RADIUS, Rogues and Wireless Security Practices

 
 
By Carol Ellison  |  Posted 2004-07-27 Print this article Print
 
 
 
 
 
 
 

Security on wireless LANs may have reached a par with wired networks, but that doesn't mean you can stop sweating the details.

It would be tempting to dismiss Aruba Wireless Networks advisory this week about RADIUS vulnerabilities as old news if security werent so darned important. RADIUS (Remote Authentication Dial-In User Service) servers have been used to authenticate users since virtually the dawn of the World Wide Web, and their weaknesses have been known for about as long. Theyve also been addressed in more ways than one—both wired and wirelessly. Not surprisingly, Aruba happens to have a device that addresses the problem the company described. But Aruba Chief Technology Officer Merwyn Andrade said, "our intent in bringing this up was more to raise awareness around security best practices."
Click here to read about the RADIUS attack that Aruba described.
It also wasnt surprising that, when I called around for reaction to the advisory, I found no one wringing their hands over it. Eric Barnett, wireless administrator at Arkansas State University at Jonesboro, was in the midst of upgrading his campus network when I called, enabling wireless access for as many devices as possible on the campus network. That upgrade includes transitioning to 802.11i devices in departments where strong security is required. And the cost of upgrading all devices is prohibitive. "Were an all-Cisco shop and the only way we can use AES [Advanced Encryption Standard] is with their new 1200 Series APs. Unfortunately most of ours are 350s. So were setting up AES in very specific areas," he said. The latest report, Barnett observed, "sounds kind of like the LEAP attack that came in a few years ago. If you have a good password policy, you should be OK." You should also be OK if you replace LEAP (Lightweight Extensible Authentication Protocol) with EAP-FAST (EAP-Flexible Authentication via Secure Tunneling), the protocol Cisco developed to fix the problem. Arubas Andrade acknowledged there are many fixes for RADIUS weaknesses. "There are existing recommendations to protect against this, its just that people are not following them," he said. He advised IT managers to "work with your vendors to mitigate these threats." What may be most significant about Arubas advisory is that the problem the company describes existed on wired networks even before wireless entered the picture. Gartner Analyst Ken Dulaney notes that the dictionary attack that Aruba described could occur by plugging a laptop into a network port just as easily as it could if you plugged in a rogue access point. For that reason, he said, "we dont think its a big deal. First of all, youve got to gain access to the wired network, and once you have that type of access, you can do damage in a lot of places." If anything, he said, the advisory demonstrates how far wireless security has come. RADIUS servers were put to work to compensate for the vulnerabilities of WEP (Wired Equivalent Privacy) soon after the weaknesses of the original security mechanism became known. The two key components of good security are encryption, which was weak in WEP, and authentication, which wasnt in WEP at all. No small number of enterprises addressed wireless LAN security by running RADIUS authentication with a strong encryption mechanism such as VPN. The IEEEs ratification of 802.11i addressed these problems by scrapping WEPs flawed encryption for strong AES encryption, and by using port-based 802.1X authentication with an EAP type with an authentication server (usually RADIUS) to mutually authenticate devices and isolate rogues. Dulaney said Aruba "may have been trying to use this as an illustration of what can happen. It does go back to the theme that wired and wireless are converging." The message here is that wireless security is no longer just a wireless issue: Its a network issue. If you havent done so already, advises Dulaney, "you need to look at security schemes that protect you across both mediums." More from Carol Ellison Check out eWEEK.coms Mobile & Wireless Center at http://wireless.eweek.com for the latest news, reviews and analysis.

Be sure to add our eWEEK.com mobile and wireless news feed to your RSS newsreader or My Yahoo page

 
 
 
 
Carol Ellison is editor of eWEEK.com's Mobile & Wireless Topic Center. She has authored whitepapers on wireless computing (two on network security–,Securing Wi-Fi Wireless Networks with Today's Technologies, Wi-Fi Protected Access: Strong, Standards-based Interoperable Security for Today's Wi-Fi Networks, and Wi-Fi Public Access: Enabling the future with public wireless networks.

Ms. Ellison served in senior and executive editorial positions for Ziff Davis Media and CMP Media. As an executive editor at Ziff Davis Media, she launched the networking track of The IT Insider Series, a newsletter/conference/Web site offering targeted to chief information officers and corporate directors of information technology. As senior editor at CMP Media's VARBusiness, she launched the Web site, VARBusiness University, an online professional resource center for value-added resellers of information technology.

Ms. Ellison has chaired numerous industry panels and has been quoted as a networking and educational technology expert in The New York Times, Newsday, The Los Angeles Times and The Wall Street Journal, National Public Radio's All Things Considered, CNN Headline News, WNBC and CNN/FN, as well as local and regional Comcast and Cablevision reports. Her articles have appeared in most major hi-tech publications and numerous newspapers and magazines, including The Washington Post and The Christian Science Monitor.
 
 
 
 
 
 
 

Submit a Comment

Loading Comments...
 
Manage your Newsletters: Login   Register My Newsletters























 
 
 
 
 
 
 
 
 
 
 
Rocket Fuel