Wireless networking is taking the IT world by storm, but security
technologies are struggling to keep up
It's not often that the techniques of depression-era hobos and the
antics of modern-day cyberwarriors have much in common, but a new
phenomenon this year has brought the two together in the eyes of
the popular press. Homeless travellers in 1930s California used to
chalk symbols on houses to let others know the chances of getting a
free meal there. These days, laptop owners looking for a wireless
Internet connection have taken to 'warchalking' - marking chalk
symbols on floors or walls in areas where wireless networks exist,
describing their level of security. In many cases, the symbol
denotes a completely open network, which would provide free access
to the Internet via a connected corporate network.
This phenomenon shows how quickly the idea of wireless local area
networks (WLANs) has taken off in the UK. This method of
networking, in which a PC card or built-in antenna acts as a
network interface card between the client PC and the network via a
wireless access point, is attractive to businesses that don't want
to cable their premises. Conventional office environments with
highly mobile employees might benefit from the convenience of a
wireless network, but it could be particularly valuable in other
environments, such as temporary construction sites or listed
buildings.
Even more exciting for companies is the rise of public WLANs. BT is
slowly rolling out WLAN access points for public use as part of its
OpenZone initiative, which launched on 1 August. The telecoms giant
plans to deliver 400 such hotspots around the UK by June next year,
and has already started serving the Heathrow Hilton hotel and its
own BT Centre in London. The company said it would have 20 hotspots
operational by launch. A recent report from telecommunications
analyst company Analysys suggests that the market for public WLANs
will total more than €3bn (£1.8bn) in 2006. Following the
disillusionment over 3G services, WLANs are likely to be big
business for resellers.
Security vulnerabilities
Unfortunately, the warchalking
phenomenon also highlights the security vulnerabilities of WLANs
built on the IEEE 802.11b wireless networking standard, which is
still the predominant standard in the UK. The standard, developed
in 1999 following the ratification of the initial 802.11 physical
networking standard in 1997, became known as WiFi following the
formation of the Wireless Ethernet Compatibility Alliance in August
1999. A number of vulnerabilities in the technologies supporting
the 802.11b protocol have since come to light, which present
value-added resellers and systems integrators with some technical
challenges and revenue opportunities.
802.11b WLANs that haven't been enhanced in some way face two major
security issues: user authentication and encryption of information.
Because the nature of the medium is inherently insecure (signals
must be broadcast within a certain radius if they are to be picked
up by legitimate users), networks are more vulnerable to
infiltrators. This is not helped by the fact that wireless
networking equipment vendors do not encrypt the service set
identifier (SSID) - an identification string that is sent when a
conversation begins between a wireless network and a wireless
device. This means that hackers can detect wireless networks easily
using an 802.11b-enabled laptop.
"The major issue was that the uptake of the technology outpaced the
security," explains Steven Salmon, head of security at network
integrator Logical. As the technology became more widely adopted,
it inspired enthusiasts and academics to look closely at the
underlying security standards and develop ways to defeat them. It's
now up to resellers to implement extra security in a bid to lock
down wireless network security for customers, he argues. "So now
we're being asked to come in and talk to them about securing the
WLAN and scaling the security, which is one of the biggest
issues."
Clearly there is a need for network resellers that are
security-aware, and customers are gradually realising that need
following a couple of high-profile media events that highlighted
the vulnerable nature of wireless LAN technology. Salmon discusses
a security demonstration at the InfoSec computer security
conference this year in which I-Sec, a security consultancy, hacked
into an 802.11b network using a Pringles can and a freely available
network detection program called NetStumbler.
Inadequate encryption
Geoff Davies, managing director
of I-Sec, explains why the encryption mechanism used in 802.11b
networks to date has been inadequate. The encryption protocol,
called the wired equivalent privacy (WEP), is meant to encrypt data
travelling between the wireless access point and the client WiFi
card, but the algorithm that it used was badly implemented, he
reveals. "The problem is that WEP reuses part of the key after a
certain period of time," says Davies. "From that, a cryptographer
would be able to calculate the key, and that's what programs such
as WEPCrack do."
WEPCrack can be used on a laptop in the broadcast area to sniff
network packets and analyse them. Eventually, it will be able to
deduce the WEP key agreed by the access point and the wireless
client, meaning that it can then decrypt the traffic. This can take
a matter of hours on a network with high traffic, Davies says.
Why can't companies simply change their WEP keys on a regular basis
to avoid people decrypting them? The problem goes back to the
insecure nature of a wireless LAN link. 802.11b WLANs work on the
pre-shared key concept, in which the access point shares a key with
the client that can be used to log onto the system. The problem is
that the 802.11b specification doesn't include any guidance on how
to manage keys using the insecure radio link between the client and
the access point. In practice, where the administrator bothers to
turn on pre-shared key access, a single key is provided to all
mobile terminals. The lack of key management guidelines in the
specification means that if the administrator wants to change the
encryption keys, he has to do so manually. In reality, changing the
encryption keys in every access point and client in a large company
simply isn't feasible, so many network administrators simply don't
do it. Using the same key for a long period of time exposes the
network to key-recovery attacks. Because the keys are static (that is,
not renewed automatically by the system on a regular basis), once
they are cracked the network is generally vulnerable, meaning that
a hacker - even one located in an adjoining building - could have
client access to the network.
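An added illustration, not from the article and not I-Sec's or WEPCrack's code, of what "reusing part of the key" and a static shared key mean in practice: WEP seeds RC4 with a 24-bit initialisation vector (IV) prepended to the shared key and sends the IV in the clear, so once an IV repeats under the same key, two frames share a keystream and cancel each other out. The key and frame contents below are constructed; the integrity check value real WEP appends is left out.

```python
# Added example, not from the article: a toy model of why WEP's static key and
# 24-bit IV lead to keystream reuse. WEP seeds RC4 with IV || shared key and
# sends the IV in the clear, so a repeated IV under one key repeats the keystream.
import math

def rc4(key: bytes, length: int) -> bytes:
    """Textbook RC4 keystream generator (the stream cipher WEP is built on)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def wep_encrypt(static_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style frame body: 3-byte clear IV || (data XOR RC4(IV || key)).
    The CRC-32 integrity value real WEP appends is omitted; it does not
    change the reuse argument."""
    if len(iv) != 3:
        raise ValueError("WEP uses a 24-bit IV")
    stream = rc4(iv + static_key, len(plaintext))
    return iv + bytes(p ^ k for p, k in zip(plaintext, stream))

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def keystream_reuse_leak(static_key: bytes, iv: bytes, p1: bytes, p2: bytes) -> bool:
    """True when two frames sent under the same key and IV satisfy
    c1 XOR c2 == p1 XOR p2: the keystream cancels, so any frame whose
    contents are predictable exposes the other. This is why a static key
    is dangerous and why dynamic rekeying (discussed later) matters."""
    c1 = wep_encrypt(static_key, iv, p1)[3:]
    c2 = wep_encrypt(static_key, iv, p2)[3:]
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)

def frames_until_iv_collision(iv_bits: int = 24, probability: float = 0.5) -> int:
    """Birthday bound: frames before an IV repeats with the given probability,
    assuming uniformly random IVs (sequential IVs simply wrap after 2**iv_bits)."""
    n = 2 ** iv_bits
    return math.ceil(math.sqrt(-2 * n * math.log(1 - probability)))

# Constructed 104-bit static key, shared by every client as the article describes.
STATIC_KEY = bytes.fromhex("0badf00dcafebeef0123456789")
```

On a busy network a few thousand frames is a matter of minutes, which is the point behind the article's "hours, not days" estimate for a static key.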
Additional layer
The bottom line is that even
WEP-enabling your network won't necessarily stop a determined
hacker. One way around the problem has been to layer additional
security on top of the flawed security in the 802.11b protocol. But
although authenticating users against an established remote
authentication dial-in user service (RADIUS) server may help to
ensure that only the right users get access to the system, it won't
stop hackers sniffing
network packets. Virtual private networks using third-party
encryption techniques are the strongest solution to the problem.
Davies recommends using VPNs based on the commonly accepted IPSec
encryption protocol, for example.
But things will get more difficult as more powerful wireless
network technology comes into play, says Salmon. "[VPN technology]
fitted with 802.11b because you were only talking about
11Mbit/sec," he explains. "The hardware could cope with that. With
50Mbit/sec, you have gigabytes of data going up there." In truth,
while the 802.11a standard that promises to supersede the 802.11b
standard in many areas can have up to five times the throughput of
the older standard, technical reviewers from magazines such as
eWeek have found that, just as with 802.11b, 802.11a networks
generally achieve about half the maximum throughput in real-world
environments. Anything over that is a bonus. HiperLAN/2, a European
equivalent of 802.11a and standardised by the European
Telecommunications Standards Institute, also promises higher
throughput than 802.11b.
While VPN encryption can alleviate the problems with WEP, the
authentication issue remains - the lack of dynamic key management
means that it's relatively easy for hackers to infiltrate WLANs.
Another potential problem is the fact that 802.11b networks only
require the access point to validate the user, and not the other
way around. Unless additional authentication has been built into a
system, all that a hacker has to do is plug another access point
into the network to impersonate a valid access point and gather
network keys from unwitting clients.
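As an added example, not from the article or from any vendor named in it, a small inventory check a reseller could run over wireless survey output to spot the two conditions just described: an access point the customer does not own advertising the customer's SSID, and an authorised access point left open. The survey line format, MAC addresses and SSIDs are constructed for the example.

```python
# Added example (not from the article): an inventory check over wireless survey
# output. The log format and the MAC/SSID values below are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    bssid: str
    ssid: str
    reason: str

# Authorised access points as the network team records them: SSID -> set of BSSIDs.
AUTHORISED = {
    "CORPNET": {"00:02:2d:aa:bb:01", "00:02:2d:aa:bb:02"},
}

# Constructed survey lines: one access point beacon per line.
SAMPLE_SURVEY = """\
bssid=00:02:2d:aa:bb:01 ssid=CORPNET channel=1 wep=on
bssid=00:02:2d:aa:bb:02 ssid=CORPNET channel=6 wep=off
bssid=00:0c:41:12:34:56 ssid=CORPNET channel=11 wep=on
bssid=00:40:96:99:88:77 ssid=coffeeshop channel=6 wep=off
"""

def parse_survey(text: str):
    """Turn 'key=value' survey lines into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        fields = dict(part.split("=", 1) for part in line.split() if "=" in part)
        if {"bssid", "ssid", "wep"}.issubset(fields):
            fields["bssid"] = fields["bssid"].lower()
            records.append(fields)
    return records

def audit(records, authorised=AUTHORISED):
    """Flag the two conditions the article describes: a BSSID we do not own
    advertising our SSID (a candidate impersonating access point), and one of
    our own access points running with WEP off (an open network)."""
    findings = []
    for r in records:
        ours = authorised.get(r["ssid"])
        if ours is None:
            continue  # someone else's network; not part of our inventory
        if r["bssid"] not in ours:
            findings.append(Finding(r["bssid"], r["ssid"], "unknown BSSID using our SSID"))
        elif r["wep"] != "on":
            findings.append(Finding(r["bssid"], r["ssid"], "authorised AP with WEP disabled"))
    return findings
```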
Mutual authentication
Luckily, the industry has been
working on better wireless authentication technologies to solve
this problem. Microsoft, Hewlett-Packard and 3Com developed 802.1x,
a standard that was ratified in June 2001 by the IEEE. 802.1x does
what 802.11b didn't by introducing mutual authentication technology
so that the access point has to prove its identity to the client.
Also, whereas the wireless access point itself acted as a weak
authentication system within 802.11b, 802.1x turns the wireless
access point into a conduit, passing authentication information to
a back-end security system (generally a RADIUS server). The other
big advantage of using 802.1x is that unlike VPN technologies, it
doesn't impose a per-packet encryption/decryption overhead. This
means that there is no performance impact when scaling up
bandwidth, making it just as suitable for 802.11a as it is for
802.11b.
The most important part of 802.1x is the extensible authentication
protocol (EAP), a technology that enables network administrators to
specify a number of different authentication mechanisms in a
wireless networking session. Generally, the authentication
mechanisms would be handled by a back-end server, with the wireless
access point merely serving as a conduit between the server and the
client device. The upside of this for the customer is that once an
access point supports 802.1x and EAP, it won't have to be upgraded
to support each new authentication mechanism that comes out. 802.1x
will also make it easier for users to roam wirelessly between
different access points (useful if you have a large building, a
multi-building campus or multiple offices), because now all
authentication can be done from a single point.
The enhanced authentication is great, but unfortunately 802.1x
doesn't provide any new encryption technology itself. On the other
hand, enabling the use of multiple authentication technologies via
EAP enables administrators to choose an authentication mechanism
that includes key management. This provides the ability to issue
encryption keys dynamically, meaning that if you do want to use
WEP, you can change keys on a regular basis and avoid others
decrypting your keys.
Way forward
So how will encryption improve? The only
way forward for WEP, other than dynamic key management, is to use
greater key lengths, making them harder to decrypt. VPNs are the
other option, using established encryption technologies such as
IPSec or the point-to-point tunnelling protocol (PPTP). Some
extensions to EAP are appearing for the management of VPN session
keys. These include EAP-TLS, EAP-TTLS, the protected extensible
authentication protocol (PEAP) and EAP-mutual authentication
protocol.
What does all this mean for resellers? For enterprise-class
applications, selling 802.11b-compliant access points and clients
alone won't give you the best security option, because
authentication is flawed and encryption key management is
difficult. Using 802.1x equipment will give you stronger
authentication and better WEP key management. The alternative is to
use 802.11b access point hardware with VPN server software built
into the access point, or end-to-end VPN sessions between the
client and the server. But again, authentication under 802.11b will
still be an issue.
As the industry gradually moves to 802.1x, companies will begin to
feel safer with WLANs, but like most technologies, it is far from
perfect, according to academics. Professor William Arbaugh of the
University of Maryland already claims to have found vulnerabilities
in the standard that render networks open to attack. This attack on
a relatively new standard shows how volatile the wireless
networking industry is, and how much effort resellers will need to
put into securing such networks, possibly using combinations of
third-party products.
The use of wireless networking also creates other challenges, such
as laptop management. WLANs will appeal to laptop users who move
around constantly, but companies that mobilise their users in this
way must make sure that laptops and PDAs (the latter offer
notoriously bad security) are taken care of. Providing secure
wireless LAN access to a laptop user is all fine and dandy, unless
he leaves his laptop - complete with unencrypted locally stored
data and his password stored in an Outlook note - in the back of a
cab. This represents just as much of an opportunity for resellers
as the more complex security technology that will form part of any
WLAN sale.
Further resources
The Unofficial 802.11 Security Web page:
www.drizzle.com/~aboba/IEEE
802.11 Planet - resource site for 802.11 issues:
www.80211-planet.com
Wireless Ethernet Compatibility Alliance:
www.wi-fi.net/index.html
IEEE 802 standards site:
www.ieee802.org
The Maryland University 802.1x vulnerability paper:
www.cs.umd.edu/~waa/1x.pdf
802.11a white paper by Proxim:
www.proxim.com/learn/library/whitepaperswp2001-09-highspeed.html
HiperLAN/2 information page:
www.etsi.org/frameset/home.htm?/technicalactiv/Hiperlan/hiperlan1.htm