A CompuCom Perspective - Wireless LAN Security:

Transcription

1 A CompuCom Perspective - Wireless LAN Security: A White Paper Prepared by CompuCom s ConvergeMobile and Security Practices September 2003 Introduction... 2 Benefits of Wireless LANs... 2 Productivity... 2 Mobile and Real-time Applications... 2 Reduced Cost... 2 WLAN Security Challenges and Problems... 2 Physical Security... 2 WLAN Security Shortcomings... 3 WEP... 3 Non-Broadcast SSID... 3 MAC Address Filtering... 3 Proprietary Security Solutions... 3 Misconfiguration... 4 Rogue Access Points... 4 WLAN Security Solutions... 4 WPA... 4 TKIP X/EAP... 4 PSK... 5 WLAN Gateways... 5 WLAN Monitoring... 5 The Future i... 6 Summary and Conclusions... 6 Glossary... 7

2 2 Introduction It is now possible to implement secure Wireless Local Area Networks (WLANs) at a reasonable cost. Much has been written about the security issues surrounding the use of WLANs and many organizations have postponed implementation of WLANs due to security concerns. Unfortunately, this reaction causes organizations that postpone deployment to miss out on the many benefits of WLANs. A number of vendors and industry groups have been working on the challenge of WLAN security and have developed effective WLAN safeguards that reduce the risk to predictable, acceptable and manageable levels. Benefits of Wireless LANs Productivity Increased productivity is a key benefit of WLANs. With a WLAN employees can easily make use of network connectivity in a variety of locations including conference rooms, co-workers offices, labs and cafeterias. Network connectivity provides the ability to communicate, look up accurate information and capture data without re-keying. With a WLAN employees can make more effective use of their time and collaborate more effectively. Various studies have shown that employees using a WLAN gain 30 to 90 minutes of productivity a day and experience an increase in job satisfaction. 1,2 Mobile and Real-time Applications WLANs provide the means to enable new mobile and real-time applications. These applications can greatly improve a variety of processes through increased productivity, greater data accuracy and better decision making. The applications allow data to be delivered and captured instantaneously from any location within a facility or campus. Some examples of industries where WLANs are enabling new applications include health care, warehousing and distribution, manufacturing, retail, food service, hospitality and travel. Reduced Cost Compared to wired networks, WLANs are easy and inexpensive to install and modify. With a WLAN it is only necessary to run wire to access point locations instead of to every network client. When client devices move, there is no need to rewire. A WLAN infrastructure can enable an organization to reorganize floors and whole buildings plus process moves, adds and changes without rewiring their data infrastructure. WLANs are particularly cost effective in temporary spaces, classrooms or auditoriums, large spaces that would otherwise require fiber runs, and building-to-building bridging. WLAN Security Challenges and Problems Physical Security With most wired LANs, the primary and usually only safeguard against unauthorized access is physical security. By controlling access to facilities, organizations control access to network connections. Unlike wired network connections, WLANs cannot be put under lock and key. Although careful WLAN design can minimize signal leakage outside a facility it cannot completely eliminate it. 1 NOP World Technology on behalf of Cisco Systems, Wireless LAN Benefits Study, Fall Microsoft Information Technology Group Case Study, Mobility: Empowering People Through Wireless Networks, August 2002

3 3 Also, within a facility there is no visual confirmation that a WLAN device is connected to the network, such as a cable plugged into a wall jack. For these reasons, security safeguards other than physical security must be used with WLANs. A strong argument can be made that physical security used as the only safeguard on most current wired networks is insufficient. Access to wired networks should require authentication and authorization. In the future, the majority of wired networks will have safeguards similar to those we will discuss below for wireless networks. WLAN Security Shortcomings The basic security mechanisms previously built into WLANs had some major weaknesses. The following discusses the problems with WEP, non-broadcast SSIDs and MAC address filtering. WEP WEP (Wired Equivalent Privacy) is the primary security mechanism built into WLAN devices. WEP provides encryption of data using a shared key that is entered on both access point and clients. Any wireless client that has the WEP key can gain access to the network. WEP has several weaknesses. First, due to a weakness in the way WEP keys are initialized between the client and access point, WEP keys can be cracked relatively easily. In fact, there are tools such as WEPCRACK that will do it automatically. Secondly, WEP keys are difficult to manage effectively. They are static so they must be distributed to an entire group of users and once distributed they are difficult to change. Finally, WEP keys are stored on client devices, so a stolen device would have access to the network. Non-Broadcast SSID SSID (Service Set Identifier) is the name given to a wireless network. A wireless client must provide the SSID to associate to the wireless network. Most access points provide the capability to turn off SSID broadcasting, which removes the clear text SSID from beacon and probe response frames. With broadcast turned off the client must know the SSID since it won t be visually presented on a list of wireless networks. Turning off SSID broadcast provides very rudimentary security. Non-broadcast SSIDs do not provide adequate security because they must be widely communicated to users, they don t change and can be easily sniffed. Furthermore, all client devices must have the SSID configured (always in clear text) to access the network. MAC Address Filtering MAC address filtering, also known as access control list (ACL), is a common security mechanism built into many access points. MAC address filtering allows network access to be limited to specific MAC addresses. It has several drawbacks. First of all, client MAC addresses can be easily changed making it possible to spoof the MAC address of an authorized client. Since MAC addresses are transmitted in clear text, it is easy to sniff valid MAC addresses. Secondly, MAC address filters are extremely difficult to manage and keep up to date. Proprietary Security Solutions Recognizing the security weaknesses in WLAN standards, a number of WLAN equipment manufacturers have provided proprietary security solutions. Proprietary security solutions vary in the strength of the security they offer, but all provide a dramatic improvement over standard WEP. The big problem with these solutions is that their proprietary nature severely limits flexibility. Proprietary solutions typically require all access points and client devices be provided by the same manufacturer. This adds cost and complexity and limits the devices an organization can use. For these reasons, CompuCom has always recommended that clients adhere to standards based security solutions whenever possible.

4 4 Misconfiguration Although WLANs have security weaknesses, the biggest problem with many of today s WLANs is failure to properly implement the security that is available. Many of the WLAN security concerns arise from published stories in which networks are accessed through access points with no security whatsoever. Often, failure to adequately configure a WLAN is brushed off with the excuse, we are just trying wireless out. These extended tests do not change the fact that a wide-open WLAN with default access point settings is an invitation to unauthorized access. Regardless of the technology in use (wired or wireless), test systems belong on test networks instead of in the production environment. Rogue Access Points A rogue access point is an access point that is plugged into an organization s network without the authorization of the network administrator. Rogue access points are an issue for all organizations, whether they officially make use of WLANs or not. Consumer WLAN equipment is popular and affordable and employees want to benefit from the same productivity advantages they gain using a WLAN at home. An employee or department may purchase a WLAN access point and plug it into the organization s network, usually with little regard for network security. Organizations need to communicate policies against the use of unauthorized access points and make use of WLAN analyzers or monitoring tools to detect and eliminate rogue access points. Beyond the security threats posed by rogue access points, they can also negatively impact the performance of a carefully designed WLAN by causing frequency interference. WLAN Security Solutions The WLAN industry has recognized the security weaknesses of WLANs and taken steps to greatly improve security. These efforts have resulted in new standards and tools to address security concerns. Products incorporating the new standards are available now. WPA WPA (Wi-Fi Protected Access) is a new, interoperable security specification that addresses the shortcomings discussed in the previous section and provides effective WLAN security for organizations. WPA provides strengthened encryption and authentication that addresses all known security threats. WPA is available in most products now and will be required for Wi-Fi Certification by Q4/2003. WPA can be installed as a software update on most existing WLAN devices. TKIP WPA uses a greatly enhanced encryption scheme called TKIP (Temporal Key Integrity Protocol). TKIP replaces WEP s single, 40-bit static key with 128-bit keys that are dynamically generated. TKIP uses a key hierarchy and key management methodology that removes the predictability which intruders relied upon to exploit the WEP key. TKIP also includes a Message Integrity Check (MIC) to protect against packet forgeries, replays or spoofing X/EAP WPA uses 802.1X and EAP (Extensible Authentication Protocol) to provide authentication using a RADIUS server X/EAP has been available in a number of access points for some time. IEEE 802.1X is a port-based network access control method for both wired and wireless networks. EAP handles the presentation of users credentials such as digital certificates, usernames and passwords, or hardware tokens. WPA allows flexibility in the type of credentials used and the EAP type. Industry standard EAP types such as EAP-TLS, EAP-

5 5 TTLS and PEAP are supported by a wide variety of client devices, access points and RADIUS servers X and EAP provide a framework for authenticating and controlling user traffic to a protected network and dynamically varying encryption keys. Initial 802.1X communications begins with a client device attempting to connect with an access point. The access point responds by enabling a port for passing only EAP packets from the client to an authentication server, such as RADIUS, located on the wired side of the access point. The access point blocks all other traffic until the access point can verify the client's identity using an authentication server. Once authenticated, the access point opens the client's port for other types of traffic. PSK WPA also takes into account the security needs of small businesses and homes that do not want to purchase and maintain a backend authentication server. This is accomplished by using TKIP encryption enabled through the use of a PSK (Pre-shared Key). The PSK is a password that is configured on both the access points and client devices. Using a PSK is similar to using WEP without the encryption weaknesses. WLAN Gateways WLAN gateways are appliances that sit between access points and an organization s network. These devices typically support advanced security functionality and other WLAN management features. WLAN gateways can provide security in conjunction with or independent of 802.1x/EAP. Security features provided by WLAN gateways that are above and beyond those provided by WPA include termination of IPSec or PPTP VPN connections and rolebased access control. In addition to security, WLAN gateways can provide other functionality such as cross subnet roaming and role-based bandwidth management. WLAN Monitoring As mentioned above, all organizations need to be concerned about rogue access points. WLAN analyzers and WLAN monitoring tools are available to help in identifying rogues access points. A WLAN analyzer is a wireless network sniffer than can help organizations identify and find rogue access points. Using a WLAN analyzer to find rogue access points is a manual process in which someone must walk around a facility capturing radio signals. WLAN monitors provide an automated approach to identifying and finding rogue access points. With WLAN monitors sensors are placed in an environment to look for and analyze radio signals. When a rogue access point is identified an alert is sent to a management console.

6 6 Some vendors are providing products that act as the wireless equivalent of a honeypot. When they detect certain tools utilized to attack wireless networks the honeypot device will broadcast vulnerable configuration information to the attacker. With the propensity of attackers to go for the most vulnerable device in an environment this can stop or delay attacks on the actual corporate network. The Future i A new WLAN security specification named IEEE i is expected to be ratified in Q1/ i is similar to WPA, except that i will also include AES (Advanced Encryption System). Because it uses AES, i will require new WLAN hardware to handle the computational overhead. However, TKIP encryption will also be included in i and WPA is forward compatible with i. CompuCom s viewpoint is that since WPA runs on existing hardware, is available immediately, and provides nearly all the benefits of i, organizations should not wait for i before deploying WLANs. Summary and Conclusions Great strides have been made in the area of WLAN security. Effective, standards-based WLAN security solutions are now available. For organizations that have postponed WLAN deployments due to security concerns, there is no longer a need to wait. Technologies such as 802.1X/EAP, TKIP, and WLAN gateways provide robust security while enabling organizations to realize the benefits of WLANs. Organizations that are already using WLANs need to reexamine their security measures in light of these new, standards-based security technologies. These organizations should look to implement these technologies to address security issues. Organizations that are using proprietary WLAN security solutions should examine the benefits of moving to a standards-based approach. All organizations need to be concerned about rogue access points. WLAN analyzers or monitoring tools can be used to proactively address the problem of rogue access points. Even though an organization may have chosen not to implement WLANs, the threat of rogue access still exists and should be monitored.

7 7 Glossary 802.1X IEEE standard for port-based network access control. It provides a means of authenticating and authorizing devices that attach to a LAN port. This standard defines the Extensible Authentication Protocol (EAP), which uses a central authentication server to authenticate each user on the network a IEEE specification for WLANs operating in the 5.8Ghz unlicensed frequency range with maximum speeds of 54Mbps b IEEE specification for WLANs operating in the 2.4Ghz unlicensed frequency range with maximum speeds of 11Mbps g IEEE specification for WLANs operating in the 2.4Ghz unlicensed frequency range with maximum speeds of 54Mbps g is backward compatible with b i - IEEE draft specification for enhanced WLAN security through the use of stronger encryption protocols such as the TKIP and AES (Advance Encryption Standard). These protocols provide replay protection, cryptographically keyed integrity checks, and key derivation based on the IEEE 802.1X port authentication standard i is expected to be ratified in Q1/2004. EAP Extensible Authentication Protocol. EAP is an 802.1X standard that allows passing of security authentication data between client, access point or switch and RADIUS server to authenticate users. There are a number of EAP variants including EAP-TLS, EAP-TTLS, LEAP and PEAP. EAP-TLS EAP Transport Layer Security. EAP-TLS provides for certificate-based, mutual authentication of the client and the network. EAP-TLS relies on client-side and server-side certificates to perform authentication, using dynamically generated user and session-based WEP keys distributed to secure the connection. EAP-TTLS EAP Tunneled Transport Layer Security. EAP-TTLS is an extension of EAP-TLS. Unlike EAP-TLS, EAP-TTLS requires only server side certificates, eliminating the need to configure certificates for each WLAN client. LEAP Lightweight Extensible Authentication Protocol. LEAP is primarily used in Cisco WLAN access points. LEAP provides security during credential exchange, encrypts data transmission using dynamically generated WEP keys, and supports mutual authentication. PEAP Protected Extensible Authentication Protocol. PEAP is an extension of EAP-TLS. Unlike EAP-TLS, PEAP requires only server side certificates, eliminating the need to configure certificates for each WLAN client. RADIUS - Remote Authentication Dial-In User Service. A client/server protocol and software that enables access servers to communicate with a central server to authenticate users and authorize their access to the requested system or service. RADIUS allows organizations to maintain user profiles in a central database that all remote servers can share. TKIP Temporal Key Integrity Protocol, pronounced tee-kip. TKIP is an encryption standard that provides per-packet key mixing, a message integrity check and a re-keying mechanism, thus fixing the flaws of WEP. Wi-Fi Wireless Fidelity. A WLAN industry group tasked with defining and certifying interoperability of WLAN devices. WEP Wired Equivalent Privacy. Prior to WPA, WEP was the standard for providing data encryption for WLANs using a shared key. WPA Wi-Fi Protected Access. WPA is a specification of standards-based, interoperable security enhancements that increases the level of data protection and access control for existing and future wireless LAN systems. WPA will be required for Wi-Fi certification by Q4/2003.