5-Minute Security Advisor - Strengthening Wireless Authentication
|Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.|
Wireless LANs (WLANs) provide many benefits, including enhanced mobility for users, freedom from pulling cables through dusty ceilings or musty basements, and support for an increasing diversity of devices. However, as these articles indicate, the most commonly used WLAN standard, IEEE 802.11b (also called WiFi), has some serious security flaws that raise the risk of deploying WiFi WLANs in your home, office, or enterprise. Weaknesses in the WiFi standard's WEP encryption scheme affect everyone who uses WiFi; however, the 802.11 family of standards also specifies standards for authenticating mobile devices and access points (APs), and these standards need to be strengthened for business and enterprise use.
On This Page
How WLAN Authentication Works
802.11 networks use two authentication methods: open-system authentication and shared-key authentication. In both schemes, each mobile client (called a station) must authenticate to the access point. Open-system authentication might better be called "no authentication", because no actual authentication takes place: the station says "please authenticate me", and the AP does so, with no credential exchange. Shared-key authentication is somewhat more robust (except that it depends on WEP). The station requests authentication, and the access point (AP) responds with a WEP-encrypted challenge. The station can decrypt the challenge and respond only if it has the correct WEP password. In both of these methods, the station must also know the service set identifier (SSID) of the AP. However, because the AP might broadcast its SSID, and because stations talking to that SSID always broadcast it, this behavior isn't much of an obstacle to learning the SSID.
Why WiFi Authentication is Vulnerable
The existing WiFi authentication process leads to a couple of potential problems:
The station doesn't have any way to authenticate the identity of the AP, so an attacker can easily set up a rogue AP that unaware clients can connect to. Other devices on the network don't have any way to authenticate the AP either, meaning that network administrators don't have any good way to block unauthorized APs from using their network. (Compare this with Windows 2000's DHCP server, which requires Active Directory authorization before it will start issuing addresses).
The AP has no way to tell whether the station is authorized to be on the network or not. This situation is like the security system at my local boatyard: If you have a sticker on your car, you can drive in the front gate, whether you're supposed to be there or not.
The AP authenticates only the station, not the user of the station. That means if I don't take good precautions, a miscreant might be able to penetrate my network.
Strengthening Your Wireless Authentication
In general, this authentication process isn't as strong as you'd like it to be, but you can't do much about it directly. The useful steps are pretty obvious:
Turn on WEP encryption. It's better than nothing, and without it you won't get any authentication at all.
If your AP supports it, turn off SSID broadcasting and make your network a closed network. This arrangement is admittedly a hassle for clients; for example, Windows XP does a great job of automatically finding wireless networks, but it can't automatically find closed networks—your users will have to manually enter the SSID name.
Pay attention to the radio footprint your WLAN creates. If you can keep eavesdroppers and intruders outside of your signal coverage range, that helps minimize the authentication problem (but don't forget that clever folks are using a variety of antennas to sniff signals from relatively long distances!)
Supplement your WLAN authentication with other means. If you allow direct access to your internal systems over a WLAN, you might want to reconsider that plan, perhaps moving the WLAN outside the firewall and requiring users to access the network over a VPN, just as they would from home. Another alternative is to assign a separate IP address range to your WLAN clients, then apply IP-based access controls on your intranet sites.
The best way to strengthen WLAN authentication is to augment it by adding support for stronger authentication protocols. In particular, the IEEE 802.1x standard, along with the Protected EAP protocol, provides much more secure authentication, and you probably already have the tools you need to implement them.