Locking Down Wi-Fi

By Tara Seals

The Extricom EXSW-2400 Wireless LAN Switch includes 802.11i security as a standard feature, delivering high security without performance degradation, thanks to a dedicated co-processor in the switch and no processing bottlenecks at the access point.

The Wi-Fi community thought it had the security nut cracked with the arrival of the 802.11i security standard. But businesses still face hurdles in securing WLANs and ensuring safe hotspot usage — an issue vendors and service providers also must consider.

The 802.11i specification that comprehensively addresses authentication and encryption of the over-the-air connection is now part of the Wi-Fi Alliance’s certification process. Additionally, intrusion protection systems, mobile device management and laptop security can go a long way to solving security problems related to Wi-Fi. “Everything needed for a highly secure WLAN or hotspot now exists,” says Frank Hanzlik, managing director of the Wi-Fi Alliance. “It is now used in government and Department of Defense applications, which says a lot.”

Explaining the Standards

WLAN security began with Wired Equivalent Privacy (WEP), an encryption scheme whose flaws were quickly exploited by attackers. It has since evolved into the 802.11i standard, which has been folded into the Wi-Fi Alliance’s certification process. The Alliance’s Wi-Fi Protected Access (WPA) certification was an interim step based on a draft of 802.11i: it uses TKIP, a per-packet keying scheme layered on the same RC4 cipher as WEP, so that existing WEP hardware could be upgraded in firmware. Its successor, WPA2, certifies the full 802.11i standard and uses CCMP, built on the Advanced Encryption Standard (AES), which is the better fit for business networks. Both come in a Personal mode, authenticated with a pre-shared key, and an Enterprise mode, in which each user is authenticated through 802.1X and EAP.

802.11w, which is projected to be ratified in 2008, will go further and define protection for management frames. For now, “unprotected management frames can leave a wireless network vulnerable to denial of service and other attacks,” says Victoria Fodale, In-Stat analyst. For instance, the AirJack tool impersonates an access point and forges a deauthentication frame in its name; because the station has no way to verify where the frame came from, it believes the infrastructure no longer wants to provide service and drops its association.

Further, the IEEE 802.1 working group has published a comparable standard for wired Ethernet, 802.1AE (MACsec). While it is a different standard from 802.11i, the underlying infrastructure (reliance on 802.1X and EAP for authentication) is the same, allowing a single authentication infrastructure to serve both wired and wireless ports.

Nonetheless, Wi-Fi still is perceived as having security holes. According to a recent In-Stat end-user survey, the top concern of businesses, in general, is the exposure of sensitive data that is transmitted using wireless connections. Other concerns include securing data stored on wireless devices, intruders accessing the corporate network via wireless connections, and the installation of unauthorized wireless equipment within the corporate network.

Those security concerns are a major problem for technologies like Wi-Fi, given industry and federal regulations that mandate the protection of personal data. It has been well documented that Sarbanes-Oxley and HIPAA mandate higher levels of protection for data. Of course, even without such regulations, it’s in the best interest for companies to guard against the exposure of critical data such as customer, product and financial information.

So this need for security is well understood, and the tools to secure Wi-Fi networks have arrived, but securing Wi-Fi remains a complex process. “Protecting data is the foundation of security in a business, whether you are protecting it in a database or application, on a server, computer or portable device, during transmission over a network, or physically in the facility itself,” says In-Stat analyst Victoria Fodale. “[But] two major factors make wireless more complex [than in the past] and represent how security has had to evolve.” Namely, unlike a wired environment, the boundaries of air space in a wireless environment are not easy to control or define. And, a more mobile workforce and the widespread use of portable devices introduces more vulnerabilities and attack vectors.

“According to our research, most businesses today are using wireless technology to access the company LAN from within the corporate environment or from a remote location,” says Fodale. “However, other usages, such as machine-to-machine communication, which are less visible, can also introduce significant risks.” That also includes VoWiFi and dual-mode devices. Further, deployments of WiMAX, mesh and municipal wireless networks mean more wireless connectivity is available than ever before. These networks are subject to the same security issues as a Wi-Fi hotspot or WLAN — though on a much larger scale.

Part of the challenge for IT departments also lies in scaling the security measures. For instance, 802.11i relies on IEEE 802.1X port-based access control, which carries the Extensible Authentication Protocol (EAP). EAP is a framework rather than a single protocol: it allows a large number of authentication protocols to be used, and consequently products support a large number of EAP “methods.”

“The number of methods available does cause some confusion in the market, because each one of them has a different characteristic,” says Pat Calhoun, CTO of Cisco Systems Inc.’s wireless networking business unit. “Cisco prefers the use of EAP-FAST because it is not susceptible to man-in-the-middle attacks, which many of the other EAP methods are. And it allows for the use of username/passwords.”

Also, each client needs to be configured to use the right EAP method, with the appropriate set of configuration parameters — thus increasing the complexity.
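To make that configuration burden concrete, here is an added example (not code from the article or from any vendor named in it) that audits a wpa_supplicant-style configuration. It parses the network blocks of a constructed sample file and flags the weak choices discussed above: open or WEP networks, the RC4-based TKIP cipher instead of AES/CCMP, a short pre-shared-key passphrase, EAP methods configured without validating the RADIUS server’s certificate and name, and management frame protection (802.11w) not being required. The sample SSIDs, file paths, passphrase threshold and the specific checks are this example’s own assumptions, not article recommendations.

```python
import re

# Constructed sample wpa_supplicant.conf (illustrative; not from the article).
SAMPLE_CONF = """
network={
    ssid="shop-wifi"
    key_mgmt=WPA-PSK
    psk="password1"
    pairwise=TKIP
    group=TKIP
}

network={
    ssid="corp-wlan"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="Secret!"
    phase2="auth=MSCHAPV2"
}

network={
    ssid="corp-wlan-tls"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="jdoe@example.com"
    ca_cert="/etc/ssl/certs/corp-ca.pem"
    client_cert="/etc/ssl/certs/jdoe.pem"
    private_key="/etc/ssl/private/jdoe.key"
    domain_suffix_match="radius.example.com"
    pairwise=CCMP
    group=CCMP
    ieee80211w=2
}
"""

# Policy values chosen for this example (assumptions, not article recommendations).
# The cipher defaults mirror wpa_supplicant's documented defaults for pairwise= and group=.
MIN_PSK_PASSPHRASE = 16
DEFAULT_PAIRWISE = "CCMP TKIP"
DEFAULT_GROUP = "CCMP TKIP WEP104 WEP40"
SERVER_CERT_EAP = {"PEAP", "TTLS", "TLS"}   # methods whose safety rests on server cert validation


def parse_networks(text):
    """Split wpa_supplicant.conf text into one dict per network={...} block."""
    nets = []
    for body in re.findall(r"network=\{(.*?)\}", text, flags=re.S):
        net = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            key, _, value = line.partition("=")
            net[key.strip()] = value.strip().strip('"')
        nets.append(net)
    return nets


def audit_network(net):
    """Return the list of weaknesses found in one network block (empty list = clean)."""
    findings = []
    key_mgmt = set(net.get("key_mgmt", "WPA-PSK WPA-EAP").split())
    pairwise = set(net.get("pairwise", DEFAULT_PAIRWISE).split())
    group = set(net.get("group", DEFAULT_GROUP).split())

    # Open or WEP: no usable protection over the air.
    if "NONE" in key_mgmt or any(k.startswith("wep_key") for k in net):
        findings.append("open/WEP network: no usable link encryption")

    # TKIP is the WPA-era cipher layered on RC4; WPA2 (802.11i) means CCMP/AES.
    if "TKIP" in pairwise or "TKIP" in group:
        findings.append("TKIP (RC4-based) permitted; restrict pairwise/group to CCMP")
    if group & {"WEP40", "WEP104"}:
        findings.append("WEP group cipher permitted")

    # Pre-shared key: everything rests on the passphrase (a 64-hex PSK is exempt).
    if "WPA-PSK" in key_mgmt and "psk" in net:
        psk = net["psk"]
        if not re.fullmatch(r"[0-9a-fA-F]{64}", psk) and len(psk) < MIN_PSK_PASSPHRASE:
            findings.append(f"PSK passphrase shorter than {MIN_PSK_PASSPHRASE} characters")

    # EAP: the client must pin the RADIUS server's CA and expected name; otherwise an
    # impostor AP with its own RADIUS server can harvest the inner credentials.
    if "WPA-EAP" in key_mgmt and net.get("eap") in SERVER_CERT_EAP:
        if "ca_cert" not in net:
            findings.append(f"EAP-{net['eap']} without ca_cert: server certificate not validated")
        if not any(k in net for k in ("domain_suffix_match", "subject_match", "altsubject_match")):
            findings.append(f"EAP-{net['eap']} without a server-name match")

    # 802.11w protected management frames: ieee80211w=2 means required.
    if net.get("ieee80211w") != "2":
        findings.append("management frame protection not required (ieee80211w!=2)")
    return findings


def audit_conf(text):
    """Map each SSID in the file to its findings."""
    return {net.get("ssid", "?"): audit_network(net) for net in parse_networks(text)}


if __name__ == "__main__":
    for ssid, findings in audit_conf(SAMPLE_CONF).items():
        print(ssid, "->", findings or ["OK"])
```

Run against the sample, the PSK/TKIP block and the PEAP block without a CA pin each produce several findings, while the EAP-TLS block with a pinned CA, a server-name match and CCMP passes clean. The checker only reads the client side; it says nothing about whether the RADIUS server or the AP actually enforce the same choices.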

Best Practices

There are several general concepts involved in securing wireless networks. They include the following:

  • Access control
  • Data encryption on portable devices
  • Firewalls between the wired and wireless networks
  • User education
  • VPNs
  • Wireless intrusion systems
  • Wireless security policies

“Businesses need to employ a variety of security mechanisms to protect their operations and assets,” says Victoria Fodale, In-Stat analyst. “Furthermore, businesses must protect employees whether they use wireless connections from remote offices, hotspots or home offices. But technology can’t protect users from attacks that include social engineering like phishing and pharming, which is why user education is important too.

“Finally, businesses need to use a risk management approach when evaluating Wi-Fi,” she adds. “Nobody wants to see their CEO on the front page of The Wall Street Journal explaining a data breach.”

“It’s a fast-evolving technology with a lot of moving parts,” says Fodale. “Since its introduction in the late 1990s, WLAN equipment has blazed through three generations of architectures and at least half-a-dozen industry standards.”

A lack of knowledge about how to protect oneself is another problem. Media coverage of data breaches is raising identity theft awareness among the general public, but other issues, including the relative ease of accessing hard drives that are on the same Wi-Fi network, the ability to gain access to e-mail and data by capturing unencrypted transmissions to gain user/password information, and other risks are less well known. As such, users may not take every precaution when using a hotspot.

“Laptops are factory-configured to work in networks, and yet that is the most dangerous configuration in a public access setting,” says Shannon Michael, director of corporate communications at iBAHN, which offers end-to-end managed Wi-Fi services for businesses. Thanks to municipal mesh networks, “another new issue that relates to Wi-Fi is that it is no longer necessary to be in the same location in order to sniff traffic, because the range of the network might reach as far as several buildings away, a city block away, etc.”

One typical scenario might be a business traveler with a laptop full of proprietary or corporate data using a public access Wi-Fi network without, at the very least, the Wi-Fi client protection turned on. It is then easy, requiring no special software or expertise, to gain access to a laptop hard drive on an insecure network, notes Michael, placing competitive knowledge at risk.

Another remaining hurdle for Wi-Fi security lies in intrusion detection and prevention. It’s important to make sure no one externally can log onto the corporate network. “The obvious challenge to securing Wi-Fi is that radio waves represent a shared transport medium that often will propagate beyond the geographic boundaries of your business,” says a spokesperson for Extricom, a WLAN equipment vendor. “The internal security of WLAN is now fully addressable [with 802.11i]. So, as the WLAN that you design now can be of high internal integrity, the focus shifts to threats that are external to your network — hence the increased attention on detecting attempts to intrude or, more likely, disrupt your network from the outside.” Making wireless intrusion detection and prevention more sophisticated, so that it better qualifies detected threats, reduces the impact of false positives and makes remediation and response more effective, will therefore be the next frontier.
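As an added example of the kind of logic a wireless intrusion detection system applies to the deauthentication attack described earlier (constructed here; not Extricom’s or any other vendor’s code), the Python below builds a handful of raw 802.11 management frames, including a forged broadcast deauthentication flood of the kind the AirJack tool produces, and flags two conditions: a burst of deauthentication/disassociation frames from one BSSID within a short window, and a deauthentication claiming a BSSID that is not on the authorized list. The MAC addresses, timestamps, reason codes and the flood threshold are constructed assumptions.

```python
import struct
from collections import defaultdict

DEAUTH, DISASSOC = 0xC, 0xA          # 802.11 management frame subtypes
BROADCAST = "ff:ff:ff:ff:ff:ff"
FLOOD_THRESHOLD = 10                  # frames per window; a value chosen for this example
WINDOW_SECONDS = 1.0


def mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def build_mgmt_frame(subtype, da, sa, bssid, reason=None, seq=0):
    """Build a minimal 802.11 management frame (no FCS): frame control, duration,
    addr1=DA, addr2=SA, addr3=BSSID, sequence control, optional reason-code body."""
    fc = (subtype << 4) | 0x00       # type 0 = management, protocol version 0
    hdr = struct.pack("<BBH6s6s6sH", fc, 0, 0,
                      mac_bytes(da), mac_bytes(sa), mac_bytes(bssid), seq << 4)
    body = struct.pack("<H", reason) if reason is not None else b""
    return hdr + body


def parse_mgmt_frame(raw):
    """Return the header fields of a management frame, or None for other frame types."""
    if len(raw) < 24:
        return None
    fc, _flags, _dur, a1, a2, a3, _seq = struct.unpack_from("<BBH6s6s6sH", raw, 0)
    if (fc >> 2) & 0x3 != 0:          # bits 2-3 of frame control: 0 = management
        return None
    reason = struct.unpack_from("<H", raw, 24)[0] if len(raw) >= 26 else None
    return {"subtype": (fc >> 4) & 0xF, "da": mac_str(a1), "sa": mac_str(a2),
            "bssid": mac_str(a3), "reason": reason}


def detect_deauth_abuse(capture, authorized_bssids):
    """Scan (timestamp, frame) pairs; alert on deauth/disassoc floods and on
    deauth/disassoc frames that name a BSSID we do not operate."""
    alerts = []
    history = defaultdict(list)       # (bssid, sa) -> timestamps within the window
    already_flagged = set()
    for ts, raw in capture:
        f = parse_mgmt_frame(raw)
        if f is None or f["subtype"] not in (DEAUTH, DISASSOC):
            continue
        if f["bssid"] not in authorized_bssids:
            alerts.append((ts, "rogue",
                           f"deauth/disassoc from unknown BSSID {f['bssid']} to {f['da']}"))
        key = (f["bssid"], f["sa"])
        recent = history[key]
        recent.append(ts)
        while recent and ts - recent[0] > WINDOW_SECONDS:
            recent.pop(0)
        if len(recent) >= FLOOD_THRESHOLD and key not in already_flagged:
            already_flagged.add(key)
            alerts.append((ts, "flood",
                           f"{len(recent)} deauth/disassoc frames from {f['sa']} on "
                           f"{f['bssid']} within {WINDOW_SECONDS}s (reason {f['reason']})"))
    return alerts


AP = "00:11:22:33:44:55"              # our access point (constructed)
CLIENT = "66:77:88:99:aa:bb"          # one of our stations (constructed)
ROGUE_AP = "de:ad:be:ef:00:01"        # an AP we do not operate (constructed)


def sample_capture():
    """Constructed capture: one legitimate deauth, then a spoofed broadcast deauth flood
    (attacker forging the AP's source address, reason 7), then a deauth from a rogue AP."""
    cap = [(0.0, build_mgmt_frame(DEAUTH, CLIENT, AP, AP, reason=2))]
    cap += [(1.0 + i * 0.05, build_mgmt_frame(DEAUTH, BROADCAST, AP, AP, reason=7, seq=i))
            for i in range(20)]
    cap.append((5.0, build_mgmt_frame(DEAUTH, CLIENT, ROGUE_AP, ROGUE_AP, reason=3)))
    return cap


if __name__ == "__main__":
    for ts, kind, msg in detect_deauth_abuse(sample_capture(), {AP}):
        print(f"{ts:6.2f} {kind:5} {msg}")
```

Because deauthentication frames carry no integrity protection until 802.11w is deployed, the detector cannot tell a spoofed source address from the real access point; rate, target and reason code are the only signals it has, which is why the threshold is a per-site tuning value rather than a fixed rule. With 802.11w in place a station discards the forged frames, but a sensor still sees the flood and should still raise it.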

The range of risk scenarios Wi-Fi can present is as varied as businesses themselves. The approach, however, should be consistent for all, according to Extricom. That is, assess the risk profile of the business, and then look at the continuum of security technologies to decide which combination provides the best protection-cost-manageability mix. For example, while pre-shared-key authentication and the RC4-based TKIP cipher may suffice for a small business, larger businesses may need stronger authentication such as EAP-TLS, AES-based encryption, and an overlay wireless intrusion and rogue-AP detection system.

Links
Cisco Systems Inc. www.cisco.com
Extricom www.extricom.com
iBAHN www.ibahn.com
In-Stat www.instat.com
Wi-Fi Alliance www.wi-fi.org