WIRELESS SECURITY IN 802.11 (WI-FI) NETWORKS




January 2003 WHITE PAPER

WIRELESS SECURITY IN 802.11 (WI-FI) NETWORKS

With the increasing deployment of 802.11 (or Wi-Fi) wireless networks in business environments, IT organizations are working to implement security mechanisms that are equivalent to those existing today for wire-based networks. An important aspect of this is the need to provide secure access to the network for valid users. Existing wired network jacks are located inside buildings already secured from unauthorized access through the use of keys, badge access, and so forth. A user must gain physical access to the building in order to plug a client computer into a network jack. In contrast, a wireless access point (AP) may be accessed from off the premises if the signal is detectable (for instance, from a parking lot adjacent to the building).

There are a number of approaches to secure 802.11 networks. No one approach works for all environments and situations. The optimal solution(s) in a particular network depend on factors such as the level of security required, the size of the network, whether access is required for remote workers, and so forth. Because of this diversity, Dell is committed to offering a broad set of standards-based tools and solutions that offer customers flexibility in designing and implementing 802.11 security solutions.

This white paper begins by discussing the basic security control methods that form the basis of the original 802.11 architecture. The paper continues with the more-robust virtual private network (VPN) alternative, as well as the upcoming IEEE 802.11i standard that addresses weaknesses in 802.11 native security. Both VPN and 802.11i-based security solutions provide better security and scale well to large networks. The paper also presents Wi-Fi Protected Access (WPA), which is an interim release of key components of 802.11i. Wi-Fi products based on WPA are expected by the middle of 2003.
Basic 802.11 Security

Three well-known methods to secure access to an AP are built into 802.11 networks. These basic methods are widely available and may be sufficient for some deployments:

- Service set identifier (SSID)
- Media Access Control (MAC) address filtering
- Wired Equivalent Privacy (WEP)

One or more of these methods may be implemented, but all three together provide a more robust solution.

SSID

Network access control can be implemented using an SSID associated with an AP or group of APs. The SSID provides a mechanism to segment a wireless network into multiple networks serviced by one or more APs. Each AP is programmed with an SSID corresponding to a specific wireless network. To access this network, client computers must be configured with the correct SSID. A building might be segmented into multiple networks by floor or department. Typically, a client computer can be configured with multiple SSIDs for users who require access to the network from a variety of different locations.

Because a client computer must present the correct SSID to access the AP, the SSID acts as a simple password and, thus, provides a measure of security. However, this minimal security is compromised if the AP is configured to broadcast its SSID. When this broadcast feature is enabled, any client computer that is not configured with a specific SSID is allowed to receive the SSID and access the AP. In addition, because users typically configure their own client systems with the appropriate SSIDs, they are widely known and easily shared. (Dell strongly recommends that APs be configured with broadcast mode disabled, which is referred to as "closed mode.")

Visit the Vectors Technology Information Center @ www.dell.com/r&d

MAC Address Filtering

While an AP or group of APs can be identified by an SSID, a client computer can be identified by the unique MAC address of its 802.11 network card. To increase the security of an 802.11 network, each AP can be programmed with a list of MAC addresses associated with the client computers allowed to access the AP. If a client's MAC address is not included in this list, the client is not allowed to associate with the AP. Figure 1 depicts WEP-based security with MAC address filtering.

MAC address filtering (along with SSIDs) provides improved security, but is best suited to small networks where the MAC address list can be efficiently managed. Each AP must be manually programmed with a list of MAC addresses, and the list must be kept up-to-date. In practice, the manageable number of MAC addresses filtered is likely to be less than 255 clients. In addition, MAC addresses can be captured and spoofed by another client to gain unauthorized access to the network.

WEP-Based Security

Wireless transmissions are easier to intercept than transmissions over wired networks. The 802.11 standard currently specifies the WEP security protocol to provide encrypted communication between the client and an AP. WEP employs the symmetric key encryption algorithm Ron's Code 4 Pseudo Random Number Generator (RC4 PRNG). Under WEP, all clients and APs on a wireless network typically use the same key to encrypt and decrypt data. The key resides in the client computer and in each AP on the network. The 802.11 standard does not specify a key-management protocol, so all WEP keys on a network usually must be managed manually unless they are used in conjunction with a separate key-management protocol. For example, 802.1X (discussed later in this paper) provides WEP key management. Support for WEP is standard on most current 802.11 cards and APs.
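The following Python model is an added example; it is not code from the Dell paper or from any 802.11 vendor. It implements the WEP construction this section describes: RC4 keyed with the 24-bit initialization vector (IV) concatenated to the static shared key, a CRC-32 integrity check value, and the IV sent in the clear. Its last functions are the defender's counterpart, a monitor that counts the IVs seen on the air and reports any IV used twice under the same key, since with a static key a repeated IV means a repeated RC4 keystream. The key, the IV values and the four frames are constructed for the demonstration.

```python
"""Model of WEP frame protection plus a defender-side IV-reuse monitor.

Added example, not code from the Dell white paper or from any 802.11
vendor. One static shared key, a 24-bit IV prepended to that key for each
frame, a CRC-32 integrity check value (ICV), and the IV transmitted in the
clear. The monitor at the end reports any IV used twice under one key,
which is the condition that makes WEP's RC4 keystream repeat.
"""
import zlib
from collections import defaultdict
from typing import Dict, List, Optional


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key-scheduling algorithm followed by the output generator."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(shared_key: bytes, iv: bytes, payload: bytes) -> bytes:
    """Return IV || (payload || CRC32(payload)) XOR RC4(IV || shared_key).

    shared_key is the static 40-bit (5-byte) or 104-bit (13-byte) WEP key;
    iv is the 24-bit per-frame value concatenated with it to form the
    64- or 128-bit RC4 key.
    """
    if len(iv) != 3:
        raise ValueError("WEP IV must be 24 bits")
    if len(shared_key) not in (5, 13):
        raise ValueError("WEP key must be 40 or 104 bits")
    icv = zlib.crc32(payload).to_bytes(4, "little")
    keystream = rc4_keystream(iv + shared_key, len(payload) + 4)
    return iv + bytes(a ^ b for a, b in zip(payload + icv, keystream))


def wep_decrypt(shared_key: bytes, frame: bytes) -> Optional[bytes]:
    """Rebuild the per-frame key from the cleartext IV, decrypt, verify the ICV."""
    iv, body = frame[:3], frame[3:]
    keystream = rc4_keystream(iv + shared_key, len(body))
    clear = bytes(a ^ b for a, b in zip(body, keystream))
    payload, icv = clear[:-4], clear[-4:]
    if zlib.crc32(payload).to_bytes(4, "little") != icv:
        return None  # integrity check failed: the receiver drops the frame
    return payload


def iv_reuse_report(frames: List[bytes]) -> Dict[bytes, int]:
    """Count each cleartext IV seen on the air; return those used more than once.

    With a static key, every repeated IV means two frames were protected by
    an identical keystream, so a non-empty report is the signal a WLAN
    monitor would raise to justify rotating the key (or moving off WEP).
    """
    seen: Dict[bytes, int] = defaultdict(int)
    for frame in frames:
        seen[frame[:3]] += 1
    return {iv: n for iv, n in seen.items() if n > 1}


def sample_frames() -> List[bytes]:
    """Constructed traffic: four frames under one 40-bit key, IV 000001 reused."""
    key = bytes.fromhex("0102030405")  # constructed demo key, not a real one
    traffic = [
        (b"\x00\x00\x01", b"GET /status"),
        (b"\x00\x00\x02", b"HTTP/1.0 200 OK"),
        (b"\x00\x00\x01", b"GET /login"),   # IV repeated: keystream reused
        (b"\x00\x00\x03", b"POST /submit"),
    ]
    return [wep_encrypt(key, iv, data) for iv, data in traffic]


if __name__ == "__main__":
    for iv, count in iv_reuse_report(sample_frames()).items():
        print(f"IV {iv.hex()} reused {count} times under the same key")
```

The monitor needs no key at all: because the IV travels unencrypted, anyone within radio range can keep the same count, which is why the 24-bit IV space (about 16.7 million values per key) is exhausted on a busy network and why this section recommends changing static WEP keys on a schedule.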
WEP specifies the use of a 40-bit encryption key, and there are also implementations of 104-bit keys. The encryption key is concatenated with a 24-bit initialization vector (IV), resulting in a 64- or 128-bit key. This key is input into a pseudorandom number generator. The resulting sequence is used to encrypt the data to be transmitted. (WEP keys can be entered in alphanumeric text or hexadecimal form.)

Figure 1. 802.11 Security Using SSID, MAC Address Filtering, and WEP

WEP encryption has been shown to be vulnerable to attack. Because of this, static WEP is only suitable for small, tightly managed networks with low-to-medium security requirements. In these cases, 128-bit WEP should be implemented in conjunction with MAC address filtering and SSID (with the broadcast feature disabled). Customers should change WEP keys on a regular schedule to further minimize risk. For networks with high security requirements, the VPN or emerging 802.11i standards-based solutions discussed in the next sections are preferable. These solutions are also preferable for large networks, in which the administrative burden of maintaining MAC addresses on each AP makes this approach impractical.

The point at which the number of wireless client systems becomes unmanageable varies depending on the organization's ability to administer the network, the choice of security methods (SSID, WEP, and MAC address filtering), and its tolerance for risk. If MAC address filtering is used on a wireless network, the fixed upper limit is established by the maximum number of MAC addresses that can be programmed into each AP used in an installation. This upper limit varies, but the practical problem of manually entering and maintaining valid MAC addresses in every AP on a network limits the use of MAC address filtering to smaller networks.

VPN Wireless Security

VPN solutions are widely deployed to provide remote workers with secure access to the network via the Internet. In this remote user application, the VPN provides a secure, dedicated path (or "tunnel") over an untrusted network, in this case the Internet. Various tunneling protocols, including the Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP), are used in conjunction with standard, centralized authentication solutions, such as Remote Authentication Dial-In User Service (RADIUS) servers.

The same VPN technology can also be used for secure wireless access. In this scenario, the untrusted network is the wireless network. The APs are configured for open access with no WEP encryption, but wireless access is isolated from the enterprise network by the VPN server. The APs can be connected together via a virtual LAN (VLAN) [1] or LAN that is deployed in the Demilitarized Zone (DMZ) [2] and connected to the VPN server. (The APs should still be configured in closed mode with SSIDs for network segmentation.) Authentication and full encryption over the wireless network is provided through the VPN servers that also act as firewalls/gateways to the internal private network. Unlike the WEP key and MAC address filtering approaches, the VPN-based solution is scalable to a very large number of users.

Figure 2 shows how VPN connections can provide flexible access to a private network. Remote workers can use a dial-up, cable modem, Digital Subscriber Line (DSL), or cellular data (such as General Packet Radio Service [GPRS]) connection to the Internet and then establish a VPN connection to the private network. Public wireless LAN (WLAN) networks in locations such as airports can also be used to establish a VPN connection back to the private network.
Finally, on-campus 802.11 wireless access can be implemented via a secure VPN connection. The user login interface is the same for each of these scenarios, so that the user has a consistent login interface.

Figure 2. 802.11 VPN Wireless Security

The VPN approach has a number of advantages:

- Already deployed on many enterprise networks.
- Scalable to a large number of 802.11 clients.
- Low administration requirements for 802.11 APs and clients. The VPN servers can be centrally administered.
- Traffic to the internal network is isolated until VPN authentication is performed.
- WEP key and MAC address list management is not needed because of security measures created by the VPN channel itself.
- Addresses general remote access with a consistent user interface in different locations such as at home, at work, and in an airport.

A drawback to current VPN solutions is the lack of support for multicasting, which is a technique used to deliver data efficiently in real time from one source to many users over a network. Multicasting is useful for streaming audio and video applications such as press conferences and training classes. Another minor issue of VPNs is that roaming between wireless networks is not completely transparent. Users receive a logon dialog when roaming between VPN servers on a network or when the client system resumes from standby mode. Some VPN solutions address this issue by providing the ability to auto-reconnect to the VPN.

When using a VPN solution, it is still recommended that client computers be equipped with personal firewall protection (such as Norton Internet Security, BlackICE, or the built-in firewall in Microsoft Windows XP) to protect against attacks by nearby wireless client systems. VPNs are a good solution for many networks, particularly those with existing VPN infrastructure for remote access. Additional wireless security alternatives are emerging that are based on the IEEE 802.11i standard.

[1] A VLAN is a logical subgroup of client nodes in a local area network that is created using software. The purpose of a VLAN is to isolate untrusted traffic within the VLAN.
[2] The DMZ is a middle ground that lies between an organization's trusted internal network and an untrusted, external network such as the Internet. It is a subnetwork (or subnet) that may reside between firewalls or off one leg of a firewall.

IEEE 802.11i Standards-Based Wireless Security

802.11i is a new security standard being developed by the IEEE Task Group i (TGi). 802.11i addresses the weaknesses of WEP-based wireless security. Scripting tools exist that can be used to take advantage of weaknesses in the WEP key algorithm to successfully attack a network and discover the WEP key. The industry and IEEE are working on solutions to this problem through the TGi working group. Substantial components of the 802.11i standard have already been released or announced, and products are beginning to appear in the market.

The 802.11i standard addresses the user authentication and encryption weaknesses of WEP-based wireless security. The components of 802.11i include the already-released IEEE 802.1X port-based authentication framework, the Temporal Key Integrity Protocol (TKIP), the Advanced Encryption Standard (AES) encryption algorithm (to replace WEP's RC4 encryption), key hierarchy and management features, and cipher and authentication negotiation.
802.11i addresses the security requirements of AP-based (or Basic Service Set [BSS]) and ad hoc (or Independent BSS [IBSS]) 802.11 wireless networks. The formal completed 802.11i standard is expected in the second half of 2003. Meanwhile, because of important security requirements of 802.11 wireless networks, a subset of the 802.11i standard has been released under the auspices of the Wi-Fi Alliance. Formerly called WECA, the Wi-Fi Alliance is a nonprofit organization that certifies interoperability of 802.11 products and promotes 802.11 as the global wireless LAN standard. A strong supporter of the Wi-Fi Alliance, Dell is a member of its board of directors and is very active in Wi-Fi Alliance committees.

In November 2002, the Wi-Fi Alliance announced WPA, which is based on those components of the 802.11i standard that are stable and may be deployed on existing 802.11 network and client equipment with a software upgrade. When it is released, 802.11i will be backward-compatible with WPA. In fact, the final standard will be adopted by Wi-Fi as WPA, version 2. Wi-Fi expects to begin certifying WPA solutions in the first quarter of 2003, and these solutions will begin appearing in the market shortly thereafter. The initial release of WPA addresses AP-based 802.11 networks. Ad hoc (or peer-to-peer) networks will be addressed in the final standard.

The following components of 802.11i are included in the initial WPA release:

- 802.1X authentication framework
- TKIP
- Key hierarchy and management
- Cipher and authentication negotiation

WPA also specifies an 802.1X/RADIUS implementation and a preshared key implementation, discussed later in this paper.

Port-Based Authentication With 802.1X

The IEEE 802.1X standard specifies generic, extensible port-based authentication that applies to both wireless and wired Ethernet networks. 802.1X authentication solutions that use WEP encryption exist in the market today, but they provide for dynamic WEP keys.
Under WPA, 802.1X supports the other components of WPA. 802.1X is supported in several current operating systems (see the discussion of operating system support later in this paper) and in the enterprise APs offered by major vendors, including Dell. The standard specifies a framework that accommodates various authentication methods such as certificate-based authentication, smart cards, and traditional passwords.

In the context of an 802.11 wireless network, 802.1X is used to securely establish an authenticated association between the client and the AP. Generally, the scenario would be as shown in Figure 3. The user of an 802.11 wireless client system requests access to an AP. The AP passes the request to a centralized authentication server that handles the authentication exchange and, if successful, provides an encryption key to the AP. The AP uses the key to securely transmit a unicast session or multicast/global encryption key to the client. (Prior to the WPA announcement, WEP was the only encryption method supported by the 802.11 standard, but upcoming TKIP solutions will replace WEP.) At this point, the client has access to the network, transmissions between the client and AP are encrypted, and the user may log on to the network domain. During the session, new keys are generated between the client and AP (referred to as dynamic WEP key exchange) to help mitigate exposure to WEP attacks.

Figure 3. 802.1X/RADIUS Authentication
1. User requests authentication. AP prevents network access.
2. Encrypted credentials sent to authentication server (RADIUS).
3. Authentication server validates user and grants access rights.
4. AP port is enabled and WEP keys are assigned to client (encrypted).
5. Wireless client accesses general network services securely.

802.1X does not require a specific protocol for authentication. Instead, it specifies that the Extensible Authentication Protocol (EAP) will be used. EAP is an encapsulation protocol that allows different authentication protocols to be selected and used. Effectively, EAP serves as a conduit for other authentication protocols. There are four main authentication protocols:

- MD5: One-way authentication to the network using a password.
- Cisco Lightweight Authentication Extension Protocol (LEAP): Cisco proprietary username-based authentication.
- EAP-Transport Layer Security (TLS): IETF-standardized authentication. Public Key Infrastructure (PKI) certificate-based authentication of both the user (or client system) and the authentication server.
- EAP-Tunneled TLS (TTLS) and Protected EAP (PEAP): PEAP and TTLS are similar approaches that are based on TLS extensions. These approaches can be used with higher-layer authentication protocols (such as MS-CHAPv2) and do not require certificates on the client.

The best method for a particular installation depends on the specific requirements of the environment. However, while MD5 is the simplest authentication method, it is also the weakest, so it is not recommended for use in wireless networks. Under MD5, the user passwords are stored in a way that allows the authentication server access to the plain-text password. This approach makes it possible for entities other than the authentication server to gain access to the password. This weakness is compounded by the fact that MD5 only authenticates the user and not the authentication server. More robust methods provide mutual authentication of both entities. Cisco LEAP offers stronger security than MD5, but should be considered a proprietary solution that could limit choices and lead to potentially higher long-term costs. In contrast, the following standards-based EAP solutions offer stronger authentication and offer the benefit of broader vendor equipment support.

The IETF-standardized EAP-TLS, EAP-TTLS, and PEAP methods offer the strongest authentication and are recommended for 802.1X implementations. TLS is based on an authentication protocol that is nearly identical to the protocol used in the Secure Sockets Layer (SSL) protocol for securing Web transactions. TLS provides mutual authentication between the supplicant and the authentication server. Once authentication is completed, 802.1X enables dynamic WEP keys to be generated. In EAP-TLS, PKI-based digital certificates are used for mutual authentication. (PKI digital certificates can be stored on smart cards or on the client computer.)

Alternatively, EAP-TTLS is an extension of EAP-TLS that is designed for organizations that are not ready to implement PKI on every client. (This is required to achieve mutual authentication with digital certificates.) Instead, it only requires PKI for digital certificate-based authentication of the authentication server. In some cases, self-rooted certificates can be used instead of a PKI, as long as each client has a copy of the server certificate. EAP-TTLS supports legacy authentication methods for the client system or user.

An extension to EAP called PEAP is also designed to overcome problems associated with certificate management under EAP-TLS. PEAP can be used in conjunction with a higher-layer authentication mechanism such as MS-CHAPv2. EAP and PEAP occur during the IEEE 802.1X authentication process before WEP keys are generated and distributed. PEAP uses the TLS handshake solely to identify the network to a client device. This approach avoids the need to assign signed certificates to individual client devices. Client authentication is done inside the established TLS tunnel (thus providing the advantages of TLS communication) using a higher-layer protocol such as MS-CHAPv2. Any EAP-based authentication method might be used inside the established secure channel.

TTLS and PEAP are very similar. Both use a one-way TLS tunnel. The difference is in the upper-layer authentication method after the tunnel is established. TTLS uses simple, less-structured, token-pair-based authentication mechanisms.
In contrast, PEAP uses more structured EAP-compatible authentication mechanisms. Because Microsoft has created MS-CHAPv2 as an EAP-compatible authentication mechanism, TTLS and PEAP are nearly identical when MS-CHAPv2 is used. Table 1 compares the main 802.1X authentication protocols.

The 802.1X standard also includes a management specification for complete end-to-end management of the 802.1X protocol. The 802.1X approach has the following advantages:

- Standards-based.
- Flexible authentication: administrators may choose the type of authentication method used.
- Scalable to large enterprise networks by simply adding APs and, as needed, additional RADIUS servers.
- Centrally managed.
- Client keys are dynamically generated and propagated.
- Because authentication is central, rather than at each AP, roaming can be made as transparent as possible. At most, the user may be asked for alternate credentials if an AP requires alternate identification.

Table 1. Comparison of Main 802.1X Authentication Protocols

| Characteristic | MD5 | Cisco LEAP | EAP-TLS | PEAP and TTLS |
| Key length | None | 128 | 128 | 128 |
| Mutual authentication | No. Authenticates user, but not authentication device. | Yes | Yes | Yes |
| Rotating keys | Yes | Yes | Yes | Yes |
| Overall security | Weak | Stronger than MD5; weaker than other EAP solutions. | Strongest | Strong |
| Client software support | Native support in Windows XP. Other operating systems require client software. | Requires proprietary features in the NIC and AP. Wide range of operating-system support with Cisco 802.11 wireless card. | Native support available in Windows XP and Windows 2000. Other operating systems may require additional client software. | PEAP support available natively in Windows XP and Windows 2000. TTLS support available via third-party software. |
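The five-step exchange of Figure 3, as an added Python simulation; this is not code from the paper or from any vendor's AP or RADIUS product. Three roles pass constructed messages: the supplicant (wireless client), the authenticator (the AP, which owns the controlled port) and the authentication server (RADIUS). The AP relays the client's credential to the server and keeps its controlled port blocked until it receives Access-Accept, then installs the session key the server returned, so a data frame sent before authentication is dropped and the same frame after it is forwarded. Two parts are labelled stand-ins: the RADIUS request and response authenticators are HMACs over the message under the AP-to-server shared secret (simplified from the real Authenticator and Message-Authenticator fields), and the EAP method is a password-hash comparison rather than an EAP-TLS or PEAP run. The shared secret, user store and frames are constructed.

```python
"""Simulation of the five-step 802.1X/RADIUS exchange in Figure 3.

Added example, not code from the paper or from any vendor's product.
The RADIUS authenticators are HMAC-SHA256 stand-ins and the EAP method is
a password hash check; the port-state logic is the point of the model.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def _tag(secret: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over the concatenated message parts (stand-in authenticator)."""
    return hmac.new(secret, b"".join(parts), "sha256").digest()


@dataclass
class AuthServer:
    """Stand-in RADIUS server: user store plus the shared secret for one AP."""
    shared_secret: bytes
    users: Dict[str, bytes]   # identity -> sha256(password); constructed store

    def access_request(self, identity: str, credential: bytes,
                       request_auth: bytes) -> Tuple[str, Optional[bytes], bytes]:
        """Return (code, session_key, response_auth).

        A request whose authenticator does not verify under the shared secret
        is rejected before the credential is looked at: the AP that sent it
        is not one this server trusts.
        """
        ident = identity.encode()
        if not hmac.compare_digest(_tag(self.shared_secret, ident, credential), request_auth):
            code, key = "Access-Reject", None
        elif not hmac.compare_digest(self.users.get(identity, b""), credential):
            code, key = "Access-Reject", None
        else:
            code, key = "Access-Accept", os.urandom(16)  # stand-in for the MPPE key attributes
        # The response is bound to the request so the AP can detect a forged reply.
        return code, key, _tag(self.shared_secret, code.encode(), request_auth, key or b"")


@dataclass
class AccessPoint:
    """Authenticator: blocks data on the controlled port until the server accepts."""
    server: AuthServer
    shared_secret: bytes
    port_authorized: bool = False
    unicast_key: Optional[bytes] = None
    forwarded: List[bytes] = field(default_factory=list)
    dropped: List[bytes] = field(default_factory=list)

    def eapol_authenticate(self, identity: str, credential: bytes) -> str:
        """Steps 1-4: relay the EAP credential over RADIUS; enable the port on accept."""
        request_auth = _tag(self.shared_secret, identity.encode(), credential)
        code, key, response_auth = self.server.access_request(identity, credential, request_auth)
        expected = _tag(self.shared_secret, code.encode(), request_auth, key or b"")
        if code == "Access-Accept" and hmac.compare_digest(expected, response_auth):
            self.port_authorized = True
            self.unicast_key = key      # delivered to the client over the EAPOL-Key path
            return "Access-Accept"
        return "Access-Reject"

    def data_frame(self, frame: bytes) -> bool:
        """Step 5: only an authorized port forwards client data; otherwise drop."""
        if self.port_authorized:
            self.forwarded.append(frame)
            return True
        self.dropped.append(frame)
        return False


def supplicant_credential(password: str) -> bytes:
    """Stand-in for the EAP method's proof of the password (never the password itself)."""
    return hashlib.sha256(password.encode()).digest()


def run_session(ap: AccessPoint, identity: str, password: str,
                frames: List[bytes]) -> Dict[str, object]:
    """Drive one client through Figure 3: a frame before, the exchange, frames after."""
    early = ap.data_frame(b"early-frame")           # step 1: AP prevents network access
    code = ap.eapol_authenticate(identity, supplicant_credential(password))
    delivered = [ap.data_frame(f) for f in frames]
    return {"early_forwarded": early, "code": code, "delivered": delivered,
            "key_installed": ap.unicast_key is not None}


SECRET = b"constructed-ap-radius-secret"
USERS = {"alice": supplicant_credential("correct horse battery staple")}  # constructed

if __name__ == "__main__":
    server = AuthServer(SECRET, USERS)
    print(run_session(AccessPoint(server, SECRET), "alice", "correct horse battery staple", [b"f1", b"f2"]))
    print(run_session(AccessPoint(server, b"wrong-secret"), "alice", "correct horse battery staple", [b"f1"]))
```

The second run in the usage block shows why the AP-to-RADIUS secret matters as much as the user credential: an AP provisioned with the wrong secret never receives an Access-Accept, so its port stays blocked even for a valid user.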

802.1X requires software support on the client system and AP, as well as a RADIUS server that supports a strong EAP authentication method such as EAP-TLS and EAP-TTLS. Currently, client operating-system support for 802.1X is limited, with native support provided only in Microsoft Windows XP. Microsoft recently introduced support for 802.1X in Windows 2000. This support is available in a software patch that can be downloaded from the Microsoft website. This patch will be incorporated in the next Windows 2000 service pack. In addition, there are now Microsoft PEAP solutions for Windows XP and Windows 2000. 802.1X support is expected to expand as 802.1X matures and becomes established. Meanwhile, third-party client software exists for other PC client operating systems.

802.1X is designed to authenticate and distribute encryption keys between the wireless client and an AP. It is not an encryption protocol, nor is it designed to be a generalized VPN solution suitable for secure remote access. VPNs are still required for remote access using public APs (in airports or hotels) and from remote or home offices.

TKIP

TKIP enables secure, dynamic key generation and exchange. TKIP continues to use the RC4 encryption engine used by WEP, but provides the following important improvements over WEP:

- Dynamic keys: Allows per-session and per-packet dynamic ciphering keys.
- Message integrity checking (MIC) to ensure that the message has not been tampered with during transmission. (The TKIP MIC is sometimes referred to as "Michael.")
- 48-bit IV hashing: Longer IV (used in conjunction with a base key to encrypt and decrypt data) avoids the weaknesses of the shorter 24-bit WEP RC4 key.
- Correction of the WEP security vulnerability in which the IV is sent in clear text over the wireless connection.

Ultimately, a more robust encryption method based on the next-generation AES is being considered as a future replacement for RC4 in TKIP.
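The receiver-side checks behind three of the TKIP improvements listed above, as an added Python model; this is not code from the paper or from any 802.11 implementation. It derives a distinct per-packet key from the base key, the transmitter address and the 48-bit sequence counter that serves as the IV; verifies a keyed MIC over each frame; and rejects any frame whose counter does not exceed the last accepted one (replay). Two parts are labelled stand-ins: the real TKIP key-mixing function and the Michael MIC are replaced by SHA-256 and a truncated HMAC-SHA256 (same role, different primitives), and the RC4 encryption step is omitted because the point here is key handling and integrity. The countermeasure rule in the receiver (two MIC failures within 60 seconds stop traffic for 60 seconds, after which a rekey is required) follows IEEE 802.11i. Keys, the transmitter address and the frames are constructed.

```python
"""Receiver-side checks that TKIP adds on top of the RC4 engine.

Added example, not code from the paper or from any 802.11 implementation.
Key mixing and the Michael MIC are stand-ins (SHA-256 / HMAC-SHA256);
encryption is omitted. Countermeasure timing follows IEEE 802.11i.
"""
import hashlib
import hmac
from typing import List, Tuple

TSC_BYTES = 6   # 48-bit TKIP sequence counter, carried in the clear like the WEP IV


def per_packet_key(base_key: bytes, transmitter: bytes, tsc: int) -> bytes:
    """Stand-in for TKIP phase-1/phase-2 key mixing: one 128-bit key per frame.

    Mixing the transmitter address and the counter into every key removes
    WEP's property that all frames share one RC4 key.
    """
    return hashlib.sha256(base_key + transmitter + tsc.to_bytes(TSC_BYTES, "big")).digest()[:16]


def mic(mic_key: bytes, transmitter: bytes, payload: bytes) -> bytes:
    """Stand-in for Michael: 64-bit keyed MIC over the address and payload."""
    return hmac.new(mic_key, transmitter + payload, "sha256").digest()[:8]


def tkip_protect(mic_key: bytes, transmitter: bytes, tsc: int, payload: bytes) -> bytes:
    """Sender side: TSC || payload || MIC (encryption omitted in this model)."""
    return tsc.to_bytes(TSC_BYTES, "big") + payload + mic(mic_key, transmitter, payload)


class TkipReceiver:
    """Accepts frames only with a fresh counter and a valid MIC; tracks MIC failures."""

    def __init__(self, base_key: bytes, mic_key: bytes, transmitter: bytes):
        self.base_key = base_key
        self.mic_key = mic_key
        self.transmitter = transmitter
        self.last_tsc = -1               # highest counter accepted so far
        self.failures: List[float] = []  # timestamps of recent MIC failures
        self.blocked_until = 0.0         # countermeasures active until this time

    def receive(self, frame: bytes, now: float) -> str:
        if now < self.blocked_until:
            return "dropped: countermeasures active"
        tsc = int.from_bytes(frame[:TSC_BYTES], "big")
        if tsc <= self.last_tsc:
            return "dropped: replay"     # the counter must strictly increase
        payload, tag = frame[TSC_BYTES:-8], frame[-8:]
        if not hmac.compare_digest(mic(self.mic_key, self.transmitter, payload), tag):
            # Keep only failures from the last 60 s, then add this one.
            self.failures = [t for t in self.failures if now - t < 60] + [now]
            if len(self.failures) >= 2:
                self.blocked_until = now + 60   # 802.11i: stop traffic, force a rekey
                return "dropped: MIC failure, countermeasures started"
            return "dropped: MIC failure"
        self.last_tsc = tsc
        per_packet_key(self.base_key, self.transmitter, tsc)  # key that would decrypt this frame
        return "ok"


def demo() -> List[Tuple[str, str]]:
    """Constructed sequence: two good frames, a replay, two forgeries, then recovery."""
    base_key, mic_key = b"\x11" * 16, b"\x22" * 8          # constructed keys
    ta = bytes.fromhex("00aabbccddee")                        # constructed transmitter address
    rx = TkipReceiver(base_key, mic_key, ta)
    f1 = tkip_protect(mic_key, ta, 1, b"frame one")
    f2 = tkip_protect(mic_key, ta, 2, b"frame two")
    bad3 = (3).to_bytes(TSC_BYTES, "big") + b"tampered" + bytes(8)   # MIC does not verify
    bad4 = (4).to_bytes(TSC_BYTES, "big") + b"tampered" + bytes(8)
    f5 = tkip_protect(mic_key, ta, 5, b"frame five")
    events = [("f1 @0", f1, 0.0), ("f2 @1", f2, 1.0), ("f1 again @2", f1, 2.0),
              ("bad3 @3", bad3, 3.0), ("bad4 @4", bad4, 4.0),
              ("f5 @5", f5, 5.0), ("f5 @70", f5, 70.0)]
    return [(label, rx.receive(frame, t)) for label, frame, t in events]


if __name__ == "__main__":
    for label, result in demo():
        print(f"{label:12} -> {result}")
```

The counter check is what a plain CRC-32 ICV could never give WEP: an intercepted frame replayed later carries a counter the receiver has already passed, so it is dropped before any key work is done.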
Key Hierarchy and Management

WPA provides for more-secure and better key creation and management. This capability helps to safeguard against known key attacks. Client keys received via 802.1X key messages are used to derive base keys that are, in turn, used to derive per-packet keys. The master and base keys are not used to directly encrypt the data traffic.

Cipher and Authentication Negotiation

WPA improves interoperability by requiring APs to announce their supported ciphers and authentication mechanisms. Clients wishing to authenticate to the AP via WPA can receive this announcement and respond appropriately (via a policy-based decision). In addition, the client can now choose the most secure cipher and authentication mechanism that it and the AP both support.

WPA Modes: 802.1X/RADIUS or Preshared Key

WPA can be implemented with 802.1X and a RADIUS server (referred to by the Wi-Fi Alliance as "enterprise mode") or with a simple preshared key (referred to as "home mode").

802.1X/RADIUS

In this implementation, WPA requires 802.1X and is used in conjunction with an authentication server to provide centralized access control and management. This includes managing user credentials, authorizing users requesting network access, and generating session and group encryption keys. Figure 4 shows the components of this implementation.

Figure 4. WPA 802.1X/RADIUS Solution
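The key hierarchy described under "Key Hierarchy and Management", worked through for the preshared key ("home mode") case named above, as an added Python example; this is not code from the paper or from the Wi-Fi Alliance. The passphrase-to-PMK mapping (PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations, 256-bit output), the PRF that expands the PMK into the pairwise transient key (PTK), and the split of the 512-bit TKIP PTK into the key confirmation key, key encryption key, temporal key and two Michael keys follow IEEE 802.11i. The handshake fragment is simplified to messages 1 and 2 of the four-way handshake, with the EAPOL-Key frame reduced to the fields the MIC covers; MAC addresses, nonces, SSID and passphrase are constructed. The last function checks the paper's claim directly: the base key derived from the passphrase never appears in anything sent over the air, only nonces and a MIC computed under a key derived from it.

```python
"""WPA preshared-key mode key hierarchy: passphrase -> PMK -> per-session PTK.

Added example, not code from the paper or the Wi-Fi Alliance. PSK mapping,
PRF and PTK layout follow IEEE 802.11i; the two-message handshake fragment
is simplified. All addresses, nonces and secrets here are constructed.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Tuple


def psk_to_pmk(passphrase: str, ssid: str) -> bytes:
    """802.11i PSK mapping: the base key that is never sent over the air."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i), truncate."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), "sha1").digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> Dict[str, bytes]:
    """Expand the PMK into the 512-bit TKIP PTK using both addresses and both nonces."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 64)
    return {"KCK": ptk[:16],      # key confirmation key: MICs the handshake
            "KEK": ptk[16:32],    # key encryption key: wraps the group key
            "TK": ptk[32:48],     # temporal key: base key for per-packet TKIP keys
            "MIC_TX": ptk[48:56], "MIC_RX": ptk[56:64]}   # Michael keys, one per direction


def handshake_mic(kck: bytes, eapol_body: bytes) -> bytes:
    """EAPOL-Key MIC for TKIP (key descriptor version 1): HMAC-MD5 under the KCK."""
    return hmac.new(kck, eapol_body, "md5").digest()


def four_way_fragment(passphrase: str, ssid: str, aa: bytes, spa: bytes) -> Tuple[List[bytes], bool]:
    """Messages 1 and 2 of the handshake; returns the frames and whether the AP verified the MIC.

    aa is the AP (authenticator) MAC address, spa the client (supplicant) address.
    Both sides already hold the PMK from the passphrase; only nonces cross the air.
    """
    pmk = psk_to_pmk(passphrase, ssid)
    anonce, snonce = os.urandom(32), os.urandom(32)
    msg1 = b"EAPOL-Key:1:" + anonce                       # AP -> client: ANonce, no MIC yet
    ptk_client = derive_ptk(pmk, aa, spa, anonce, snonce)
    msg2_body = b"EAPOL-Key:2:" + snonce                  # client -> AP: SNonce ...
    msg2 = msg2_body + handshake_mic(ptk_client["KCK"], msg2_body)   # ... plus MIC under KCK
    ptk_ap = derive_ptk(pmk, aa, spa, anonce, msg2[12:44])  # AP reads SNonce from message 2
    ok = hmac.compare_digest(handshake_mic(ptk_ap["KCK"], msg2[:44]), msg2[44:])
    return [msg1, msg2], ok


if __name__ == "__main__":
    aa, spa = bytes.fromhex("00aabbccddee"), bytes.fromhex("001122334455")   # constructed
    frames, ok = four_way_fragment("correct horse battery staple", "constructed-ssid", aa, spa)
    pmk = psk_to_pmk("correct horse battery staple", "constructed-ssid")
    print("AP verified client MIC:", ok)
    print("PMK visible in any handshake frame:", any(pmk in f for f in frames))
```

A practical consequence of the derivation: the PMK depends on the SSID as well as the passphrase, and the PTK depends on both nonces, so changing the SSID or re-associating yields different keys even with the same passphrase.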

www.dell.com/r&d Wireless Security in 802.11 (Wi-Fi) Networks

Preshared Key

In the home, small office, or even some enterprises, WPA can be used in a preshared key mode that does not require an authentication server (or 802.1X). Access to the Internet and the rest of the wireless network services is allowed only if the preshared key of the computer matches that of the AP. This approach offers the setup simplicity of the WEP key, but uses the stronger TKIP encryption.

The WPA preshared key differs dramatically from the WEP key. Under WPA, the preshared key is used only in the initial setup of the dynamic TKIP key exchange. As described in Key Hierarchy and Management, this base key is never sent over the air or used to directly encrypt the data stream. In contrast, the WEP key is static until manually changed by the user or administrator. Figure 5 shows the components of this implementation.

Figure 5. WPA Preshared Key Solution

WPA is the first phase of the overall 802.11i standard. WPA immediately addresses the current weaknesses found in WEP. WPA also leverages the power of 802.1X, while providing the same capability to nonenterprise home users.

Wi-Fi Security Implementation on Dell Network

Internally, Dell was an early adopter of Wi-Fi technology and has a large Wi-Fi network implementation. Dell already had a VPN solution in place for remote worker access to the corporate network. Dell extended this solution to provide security for its internal Wi-Fi users. The result is robust security with a consistent interface regardless of where or how the user connects: via WLAN on campus, at an airport hot spot, or from home via dial-up, cable, or DSL modem.

Conclusion

Recent industry efforts are bringing more-robust native security to Wi-Fi networks.
The basic 802.11 security solutions that are available out of the box (SSID, MAC address filtering, and WEP) are soon to be strengthened by replacing important components of WEP with WPA via software upgrades to the wireless client systems and APs. This solution will provide suitable security for both small home or business networks and larger networks. 802.1X- and/or VPN-based solutions provide more scalable solutions for large enterprise networks or networks that require more robust security. Because no one of these approaches addresses all environments and situations, Dell is committed to providing a wide range of standards-based security solutions that can be implemented flexibly to address varying customer requirements and environments. Future releases of WPA will include increased security measures such as stronger ciphers (that is, AES), additional countermeasures (that is, additions to MIC), and additional design changes to TKIP.

Information in this document is subject to change without notice. © 2003 Dell Computer Corporation. All rights reserved. Trademarks used in this text: The DELL logo is a trademark of Dell Computer Corporation; Microsoft and Windows are registered trademarks of Microsoft Corporation; Wi-Fi is a registered trademark of Wireless Ethernet Compatibility Alliance, Inc. Other trademarks and trade names may be used in this document to refer to either the entities claiming the marks and names or their products. Dell Computer Corporation disclaims any proprietary interest in trademarks and trade names other than its own.
