WLAN Security: Help on the Way

Funk's Odyssey taps new authentication scheme.

A small Cambridge, Mass., developer this week will introduce software designed to lock down notoriously insecure WLAN systems.

Funk Software Inc.s Odyssey includes server and client software and is based on a new authentication scheme known as EAP-TTLS (Extensible Authentication Protocol-Tunneled Transport Layer Security). EAP-TTLS requires no client-side digital certificates.

To date, most wireless LAN security products have been based on EAP-TLS, which uses Transport Layer Security, a successor to SSL (Secure Sockets Layer), and requires customers to set up a certificate authority.

"People are facing a battle between complexity and security, and TTLS addresses that," said Steve Pettit, general manager of the software business unit at Enterasys Networks Inc., based in Portsmouth, N.H., which has tested Odyssey. "Its significantly easier to deploy than something that requires a [certificate authority]."

"This allows customers to deploy a WLAN without complexity," Pettit said.

Funks new software also enables IT managers to lock down existing WLANs without having to invest in new hardware. Thats because, although its based on TTLS, Odyssey also supports TLS and other security protocols.

WLANs that are based on the 802.11b standard have gained a large following in the enterprise in the last year for several reasons, including their low cost and their ability to allow users to roam while connected to the network.

However, security researchers have shown 802.11b and WEP (Wired Equivalent Privacy), its encryption protocol, to be riddled with vulnerabilities.

Odyssey, which enters an open beta period this week and is scheduled to ship later this month, relies on passwords instead of a client-side digital certificate for user authentication.

The password is wrapped in the TLS encryption and then sent to the server, which authenticates to the client.

Because Odyssey doesnt require client certificates, it also enables users to access the WLAN from multiple PCs. Traditional WLAN security products require users to obtain a separate certificate or transfer that certificate.

But Funk isnt alone. ReefEdge Inc., of Fort Lee, N.J., has taken a similar approach with its Connect Server and Connect Bridges, which together let users log in to WLANs via any browser and use SSL encryption to transmit the authentication data.

Further security is provided via customizable policies.

Security experts say these novel approaches have merit but user access must be closely monitored.

"Access control is important if you dont want others to piggyback their traffic on your WLAN," said Avi Rubin, principal researcher at AT&T Corp.s Labs division, in Florham Park, N.J., and part of a team that designed a WEP exploit.

"I think that the SSL solution is the right way to go," Rubin said.