Executive Briefing: Wireless Network Security: White Paper, Chapter 1: Wireless Network Security

Three Levels of Wireless Security


1 — Physical Layer Encryption

The lowest level of security that can be deployed in a wireless network is the Wired Equivalent Privacy standard (WEP). WEP allows for 40-bit or 128-bit keys to be entered in both the access point and the clients to encrypt the traffic between the PC and the access point.

Figure 1-1 WEP Standard for Securing Wireless Networks


Figure 1 depicts the WEP standard. Unauthorized users can gain access with easy-to-find software. Also, all authorized users must use the same encryption key.

The challenge, however, is the inherent weakness of WEP security. With a little digging, unauthorized users can easily find software on the Internet that can be used to crack WEP encryption by capturing the network traffic over the air and deciphering the key (figure 1). Once the WEP key is deciphered, the traffic can be read in the clear, defeating the encryption on the network traffic.

Another challenge of WEP-only encryption is the need to key each client device and each access point with the same encryption key (figure 1). In environments with more than ten users, the management of these keys, and the manual re-keying required whenever a user is removed from the network, can be burdensome.

To address the inherent flaws of WEP, the Wi-Fi Alliance has created a new standard called Wi-Fi Protected Access (WPA). WPA combines two components to provide strong security for wireless networks. The first component is called Temporal Key Integrity Protocol (TKIP), which replaces WEP with a much stronger protocol. TKIP provides data encryption enhancements including a key mixing function, a message integrity check, and a re-keying mechanism that rotates through keys faster than any sniffer software can decode the encryption keys. Through these enhancements, TKIP addresses all of WEP's known encryption vulnerabilities. TKIP software upgrades are expected to be available from wireless LAN component suppliers in 2003.

A more robust replacement for TKIP being debated in the IEEE standards committees is a new encryption standard called 802.11i. This standard will require new hardware components and is not expected to be implemented in production by WLAN equipment providers until the end of 2003.

The second component of WPA is 802.1X security, which addresses the key management issue with user authentication. 802.1X is the second layer of security which, when combined with TKIP, provides a strong level of wireless security. 802.1X provides a security mechanism through which a user must be authenticated before he is allowed access to the network.

2 — 802.1X User Authentication

WEP and TKIP have no user authentication mechanism. Any user that has the encryption key (whether legitimately or illegally obtained) can get free access to the network and the traffic data. To overcome this weakness, 802.1X security is layered on top of the physical layer security.

The more recent physical layer security protocols, Wi-Fi Protected Access (WPA) and the emerging 802.11i standard, both specify 802.1X security as a framework for strong wireless security.

Figure 1-2 802.1x Authentication


Figure 2 shows how a security server verifies that the access point is part of the network and requires users to provide unique credentials to verify their identity.

802.1X user authentication, as shown in Figure 2, requires a user to provide credentials to the security server before getting access to the network. The credentials can be in the form of a user name and password, certificate, token, or biometric. The security server authenticates the user's credentials to verify that the user is who he or she claims to be, and is authorized to access the network.

If the user is both authenticated and authorized to access the network, and the access point is verified as being part of the network, then the security server communicates directly with the access point to authorize the user's access to the network. The security server also creates a unique pair of encryption keys for this user session, which are sent to both the access point and the client to securely and uniquely encrypt the wireless communication between the two.

The security server also verifies that the access point is a valid part of the network. This is done to protect the user from connecting to an unauthorized access point that may have been set up to fraudulently capture network data.

802.1X security overcomes two significant limitations that physical layer security alone presents. It provides unique encryption keys for each user each time they sign onto the network, and eliminates the key management issues associated with maintaining common encryption keys across all access points and users.

The security server allows network access to be managed on a user basis. It can tie in to other corporate user databases or directories to authenticate the user against a common set of user credentials, eliminating the need for replicating and maintaining separate databases.
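The flow described in the preceding paragraphs, as an added example that is not HP's code or part of the white paper: a toy model of the 802.1X exchange with a supplicant (client), an authenticator (access point) and a security server, using only the Python standard library. The server performs both checks the text names (is the access point a known part of the network, and is the user both authenticated and authorized), and only then issues a fresh per-session key pair that goes to the access point and the client. The names, the shared-secret proof the access point gives, and the HMAC-based key derivation are constructed stand-ins, not the real EAP or RADIUS messages or the 802.11i key hierarchy.

```python
# Added example (not HP's code or the white paper's): a toy model of the 802.1X
# flow described above, using only the standard library. Names, the AP's
# shared-secret proof and the HMAC-based key derivation are constructed
# stand-ins, not real EAP/RADIUS messages or the 802.11i key hierarchy.
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 50_000


class AuthServer:
    """Security server: user directory plus the list of access points it trusts."""

    def __init__(self):
        self.users = {}       # username -> (salt, password hash, authorised for WLAN)
        self.ap_secrets = {}  # ap_id -> secret shared with that access point

    # -- administrative enrolment, done once --
    def enroll_user(self, username, password, authorised=True):
        salt = os.urandom(16)
        self.users[username] = (salt, self._pw_hash(password, salt), authorised)

    def enroll_ap(self, ap_id, secret):
        self.ap_secrets[ap_id] = secret

    @staticmethod
    def _pw_hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    @staticmethod
    def new_challenge():
        return os.urandom(16)

    # -- check 1: is the access point a known part of the network? --
    def verify_ap(self, ap_id, challenge, proof):
        secret = self.ap_secrets.get(ap_id)
        if secret is None:
            return False  # unknown AP: never authorise through it, never hand it keys
        expected = hmac.new(secret, b"ap-proof" + ap_id.encode() + challenge,
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, proof)

    # -- check 2: is the user who they claim to be, and allowed on the WLAN? --
    def verify_user(self, username, password):
        rec = self.users.get(username)
        if rec is None:
            return False, False
        salt, digest, authorised = rec
        ok = hmac.compare_digest(self._pw_hash(password, salt), digest)
        return ok, (ok and authorised)

    def authorise_session(self, ap_id, challenge, proof, client_mac, username, password):
        """Returns (outcome, per-session key pair or None)."""
        if not self.verify_ap(ap_id, challenge, proof):
            return "rogue-ap", None
        authenticated, authorised = self.verify_user(username, password)
        if not authenticated:
            return "bad-credentials", None
        if not authorised:
            return "not-authorised", None
        # Fresh random material every time, so each session gets unique keys
        # even for the same user on the same access point.
        nonce = os.urandom(32)
        context = f"{username}|{ap_id}|{client_mac}".encode()
        enc_key = hmac.new(nonce, b"encrypt" + context, hashlib.sha256).digest()
        mic_key = hmac.new(nonce, b"integrity" + context, hashlib.sha256).digest()
        return "ok", (enc_key, mic_key)


class AccessPoint:
    """Authenticator: relays the exchange and opens the port only on the server's say-so."""

    def __init__(self, ap_id, secret):
        self.ap_id = ap_id
        self.secret = secret
        self.sessions = {}  # client_mac -> session keys

    def prove_identity(self, challenge):
        return hmac.new(self.secret, b"ap-proof" + self.ap_id.encode() + challenge,
                        hashlib.sha256).digest()


def connect(server, ap, client_mac, username, password):
    """One association attempt. Returns (outcome, keys delivered to the client)."""
    challenge = server.new_challenge()
    outcome, keys = server.authorise_session(
        ap.ap_id, challenge, ap.prove_identity(challenge), client_mac, username, password)
    if outcome == "ok":
        ap.sessions[client_mac] = keys  # server tells the AP to admit this client
    else:
        ap.sessions.pop(client_mac, None)
    return outcome, keys


if __name__ == "__main__":
    server = AuthServer()
    server.enroll_user("alice", "correct horse battery")    # constructed sample user
    server.enroll_user("bob", "hunter2", authorised=False)  # valid login, no WLAN rights
    server.enroll_ap("ap-lobby", b"constructed-shared-secret")
    ap = AccessPoint("ap-lobby", b"constructed-shared-secret")
    print(connect(server, ap, "00:11:22:33:44:55", "alice", "correct horse battery")[0])
```

The two things worth noticing are the ordering and the state: the access point's identity is checked before any user credential is examined, so an unknown access point never receives keys, and two successful logins by the same user yield different key pairs because the derivation mixes in a fresh random nonce.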

Combining 802.1X user authentication with physical layer security provides robust, strong security that cannot be broken with any known off-the-shelf software tools. It can provide wireless LAN users with a high level of assurance that their data will remain protected and that only authorized network users can access the network.

While no security mechanism can be considered “absolutely secure,” the protection given by 802.1X security is strong enough to prevent most sophisticated attacks. As such, layer 2 security offers a pragmatic, economical security mechanism to meet the requirements of most corporate environments. Gartner Research believes this level of security will meet the needs of most businesses through 2005.

In some cases where higher levels of data security are required, VPNs can be layered on top of the security servers to provide an additional level of encryption of the IP data.

3 — VPN Security

In environments where triple DES encryption is required, or where the data on the wireless network may be passed through the Internet, VPNs may be used to provide another layer of security over 802.1X-based solutions.

A word of caution on VPN implementations for wireless security: early wireless implementations used VPNs as the only security layer for wireless LANs. This practice leaves security vulnerabilities open. VPNs encrypt only the data carried inside the IP packets, leaving the wireless network vulnerable to a number of lower-level attacks on the MAC and IP headers, such as wireless session hijacking and rogue AP or man-in-the-middle attacks.

802.1X-based security should be used to prevent unauthorized access to the network, and to prevent the sniffing and stealing of IP and MAC addresses. It should also be used to prevent session hijacking and man-in-the-middle attacks through rogue access points. VPNs, while providing very strong IP data encryption, cannot prevent these types of lower level attacks.

If VPN security is required, a layered approach in conjunction with an 802.1X security server is the predominantly recommended approach, as shown in Figure 3.

Figure 1-3 VPN Security and 802.1x Authentication Used Together


Figure 3. VPN security used in conjunction with 802.1X authentication.
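The layering point made above (a VPN protects only the data inside the IP packet, while link-layer security also covers the headers), as an added example that is not HP's code or part of the white paper: a toy wireless data frame with a MAC header, an IP header and a payload, protected two ways. The "VPN-only" scheme encrypts and authenticates only the payload, so the addresses travel in the clear and unverified; the "link-layer" scheme encrypts everything after the MAC header and computes a message integrity check that also covers the addresses, which is the approach TKIP takes. The cipher is an HMAC keystream stand-in rather than a real cipher, the frame layout is simplified, and all sample values are constructed.

```python
# Added example (not HP's code or the white paper's): what a VPN-only scheme and a
# link-layer scheme each leave readable and unverified on a wireless frame. The
# keystream cipher and the frame layout are toys; all values are constructed.
import hashlib
import hmac

MAC_LEN, IP_LEN, NONCE_LEN, TAG_LEN = 12, 8, 8, 8


def keystream(key, nonce, n):
    """Deterministic keystream from HMAC-SHA256 in counter mode (toy cipher)."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def xor(data, ks):
    return bytes(a ^ b for a, b in zip(data, ks))


def build_frame(src_mac, dst_mac, src_ip, dst_ip, payload):
    return {"mac": src_mac + dst_mac, "ip": src_ip + dst_ip, "payload": payload}


# --- scheme A: VPN/IPsec-style, payload only ---
def protect_vpn_only(frame, key, nonce):
    ct = xor(frame["payload"], keystream(key, nonce, len(frame["payload"])))
    tag = hmac.new(key, b"vpn" + nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return frame["mac"] + frame["ip"] + nonce + ct + tag


def receive_vpn_only(wire, key):
    """Returns (accepted, frame). MAC and IP headers are not covered by the tag."""
    mac, ip = wire[:MAC_LEN], wire[MAC_LEN:MAC_LEN + IP_LEN]
    nonce = wire[MAC_LEN + IP_LEN:MAC_LEN + IP_LEN + NONCE_LEN]
    ct, tag = wire[MAC_LEN + IP_LEN + NONCE_LEN:-TAG_LEN], wire[-TAG_LEN:]
    expected = hmac.new(key, b"vpn" + nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(expected, tag):
        return False, None
    return True, {"mac": mac, "ip": ip, "payload": xor(ct, keystream(key, nonce, len(ct)))}


# --- scheme B: link-layer (TKIP-style), MIC over addresses + body ---
def protect_link_layer(frame, key, nonce):
    body = frame["ip"] + frame["payload"]
    mic = hmac.new(key, b"mic" + frame["mac"] + body, hashlib.sha256).digest()[:TAG_LEN]
    return frame["mac"] + nonce + xor(body + mic, keystream(key, nonce, len(body) + TAG_LEN))


def receive_link_layer(wire, key):
    """Returns (accepted, frame). Any change to the addresses breaks the MIC."""
    mac, nonce, ct = wire[:MAC_LEN], wire[MAC_LEN:MAC_LEN + NONCE_LEN], wire[MAC_LEN + NONCE_LEN:]
    plain = xor(ct, keystream(key, nonce, len(ct)))
    body, mic = plain[:-TAG_LEN], plain[-TAG_LEN:]
    expected = hmac.new(key, b"mic" + mac + body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(expected, mic):
        return False, None
    return True, {"mac": mac, "ip": body[:IP_LEN], "payload": body[IP_LEN:]}


def eavesdropper_view(wire, scheme):
    """Fields a passive listener can read without the key."""
    view = {"src_mac": wire[:6], "dst_mac": wire[6:MAC_LEN]}  # 802.11 addresses are always in clear
    if scheme == "vpn-only":
        view["src_ip"] = wire[MAC_LEN:MAC_LEN + 4]
        view["dst_ip"] = wire[MAC_LEN + 4:MAC_LEN + IP_LEN]
    return view


def header_tamper_detected(protect, receive, frame, key, nonce):
    """Flip one bit of the source MAC on the wire; does the receiver reject the frame?"""
    wire = bytearray(protect(frame, key, nonce))
    wire[0] ^= 0x01
    return not receive(bytes(wire), key)[0]
```

Run against a constructed frame, the VPN-only receiver still accepts a frame whose source address was altered in transit, because its tag never covered the header, and the passive view exposes both IP addresses; the link-layer receiver rejects the altered frame and the listener sees only the 802.11 addresses. That is the gap the layered design in Figure 3 closes: 802.1X with link-layer encryption guards the headers and admission, and the VPN adds its stronger payload encryption on top.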

Another consideration that must be weighed is the additional cost and administration overhead associated with VPNs. Traditionally, VPNs have been used for remote access to corporate networks in a low-throughput environment. With a wireless network, one should plan for much more traffic, because users are on-site with direct access to the network. Consideration should also be given to the scalability costs and requirements as wireless access, traffic, and the number of users expand in future months.

© 2001-2003 Hewlett-Packard Development Company, L.P.