Wireless Spec No Security Elixir

Experts warn that 802.1x has unresolved problems and should not be considered a panacea for the security ills plaguing wireless LANs.

A new WLAN security specification is gaining momentum in the marketplace, with several vendors set to announce new products that use the technology. However, experts warn that the specification, 802.1x, has unresolved problems and should not be considered a panacea for the security ills plaguing wireless LANs.

802.1x is meant to serve as a framework on which enterprises can layer authentication methods such as smart cards or certificate-based systems. But security experts say it has limitations.

Researchers at the University of Maryland earlier this year found two security problems in the 802.1x standard that enabled them to hijack user sessions and execute man-in-the-middle attacks. The IEEE working group responsible for the standard is in the process of fixing the problems now.

"I don't think that [802].1x is the answer to all of the problems with 802.11. Clearly, the crypto needs—and has received—lots of work," said William Arbaugh, assistant professor of computer science at the University of Maryland, in College Park, and co-author of the paper describing the flaws in 802.1x. "It is not the complete solution."

Nevertheless, software developers are moving forward with the technology. Funk Software Inc. and ReefEdge Inc., for example, will each unveil this week new versions of their software that support 802.1x.

Funk's Steel-Belted Radius 4.0 RADIUS (Remote Authentication Dial-In User Service) server is designed for use in large enterprises with heterogeneous environments and, as such, can now authenticate WLAN users against a variety of back ends, including SQL, LDAP and Microsoft Corp.'s Active Directory. The new version adds support for EAP-TLS (Extensible Authentication Protocol-Transport Layer Security) and EAP-TTLS (EAP-Tunneled Transport Layer Security).

The company is also introducing a new version of its Odyssey Server, a RADIUS server for smaller organizations, which handles only authentication requests for Windows authentication. It can forward non-Windows requests to Steel-Belted Radius.

Funk executives said that while VPNs (virtual private networks) have become the de facto standard for authentication on WLANs, they don't offer the flexibility of 802.1x.

"Security is paramount for wireless LANs. When we looked at VPNs, we realized [they] wouldn't scale from management and cost perspectives," said Joe Ryan, Funk's vice president, in Cambridge, Mass.

At NetWorld+Interop in Atlanta this week, ReefEdge, of Fort Lee, N.J., will introduce its Connect System 3.0 for securing WLANs, which includes 802.1x support. Version 3.0 also includes a third edge controller device that offers greater throughput. The EC200 edge device supports 150M bps of Triple-DES (Data Encryption Standard) throughput.
