Tightening WLAN Security

Solutions that provide stronger authentication, centralized management ease 802.11b concerns

The enthusiasm for 802.11b wireless networking has been tempered by reports of vulnerabilities in the protocols WEP algorithm. A number of new products attempt to rally support by providing additional measures of security and control.

Microsoft Corp. has thrown its considerable weight behind 802.11b. The newest sitting chair member of the WiFi consortium, Microsoft has added a host of wireless-related features to the forthcoming Windows XP operating system. These include new driver support and client association tools, but the most significant feature is the integration of the nascent 802.1x standard, a move toward user- authenticated network access control.

As part of the 802.1x standard, which has been approved but not implemented within 802.11b, the Windows XP client natively supports EAP (Extensible Authentication Protocol), which provides dynamic, session-specific wireless encryption keys, central user administration via specialized third-party RADIUS (Remote Authentication Dial-In User Service) servers, and mutual authentication between client and AP (Access Point) and AP to RADIUS server.

Windows XP is also compatible with EAP-TLS (EAP-Transport Level Security), which uses digital certificates for authentication. Windows XPs integration of these features will significantly ease deployment of EAP solutions because separate client utilities will no longer be necessary.

These capabilities will reduce the risk involved in using 802.11b within a corporate network.

For example, one of the biggest security problems with 802.11b is that it authenticates the hardware, not the user. Therefore, stolen laptops or forged MAC (media access control) addresses can be used to infiltrate the network. With EAP, the RADIUS server will authenticate the user, not just the hardware, providing a scalable, centrally managed authentication solution. And EAPs dynamic WEP (Wireless Equivalent Privacy) keys reduce the exposure of the same WEP key over multiple transmissions, reducing the risk of the latest cryptographic vulnerabilities.

Cisco Systems Inc. (www. cisco.com) was one of the first vendors to provide a wireless-ready RADIUS server: Cisco ACS, released in January, can be used with Ciscos proprietary Lightweight Extensible Authentication Protocol implementation, and it already interoperates with 802.1x. By the time you read this, Funk Software Inc. (www. funk.com) should be beta testing its own wireless-ready solution, Steel-Belted RADIUS.

The release of these products signifies the first salvo in a serious push toward an effective, scalable wireless authentication solution.

Centralized Management

Another hurdle to corporate wireless networking is a lack of centralized management, making it difficult to implement and update a wireless security policy across the enterprise. Wavelink Corp. (www.wavelink.com) has stepped into the breach, last month releasing Mobile Manager 5.0.

Mobile Manager, the only existing multiplatform access point configuration utility, centralizes the discovery, monitoring and configuration of access points across the network. Originally designed for use with Symbol Technologies Inc. equipment, Wavelinks product has added support for Cisco Aironet 340/350, Intel Corp. Pro/Wireless 2011 and Ericsson AB WLAN (wireless LAN) 11M-bps hardware. Full support for 3Com Corp., Nortel Networks Ltd. and Agere Systems Inc. hardware is expected in the next version of Mobile Manager. Although capability and performance vary a bit depending on the hardware, Mobile Manager provides a handy solution for defining and implementing policies for wireless access points, including defining the network name, changing radio performance metrics and updating those pesky static WEP keys (see screen, above).

By recognizing vendor-specific broadcasts over the wired network, Mobile Manager can also be used to track unauthorized "rogue" access points on the network. However, given the limited number of supported devices, we recommend using a wireless protocol analyzer to detect these rogues through their wireless broadcasts. Network Associates Inc.s (www.nai.com) Wireless Sniffer Pro 4.6 and WildPackets Inc.s (www.wildpackets.com) AiroPeek 1.1 are good choices.

These products are among the first to provide scalable management across a multivendor enterprise network, and, in their own ways, are effective at shoring up security. However, serious administrators should continue to investigate additional virtual private network technologies to ensure privacy for wireless transmissions.