriers; enterprises may prefer issuing their own client credentials, even to embedded devices. One method that works this way is EAP-FAST, an integral component of Cisco's Unified Wireless Network architecture. EAP-FAST's PAC-based authentication can be used with Cisco and other-vendor clients that implement Cisco Compatible Extensions (CCX) version 3 or later. Currently, this list includes smartphones, Wi-Fi handsets, "wearable" computers, and ruggedized handhelds – but 802.11n CCX devices have yet to emerge in these categories.
In fact, the first embedded 802.11n WPA-Enterprise devices have been printers and print servers – these will no doubt be quickly followed by other stationary 802.11n devices that require high bandwidth. Mobile devices are expected to take longer to move to 802.11n because of power consumption/battery-life challenges.
Nonetheless, as next-generation embedded 802.11n devices emerge, businesses must prepare to secure them. In the short run, WPS will be a viable answer for many consumer electronic devices – and certainly an improvement over MAC ACLs. In the long run, businesses should use 802.1X to authenticate embedded 802.11n devices that support WPA2-Enterprise. Not only will 802.1X provide more robust wireless protection, it will dovetail with most network access control (NAC) architectures.
About the author:
Lisa Phifer is president and co-owner of Core Competence, a consulting firm focused on business use of emerging network and security technologies. At Core Competence, Lisa draws upon her 27 years of network design, implementation, and testing experience to provide a range of services, from vulnerability assessment and product evaluation to user education and white paper development. She has advised companies large and small regarding use of network technologies and security best practices to manage risk and meet business needs. Lisa teaches and writes extensively about a wide range of technologies, from wireless/mobile security and intrusion prevention to virtual private networking and network access control. She is also a site expert to SearchMobileComputing.com and SearchNetworking.com.