In the last three months, we discussed the weaknesses of WEP and LEAP and how WPA addresses those weaknesses. If you haven't read those articles, they will probably provide useful background for this article, and you might want to read them first. The next topic in the discussion of 802.11 security is 802.1X/EAP. 802.1X is a standard that defines a method for using the Extensible Authentication Protocol (EAP) to authenticate users on a WLAN or LAN. Because it supports robust and secure authentication, 802.1X/EAP is a major reason why WPA is much more secure than WEP and LEAP.
WLAN security can be broken down into two main categories: authentication and encryption. Authentication means making sure that unauthorized users don't access the network. Encryption means making sure that unauthorized users can't see the data on the network. In WEP, the same key is used for both of these functions. This is a security weakness, since if a user cracks the WEP key, he or she can both access the network and decrypt the data. LEAP separated encryption from authentication. In LEAP, the user authenticates using a username and password and then encrypts the data using a WEP key. This means that an attacker who cracks the WEP key can read the data but can't get on the network him or herself.
One problem with LEAP is that it only supports one method of authenticating users. The user provides a username and password which are verified by a server using an algorithm called "CHAP-style" authentication. CHAP-style authentication is vulnerable to several well-known attacks and is considered cryptographically weak. Since a security system is only as strong as its weakest link, LEAP is also relatively weak.
WPA, on the other hand, uses 802.1X/EAP for authentication. One advantage of 802.1X/EAP is that it doesn't limit the user to just one style of authentication. Rather, 802.1X/EAP provides a generic framework for authenticating users, and vendors can create whatever kind of authentication they prefer within that framework. 802.1X/EAP is like a railroad cargo container: you can put whatever kind of cargo you want in the container and the train carries it. Several of the types of authentication that are available for use with 802.1X/EAP are very strong.
A RADIUS server is required in order to use the most secure types of EAP authentication. RADIUS is similar to EAP in that it is a generic authentication protocol. With 802.1X, EAP is used to communicate between the wireless client and the access point and RADIUS is used to communicate between the access point and the authentication (RADIUS) server. This is handy because many corporations have an existing RADIUS infrastructure which the WLAN can simply tie into. That means that users can log into the WLAN using the same authentication method that they use to log into any other resource.
802.1X/EAP currently offers the strongest authentication mechanisms available to 802.11 WLANs. Whitfield Diffie, one of the creators of public-key cryptography, recently said in a lecture that, "Today, [WLANs] can have all the security that anyone would ever want." We interpret that to mean that, although there are some security problems that are unique to WLANs, there's no reason to assume that WLANs need to be any less secure than any other type of network. Security mechanisms like 802.1X/EAP provide the means to make WLANs as secure as we could possibly want them to be. But like any security mechanism, 802.1X/EAP must be understood and properly applied. For example, although some of the 802.1X/EAP authentication mechanisms are very secure, one of them uses the "CHAP-style" authentication that we discussed earlier in the article. An enterprise that was using that type of EAP would be relatively insecure even though it was using 802.1X/EAP. Therefore, although 802.1X/EAP makes it possible to be sufficiently secure, it doesn't guarantee security.
In "Essential Wi-Fi," we discussed that there were several different types of 802.1X/EAP authentication, of varying security levels. Each piece of equipment (client software, access point, and RADIUS server) will only support certain types of EAP authentication, so the first issue in setting up an 802.1X/EAP infrastructure is to ensure that the client software, access points, and RADIUS server all support the type of EAP that you want to use. But how do you decide what type of EAP you should use? In this section, we delve deeper to discuss specific characteristics of different types of EAP authentication.
EAP-MD5 is the earliest EAP authentication type. EAP-MD5 uses usernames and passwords for authentication. EAP-MD5 represents a kind of base-level EAP support among 802.1X devices. EAP-MD5 has three main weaknesses. First, the client is authenticated by the server, but the server is never authenticated by the client, making EAP-MD5 vulnerable to "rogue" servers. Second, EAP-MD5 uses hashed passwords to authenticate the users, which have several well-known cryptographic weaknesses. Third, EAP-MD5 has no support for dynamically assigning encryption keys; therefore all clients must have the same key, and keys must be changed manually.
EAP-TLS relies on client-side and server-side certificates to perform authentication, using dynamically generated user- and session-based WEP keys distributed to secure the connection. Windows XP includes an EAP-TLS client, and EAP-TLS is also supported by Windows 2000. EAP-TLS supports per-user, per-session WEP key assignment and mutual authentication between the authentication server and the client. Assuming that good certificate-management procedures are followed, EAP-TLS is one of the most secure forms of EAP, but it also has the highest maintenance requirements--SSL certificates must be installed on all APs, RADIUS server(s), and clients. Since EAP-TLS requires both the client and server to have a certificate, it is not appropriate for sites where the user base changes regularly, such as hotspots.
EAP-TTLS is an extension of EAP-TLS, which provides for certificate-based, mutual authentication of the client and network. Unlike EAP-TLS, however, EAP-TTLS requires only server-side certificates, eliminating the need to configure certificates for each wireless LAN client. Dynamically generated user- and session-based WEP keys are distributed to secure the connection. EAP-TTLS also supports fast reconnection while roaming. Other methods of EAP authentication can be relatively slow and disrupt roaming, since the client must talk to an authentication server on the wired LAN. EAP-TTLS is roughly as secure as EAP-TLS.
PEAP is a direct competitor with EAP-TTLS. PEAP uses tunneled server-side certificates and username/password credentials for the client to authenticate to a server. PEAP is supported in Windows XP with Service Pack 1 and is also supported by Cisco's ACU version 5.05 and higher. PEAP supports mutual authentication as well, which adds increased security. Some major differences between TTLS and PEAP are that PEAP has optional support for client-side certificates as well as server-side certificates and that PEAP supports different authentication methods within the tunnel than TTLS. PEAP also supports using the Windows user ID and password as credentials, creating the possibility for single-sign-on authentication (i.e. the user logs onto the machine at the Windows prompt and then never has to explicitly log onto the WLAN). Like TTLS, PEAP supports fast reconnects for roaming and dynamic WEP keying.
These are not the only EAP types, but they are some of the most common, and demonstrate the factors that might be taken into account when considering which EAP type to use. In summary, these factors include:
The strength of the authentication method (e.g. CHAP-style password exchange vs. SSL certificates).
The management overhead (e.g. installing SSL certificates on all clients is a hassle).
Whether mutual authentication is supported, protecting from "rogue" servers.
Whether dynamic encryption key assignment is supported, allowing for much more secure encryption.
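As an added illustration (not from the original article), here is how the mutual-authentication factor above looks in practice on a client that uses wpa_supplicant for PEAP: the first network block is the weak setting, the second the corrected one. The SSID, identity, password, CA file path and RADIUS server name are placeholders chosen for this example.

```conf
# Added example, not part of the original article. Two wpa_supplicant
# network blocks for PEAP; all names and paths below are placeholders.

# Weak: no ca_cert, so the client accepts whatever certificate the server
# presents. The "mutual authentication" that PEAP/TTLS promise is never
# enforced, and the client is back to the "rogue server" exposure the
# article describes for EAP-MD5: a fake server can open the tunnel and
# receive the inner password exchange.
network={
    ssid="CorpWLAN"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="example-password"
    phase2="auth=MSCHAPV2"
}

# Corrected: pin the issuing CA and require the server certificate's name
# to match. Only a server holding a certificate from that CA for that name
# can complete the tunnel, so the client really does authenticate the
# network, not just the other way round.
network={
    ssid="CorpWLAN"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="example-password"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.corp.example"
    phase2="auth=MSCHAPV2"
}
```

The same two settings (a trusted CA plus a server-name match) are the check to look for on any PEAP or TTLS client; a client that lets users "accept" an unknown server certificate at the prompt has the weak configuration in practice.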
Although network administrators outside of China are probably not aware of it, China created the Wireless Authentication and Privacy Infrastructure (WAPI) as an alternative to 802.11's other authentication methods. We have discussed many different methods of securing 802.11, but what makes WAPI different is that the Chinese government considered making WAPI the only 802.11 encryption and authentication technology that was legal to use in China. 802.11 vendors outside of China protested this decision on two grounds: first, on a practical basis, WAPI would break the worldwide standardization that has made 802.11 so cheap and popular; second, on a philosophical basis, it was widely believed that the Chinese government had built back doors into or knew how to break WAPI, compromising the security that it was supposed to provide.
China was persuaded not to make WAPI mandatory, but responded with a fast-track proposal to the ISO to make WAPI an international standard. After some debate over whether to make WAPI an optional part of the 802.11 standard, the ISO removed WAPI from the standards fast-track, delaying its ratification indefinitely and leaving 802.11i as the preeminent 802.11 security solution.
VoIP Over Wi-Fi Demonstrated At 80 MPH Plus
Martyn Levy of RoamAD claims to have tested Voice over Wi-Fi multi-party conference calls at speeds of over 80 MPH. Although 802.11 is not intended for situations where the user is moving at a high speed relative to the access point (speeds greater than about 35 MPH), this test, if successful, demonstrates that 802.11 can be viable in situations that had previously been considered to be the domain of mobile technologies like 3G and 802.16. This is exciting because it narrows the gap between these technologies. Although 3G excels at mobile communications and wide-spread coverage, its data rates are still at least 1/10 those of 802.11 even in the best of circumstances. 802.16 is still largely vaporware, and when it comes to market, it will certainly be more expensive than 802.11. This finding, if confirmed, reinforces Connect802's belief that 802.11 can be used not only in typical corporate installations, but also in large-scale urban environments and even in some mobile installations.
Welcome to our newest channel sales partner: Network Orange!
Network Orange, Inc. sells network test, monitoring and control equipment. They are the Southeast representatives for respected manufacturers of datacom test equipment and they produce the MANTA PTAM SYSTEM family of specialized test products for E9-1-1. Network Orange was founded in 1979 and incorporated in 1981. Initially, Network Orange was the exclusive Florida representative for Atlantic Research Corporation and specialized in protocol analyzers, patch systems and network control equipment. Today they sell and support products that test and manage networks of all kinds: LANs, WANs, Wireless, etc. Network Orange is proud to be a multi-regional sales, service, and support representative for Connect802. Additionally, the company represents respected manufacturers of data communications test equipment such as Teltone, Navtel and NetTest. They also resell AirMagnet, Bluesocket, and others. Network Orange sells network test equipment and the products needed to connect test equipment to network elements.
MANTA PTAM SYSTEM
Network Orange produces a specialized test system that is installed at an E9-1-1 PSAP for continuous monitoring of important PSAP elements. Hundreds of MANTAPROBE Analyzers are now installed in PSAPs (Public Safety Answering Points) helping service providers detect, diagnose, and resolve problems with E9-1-1 equipment and communications facilities.
"Manta PTAM System", "MANTAPROBE", "MANTATAP", "MANTASERVER" and "Network Orange" are trademarks of Network Orange, Inc.
Wi-Fi Inside the Aircraft? We've Got You Covered!
As part of a fascinating wireless networking project, Connect802 received AutoCAD plans for a transport jet aircraft and was asked to create a network design that would allow coverage inside the airplane while it was parked in the maintenance hangar.
The purpose of the network was to provide connectivity for maintenance workers who might be inside the fuel tanks or deep in the interior of a wing, performing a repair or inspection task. We came through with those proverbial flying colors: the on-site validation of signal levels exactly met our predictions.