Crack the WIP
November 1, 2006
The adoption of wireless LAN technology by small and medium businesses and enterprise organizations has exploded during recent years. With it has come an equally mounting concern over securing these networks. The 802.11i standards set by the IEEE provide wireless security capable of satisfying the most stringent demands. However, 802.11 is still a complex and immature standard, with new vulnerabilities undoubtedly remaining to be uncovered. This article will review available security practices that service providers can employ for their customers in the interim.
First-generation WLAN technology focused primarily on providing basic connectivity and QoS, protecting data payloads and fixing client roaming issues. Managing and enforcing wireless security policies was often an afterthought. Many organizations deployed dedicated overlay wireless intrusion protection systems (WIPS) to address some of the security shortcomings of first-generation WLANs.
WIPS provide significant features such as:
Monitoring, alerting and automated response to security policy violations
Rogue access point detection and mitigation
Policy enforcement, such as allowing corporate clients to connect only to company-sanctioned access points or networks
Intrusion detection for 802.11-specific attack signatures
WLAN performance characterization
Historically, WIPS have derived much of their intrusion-detection abilities for WLANs by collecting and analyzing unencrypted management frames. The enforcement of WLAN policies by WIPS depends upon the ability of the WIPS to forge or spoof management frames, so that such frames appear to come from the WLAN infrastructure and will be heeded by associated client devices.
The industry has watched WLAN data security evolve from static Wired Equivalent Privacy (WEP) to 802.1x, the first standard set by the IEEE, to Wi-Fi Protected Access (WPA) and finally to IEEE 802.11i/WPA2, and the consensus is that standards organizations and vendors have, for the time being, adequately addressed most of the issues around securing user authentication credentials and unicast data encryption. Standardization and development efforts have turned toward improving the performance, protocol attack mitigation, management and control of these wireless networks. The 802.11k, 802.11r and 802.11v IEEE task groups (factions of the larger 802.11 standards body) are addressing further improvements, such as radio resource management, fast secure handoff, network resource discovery and centralized client control. Implementing these features requires that sensitive information about the state of the network itself be shared between the WLAN infrastructure and the entire population of client devices.
The mechanism for sharing these information elements will be new and enhanced 802.11 management frames, delivered via Layer 2 network broadcast and multicast messages, which to date have not been afforded the protection of 802.11i. So, the IEEE has established the 802.11w task group to address extending the protections of 802.11i to broadcast and multicast traffic. This feature is frequently described as management frame protection (MFP).
MFP essentially verifies that frames are unaltered and come from a trusted source, and it also automatically encrypts data that is deemed sensitive. Some types of frames, therefore, will be encrypted completely using the Advanced Encryption Standard (AES), while others will merely have a message integrity check (MIC) field appended, which provides assurance that such frames come from an authenticated source and have not been tampered with. With MFP enabled in the infrastructure and on client devices, sensitive network details are kept hidden from attackers, and the source and integrity of management frames can be assured.
The implementation and adoption of MFP has significant implications for manufacturers and integrators of dedicated overlay WIPS. WIPS generally are marketed and deployed either as dedicated overlays on top of existing wireless networks, or as a means to enforce a corporate no-wireless policy. Current WIPS implementations are not part of the MFP key exchange between client devices and access points. Thus, the protection provided by MFP will interfere with a dedicated WIPS' ability to effectively monitor (now-protected) management traffic, and could end its ability to issue spoofed management frames to MFP-enabled clients.
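The two paragraphs above describe the effect of a MIC on management frames: a receiver that shares a key with the access point accepts only frames that are unaltered, fresh and keyed, so a monitor that never took part in the key exchange can neither validate them nor produce acceptable ones. The following Python model, added here as an illustration and not code from the article or from any WIPS or WLAN vendor, makes that concrete. Everything in it is an assumption: the frame is a small dictionary with a constructed field layout, the MIC is HMAC-SHA256 truncated to 16 bytes (the article names no algorithm and 802.11w uses a different construction), the key is a fixed constructed value rather than one derived from an association handshake, and the replay counter is a plain integer.

```python
import hashlib
import hmac

# Toy model of management frame protection (MFP). Assumptions, not the real
# 802.11w design: dict-based frames, HMAC-SHA256/16 as the MIC, a fixed
# constructed key, and a 2-byte replay counter that must strictly increase.
MIC_LEN = 16

AP = "00:11:22:33:44:55"    # constructed AP address
STA = "66:77:88:99:aa:bb"   # constructed client address


def _mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def serialize(frame: dict) -> bytes:
    """Canonical encoding of every field the MIC covers (constructed format)."""
    return b"|".join([
        frame["subtype"].encode(),
        _mac_bytes(frame["src"]),
        _mac_bytes(frame["dst"]),
        frame["seq"].to_bytes(2, "big"),   # replay counter is covered too
        frame["body"],
    ])


def compute_mic(frame: dict, key: bytes) -> bytes:
    return hmac.new(key, serialize(frame), hashlib.sha256).digest()[:MIC_LEN]


def protect(frame: dict, key: bytes) -> dict:
    """Sender side: append a MIC so the receiver can check origin and integrity."""
    return {**frame, "mic": compute_mic(frame, key)}


def verify(frame: dict, key: bytes, last_seq: int) -> bool:
    """Receiver side: accept only a keyed, unmodified frame whose counter advanced.
    Unprotected, replayed, tampered and wrong-key frames all return False."""
    if "mic" not in frame or len(frame["mic"]) != MIC_LEN:
        return False
    if frame["seq"] <= last_seq:
        return False
    return hmac.compare_digest(compute_mic(frame, key), frame["mic"])


def demo() -> dict:
    """Run the cases an MFP-capable client sees; all values are deterministic."""
    ap_key = b"constructed-ap-sta-key-00000001"   # constructed, shared AP/client key
    other_key = b"constructed-key-not-shared-0001"  # a party outside the key exchange
    last_seq = 0
    results = {}

    genuine = protect({"subtype": "deauth", "src": AP, "dst": STA,
                       "seq": 1, "body": b"reason=3"}, ap_key)

    # Body altered after the MIC was computed: integrity check fails.
    tampered = {**genuine, "body": b"reason=7"}
    results["tampered"] = verify(tampered, ap_key, last_seq)

    # The untouched frame from the keyed AP is accepted and advances the counter.
    results["genuine"] = verify(genuine, ap_key, last_seq)
    last_seq = genuine["seq"]

    # The same bytes captured and resent later: counter did not advance.
    results["replayed"] = verify(genuine, ap_key, last_seq)

    # Frames from a monitor that never received the key: either it has no MIC
    # at all or one computed under some other key. Both are dropped.
    unprotected = {"subtype": "deauth", "src": AP, "dst": STA,
                   "seq": 2, "body": b"reason=3"}
    results["unprotected"] = verify(unprotected, ap_key, last_seq)
    results["wrong_key"] = verify(protect(unprotected, other_key), ap_key, last_seq)
    return results


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:12s} accepted={accepted}")
```

The point for an overlay WIPS is the last two cases: without the key negotiated between AP and client it can only send frames that look like `unprotected` or `wrong_key`, which a protected client discards, and it cannot compute `compute_mic` itself to check whether a frame it observes is genuine.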
Now that most manufacturers offer second-generation WLAN infrastructure, often consisting of a centralized switch or controller, they increasingly have been able to claim that WIPS functionality can be provided as effectively, if not better and cheaper, natively on the WLAN infrastructure itself. The major advantage for WLAN makers has been that the customer already has access points deployed that can do double-duty as a radio monitor. This approach saves time and money. With the advent of MFP, WLAN manufacturers could potentially argue that the infrastructure is not only the best place, but the only place that WIPS can be implemented and managed effectively.
Additionally, advanced WLAN equipment can integrate with existing, mature, wired-side intrusion protection system (IPS) solutions. This is significant, as a WIPS typically only monitors the network for attacks that are specific to the 802.11 protocol, i.e. something out-of-bounds over the airwaves. If a credentialed user with an authorized wireless device starts launching Layer 3 or higher attacks, the WIPS generally senses nothing amiss, since nothing anomalous has occurred at the 802.11 layer. The ability of the WLAN infrastructure to pull security information and status from an existing wired IPS and then apply policy to the wireless side of the network provides a truly integrated security posture. For example, if a customer's wireless device is stolen while still in a fully authenticated 802.11 state, only a traditional Layer 3-7 IPS can detect and remediate subsequent attacks against an application server. Advanced WLAN equipment now is capable of checking shun lists generated by a wired IPS against lists of wireless clients and neutralizing an application-layer attack at the wireless level.
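The shun-list check described above is a join between two views of the network: the wired IPS knows offending IP addresses, the controller knows which MAC address and access point each IP currently belongs to. The Python below, added as an example and not taken from the article or from any IPS or controller product, performs that correlation and produces a wireless-side action for each match. The export formats, the field names, the addresses and the expiry handling are all constructed assumptions; a real IPS and controller each have their own interfaces.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample exports. Formats and values are assumptions for this example.
IPS_SHUN_LIST = """\
# ip,reason,expires_utc
10.20.30.41,http-sqli-signature,2006-11-01T13:00:00Z
10.20.30.77,smb-brute-force,2006-11-01T10:00:00Z
192.168.5.9,port-scan,2006-11-01T13:00:00Z
"""

WLAN_CLIENT_TABLE = """\
# mac,ip,ap,state
66:77:88:99:aa:bb,10.20.30.41,ap-lobby-1,authenticated
66:77:88:99:aa:cc,10.20.30.42,ap-lobby-1,authenticated
66:77:88:99:aa:dd,10.20.30.77,ap-floor2-3,authenticated
66:77:88:99:aa:ee,10.20.30.78,ap-floor2-3,associated
"""


@dataclass(frozen=True)
class ShunEntry:
    ip: ipaddress.IPv4Address
    reason: str
    expires: datetime


@dataclass(frozen=True)
class WlanClient:
    mac: str
    ip: ipaddress.IPv4Address
    ap: str
    state: str


def _rows(text: str):
    """Yield comma-separated fields, skipping blank lines and '#' comments."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield [f.strip() for f in line.split(",")]


def parse_shun_list(text: str) -> list[ShunEntry]:
    entries = []
    for ip, reason, expires in _rows(text):
        # Accept the trailing 'Z' form on older interpreters by rewriting it.
        when = datetime.fromisoformat(expires.replace("Z", "+00:00"))
        entries.append(ShunEntry(ipaddress.ip_address(ip), reason, when))
    return entries


def parse_client_table(text: str) -> list[WlanClient]:
    return [WlanClient(mac.lower(), ipaddress.ip_address(ip), ap, state)
            for mac, ip, ap, state in _rows(text)]


def correlate(shun: list[ShunEntry], clients: list[WlanClient],
              now: datetime) -> list[dict]:
    """One action per wireless client whose IP is on an unexpired shun entry.
    Expired entries are ignored; wired-only IPs simply never match a client."""
    active = {e.ip: e for e in shun if e.expires > now}
    actions = []
    for client in clients:
        entry = active.get(client.ip)
        if entry is None:
            continue
        actions.append({
            "mac": client.mac, "ip": str(client.ip), "ap": client.ap,
            "reason": entry.reason, "action": "deauth-and-block",
        })
    return actions


def run(now: datetime | None = None) -> list[dict]:
    """Correlate the constructed exports at a fixed instant (2006-11-01 12:00 UTC)."""
    now = now or datetime(2006, 11, 1, 12, 0, tzinfo=timezone.utc)
    return correlate(parse_shun_list(IPS_SHUN_LIST),
                     parse_client_table(WLAN_CLIENT_TABLE), now)


if __name__ == "__main__":
    for action in run():
        print(action)
```

With the constructed data, only the client at 10.20.30.41 is acted on: the 10.20.30.77 entry has already expired, and 192.168.5.9 is a wired host with no entry in the association table. Honouring the IPS expiry on the wireless side matters, since a blocked MAC that is never released turns a transient shun into a permanent outage for that device.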
As the 802.11w standard for MFP is years away from ratification, certainly nothing is final at this point. Many dedicated WIPS overlay solutions already integrate with leading infrastructure manufacturers to some extent, and some vendors also license their technology to WLAN makers outright. At the very least, dedicated WIPS will continue to provide protection for non-MFP-capable systems for some time to come.
New developments in 802.11-based networking no doubt will continue at a rapid pace. Thus, there are basic approaches that solutions providers can take to ensure that they are providing secure wireless networks to their customers:
Invest in 802.11-specific training and tools for your staff. These systems are significantly more complex than standard Ethernet networks, and require new skill sets to design, deploy, secure and operate.
Become knowledgeable and experienced deploying 802.11i-based security solutions.
When architecting a security solution, pay special attention to the capabilities of your clients' installed hardware and software, and the interoperability with particular authentication methods and user database stores.
When supporting pre-existing systems, provide a means for your clients to accommodate or migrate any legacy security schemes already in place.
Always thoroughly pilot-test new security architectures before widespread rollout.
Be alert for newly uncovered vulnerabilities in protocols, clients and infrastructures. Subscribe to wireless security mailing lists and keep your clients up to date and well-patched.
Consider the availability of authentication services, compliance requirements, client budgets, mobile device selection criteria, application behavior, and ongoing monitoring and management of the solution.
Customers considering the deployment of WLANs often don't know what they don't know. It's your job to share your experience and knowledge with the client. Doing so demonstrates the clear added value that you bring to the table.
Edward Carmody is a solutions architect for Dimension Data North America's Advanced Wireless Solutions practice.
Whipping Security Provisions Into Shape
Reports from In-Stat show that while current WLAN security isn't at its strongest, many companies plan to bolster security efforts over the next several years. Within wireless security, In-Stat has identified two addressable markets: security for portable devices and security to protect network operations and assets in the business premises. Together, these markets are projected to reach $4.4 billion by 2010.
In-Stat says much of the security revenue for business clients will be generated by solutions that protect data when it is transmitted or stored on portable devices, including enterprise platforms that centrally manage and provision encryption applications.
Recent research by In-Stat found the following:
In a recent In-Stat survey, more than 70 percent of the respondents say they use WLANs in their businesses.
Between now and 2010, close to 460 million new client devices with wireless capability will ship to business premises, including mobile PCs and Wi-Fi handsets.
In the business premises, mobile PCs with embedded Wi-Fi and business combo Wi-Fi/cellular phones, combined, will comprise 94.9 percent of clients by 2010.
Source: In-Stat, September 2006
Links
Dimension Data North America: www.dimensiondata.com/na