Cyber Security Institute

Monday, August 23, 2004

Wi-Fi Plays Defense

The new 802.11i wireless LAN security standard is a step forward, but Wi-Fi LANs still aren’t impervious to attacks.  Unbounded by the physical constraints of cabling and walls, wireless LANs have proved tricky to secure.

Now that the long-awaited 802.11i standard for enhanced WLAN security has been ratified, can IT assume that WLANs have grown as secure as their cabled counterparts?  Much of it has already been available for about 18 months in an 802.11i subset called Wi-Fi Protected Access (WPA).  And while standards-based security technology plays a big part in protecting enterprises, the issues reach beyond a signed set of technical specs.

For example, there’s a broad installed base of specialized client devices, such as bar code scanners, that run the MS-DOS operating system.  They are not upgradable, even to earlier versions of authentication and encryption, let alone to 802.11i, which requires Advanced Encryption Standard protection.  As enterprises expand their WLANs, these legacy devices might well become the weakest link in the wireless security chain.

And some administrators lack confidence in their ability to properly implement the various pieces of WLAN security, particularly since new attacks regularly make headlines.  WPA also uses the industry-standard 802.1x framework for strong user authentication.  And AES, the U.S. government block-cipher standard for 128-bit data encryption, replaces the RC4 stream-cipher encryption that WEP and WPA use.

Through 2006, 70% of successful Wi-Fi attacks will occur as a result of the misconfiguration of APs and client software, according to Gartner Inc.

This is why the Bethesda, Md.-based SANS Institute, which offers information security training and certification, recommends regular wireless audits.  For example, if an enterprise has adopted 802.1x and has selected Protected Extensible Authentication Protocol, one of several available authentication methods, network administrators should regularly check that all APs are indeed configured for PEAP.  In addition, airborne packets should be regularly examined using a wireless protocol analyzer to verify that they are actually using the EAP method selected.
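A minimal sketch of the second check, added here as an illustration and not taken from the article or from SANS: it reads the EAP type byte (RFC 3748) from EAPOL frames and reports any method other than the approved one. It assumes the EAPOL payloads have already been extracted from a capture; the AP labels, sample frames and helper names are constructed.

```python
import struct

# EAP method type numbers from the IANA EAP registry (RFC 3748 and later).
EAP_METHODS = {4: "MD5-Challenge", 13: "EAP-TLS", 17: "LEAP", 21: "EAP-TTLS", 25: "PEAP"}
NEGOTIATION_ONLY = {1, 2, 3}  # Identity, Notification, Nak: no method in use yet
APPROVED = 25                 # assumption: site policy mandates PEAP

def eap_method(eapol: bytes):
    """Return the EAP method type carried in one EAPOL frame, or None."""
    if len(eapol) < 4:
        return None
    _version, pkt_type, body_len = struct.unpack("!BBH", eapol[:4])
    if pkt_type != 0:                      # 0 = EAP-Packet; skip Start/Logoff/Key
        return None
    eap = eapol[4:4 + body_len]
    if len(eap) < 5:                       # Success/Failure carry no type byte
        return None
    code, _ident, eap_len = struct.unpack("!BBH", eap[:4])
    if code not in (1, 2) or eap_len < 5 or eap_len > len(eap):
        return None                        # not Request/Response, or truncated
    method = eap[4]
    return None if method in NEGOTIATION_ONLY else method

def audit(frames, approved=APPROVED):
    """frames: iterable of (ap_label, eapol_bytes). Returns policy violations."""
    findings = []
    for ap, raw in frames:
        method = eap_method(raw)
        if method is not None and method != approved:
            findings.append((ap, EAP_METHODS.get(method, f"type {method}")))
    return findings

def _frame(code, method, payload=b""):
    """Build a constructed EAPOL EAP-Packet frame for the sample below."""
    eap = struct.pack("!BBHB", code, 1, 5 + len(payload), method) + payload
    return struct.pack("!BBH", 1, 0, len(eap)) + eap

# Constructed sample capture; AP labels and payload bytes are made up.
SAMPLE = [
    ("ap-lobby", _frame(1, 1)),                        # Identity request
    ("ap-lobby", _frame(1, 25, b"\x20")),              # PEAP request
    ("ap-warehouse", _frame(1, 17, b"\x01\x00\x08")),  # LEAP request
    ("ap-lab", struct.pack("!BBH", 1, 0, 4) + b"\x03\x01\x00\x04"),  # EAP-Success
    ("ap-lab", _frame(2, 3, b"\x19")),                 # Nak proposing PEAP
]

if __name__ == "__main__":
    for ap, name in audit(SAMPLE):
        print(f"{ap}: saw {name}, expected PEAP")
```

In a real audit the frames would come from the protocol analyzer's export, where EAPOL sits behind the 802.11 and LLC/SNAP headers under EtherType 0x888E.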

Another recommended practice is treating the WLAN as an untrusted network, like the Internet, and putting a firewall or gateway where wireless and wired networks meet.

Most enterprises will select an EAP authentication method based on the type of database they have.  Cisco’s broadly deployed Lightweight EAP supports easier-to-manage username/password schemes but is prone to off-line dictionary attacks in shops that can’t enforce strong password policies. LEAP also supports mutual authentication, an 802.11i recommendation, as do PEAP and another common method, EAP-Tunneled Transport Layer Security.  Less than 30% of devices in the field are outfitted with mutual authentication today, leaving many deployments exposed.

Even the world’s largest WLAN operator—Microsoft Corp.—isn’t using WPA yet on its 4,500-AP WLAN, built on APs from Cisco Systems Inc. Many of Microsoft’s older APs are first-generation technology and are not WPA-capable.  Microsoft is poised to make a wholesale change to its global WLAN infrastructure, which supports about 100,000 unique mobile devices.  “11i is our main goal, but we can’t move to it yet because no NICs support it,” says Don Berry, the wireless network engineer who has overseen Microsoft’s global WLAN implementation since 1999.  He estimates that less than 30% of devices in the field are outfitted with mutual authentication today, leaving many deployments exposed.

Posted on 08/23