Networking

Major vendors tighten WLAN security

Several vendors, including Microsoft and Cisco Systems, have released technologies aimed at better securing 802.11b wireless networks. See how measures such as stronger authentication and centralized management could push corporate adoption of WLANs.


By Andrew Garcia

The enthusiasm for 802.11b wireless networking has been dampened by reports of vulnerabilities in the protocol's WEP algorithm. A number of new products are attempting to rally support by providing additional measures of security and control.

Microsoft has thrown its considerable weight behind 802.11b. The newest sitting chair member of the WiFi consortium, Microsoft has added a host of wireless-related features to the Windows XP operating system. These include new driver support and client association tools, but the most significant feature is the integration of the nascent 802.1x standard, a move toward user-authenticated network access control.

As part of the 802.1x standard, which has been approved but not implemented within 802.11b, the Windows XP client natively supports Extensible Authentication Protocol (EAP), which provides dynamic, session-specific wireless encryption keys, central user administration via specialized third-party Remote Authentication Dial-In User Service (RADIUS) servers, and mutual authentication between client and Access Point (AP) and AP to RADIUS server.

Windows XP is also compatible with EAP-Transport Level Security (EAP-TLS), which uses digital certificates for authentication. Windows XP's integration of these features will significantly ease deployment of EAP solutions because separate client utilities will no longer be necessary. These capabilities will reduce the risk involved in using 802.11b within a corporate network.

For example, one of the biggest security problems with 802.11b is that it authenticates the hardware, not the user. Therefore, stolen laptops or forged media access control (MAC) addresses can be used to infiltrate the network. With EAP, the RADIUS server will authenticate the user, not just the hardware, providing a scalable, centrally managed authentication solution. Plus, EAP's dynamic Wireless Equivalent Privacy (WEP) keys reduce the exposure of the same WEP key over multiple transmissions, reducing the risk of the latest cryptographic vulnerabilities.

Cisco Systems was one of the first vendors to provide a wireless-ready RADIUS server, the Cisco Secure Access Control Server. Released in January, it can be used with Cisco's proprietary Lightweight Extensible Authentication Protocol implementation, and it already interoperates with 802.1x.

Additionally, Funk Software is in beta testing with its own wireless-ready solution, Steel-Belted RADIUS. The release of these products signifies the first salvo in a serious push toward an effective, scalable wireless authentication solution.

Check out CNET Enterprise Business
This article appears courtesy of CNET’s Enterprise Business section, where you can explore IT business solutions on various topics, including ASPs, Linux, groupware, information systems infrastructure, and supply chain management.

Centralized management
Another hurdle to corporate wireless networking is a lack of centralized management, making it difficult to implement and update a wireless security policy across the enterprise. Wavelink Corp. has stepped into the void by releasing Mobile Manager 5.0.

As the only existing multiplatform access point configuration utility, Mobile Manager centralizes the discovery, monitoring, and configuration of access points across the network. Originally designed for use with Symbol Technologies’ equipment, Wavelink's product has added support for Cisco’s Aironet 340/350, Intel’s Pro Wireless 2011, and Ericsson’s AB WLAN (wireless LAN) 11-Mbps hardware. Full support for 3Com, Nortel Networks, and Agere Systems hardware is expected in the next version of Mobile Manager.

Although capability and performance vary a bit depending on the hardware, Mobile Manager provides a handy solution for defining and implementing policies for wireless access points, including defining the network name, changing radio performance metrics, and updating those pesky static WEP keys.

By recognizing vendor-specific broadcasts over the wired network, Mobile Manager can also be used to track unauthorized "rogue" access points on the network. However, given the limited number of supported devices, we recommend using a wireless protocol analyzer to detect these rogues through their wireless broadcasts. Network Associates’ Sniffer Wireless Pro 4.6 and WildPackets' AiroPeek 1.1 are good choices.

Summing up
The products and technologies mentioned above are among the first to enhance wireless LAN security to the point that it can become viable in a corporate environment. However, serious administrators should continue to investigate additional technologies, such as VPN and IPSec, to ensure privacy for wireless transmissions.

How do these developments affect your view of WLANs?
Are you more likely to implement WLANs because of these advances in security? We look forward to getting your input and hearing about your WLAN experiences. Join the discussion below or send the editor an e-mail.

 

Editor's Picks

Free Newsletters, In your Inbox