Making Sense of Evolving WLAN Standards, Part 1: Security

Standards Can’t Plug Every Security Hole

It’s important to distinguish here between what vendors should be responsible
for and where customer accountability comes in. Remember, many of the crackable
WLANs out there are easily cracked because encryption and authentication of
any flavor are turned off. You can’t blame the bank-vault manufacturer if the
bank manager never locks the vault because he doesn’t want to bother memorizing
the combination.

Even so, because of the hysteria surrounding wireless security, vendors are
addressing the lazy-bank-manager problem by centralizing security into the core
of the network, moving it away from access points and into a single, centralized
appliance, such as a WLAN switch.

However, then you have yet another problem: your APs may have enough information
in them to put your network at risk.

"Access points are inherently vulnerable because they are not physically
secure. A savvy hacker or a smart disgruntled employ could guess the AP password
and modify security settings to allow open network access," DeBeasi said.
"A switch raises the bar because it requires more sophisticated control
protocols such as SNMP version 3."

Bluesocket’s Juitt says, "Both WPA and 802.11i should provide reasonable
Layer 2 security, but any security professional with an ounce of sense will
tell you that secure networks, be they wired or wireless, are based on a layered
security architecture. You begin with the underlying Layer 2 protocols and build
up from there. In some deployments, a Layer 2 solution is enough. In others,
you may want to add Layer 3 security, perhaps IPSec, on top of that."

A common method for strengthening WLANs beyond Layer 2 encryption is to utilize
an existing wired standard such as IPSec and run virtual private network (VPN)
tunnles over your WLAN. However, VPNs are notorious for
being complex and management intensive. Moreover, since VPNs provide Layer 3
security, they are still vulnerable to Layer 2 attacks. With a Layer 3 security
solution, any node trying to access the network must do so by being granted
Layer 2 access to begin with. With the data link unprotected, an attacker can
see MAC addresses , associate with Access Points,
and receive an IP address from the Dynamic Host Configuration Protocol (DHCP)
server. Of course, much of the problem here stems from
the fact that IPSec is intended as a point-to-point protocol, while WLANs are
broadcast networks.

In contrast to IPSec, both WPA and 802.11i encrypt traffic and enforce user
authentication at layer 2 using IEEE 802.1x. IEEE 802.1x uses EAP (Extensible
Authentication Protocol) to provide the ability to conduct centralized authentication
and dynamic key exchange. EAP packets are carried at the MAC layer over the
WLAN and are then forwarded to the RADIUS server by the WLAN switch/AP. 802.1x
also enables centralized policy control, so session time-outs can be enforced
and automatic key redistribution can be mandated.

Security Is a Moving Target

This whole issue of strong-enough WLAN security standards reminds me of several
conversations I’ve had with security guru Bruce Schneier, founder and
CTO of Counterpane Internet Security
and author of several books on security, including Secrets & Lies: Digital
Security in a Networked World.
You can’t have a conversation with Schneier
without hearing two security refrains repeated over and over: "Security
is a process, not a product," and "Security is a moving target."
In other words, there is human intelligence involved with any type of network
attack, so those attacks constantly evolve. Products can address known vulnerabilities,
but they tend to be blindsided by innovative attack methods.

While it would be foolish to believe that wireless security issues will ever
be solved, I have noticed lately that my discussions about WLAN security are
strikingly similar to the conversations I was having a couple of years ago about
wired Internet security. In other words, the security gap between the two is
rapidly closing (you could argue it has closed already). Instead of worrying
about security holes you can drive a truck through (like WEP), the industry
is beginning to worry about more savvy, creative, and sophisticated security
issues. If you have an 802.11i- or WPA-compliant WLAN that centralizes authentication
and policy procedures, then wireless security is no longer an issue of wireless
security, but simply of network security.

(Part Two of this article will investigate the issues that arise once security
concerns have been taken off the table. Which version of radio technology should
you commit to — 802.11a, b, or g? And once the client-to-radio communication
is addressed, how then should your radios communicate back to your centralized
WLAN appliance?)

Jeff Vance is a technology writer and consultant. He was previously the
editor of
Mobile Internet Times and E-Infrastructure Times, before
striking out as a freelance writer. He now focuses on high-tech trends in wireless,
next-generation networking, and Internet infrastructure. His articles have appeared
or are forthcoming in
Network World, Wi-Fi Planet,,,
and Telecom Trends, among others. You can contact him at [email protected].