Securing the ethereal Ethernet

Wireless networking is taking the IT world by storm, but security technologies are struggling to keep up

It's not often that the techniques of depression-era hobos and the antics of modern-day cyberwarriors have much in common, but a new phenomenon this year has brought the two together in the eyes of the popular press. Homeless travellers in 1930s California used to chalk symbols on houses to let others know the chances of getting a free meal there. These days, laptop owners looking for a wireless Internet connection have taken to 'warchalking' - marking chalk symbols on floors or walls in areas where wireless networks exist, describing their level of security. In many cases, the symbol denotes a completely open network, which would provide free access to the Internet via a connected corporate network.

This phenomenon shows how quickly the idea of wireless local area networks (WLANs) has taken off in the UK. This method of networking, in which a PC card or built-in antenna acts as a network interface card between the client PC and the network via a wireless access point, is attractive to businesses that don't want to cable their premises. Conventional office environments with highly mobile employees might benefit from the convenience of a wireless network, but it could be particularly valuable in other environments, such as temporary construction sites or listed buildings.

Even more exciting for companies is the rise of public WLANs. BT is slowly rolling out WLAN access points for public use as part of its OpenZone initiative, which launched on 1 August. The telecoms giant plans to deliver 400 such hotspots around the UK by June next year, and has already started serving the Heathrow Hilton hotel and its own BT Centre in London. It would have 20 hotspots operational by launch, the company said. A recent report from telecommunications analyst company Analysys suggests that the market for public WLANs will total more than €3bn (£1.8bn) in 2006. Following the disillusionment over 3G services, WLANs are likely to be big business for resellers.

Security vulnerabilities
Unfortunately, the warchalking phenomenon also highlights the security vulnerabilities of WLANs built on the IEEE 802.11b wireless networking standard, which is still the predominant standard in the UK. The standard, developed in 1999 following the ratification of the initial 802.11 physical networking standard in 1997, became known as WiFi following the formation of the Wireless Ethernet Compatibility Alliance in August 1999. A number of vulnerabilities in the technologies supporting the 802.11b protocol have since come to light, which present value-added resellers and systems integrators with some technical challenges and revenue opportunities.

802.11b WLANs that haven't been enhanced in some way face two major security issues: user authentication and encryption of information. Because the nature of the medium is inherently insecure (signals must be broadcast within a certain radius if they are to be picked up by legitimate users), networks are more vulnerable to infiltrators. This is not helped by the fact that wireless networking equipment vendors do not encrypt the service set identifier (SSID) - an identification string that is sent when a conversation begins between a wireless network and a wireless device. This means that hackers can detect wireless networks easily using an 802.11b-enabled laptop.

"The major issue was that the uptake of the technology outpaced the security," explains Steven Salmon, head of security at network integrator Logical. As the technology became more widely adopted, it inspired enthusiasts and academics to look closely at the underlying security standards and develop ways to defeat them. It's now up to resellers to implement extra security in a bid to lock down wireless network security for customers, he argues. "So now we're being asked to come in and talk to them about securing the WLAN and scaling the security, which is one of the biggest issues."

Clearly there is a need for network resellers that are security-aware, and customers are gradually realising that need following a couple of high-profile media events that highlighted the vulnerable nature of wireless LAN technology. Salmon discusses a security demonstration at the InfoSec computer security conference this year in which I-Sec, a security consultancy, hacked into an 802.11b network using a Pringles can and a freely available network detection program called NetStumbler.

Inadequate encryption
Geoff Davies, managing director of I-Sec, explains why the encryption mechanism used in 802.11b networks to date has been inadequate. The encryption protocol, called the wired equivalent privacy (WEP), is meant to encrypt data travelling between the wireless access point and the client WiFi card, but the algorithm that it used was badly implemented, he reveals. "The problem is that WEP reuses part of the key after a certain period of time," says Davies. "From that, a cryptographer would be able to calculate the key, and that's what programs such as WEPCrack do."

WEPCrack can be used on a laptop in the broadcast area to sniff network packets and analyse them. Eventually, it will be able to deduce the WEP key agreed by the access point and the wireless client, meaning that it can decrypt the traffic. This can take a matter of hours on a network with high traffic, Davies says.

Why can't companies simply change their WEP keys on a regular basis to avoid people decrypting them? The problem goes back to the insecure nature of a wireless LAN link. 802.11b WLANs work on the pre-shared key concept, in which the access point shares a key with the client that can be used to log onto the system. The problem is that the 802.11b specification doesn't include any guidance on how to manage keys using the insecure radio link between the client and the access point. In practice, where the administrator bothers to turn on pre-shared key access, a single key is provided to all mobile terminals. The lack of key management guidelines in the specification means that if the administrator wants to change the encryption keys, he has to do so manually. In reality, changing the encryption keys in every access point and client in a large company simply isn't feasible, so many network administrators simply don't do it. Using the same key for a long period of time opens you up to attacks from key decrypters. Because the keys are static (that is, not renewed automatically by the system on a regular basis), once they are cracked the network is generally vulnerable, meaning that a hacker - even one located in an adjoining building - could have client access to the network.
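The key-management problem described above is measurable: WEP prepends a 24-bit initialisation vector (IV) to the static key for every frame, so under one key only 16,777,216 distinct per-frame keys exist, and any repeat hands an observer two frames encrypted with the same keystream. The monitor below is an added example, not code from the article or from I-Sec; it flags IV reuse per access point over a constructed frame log (the two-column format is an assumption) and estimates how long a static key lasts at a given frame rate.

```python
from collections import defaultdict

IV_BITS = 24                    # WEP prepends a 24-bit IV to the static key for every frame
IV_SPACE = 1 << IV_BITS         # 16,777,216 per-frame keys before one must repeat under a static key

class WepIvMonitor:
    """Tracks the IVs each access point (BSSID) has used since its WEP key was last changed."""
    def __init__(self):
        self.seen = defaultdict(set)
        self.alerts = []
    def observe(self, bssid, iv):
        if not 0 <= iv < IV_SPACE:
            raise ValueError(f"IV {iv:#x} is not a 24-bit value")
        if iv in self.seen[bssid]:
            # Same key + same IV gives the same RC4 keystream, so two frames now expose each other.
            self.alerts.append((bssid, iv))
            return False
        self.seen[bssid].add(iv)
        return True
    def coverage(self, bssid):
        """Fraction of the IV space already consumed under the current key."""
        return len(self.seen[bssid]) / IV_SPACE

def hours_until_iv_exhaustion(frames_per_second):
    """Upper bound on how long a static key can go before every IV has been used once."""
    return IV_SPACE / frames_per_second / 3600

def parse_frame_line(line):
    # Constructed log format "<bssid> <iv as six hex digits>", not any real sniffer's output.
    bssid, iv_hex = line.split()
    return bssid.lower(), int(iv_hex, 16)

# Constructed sample: the last line repeats IV 0x00000a on the first access point.
SAMPLE_FRAMES = """\
00:0c:41:aa:bb:cc 00000a
00:0c:41:aa:bb:cc 00000b
00:0c:41:dd:ee:ff 00000a
00:0c:41:aa:bb:cc 00000a
"""

def run(lines=SAMPLE_FRAMES):
    mon = WepIvMonitor()
    for line in lines.splitlines():
        if line.strip():
            mon.observe(*parse_frame_line(line))
    return mon

if __name__ == "__main__":
    m = run()
    print("IV reuse alerts:", m.alerts)
    # A busy 11Mbit/s cell at ~1000 frames/s burns the IV space in under five hours.
    print("hours to exhaustion at 1000 frames/s:", round(hours_until_iv_exhaustion(1000), 2))
```

The exhaustion figure is an upper bound: cards that pick IVs sequentially or from a small counter repeat far sooner, which is why the article's "matter of hours" is realistic on a busy network.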

Additional layer
The bottom line is that even WEP-enabling your network won't necessarily stop a determined hacker. One way around the problem has been to layer additional security on top of the flawed security in the 802.11b protocol. But although authenticating users with established remote authentication dial-in user service (RADIUS) mechanisms may help to ensure that only the right users get access to the system, it won't stop hackers sniffing network packets. Virtual private networks using third-party encryption techniques are the strongest solution to the problem. Davies recommends using VPNs based on the commonly accepted IPSec encryption protocol, for example.

But things will get more difficult as more powerful wireless network technology comes into play, says Salmon. "[VPN technology] fitted with 802.11b because you were only talking about 11Mbit/sec," he explains. "The hardware could cope with that. With 50Mbit/sec, you have gigabytes of data going up there." In truth, while the 802.11a standard that promises to supersede the 802.11b standard in many areas can have up to five times the throughput of the older standard, technical reviewers from magazines such as eWeek have found that, just as with 802.11b, 802.11a networks generally achieve about half the maximum throughput in real-world environments. Anything over that is a bonus. HiperLAN/2, a European equivalent of 802.11a and standardised by the European Telecommunications Standards Institute, also promises higher throughput than 802.11b.

While VPN encryption can alleviate the problems with WEP, the authentication issue remains - the lack of dynamic key management means that it's relatively easy for hackers to infiltrate WLANs. Another potential problem is the fact that 802.11b networks only require the access point to validate the user, and not the other way around. Unless additional authentication has been built into a system, all that a hacker has to do is plug another access point into the network to impersonate a valid access point and gather network keys from unwitting clients.

Mutual authentication
Luckily, the industry has been working on better wireless authentication technologies to solve this problem. Microsoft, Hewlett-Packard and 3Com developed 802.1x, a standard that was ratified in June 2001 by the IEEE. 802.1x does what 802.11b didn't by introducing mutual authentication technology so that the access point has to prove its identity to the client. Also, whereas the wireless access point itself acted as a weak authentication system within 802.11b, 802.1x turns the wireless access point into a conduit, passing authentication information to a back-end security system (generally a RADIUS server). The other big advantage of using 802.1x is that unlike VPN technologies, it doesn't impose a per-packet encryption/decryption overhead. This means that there is no performance impact when scaling up bandwidth, making it just as suitable for 802.11a as it is for 802.11b.

The most important part of 802.1x is the extensible authentication protocol (EAP), a technology that enables network administrators to specify a number of different authentication mechanisms in a wireless networking session. Generally, the authentication mechanisms would be handled by a back-end server, with the wireless access point merely serving as a conduit between the server and the client device. The upside of this for the customer is that once an access point supports 802.1x and EAP, it won't have to be upgraded to support each new authentication mechanism that comes out. 802.1x will also make it easier for users to roam wirelessly between different access points (useful if you have a large building, a multi-building campus or multiple offices), because now all authentication can be done from a single point.

The enhanced authentication is great, but unfortunately 802.1x doesn't provide any new encryption technology itself. On the other hand, enabling the use of multiple authentication technologies via EAP enables administrators to choose an authentication mechanism that includes key management. This provides the ability to issue encryption keys dynamically, meaning that if you do want to use WEP, you can change keys on a regular basis and avoid others decrypting your keys.
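The three-party arrangement described in the last few paragraphs (supplicant, access point as a pass-through authenticator, back-end server that verifies credentials and hands back a per-session key) can be modelled directly. The simulation below is an added example, not the article's or any vendor's code: the challenge-response method it uses is a constructed toy keyed by the user's password, standing in for a real EAP method, and it shows the server proving itself before the client responds, the access point holding no credentials and keeping its data port closed until an accept, and a fresh key per session.

```python
import hashlib
import hmac
import os

def prf(key: bytes, *parts: bytes) -> bytes:
    # Keyed pseudo-random function behind every proof and the session-key derivation.
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()

class AuthServer:
    """Back-end (RADIUS-style) server: the only element that holds user secrets."""
    def __init__(self, users):
        self.users = users            # {identity: password bytes}; toy store, one session at a time
        self.nonce = b""
    def start(self, identity, client_nonce):
        pw = self.users.get(identity)
        self.nonce = os.urandom(16)
        # Server proves knowledge of the user's secret first: this is the mutual half.
        proof = prf(pw, b"server", client_nonce, self.nonce) if pw else b""
        return self.nonce, proof
    def finish(self, identity, client_nonce, response):
        expected = prf(self.users[identity], b"client", self.nonce, client_nonce)
        if not hmac.compare_digest(expected, response):
            return None               # Access-Reject
        return prf(self.users[identity], b"key", client_nonce, self.nonce)  # key in Access-Accept

class AccessPoint:
    """Authenticator: a conduit that relays the exchange and holds no credentials."""
    def __init__(self, server):
        self.server, self.session_key, self.port_open = server, None, False
    def relay_start(self, identity, cn):
        return self.server.start(identity, cn)
    def relay_finish(self, identity, cn, resp):
        self.session_key = self.server.finish(identity, cn, resp)
        self.port_open = self.session_key is not None   # data port stays closed until accepted
        return self.port_open

class Client:
    """Supplicant: checks the server's proof before sending anything derived from its password."""
    def __init__(self, identity, password):
        self.identity, self.pw = identity, password
    def connect(self, ap):
        cn = os.urandom(16)
        sn, proof = ap.relay_start(self.identity, cn)
        if not hmac.compare_digest(prf(self.pw, b"server", cn, sn), proof):
            return None               # a rogue access point/server cannot get past this step
        if not ap.relay_finish(self.identity, cn, prf(self.pw, b"client", sn, cn)):
            return None
        return prf(self.pw, b"key", cn, sn)   # matches the key the AP received from the server
```

Note that a second `connect()` yields a different key because both nonces are fresh, which is the dynamic keying that a static WEP deployment lacks.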

Way forward
So how will encryption improve? The only way forward for WEP, other than dynamic key management, is to use greater key lengths, making them harder to decrypt. VPNs are the other option, using established encryption technologies such as IPSec or the point-to-point tunnelling protocol (PPTP). Some extensions to EAP are appearing for the management of VPN session keys. These include EAP-TLS, EAP-TTLS, the protected extensible authentication protocol (PEAP) and EAP-mutual authentication protocol.

What does all this mean for resellers? For enterprise-class applications, selling 802.11b-compliant access points and clients alone won't give you the best security option, because authentication is flawed and encryption key management is difficult. Using 802.1x equipment will give you stronger authentication and better WEP key management. The alternative is to use 802.11b access point hardware with VPN server software built into the access point, or end-to-end VPN sessions between the client and the server. But again, authentication under 802.11b will still be an issue.

As the industry gradually moves to 802.1x, companies will begin to feel safer with WLANs, but like most technologies, it is far from perfect, according to academics. Professor William Arbaugh of the University of Maryland already claims to have found vulnerabilities in the standard that render networks open to attack. This attack on a relatively new standard shows how volatile the wireless networking industry is, and how much effort resellers will need to put into securing such networks, possibly using combinations of third-party products.

The use of wireless networking also creates other challenges, such as laptop management. WLANs will appeal to laptop users who move around constantly, but companies that mobilise their users in this way must make sure that laptops and PDAs (the latter offer notoriously bad security) are taken care of. Providing secure wireless LAN access to a laptop user is all fine and dandy, unless he leaves his laptop - complete with unencrypted locally stored data and his password stored in an Outlook note - in the back of a cab. This represents just as much of an opportunity for resellers as the more complex security technology that will form part of any WLAN sale.

Further resources
The Unofficial 802.11 Security Web page:
802.11 Planet - resource site for 802.11 issues:
Wireless Ethernet Compatibility Alliance:
IEEE 802 standards site:
The Maryland University 802.1x vulnerability paper:
802.11a white paper by Proxim:
HiperLAN/2 information page:
