A CompuCom Perspective - Wireless LAN Security:

A White Paper
Prepared by CompuCom's ConvergeMobile and Security Practices
September 2003

Contents

Introduction
Benefits of Wireless LANs
Productivity
Mobile and Real-time Applications
Reduced Cost
WLAN Security Challenges and Problems
Physical Security
WLAN Security Shortcomings
WEP
Non-Broadcast SSID
MAC Address Filtering
Proprietary Security Solutions
Misconfiguration
Rogue Access Points
WLAN Security Solutions
WPA
TKIP
802.1X/EAP
PSK
WLAN Gateways
WLAN Monitoring
The Future - 802.11i
Summary and Conclusions
Glossary

Introduction

It is now possible to implement secure Wireless Local Area Networks (WLANs) at a reasonable cost. Much has been written about the security issues surrounding the use of WLANs, and many organizations have postponed implementation of WLANs due to security concerns. Unfortunately, this reaction causes organizations that postpone deployment to miss out on the many benefits of WLANs. A number of vendors and industry groups have been working on the challenge of WLAN security and have developed effective WLAN safeguards that reduce the risk to predictable, acceptable and manageable levels.

Benefits of Wireless LANs

Productivity

Increased productivity is a key benefit of WLANs. With a WLAN, employees can easily make use of network connectivity in a variety of locations including conference rooms, co-workers' offices, labs and cafeterias. Network connectivity provides the ability to communicate, look up accurate information and capture data without re-keying. With a WLAN, employees can make more effective use of their time and collaborate more effectively. Various studies have shown that employees using a WLAN gain 30 to 90 minutes of productivity a day and experience an increase in job satisfaction. [1, 2]

[1] NOP World Technology on behalf of Cisco Systems, Wireless LAN Benefits Study, Fall 2001
[2] Microsoft Information Technology Group Case Study, Mobility: Empowering People Through Wireless Networks, August 2002

Mobile and Real-time Applications

WLANs provide the means to enable new mobile and real-time applications. These applications can greatly improve a variety of processes through increased productivity, greater data accuracy and better decision making. The applications allow data to be delivered and captured instantaneously from any location within a facility or campus. Some examples of industries where WLANs are enabling new applications include health care, warehousing and distribution, manufacturing, retail, food service, hospitality and travel.

Reduced Cost

Compared to wired networks, WLANs are easy and inexpensive to install and modify. With a WLAN, it is only necessary to run wire to access point locations instead of to every network client. When client devices move, there is no need to rewire. A WLAN infrastructure can enable an organization to reorganize floors and whole buildings plus process moves, adds and changes without rewiring their data infrastructure. WLANs are particularly cost effective in temporary spaces, classrooms or auditoriums, large spaces that would otherwise require fiber runs, and building-to-building bridging.

WLAN Security Challenges and Problems

Physical Security

With most wired LANs, the primary and usually only safeguard against unauthorized access is physical security. By controlling access to facilities, organizations control access to network connections. Unlike wired network connections, WLANs cannot be put under lock and key. Although careful WLAN design can minimize signal leakage outside a facility, it cannot completely eliminate it.

Also, within a facility there is no visual confirmation that a WLAN device is connected to the network, such as a cable plugged into a wall jack. For these reasons, security safeguards other than physical security must be used with WLANs.

A strong argument can be made that physical security used as the only safeguard on most current wired networks is insufficient. Access to wired networks should require authentication and authorization. In the future, the majority of wired networks will have safeguards similar to those we will discuss below for wireless networks.

WLAN Security Shortcomings

The basic security mechanisms previously built into WLANs had some major weaknesses. The following discusses the problems with WEP, non-broadcast SSIDs and MAC address filtering.

WEP

WEP (Wired Equivalent Privacy) is the primary security mechanism built into WLAN devices. WEP provides encryption of data using a shared key that is entered on both access point and clients. Any wireless client that has the WEP key can gain access to the network.

WEP has several weaknesses. First, due to a weakness in the way WEP keys are initialized between the client and access point, WEP keys can be cracked relatively easily. In fact, there are tools such as WEPCRACK that will do it automatically. Secondly, WEP keys are difficult to manage effectively. They are static, so they must be distributed to an entire group of users, and once distributed they are difficult to change. Finally, WEP keys are stored on client devices, so a stolen device would have access to the network.

Non-Broadcast SSID

SSID (Service Set Identifier) is the name given to a wireless network. A wireless client must provide the SSID to associate to the wireless network. Most access points provide the capability to turn off SSID broadcasting, which removes the clear text SSID from beacon and probe response frames. With broadcast turned off, the client must know the SSID since it won't be visually presented on a list of wireless networks.

Turning off SSID broadcast provides very rudimentary security. Non-broadcast SSIDs do not provide adequate security because they must be widely communicated to users, they don't change and they can be easily sniffed. Furthermore, all client devices must have the SSID configured (always in clear text) to access the network.

MAC Address Filtering

MAC address filtering, also known as access control list (ACL), is a common security mechanism built into many access points. MAC address filtering allows network access to be limited to specific MAC addresses. It has several drawbacks. First of all, client MAC addresses can be easily changed, making it possible to spoof the MAC address of an authorized client. Since MAC addresses are transmitted in clear text, it is easy to sniff valid MAC addresses. Secondly, MAC address filters are extremely difficult to manage and keep up to date.

Proprietary Security Solutions

Recognizing the security weaknesses in WLAN standards, a number of WLAN equipment manufacturers have provided proprietary security solutions. Proprietary security solutions vary in the strength of the security they offer, but all provide a dramatic improvement over standard WEP. The big problem with these solutions is that their proprietary nature severely limits flexibility. Proprietary solutions typically require all access points and client devices be provided by the same manufacturer. This adds cost and complexity and limits the devices an organization can use. For these reasons, CompuCom has always recommended that clients adhere to standards-based security solutions whenever possible.

Misconfiguration

Although WLANs have security weaknesses, the biggest problem with many of today's WLANs is failure to properly implement the security that is available. Many of the WLAN security concerns arise from published stories in which networks are accessed through access points with no security whatsoever. Often, failure to adequately configure a WLAN is brushed off with the excuse, "we are just trying wireless out." These extended tests do not change the fact that a wide-open WLAN with default access point settings is an invitation to unauthorized access. Regardless of the technology in use (wired or wireless), test systems belong on test networks instead of in the production environment.

Rogue Access Points

A rogue access point is an access point that is plugged into an organization's network without the authorization of the network administrator. Rogue access points are an issue for all organizations, whether they officially make use of WLANs or not. Consumer WLAN equipment is popular and affordable, and employees want to benefit from the same productivity advantages they gain using a WLAN at home. An employee or department may purchase a WLAN access point and plug it into the organization's network, usually with little regard for network security. Organizations need to communicate policies against the use of unauthorized access points and make use of WLAN analyzers or monitoring tools to detect and eliminate rogue access points. Beyond the security threats posed by rogue access points, they can also negatively impact the performance of a carefully designed WLAN by causing frequency interference.

WLAN Security Solutions

The WLAN industry has recognized the security weaknesses of WLANs and taken steps to greatly improve security. These efforts have resulted in new standards and tools to address security concerns. Products incorporating the new standards are available now.

WPA

WPA (Wi-Fi Protected Access) is a new, interoperable security specification that addresses the shortcomings discussed in the previous section and provides effective WLAN security for organizations. WPA provides strengthened encryption and authentication that addresses all known security threats. WPA is available in most products now and will be required for Wi-Fi Certification by Q4/2003. WPA can be installed as a software update on most existing WLAN devices.

TKIP

WPA uses a greatly enhanced encryption scheme called TKIP (Temporal Key Integrity Protocol). TKIP replaces WEP's single, 40-bit static key with 128-bit keys that are dynamically generated. TKIP uses a key hierarchy and key management methodology that removes the predictability which intruders relied upon to exploit the WEP key. TKIP also includes a Message Integrity Check (MIC) to protect against packet forgeries, replays or spoofing.

802.1X/EAP

WPA uses 802.1X and EAP (Extensible Authentication Protocol) to provide authentication using a RADIUS server. 802.1X/EAP has been available in a number of access points for some time. IEEE 802.1X is a port-based network access control method for both wired and wireless networks. EAP handles the presentation of users' credentials such as digital certificates, usernames and passwords, or hardware tokens. WPA allows flexibility in the type of credentials used and the EAP type. Industry standard EAP types such as EAP-TLS, EAP-TTLS and PEAP are supported by a wide variety of client devices, access points and RADIUS servers.

802.1X and EAP provide a framework for authenticating and controlling user traffic to a protected network and dynamically varying encryption keys. Initial 802.1X communication begins with a client device attempting to connect with an access point. The access point responds by enabling a port for passing only EAP packets from the client to an authentication server, such as RADIUS, located on the wired side of the access point. The access point blocks all other traffic until the access point can verify the client's identity using an authentication server. Once authenticated, the access point opens the client's port for other types of traffic.

PSK

WPA also takes into account the security needs of small businesses and homes that do not want to purchase and maintain a backend authentication server. This is accomplished by using TKIP encryption enabled through the use of a PSK (Pre-shared Key). The PSK is a password that is configured on both the access points and client devices. Using a PSK is similar to using WEP without the encryption weaknesses.

WLAN Gateways

WLAN gateways are appliances that sit between access points and an organization's network. These devices typically support advanced security functionality and other WLAN management features. WLAN gateways can provide security in conjunction with or independent of 802.1X/EAP. Security features provided by WLAN gateways that are above and beyond those provided by WPA include termination of IPSec or PPTP VPN connections and role-based access control. In addition to security, WLAN gateways can provide other functionality such as cross subnet roaming and role-based bandwidth management.

WLAN Monitoring

As mentioned above, all organizations need to be concerned about rogue access points. WLAN analyzers and WLAN monitoring tools are available to help in identifying rogue access points. A WLAN analyzer is a wireless network sniffer that can help organizations identify and find rogue access points. Using a WLAN analyzer to find rogue access points is a manual process in which someone must walk around a facility capturing radio signals. WLAN monitors provide an automated approach to identifying and finding rogue access points. With WLAN monitors, sensors are placed in an environment to look for and analyze radio signals. When a rogue access point is identified, an alert is sent to a management console.
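
The comparison a WLAN monitor makes between what its sensors hear and the list of authorized access points can be sketched as follows. This is an added example, not part of the CompuCom paper or any vendor's product; the inventory, sensor names, signal threshold and beacon reports are all constructed, and radio data alone only yields candidates, since it cannot show whether an unknown access point is plugged into the organization's network.

```python
from dataclasses import dataclass

# Constructed inventory of authorized access points: BSSID -> (SSID, channel).
AUTHORIZED_APS = {
    "00:11:22:33:44:01": ("CORP-WLAN", 1),
    "00:11:22:33:44:02": ("CORP-WLAN", 6),
}
CORPORATE_SSIDS = {ssid for ssid, _ in AUTHORIZED_APS.values()}
STRONG_SIGNAL_DBM = -65  # assumed cut-off for "probably inside the facility"
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class Beacon:
    sensor: str    # sensor that heard the beacon
    bssid: str     # MAC address the access point transmits from
    ssid: str      # empty when SSID broadcast is turned off
    channel: int
    rssi_dbm: int  # signal strength measured at the sensor
    security: str  # "open", "wep" or "wpa", as advertised in the beacon


def classify(beacon):
    """Return (severity, reason) for a suspicious beacon, or None if it matches inventory."""
    known = AUTHORIZED_APS.get(beacon.bssid.lower())
    if known is not None:
        if (beacon.ssid, beacon.channel) != known or beacon.security != "wpa":
            # A misconfigured access point, or a device reusing an authorized MAC.
            return ("medium", "authorized BSSID with unexpected settings")
        return None
    if beacon.ssid in CORPORATE_SSIDS:
        return ("high", "corporate SSID from unknown BSSID")
    if beacon.rssi_dbm >= STRONG_SIGNAL_DBM:
        return ("high", "unknown access point with strong signal")
    return ("low", "unknown access point with weak signal")


def detect_rogues(beacons):
    """Merge sensor reports into one alert per BSSID, most severe first."""
    by_bssid = {}
    for beacon in beacons:
        by_bssid.setdefault(beacon.bssid.lower(), []).append(beacon)
    alerts = []
    for bssid, seen in by_bssid.items():
        verdicts = [v for v in map(classify, seen) if v is not None]
        if not verdicts:
            continue
        severity, reason = min(verdicts, key=lambda v: SEVERITY_RANK[v[0]])
        strongest = max(seen, key=lambda b: b.rssi_dbm)  # best sensor to start the search
        alerts.append({"bssid": bssid, "ssid": strongest.ssid, "severity": severity,
                       "reason": reason, "nearest_sensor": strongest.sensor})
    return sorted(alerts, key=lambda a: (SEVERITY_RANK[a["severity"]], a["bssid"]))


# Constructed sensor reports, not captured traffic.
SAMPLE_BEACONS = [
    Beacon("lobby", "00:11:22:33:44:01", "CORP-WLAN", 1, -48, "wpa"),
    Beacon("lobby", "02:AA:BB:CC:DD:01", "homenet", 6, -52, "open"),
    Beacon("floor2", "02:aa:bb:cc:dd:01", "homenet", 6, -71, "open"),
    Beacon("floor2", "02:aa:bb:cc:dd:02", "CORP-WLAN", 11, -80, "wep"),
    Beacon("dock", "02:aa:bb:cc:dd:03", "", 3, -88, "wpa"),
    Beacon("dock", "00:11:22:33:44:02", "CORP-WLAN", 6, -60, "open"),
]

if __name__ == "__main__":
    for alert in detect_rogues(SAMPLE_BEACONS):
        print(alert)
```

The sensor with the strongest reading is reported with each alert because it is the natural starting point for the walk-around search with a WLAN analyzer.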

Some vendors are providing products that act as the wireless equivalent of a honeypot. When they detect certain tools utilized to attack wireless networks, the honeypot device will broadcast vulnerable configuration information to the attacker. With the propensity of attackers to go for the most vulnerable device in an environment, this can stop or delay attacks on the actual corporate network.

The Future - 802.11i

A new WLAN security specification named IEEE 802.11i is expected to be ratified in Q1/2004. 802.11i is similar to WPA, except that 802.11i will also include AES (Advanced Encryption Standard). Because it uses AES, 802.11i will require new WLAN hardware to handle the computational overhead. However, TKIP encryption will also be included in 802.11i, and WPA is forward compatible with 802.11i. CompuCom's viewpoint is that since WPA runs on existing hardware, is available immediately, and provides nearly all the benefits of 802.11i, organizations should not wait for 802.11i before deploying WLANs.

Summary and Conclusions

Great strides have been made in the area of WLAN security. Effective, standards-based WLAN security solutions are now available. For organizations that have postponed WLAN deployments due to security concerns, there is no longer a need to wait. Technologies such as 802.1X/EAP, TKIP, and WLAN gateways provide robust security while enabling organizations to realize the benefits of WLANs.

Organizations that are already using WLANs need to reexamine their security measures in light of these new, standards-based security technologies. These organizations should look to implement these technologies to address security issues. Organizations that are using proprietary WLAN security solutions should examine the benefits of moving to a standards-based approach.

All organizations need to be concerned about rogue access points. WLAN analyzers or monitoring tools can be used to proactively address the problem of rogue access points. Even though an organization may have chosen not to implement WLANs, the threat of rogue access still exists and should be monitored.
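
The port behaviour described under 802.1X/EAP (only EAP traffic passes until the authentication server accepts the client, and only then is the port opened) can be modelled in a few lines. This is an added example, not code from the paper or from any access point; the class and function names, the user database and the single-message credential exchange are assumptions made for illustration, and a real EAP method takes several round trips and supplies the session key itself.

```python
import hmac
import secrets

ETHERTYPE_EAPOL = 0x888E  # EAP over LAN: the only traffic a closed port accepts
ETHERTYPE_IPV4 = 0x0800

# Constructed user database standing in for the RADIUS server's directory.
USERS = {"alice": "correct-horse-battery"}


def radius_check(identity, credential):
    """Stand-in for the authentication server on the wired side (assumption)."""
    expected = USERS.get(identity)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), credential.encode())


class AccessPoint:
    """Authenticator with one logical port per associated client, closed by default."""

    def __init__(self, auth_server=radius_check):
        self.auth_server = auth_server
        self.ports = {}  # client MAC -> session key (None while unauthorized)

    def associate(self, client_mac):
        # Every new association starts closed, whatever the client did earlier.
        self.ports[client_mac] = None

    def disassociate(self, client_mac):
        self.ports.pop(client_mac, None)

    def is_authorized(self, client_mac):
        return self.ports.get(client_mac) is not None

    def receive(self, client_mac, ethertype, payload=None):
        """Process one frame from a client and report what happened to it."""
        if client_mac not in self.ports:
            return "dropped: not associated"
        if ethertype == ETHERTYPE_EAPOL:
            # Simplification: one message carries identity and credential.
            identity, credential = payload if payload else ("", "")
            if self.auth_server(identity, credential):
                # Fresh 128-bit key per session, in place of the keying
                # material a real EAP method hands to the access point.
                self.ports[client_mac] = secrets.token_bytes(16)
                return "eap accepted: port opened"
            self.ports[client_mac] = None  # a failed attempt also closes an open port
            return "eap rejected: port closed"
        if self.ports[client_mac] is None:
            return "dropped: port unauthorized"
        return "forwarded to wired network"


def run_session():
    """Constructed walk-through of one client; returns the decisions and a key check."""
    ap = AccessPoint()
    mac = "02:00:00:00:00:0a"  # constructed client address
    good = ("alice", "correct-horse-battery")
    log = [ap.receive(mac, ETHERTYPE_IPV4)]           # before association
    ap.associate(mac)
    log.append(ap.receive(mac, ETHERTYPE_IPV4))       # data before authentication
    log.append(ap.receive(mac, ETHERTYPE_EAPOL, ("alice", "guess")))
    log.append(ap.receive(mac, ETHERTYPE_EAPOL, good))
    first_key = ap.ports[mac]
    log.append(ap.receive(mac, ETHERTYPE_IPV4))       # data after authentication
    ap.disassociate(mac)
    ap.associate(mac)                                 # client reconnects
    log.append(ap.receive(mac, ETHERTYPE_IPV4))       # port is closed again
    ap.receive(mac, ETHERTYPE_EAPOL, good)
    return log, first_key != ap.ports[mac]


if __name__ == "__main__":
    for line in run_session()[0]:
        print(line)
```

The last two steps show why a stolen static key matters less here than with WEP: each association must authenticate again and receives a different key.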

Glossary

802.1X - IEEE standard for port-based network access control. It provides a means of authenticating and authorizing devices that attach to a LAN port. This standard defines the Extensible Authentication Protocol (EAP), which uses a central authentication server to authenticate each user on the network.

802.11a - IEEE specification for WLANs operating in the 5.8GHz unlicensed frequency range with maximum speeds of 54Mbps.

802.11b - IEEE specification for WLANs operating in the 2.4GHz unlicensed frequency range with maximum speeds of 11Mbps.

802.11g - IEEE specification for WLANs operating in the 2.4GHz unlicensed frequency range with maximum speeds of 54Mbps. 802.11g is backward compatible with 802.11b.

802.11i - IEEE draft specification for enhanced WLAN security through the use of stronger encryption protocols such as TKIP and AES (Advanced Encryption Standard). These protocols provide replay protection, cryptographically keyed integrity checks, and key derivation based on the IEEE 802.1X port authentication standard. 802.11i is expected to be ratified in Q1/2004.

EAP - Extensible Authentication Protocol. EAP is an 802.1X standard that allows passing of security authentication data between client, access point or switch and RADIUS server to authenticate users. There are a number of EAP variants including EAP-TLS, EAP-TTLS, LEAP and PEAP.

EAP-TLS - EAP Transport Layer Security. EAP-TLS provides for certificate-based, mutual authentication of the client and the network. EAP-TLS relies on client-side and server-side certificates to perform authentication, using dynamically generated user and session-based WEP keys distributed to secure the connection.

EAP-TTLS - EAP Tunneled Transport Layer Security. EAP-TTLS is an extension of EAP-TLS. Unlike EAP-TLS, EAP-TTLS requires only server-side certificates, eliminating the need to configure certificates for each WLAN client.

LEAP - Lightweight Extensible Authentication Protocol. LEAP is primarily used in Cisco WLAN access points. LEAP provides security during credential exchange, encrypts data transmission using dynamically generated WEP keys, and supports mutual authentication.

PEAP - Protected Extensible Authentication Protocol. PEAP is an extension of EAP-TLS. Unlike EAP-TLS, PEAP requires only server-side certificates, eliminating the need to configure certificates for each WLAN client.

RADIUS - Remote Authentication Dial-In User Service. A client/server protocol and software that enables access servers to communicate with a central server to authenticate users and authorize their access to the requested system or service. RADIUS allows organizations to maintain user profiles in a central database that all remote servers can share.

TKIP - Temporal Key Integrity Protocol, pronounced tee-kip. TKIP is an encryption standard that provides per-packet key mixing, a message integrity check and a re-keying mechanism, thus fixing the flaws of WEP.

Wi-Fi - Wireless Fidelity. A WLAN industry group tasked with defining and certifying interoperability of WLAN devices.

WEP - Wired Equivalent Privacy. Prior to WPA, WEP was the standard for providing data encryption for WLANs using a shared key.

WPA - Wi-Fi Protected Access. WPA is a specification of standards-based, interoperable security enhancements that increases the level of data protection and access control for existing and future wireless LAN systems. WPA will be required for Wi-Fi certification by Q4/2003.