Dos and don'ts for your wireless LAN Network World


Dos and don'ts for your wireless LAN Network World, 03/25/02
Location, location, location
  Do perform extensive site surveys before deploying access points.
  Don't forget to routinely check access point locations to see if any alteration in the surrounding environment will interrupt connectivity.
Less is more
  Do limit the number of protocols used. Sticking to TCP/IP will reduce chances of clogging the wireless LAN.
  Don't deploy high-volume, bandwidth-hogging applications.
Keep it simple
  Do design an intuitive and simple user interface to help users acclimate.
  Don't try to meet all user whims. Keep the wireless LAN as simple as possible.
Security smarts
  Do employ user identification/password, encryption, authentication and other security measures. Firewalls and VPNs are options for smaller wireless LANs.
  Don't trust the out-of-the-box security vendors offer.
Standard issue
  Do standardize access devices to ensure applications will work across laptops, PDAs and other handhelds.
  Don't assume users will always respect corporate rules regarding the wireless LAN. Performing constant network discoveries may uncover unauthorized devices.

Wi-Fi spies
New authentication and encryption techniques will protect wireless LANs from drive-by hackers.
By Jim Geier
Network World, 03/25/02
By now, the stories of hackers driving around in cars, breaking into wireless LANs with off-the-shelf tools such as AirSnort or WEPcrack, have become commonplace.
Wired Equivalent Privacy (WEP), the 802.11 standard for wireless security, has been discredited on a couple of counts:
* Weak encryption. To comply with federal encryption export rules that existed in 1997, the 802.11 standards group limited WEP key lengths to 40 bits. This provides a limited level of encryption that is relatively easy to compromise.
A hacker using a statistical analysis tool can crack a WEP key from a wireless LAN with typical levels of traffic in less than 24 hours.
* Static keys. Another problem is that WEP keys are common among the desktop cards and access points within the same wireless LAN, and they don't automatically change on a regular basis. To make matters worse, WEP has no key distribution method. Once you set up the keys for each user, they're difficult to change.
Network managers are reluctant to update WEP keys because of the long, tedious process of going to each end user's device to make the changes. As a result, wireless LANs using WEP have relatively weak keys banging around the network for days, weeks and even months.
The bottom line is that the current version of WEP is ineffective for protecting valuable information. Most applications need stronger, dynamic encryption and authentication mechanisms. Even if you don't think you need something stronger than WEP, you probably do.
Any wireless LAN that provides a potential path to valuable resources - even if those resources don't have anything to do with the intended wireless application - requires more security than what WEP offers.
Consider a hospital that deploys a wireless LAN to support mobile monitoring of a patient's heart rate and temperature. Because of the limited security requirements of that type of patient information, the hospital may decide that this application doesn't require encryption.
However, the wireless LAN offers a path through the network backbone to the hospital billing system. A hacker with a radio-equipped laptop sitting in a car in the hospital parking lot can easily traverse the network. This puts the hospital billing system in the hands of the hacker.
The obvious industries that require the strongest wireless security include banking and finance. In addition, the expected increase of public wireless LANs at airports, hotels and other public places will increase the potential for hackers to find ways into places on networks where they shouldn't go.
In response, companies such as Illuminet and TTS-Linx are developing public wireless LAN products that focus on strong security mechanisms that go well beyond the existing 802.11 WEP. In addition, the 802.11 working group, the Wireless Ethernet Compatibility Alliance, Wireless ISP Roaming and vendors are aggressively developing solutions to fill the wireless LAN security hole.
802.1X to the rescue
Windows XP and the majority of access point vendors support IEEE 802.1X, which is a standard defining the framework for port-based authentication and key distribution over both wired and wireless LANs.
Most people envision 802.1X as the primary enabler for wireless LAN security because it does a great job of dynamically allocating encryption keys.
Extensible Authentication Protocol (EAP) is the heart of 802.1X and facilitates the authentication process between an "authenticator" and a "supplicant" via an authentication server (see diagram below).
In the case of a wireless LAN, the supplicant is the client (802.11 network interface card) and the authenticator is the access point. The access point serves as the boundary between the protected and the unprotected parts of the network. Authentication servers approve and disapprove access, and they come in several varieties, such as Remote Authentication Dial-In User Service and Kerberos.
When an 802.1X client attempts to connect with an access point, the access point establishes a port that only lets EAP traffic through. The process continues, and the access point uses the client's identity for authentication with the authentication server.
If the authentication result is positive, the access point will enable other specific traffic (such as Dynamic Host Configuration Protocol, Post Office Protocol 3 and Simple Mail Transfer Protocol) from the client to flow through the access point to the protected side of the network. If the client logs off, the access point will disable the client's ports.
EAP alone doesn't define all the techniques for securing a wireless connection. The security solution also needs to implement an "authentication type," such as the Lightweight Extensible Authentication Protocol (LEAP) or EAP Transport Layer Security (EAP-TLS).
Both of these methods include mutual authentication between client and access point. LEAP dynamically generates WEP keys within Cisco-based wireless LANs.
EAP-TLS is an authentication type that requires clients and access points to possess digital certificates, which enables the dynamic distribution of WEP keys over a secure connection. Windows XP supports EAP-TLS for wireless network authentication. Most wireless LAN vendors now support EAP-TLS as well.
An issue with these 802.1X products is that they still use WEP for encryption, which is based on relatively weak keys. However, at least 802.1X changes the keys often enough to minimize problems. Administrators can set up systems to change keys every hour, every 10 minutes or once each session.
802.11i also to the rescue
The IEEE 802.11i subgroup, also referred to as Task Group I (TGi), is developing an enhancement to the 802.11 Media Access Control Layer to incorporate 802.1X mechanisms.
TGi is working out the details, but the standard will specify the use of 802.1X and leave the choice of EAP authentication type to the implementer. The 802.11i upgrade will change keys frequently and strengthen the encryption process.
Thus, 802.11i will solve the two primary security problems with WEP: weak encryption and static keys.
The 802.11i standard should become available and integrated within products toward year-end or the beginning of next year.
802.1X offers wireless LAN security
The 802.1X standard for port-based authentication and key distribution is based on Extensible Authentication Protocol (EAP).

1. When client attempts to connect to access point, EAP handshake process begins.
2. Access point establishes port for EAP-only traffic and asks client for identity.
3. Client responds.
4. Access point requests authentication from server.
5. If client is authenticated, access point will accept traffic.
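
The five steps above, and the article's description of the access point opening a port that passes only EAP traffic, modeled as an added Python example (not from the article or any product's code). It assumes a hypothetical auth_server callable standing in for the RADIUS or Kerberos server, collapses the credential exchange of the EAP authentication type into that one lookup, and uses constructed MAC and identity values.

```python
import struct

EAPOL_ETHERTYPE = 0x888E   # EtherType carrying EAP over LAN (EAPOL) frames
IPV4_ETHERTYPE = 0x0800    # ordinary data traffic (DHCP, POP3, SMTP ride on IP)
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2   # EAPOL packet types
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1                  # EAP code and type

def eapol(pkt_type, body=b""):   # EAPOL header: version, packet type, body length
    return struct.pack("!BBH", 1, pkt_type, len(body)) + body

def eap_identity_response(ident, identity):   # step 3: client responds
    data = bytes([EAP_TYPE_IDENTITY]) + identity.encode()
    return struct.pack("!BBH", EAP_RESPONSE, ident, 4 + len(data)) + data

class AccessPoint:
    """Authenticator: each client's port passes only EAPOL until the server approves."""
    def __init__(self, auth_server):
        self.auth_server = auth_server   # hypothetical callable(identity) -> bool
        self.authorized = set()          # client MACs whose port is open

    def receive(self, mac, ethertype, payload):
        if ethertype != EAPOL_ETHERTYPE:         # non-EAP traffic needs an open port
            return "forward" if mac in self.authorized else "drop"
        if len(payload) < 4:                     # truncated EAPOL header
            return "drop"
        _version, pkt_type, length = struct.unpack("!BBH", payload[:4])
        body = payload[4:4 + length]
        if pkt_type == EAPOL_START:              # steps 1-2: ask client for identity
            return "eap-request-identity"
        if pkt_type == EAPOL_LOGOFF:             # client logs off: disable its port
            self.authorized.discard(mac)
            return "port-closed"
        if pkt_type == EAPOL_EAP_PACKET and len(body) >= 5:
            code, _ident, eap_len, eap_type = struct.unpack("!BBHB", body[:5])
            if code == EAP_RESPONSE and eap_type == EAP_TYPE_IDENTITY:
                identity = body[5:eap_len].decode(errors="replace")
                ok = self.auth_server(identity)  # step 4: ask the authentication server
                (self.authorized.add if ok else self.authorized.discard)(mac)
                return "eap-success" if ok else "eap-failure"   # step 5
        return "drop"

def demo():
    ap = AccessPoint(lambda identity: identity == "alice")   # constructed account
    mac = "02:00:00:00:00:01"                                # constructed client MAC
    response = eapol(EAPOL_EAP_PACKET, eap_identity_response(1, "alice"))
    frames = [(IPV4_ETHERTYPE, b"data"), (EAPOL_ETHERTYPE, eapol(EAPOL_START)),
              (EAPOL_ETHERTYPE, response), (IPV4_ETHERTYPE, b"data"),
              (EAPOL_ETHERTYPE, eapol(EAPOL_LOGOFF)), (IPV4_ETHERTYPE, b"data")]
    return [ap.receive(mac, ethertype, payload) for ethertype, payload in frames]
```

demo() returns the access point's decision for each frame in order: the same data frame is dropped before authentication, forwarded after it, and dropped again once the client logs off.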

