by John Stehman

What’s Really New In WLAN Security?

Jun 30, 2003 | 9 mins
CSO and CISO, Data and Information Security

RFG believes wireless local area network (WLAN) security is on the threshold of providing acceptable security for many enterprise applications, but only if the security requirements for wireless-accessible applications are accurately identified and addressed. In addition, enterprises must be capable of actively monitoring WLAN security to detect both security breaches and improperly configured security options. IT executives should scrutinize WLAN security needs carefully, and ensure WLAN security includes business application security requirements, as well as the administration, configuration, and monitoring capabilities needed to maintain acceptable enterprise security.

Business Imperatives:

  • To select suitable WLAN security, enterprises should first clarify what security measures are available, as well as applications’ end-to-end security requirements. IT executives should begin by identifying application requirements for authentication and data encryption, and then checkpoint these requirements against available WLAN security capabilities.
  • Recently, the Wi-Fi Alliance in conjunction with the Institute of Electrical and Electronics Engineers (IEEE) announced Wi-Fi Protected Access (WPA), to provide stronger, interoperable security as a functional replacement to the Wired Equivalent Privacy (WEP) protocol. IT executives should understand the strengths and weaknesses of both WEP and WPA, and then evaluate if and how these items could fit into their overall WLAN security scheme.
  • Traditional network and security management tools may not be up to the task of proactively monitoring and maintaining WLAN security. As a result, a new generation of WLAN security tools is now available, and should be considered as a key component of WLAN architectures. IT executives should familiarize themselves with this new breed of WLAN security products, and consider incorporating them into their WLAN infrastructures.

WLAN growth continues to be spurred by two simple facts: WLANs are inexpensive to deploy, and they work. Consequently, it is not surprising that the flexibility and user mobility provided by WLANs continue to generate high levels of enterprise interest. However, concerns about security complexity, costs, and effectiveness still remain, even as enterprises struggle to develop and deploy secure access to WLAN applications. WLAN security remains very fluid indeed, and several important new measures are now available, or on the near horizon for 2003. The objective of this Research Note is to provide IT executives with a straightforward overview of current WLAN security measures, as well as the latest initiatives that are promised to arrive this year.

The first generation of WLANs, commonly known as Wi-Fi, consists of 802.11b products that operate in the unlicensed 2.4-gigahertz (GHz) frequency band with raw data speeds of 11 megabits per second (Mbps). These products also provide several different security mechanisms, including WEP and access control lists (ACLs) to block unauthorized users, and encrypt data transmissions. Unfortunately, in many instances, these basic security measures are not fully or properly utilized, resulting in poor security that is not compliant with enterprise requirements.

Likewise, the static key exchange process, along with WEP’s original, feckless 40-bit encryption, presents an easy target for hackers to penetrate unless other security measures, such as virtual private networks (VPNs), are employed. Despite their flaws, the more robust 128- and 256-bit versions of WEP do provide minimal security compared to no security at all. Regrettably, many 802.11b networks still fail to activate WEP encryption, providing an easy target to network hackers and mobile war-drivers.

One reason for this situation is that WEP is a WLAN security option that takes time to activate and configure for each access point (AP) and remote wireless user. The bigger the network, the more time it takes administrators to properly configure and test WEP. Still, enterprises should always implement the highest level of WEP as the lowest level of security for WLAN applications. IT executives should then implement the additional security measures required by each wireless-enabled application based on the requirements stated in business application profiles (BAPs) or their equivalents.

The next step up to more robust WLAN protection requires the addition of the IEEE standard designated as 802.1X. This standard provides the framework for controlled port access between wireless client devices, access points, and servers, and replaces WEP’s static key process with a dynamic key exchange mechanism. As a result, the 802.1X key exchange process makes it easy to rotate security keys, and requires an authentication scheme, such as Remote Authentication Dial-In User Service (RADIUS).

802.1X also requires the use of the Extensible Authentication Protocol (EAP). EAP is an upper-layer authentication protocol that provides a challenge-response for users attempting to connect to the WLAN. Since there are several different implementations of EAP available, interoperability between vendors could pose a problem. As an example, Cisco Systems, Inc. supports its own proprietary version of EAP, known as lightweight EAP (LEAP), to derive the encryption keys for each user and for each wireless session.

The essential point is that WLAN security can be easily improved by implementing the following sequence of actions. (Note: WPA is not included here because it is not yet available in WLAN vendor products.)

  • Verify antenna characteristics, radiation patterns, and transmit power are aligned with the required coverage area to limit stray radio frequency (RF) signals that could be intercepted.
  • Block the broadcast transmission of the Service Set Identifier (SSID), and change the SSID from all manufacturer defaults on a regular basis.
  • Use Media Access Control (MAC) layer filtering and access control lists in APs.
  • Implement 802.1X security for authentication.
  • Utilize WLAN analyzers and intrusion detection products to maintain security and detect rogue APs.
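
The checklist items that can be read from a survey export, together with rogue AP detection, expressed as an audit script. This is an added example, not part of the original Research Note; the inventory, SSIDs, survey records and field names are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed reference data; names and values are illustrative assumptions.
DEFAULT_SSIDS = {"linksys", "default", "tsunami"}  # sample factory SSIDs
CORP_SSIDS = {"corp-wlan"}
# Authorized inventory: BSSID -> highest WEP key size the hardware supports.
INVENTORY = {"00:11:22:aa:bb:01": 128, "00:11:22:aa:bb:02": 128}

@dataclass
class AP:
    bssid: str             # radio MAC address seen over the air
    ssid: str
    broadcasts_ssid: bool
    wep_bits: int          # 0 means encryption is off
    port_auth: bool        # 802.1X authentication enabled
    mac_filter: bool       # MAC-layer ACL enabled

def audit(ap):
    """Return the checklist findings for one observed access point."""
    best = INVENTORY.get(ap.bssid.lower())
    if best is None:
        # Not in inventory: an unknown radio advertising a corporate SSID
        # is the "rogue AP in disguise" case and is reported separately.
        return ["rogue AP using corporate SSID" if ap.ssid in CORP_SSIDS
                else "unknown AP"]
    checks = [
        (ap.broadcasts_ssid, "SSID broadcast enabled"),
        (ap.ssid.lower() in DEFAULT_SSIDS, "manufacturer default SSID"),
        (ap.wep_bits == 0, "WEP disabled"),
        (0 < ap.wep_bits < best, "WEP below highest supported level"),
        (not ap.port_auth, "802.1X authentication not enabled"),
        (not ap.mac_filter, "MAC filtering disabled"),
    ]
    return [message for failed, message in checks if failed]

# Constructed survey records, as a WLAN analyzer might export them.
SURVEY = [
    AP("00:11:22:aa:bb:01", "corp-wlan", False, 128, True, True),
    AP("00:11:22:aa:bb:02", "linksys", True, 40, False, True),
    AP("de:ad:be:ef:00:01", "corp-wlan", True, 0, False, False),
    AP("de:ad:be:ef:00:02", "coffee-shop", True, 0, False, False),
]

def run_audit(survey=SURVEY):
    """Map each observed BSSID to its findings (empty list = compliant)."""
    return {ap.bssid: audit(ap) for ap in survey}

if __name__ == "__main__":
    for bssid, findings in run_audit().items():
        print(bssid, "->", findings or ["compliant"])
```

Antenna placement and transmit power are not covered, since they require an RF site survey rather than a configuration check.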

Now that WPA has been announced, enterprises should expect significant improvements and tighter security for those WLANs that are upgraded to support WPA. Basically, WPA is a subset of the forthcoming IEEE 802.11i security standard that will probably not be ratified until late this year. Because of the current WLAN security situation, the IEEE made a judicious decision to pre-release a portion of the 802.11i security specification, now designated as WPA. In addition, the Wi-Fi Alliance, a nonprofit organization that currently certifies interoperability of IEEE 802.11 products, is gearing up to begin the Wi-Fi certification for all WPA-capable products. The Wi-Fi Alliance had five basic objectives in mind for WPA security.

  • To allow existing Wi-Fi products to be easily upgraded via software.
  • To be available no later than the summer of 2003.
  • To be forward compatible with the full 802.11i security standard.
  • To provide improved authentication security for enterprise and home users.
  • To release a standards-based, interoperable replacement for WEP.

IT executives should understand that WPA provides two important improvements over existing WLAN security.

  • Dynamic key exchange mechanisms and improved data encryption: Temporal Key Integrity Protocol (TKIP) will support dynamic key management, improved message integrity checks, and a per-packet key-mixing function. TKIP will undoubtedly make a hacker’s job much more difficult.
  • Strong mutual authentication: EAP will verify that the user is indeed who they say they are, and that the wireless AP is a valid network component, and not a rogue AP in disguise.

From a product availability standpoint, WLAN vendors have already committed to support WPA security via firmware or software upgrades, with actual product availability this summer. RFG believes IT executives should consider WPA as a critical security upgrade, and contact their respective WLAN vendors to understand how and when they will support a WPA upgrade. In the interim, IT executives should verify that the full complement of WEP-based security described earlier in this Research Note is operational, especially for WLANs that will not be upgraded to WPA in the near future.

After upgrading to WPA, the next significant security event will be the release of the 802.11i security standard, which is intended to plug all remaining known holes in WLAN security. Although the IEEE has targeted its availability as late 2003, it is unlikely that products will be available before 2004. Also worth noting is the fact that 802.11i mandates the use of the Advanced Encryption Standard (AES), a powerful block cipher algorithm that is computationally taxing for existing WLAN products. Consequently, it is probable that upgrading WPA security to full compliance with the 802.11i standard will not be as simple or as inexpensive as the upgrade from WEP to WPA. At this point, vendor upgrade paths from WPA to 802.11i remain unclear, although several companies have stated that existing WLAN products will require hardware accelerators to support the AES computations.

Finally, enterprises will be required to invest in proactive security management and diagnostic tools capable of preemptively monitoring WLAN security performance to detect and prevent hacking attacks, especially from rogue APs. Existing network management platforms were not designed to support WLAN security, and in many cases, adding the required functionality does not appear to be straightforward or inexpensive.

Therefore, a new generation of companies that focus on software tools that provide WLAN performance and security monitoring is emerging. Although traditional network management companies, including Computer Associates International, Inc. (CA), Hewlett-Packard Co. (HP), and Micromuse Inc., are clearly beginning to address WLAN security, numerous innovative WLAN-focused companies appear to be one step ahead of them. As a part of WLAN security planning, enterprises should become familiar with the available products and tools that could help administer, maintain, and monitor WLAN security.

Some examples of the innovative companies that provide WLAN security analysis, detection, and management tools include AirMagnet Inc., Latis Networks Inc., and Yo Inc. A condensed, but not comprehensive, summary of the WLAN security management functionality these companies provide is as follows.

AirMagnet’s WLAN products are available for the PocketPC or Windows-based laptops, and enable network and security personnel to administer, analyze, and manage WLAN environments. AirMagnet products also detect rogue APs, identify performance problems, provide security alerts, and perform site surveys to properly locate APs and antennae.

Latis Networks’ StillSecure Border Guard Wireless product helps protect networks from rogue wireless users and malicious intrusions. Border Guard sits at the border of wireless and wired networks, and blocks intrusions before they enter the corporate network, enforces VPN traffic over the WLAN, and protects against unauthorized users.

Yo’s VisEdge provides a secure, private network platform that secures the entire connection from user device to the specific business applications. VisEdge also helps automate most of the network security and connectivity processes related to remote network access and network resource distribution.

RFG believes IT executives should scrutinize WLAN security from a broad viewpoint that includes identifying application security requirements in conjunction with the administration, configuration, and monitoring capabilities needed to maintain acceptable security levels. Although different WLAN security solutions are available, WPA represents the next most logical step to bolster WLAN security. IT executives should also identify, test, and implement the required administration and security management tools essential to support WLANs, and ensure the appropriate costs are included in IT budgets.

RFG analyst John Stehman wrote this Research Note. Interested readers should contact RFG Client Services to arrange further discussion or an interview with Mr. Stehman.