Wireless networks are described as both a boon to computer users as well as a security nightmare; both statements are correct. The
primary purpose of this article is to describe a strong security architecture for wireless networks. Additionally, the reader
should take from it a better understanding of the variety of options available for building and securing wireless networks,
regardless of whether all options are implemented. The security inherent with IEEE 802.11 wireless networks is weak at best. The
802.11 standard provides only for Wired Equivalent Privacy , or WEP, which was never intended to provide a high level of
security [1]. For an overview of 802.11 and WEP, see reference [2]. Wireless networks can, however, be highly secure using a
combination of traditional security measures, open standard wireless security features, and proprietary features. In some regard,
this is no different than traditional wired networks such as Ethernet, IP, and so on, which have no security built in but can be
highly secure. The design described here uses predominantly Cisco devices and software. However, unless explicitly stated to be
proprietary, it should be assumed that a described feature is either open standard or, at least, available from multiple
vendors.
Customer needs range from highly secure applications containing financial or confidential medical information to convenience for
the public "hot spot" needing access to the Internet. The former requires multiple layers of authentication and encryption that
ensures a hacker will not be able to successfully intercept any usable information or use the wireless network undetected. The
latter requires little or no security other than policy directing all traffic between the wireless network and the Internet.
Security is grouped into two areas: maintaining confidentiality of traffic on the wireless network and restricting use of the
wireless network. Some options discussed here provide both, whereas others provide for a specific area of security.
The level of security required on the wireless network is proportional to the skill set required to design it. However, the
difficulty of routine maintenance of a secure wireless network is highly dependant on the quality of the design. In most cases,
routine maintenance of a well-designed wireless network is accomplished in a similar manner to the existing administrative tasks of
adding and removing users and devices on the network. It is also assumed that security-related services such as authentication
servers and firewall devices are available on the wired network to control the wireless network traffic.
It is not necessarily the case that one can see the user or device attempting to use the wireless network. This is the most
alarming part of wireless network security. In a wired network, an unauthorized connected host can often be detected by link status
on an access device or by actually seeing an unknown user or device connected to the network. The term "inside threat" is often
used to refer to authorized users attempting unauthorized access. This is the inside threat because they exist within the
boundaries that traditional network security is designed to protect. Wireless hackers must be considered more dangerous than
traditional hackers and the inside threat combined because if they gain access, they are already past any traditional security
mechanisms. A wireless network hacker does not need to be present in the facility. This new inside threat may be outside in the
parking lot. War Driving [3] is the new equivalent to the traditional war dialing. All that is required to intercept
wireless network communications is to be within range of a wireless access point inside or outside the facility.
In a highly secure environment, a best practice is to have the wireless access points connect to a wired network physically or
logically separate from the existing user network. This is accomplished using a separate switched network as the wireless backbone
or with a Virtual LAN (VLAN) that does not have a routing interface to pass its traffic to the existing wired network.
This network terminates at a Virtual Private Network (VPN) device, which resides behind a firewall. In this manner,
traffic to and from the wireless network is controlled by the firewall policy and, if available, filters on the VPN device. The VPN
device will not allow any traffic that is not sent through an encrypted tunnel to pass through, with the exception of directed
authentication traffic described later. With this model, the wireless clients can communicate among themselves on the wireless
network, but there is no access to internal network resources unless fully encrypted from the wireless client to the VPN. This
design may be further secured by configuring legitimate wireless-enabled devices to automatically initiate a VPN tunnel at bootup
and by enabling a software firewall on the devices that does not allow communication directly with other clients on the local
wireless subnet. In this manner, all legitimate communication is encrypted while traversing the wireless network and must be
between authenticated wireless clients and internal network resources.
Many security measures available relate to access controlled through individual user authentication. Authentication can be
accomplished at many levels using a combination of methods. For example, Cisco provides Lightweight Extensible Authentication
Protocol (LEAP) [4] authentication based on the IEEE 802.1x [5] security standard. LEAP uses Remote Authentication Dial-In
User Service (RADIUS) [6] to provide a means for controlling both devices and users allowed access to the wireless
network.
Although LEAP is Cisco proprietary, similar functionality is available from other vendors. Enterasys Networks, for example, also
uses RADIUS to provide a means for controlling Media Access Control (MAC) addresses allowed to use the wireless network.
With these features, the access points behave as a kind of proxy, passing credentials to the RADIUS server on behalf of the client.
When these features are properly deployed, access to the wireless network is denied if the MAC address of the devices or the
username does not match an entry in the authentication server. The access points in this case will not pass traffic to the wired
network behind them. For security, the authentication server should be placed outside the local subnet of the wireless network. The
firewall and VPN devices must allow directed traffic between the access points and the authentication server further inside the
network and only to ports required for authentication. This design protects the authentication server from being attacked
directly.
In addition to authenticating users to the wireless network, the VPN authentication and standard network logon can be used to
control access further into the wired network. In this solution, the VPN client has the ability to build its tunnel prior to the
workstation attempting its network logon, but after the device has been allowed on the wireless network. After the tunnel is built,
specific rules on the VPN and the firewall allow the traditional network logon to occur. A robust VPN solution also treats the
users differently based on the group to which they are assigned. Different IP address ranges are assigned to each group, allowing
highly detailed rules to be created at the firewall controlling access to internal network resources based on user or group needs.
The policy on the firewall must be as specific as possible to restrict access to internal resources to only those clients for whom
it is necessary. Building very specific policy for users' access will also allow an Intrusion Detection System (IDS) to
better detect unauthorized access attempts.
LEAP also provides for dynamic per-user, per-session WEP keys. Although the WEP key is still the 128-bit RC4 algorithm proven to be
ineffective in itself [7], LEAP adds features that maintain a secure environment. Using LEAP, a new WEP key is generated for each
user, every time the user authenticates to use the wireless network. Additionally, using the RADIUS timeout attribute on the
authentication server, a new key is sent to the wireless client at predetermined intervals. The primary weakness of WEP is due to
an algorithm that was easy to break after a significant number of encrypted packets were intercepted. With LEAP, the number of
packets encrypted with a given key can be tiny compared to the number needed to break the algorithm.
When using LEAP for user and device authentication, WEP encryption is automatically enabled and cannot be disabled. However, if
added security is needed, a VPN, as described earlier, can provide any level of encryption desired. Using a VPN as the bridge
between the wired and wireless network is recommended regardless of the underlying vendor or technology used on the wireless
network. IP Security (IPSec) is a proven, highly secure encryption algorithm available in VPNs. By requiring all wireless
network traffic to be IPSec encrypted to the VPN over the WEP-encrypted 802.11 Layer 2 protocol, any data passed to and from
wireless clients can be considered secure. All traffic is still susceptible to eavesdropping, but will be completely
undecipherable.
Aside from WEP and LEAP, some vendors provide other forms of builtin security. Symbol Technologies' Spectrum24 product provides
Kerberos encryption when combined with a Key Distribution Center. Kerberos is more lightweight than IPSec and, therefore, may be
better suited to certain applications such as IP phones or low-end personal digital assistants (PDAs). Other methods of
automating the assignment and changing of WEP keys are also available, such as Enterasys' Rapid-Rekey [8]. Wireless vendors have
realized that security has become of critical importance and most, if not all, are working on methods for conveniently securing
wireless networks. When available, most vendors seemingly prefer to use open-standard, interoperable security mechanisms with
proprietary security being additionally available.
Numerous options are available to secure a wireless network. A highly secure design will include, at a minimum, an authentication
server such as RADIUS, a high-level encryption algorithm such as IPSec over a VPN, and access points that are capable of
restricting access to the wireless network based on some form of authentication. When all the security options are tied together,
the wireless network requires explicit authentication to allow a device and the user on the wireless network, the traffic on the
wireless network is highly encrypted, and traffic directed to internal network resources is controlled per user or group by an
access policy at the firewall or in the VPN.
Figure 1: A Highly Secure Wireless Network
There is no substitute for experience and research when designing a network security solution. Using network security and design
experience to exploit available technologies can further increase security of a wireless network. For example, grouping users into
IP address ranges based on access requirements allows firewall access policy to help restrict unnecessary access. This can be
accomplished using Dynamic Host Configuration Protocol (DHCP) reservations, assigning per-user or -group IP address ranges
to the VPN tunnels or statically assigning addresses. Using a centralized accounts database for all authentication helps avoid
inadvertently allowing an account that has been disabled in one part of the network to access resources through the wireless
network. To use an existing user database for authentication while providing for dynamic WEP keys, use a LEAP-enabled RADIUS server
that has the ability to query another server for account credentials. As with most network designs, a solid understanding of the
available technologies is paramount to achieving a secure environment.
Utilizing all the security described in this article would yield the following design. When a device first boots up, it receives an
IP address within a specified range on a segregated portion of the network. This IP range is based on the typical usage of the
device and is most useful for machines dedicated to specific applications. As a user attempts to log onto a wireless device, a
RADIUS server authenticates both the MAC address and the username of the device. If the user authentication is successful, access
is granted within the wireless network. In order for traffic to leave the wireless network to access other network resources, a VPN
tunnel must be established. Again, the IP address assigned to the tunnel can be controlled based on individual user authentication
to help enforce access policy through the firewall. When the tunnel is established, firewall access policy will restrict access to
resources on the network. Most, if not all, of the authentications required may be automated to use a user's existing network logon
and transparently complete each authentication. This is not the most secure model, but it would be as secure as any single signon
environment.
A secure wireless network is possible using available techniques and technologies [8] [9] [10]. After researching needs and
security requirements, any combination of the options discussed here, as well as others not discussed, may be implemented to secure
a wireless network. With the right selection of security measures, one can ensure a high level of confidentiality of data flowing
on the wireless network and protect the internal network from attacks initiated through access gained from an unsecured wireless
network. At a minimum, consider the current level of network security and ensure that the convenience of the wireless network does
not undermine any security precautions already in place in the existing infrastructure.
[1] "Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications," IEEE Standard 802.11, 1999
Edition.
[2] "802.11," Edgar Danielyan, The Internet Protocol Journal, Volume 5, Number 1, March 2002.
[3] "War Driving," Andrew Woods,
http://www.personaltelco.net/index.cgi/WarDriving,
last viewed August 11, 2002.
[4] "Cisco Aironet® Product Overview," Cisco Systems,
,
last viewed August 11, 2002.
[5] "IEEE Standard for Local and Metropolitan Area Networks?Port-Based Network Access Control,&quto; IEEE Standard 802.1X,
2001.
[6] "Remote Authentication Dial-In User Service," C. Rigney, S. Willens, A. Rubens, and W. Simpson, IETF
RFC 2865, June 2000.
[7] "Security of the WEP Algorithm," Nikita Borisov, Ian Goldberg, and David Wagner,
http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html,
last viewed August 11, 2002.
[8] "802.11 Wireless Networking Guide," Enterasys Networks, June 2002,
http://www.enterasys.com/support/manuals/hardware/4042_08.pdf,
last viewed August 11, 2002.
[9] "Wireless LAN Security in Depth," Sean Convery and Darrin Miller, Cisco Systems,
http://www.cisco.com/warp/public/cc/so/cuso/epso/sqfr/safwl_wp.htm,
last viewed August 11, 2002.
[10] "Making IEEE 802.11 Networks Enterprise-Ready," Arun Ayyagari and Tom Fout, Microsoft Corporation, May 2001,
last viewed August 11, 2002.
GREGORY SCHOLZ holds a BS in Computer and Information Science from the University of Maryland. Additionally, he has earned a number
of certifications from Cisco and Microsoft as well as vendor-neutral certifications, including a wireless networking certification.
After serving in the Marine Corps for six years as an electronics technician, he continued his career working on government IT
contracts. Currently he works for Northrop Grumman Information Technology as a Network Engineer supporting Brook Army Medical
Center, where he performs network security and design functions and routine LAN maintenance. He can be reached at:
gscholz@wireweb.net.