Wireless LAN security
Cisco LEAPs past the competition
In the past year, you've no doubt read articles warning about the security holes in wireless networks and documenting the flaws in Wired Equivalent Privacy, the standard method for securing 802.11b wireless LANs. We decided it's time to stop crying wolf and time to test solutions to the problem of 802.11b security.
The IEEE 802.11b Task Group I is working on a new standard that provides authentication and encryption for secure wireless networking. Unfortunately, the new standard is still in the draft stages. In the meantime, proprietary products that plug the holes in 802.11b security may be your best bet.
We tested the following products for their security, manageability and suitability for enterprise use: 3Com's Access Point 6000, Avaya's Access Server 1, Cisco's Aironet 350 and ACS, and Colubris' CN 1000. The Blue Ribbon Award goes to Cisco for its superb technical accomplishments and the depth of its systems' capabilities. Cisco beat Avaya in terms of features and management/administration, even though Avaya's outstanding documentation is a compelling, and regrettably unusual, feature.
Numerous 802.11b products claim to provide "extra" encryption. However, in most cases that "extra" encryption is merely the use of a 128-bit static key. Because WEP only specifies a 40-bit key, these companies can get away with claiming that their encryption is "extra." However, it doesn't matter whether you're using WEP in the original 40-bit mode or one of several 128-bit key extensions, because the WEP algorithm is flawed.
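Why a longer static key does not help, as an added example (not code from the article or any vendor): both WEP key sizes prepend the same cleartext 24-bit IV to the secret, so two frames that share an IV share a keystream whatever the key length. The keys, IV and payloads below are constructed for the illustration.

```python
import zlib

def rc4(key: bytes, n: int) -> bytes:
    """Return n bytes of RC4 keystream for the given seed."""
    s, j = list(range(256)), 0
    for i in range(256):                      # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):                        # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(iv: bytes, key: bytes, plaintext: bytes) -> bytes:
    """Cleartext 3-byte IV, then RC4(IV || key) XOR (plaintext || CRC-32)."""
    body = plaintext + zlib.crc32(plaintext).to_bytes(4, "little")
    return iv + xor(body, rc4(iv + key, len(body)))

def recover_second_plaintext(frame_a: bytes, frame_b: bytes, known_a: bytes) -> bytes:
    """Two frames with the same IV plus one known plaintext give the other
    plaintext without the key, because c_a XOR c_b == p_a XOR p_b."""
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("frames use different IVs")
    return xor(xor(frame_a[3:], frame_b[3:]), known_a)

# Constructed sample data: keys, IV and payloads are made up for this example.
KEY_40 = bytes.fromhex("0102030405")                    # "40-bit" WEP secret
KEY_104 = bytes.fromhex("0102030405060708090a0b0c0d")   # "128-bit" WEP secret
IV = b"\x00\x00\x2a"
P1 = b"constructed frame one"
P2 = b"second sample payload"

def demo(key: bytes) -> bytes:
    """Encrypt P1 and P2 under one IV, then recover P2 from P1 alone."""
    return recover_second_plaintext(wep_encrypt(IV, key, P1),
                                    wep_encrypt(IV, key, P2), P1)

if __name__ == "__main__":
    for name, key in (("40-bit", KEY_40), ("128-bit", KEY_104)):
        print(name, demo(key))
    print("IV values available per key:", 2 ** 24)
```

With only 2^24 IV values per static key, a busy access point has to repeat IVs, which is why per-session keys are the real fix rather than longer static ones.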
Fortunately, our entrants aren't out to fool anyone. All four have delivered viable authentication and encryption mechanisms that go beyond WEP and plug the security holes in the original 802.11b standard. We attempted to hack the systems in their proprietary security modes. Although none of these hacks were successful, keep in mind that the tools used were designed to penetrate WEP, not Extensible Authentication Protocol (EAP), Lightweight EAP (LEAP) or a properly configured VPN. It's safe to say that when properly configured, all four of these entries provide proven security for your wireless networks, at least for now.
This review includes extensive details about Cisco's proprietary technologies and installation routine. Because the details about the other products are similar, only significant or unique differences are noted.
Cisco - old standby/new leader
Cisco's wireless access point is a sleek, dark-gray box with two flip antennas. Instead of a power jack, Cisco uses a "power injector" that sits between your LAN jack and the access point. Most people will want to configure the unit via their browser, but a serial port is available if you'd prefer to use a serial communications program such as HyperTerminal or Telnet. We recommend a serial port because the browser interface can be somewhat buggy, with missing pages and other dead ends.
Installing Cisco's Aironet 350 Wireless LAN Adapter on a Sony VAIO was quick and easy. Windows XP Home Edition found the card and installed the correct driver in 10 seconds. The status and activity lights on top of the antenna indicated that it was installed and functioning correctly. All that was left for us to do was configure the card to work with Cisco's wireless network equipment.
We had to dig through Cisco's documentation, which is Cisco's one sore point. Both the wireless access point and the wireless network interface cards (NIC) have three guides each, for hardware, software and a quick start. That's six documents and 650 pages. 802.11b is just not that complicated. About 120 pages is the upper limit for a product of this complexity, and a document this size should clearly, concisely and effectively communicate its installation, use and troubleshooting.
During installation, you'll be asked which level of security you wish to use: none, EAP or LEAP. None is just that - none.
Although "None" uses 128-bit fixed WEP keys, it's easily cracked. Unless you're just surfing the Internet for Christmas dinner recipes, you probably won't want to trust your sensitive data to WEP.
EAP was developed to support multiple authentication mechanisms. Instead of selecting a specific authentication mechanism at the link control phase, it waits until the authentication phase. This allows the authenticator to request more information before determining the specific mechanism, and provides a means for an external server to provide the authentication mechanisms, while EAP merely acts as a pass-through. EAP is a complex standard, and its complexity means it isn't widely deployed.
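The deferred method selection and pass-through role described above, as an added example (not from the article or Cisco's software): a small EAP packet parser run over a constructed exchange in which the peer declines MD5-Challenge and asks for type 17 (LEAP). The user name and the method payloads are placeholders, not real LEAP messages.

```python
import struct

REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4     # EAP Code field
IDENTITY, NAK, MD5_CHALLENGE, LEAP = 1, 3, 4, 17     # EAP Type field

def build(code, ident, eap_type=None, data=b""):
    """Serialize an EAP packet: Code, Identifier, Length, then Type and data."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def parse(pkt):
    """Return (code, identifier, type, type_data); reject malformed lengths."""
    if len(pkt) < 4:
        raise ValueError("short EAP header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if not 4 <= length <= len(pkt):
        raise ValueError("bad EAP length")
    if code in (REQUEST, RESPONSE):
        if length < 5:
            raise ValueError("missing Type field")
        return code, ident, pkt[4], pkt[5:length]
    return code, ident, None, b""

def pass_through(trace):
    """Authenticator role: relay every packet unmodified and look only at the
    Code field to decide whether the port may be opened."""
    forwarded, authorized = [], False
    for pkt in trace:
        code = parse(pkt)[0]
        forwarded.append(pkt)
        if code in (SUCCESS, FAILURE):
            authorized = code == SUCCESS
    return forwarded, authorized

def negotiated_method(trace):
    """First method the peer answered, skipping Identity and Nak responses."""
    for pkt in trace:
        code, _, eap_type, _ = parse(pkt)
        if code == RESPONSE and eap_type not in (IDENTITY, NAK):
            return eap_type
    return None

# Constructed exchange; user name and method payloads are placeholders.
TRACE = [
    build(REQUEST, 1, IDENTITY),
    build(RESPONSE, 1, IDENTITY, b"alice"),
    build(REQUEST, 2, MD5_CHALLENGE, bytes([16]) + bytes(16)),
    build(RESPONSE, 2, NAK, bytes([LEAP])),       # peer asks for type 17
    build(REQUEST, 3, LEAP, b"<opaque>"),
    build(RESPONSE, 3, LEAP, b"<opaque>"),
    build(SUCCESS, 3),
]
```

The access point in this model never needs to understand the method itself; only the peer and the back-end authentication server do.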
LEAP is Cisco's proprietary lightweight implementation of EAP. It ensures mutual authentication using private and public keys (shared secrets), solving man-in-the-middle attacks, sniffing attacks and active attacks.
Cisco's products are fully 802.11b compatible, allowing you to mix secure and nonsecure connections on the same access point. If you want maximum security, you can set up the access point to enforce LEAP-only, but most network administrators will configure it to use both LEAP and 128-bit static WEP connections. Although the non-LEAP devices and their datastreams are vulnerable, the LEAP-enabled datastreams are secure.
LEAP and EAP require a Remote Authentication Dial-In User Service (RADIUS) server. RADIUS enables centralized management of users, and has grown beyond the dial-up stage. By itself RADIUS doesn't offer encryption; it's for authenticating users. Cisco's version is its Access Control Server 2000 Version 2.6. You can configure the access point and cards to use either LEAP Draft 8 or Draft 10, giving you flexibility in environments with older Cisco cards. You can also configure Access Control Server to perform LEAP and media access control authentication. When combined with the user's logon information and periodic reauthentication, Cisco's LEAP provides the iron-clad wireless security you need to protect your corporate data, preventing hackers from accessing your wireless LAN, even with a stolen notebook.
You'll configure the wireless NIC through Cisco's Aironet Client Utility, which allows you to run six commands, change numerous preferences, and run two diagnostics. The Linktest diagnostic is used to assess the performance of the radio frequency link in various locations (helping to eliminate dead spots), while the site survey diagnostic is used to measure signal strength and quality four times per second (helping to determine the best placement for your wireless access points).
In two tests - one taken about 10 feet from the wireless access point in unobstructed space, and the other about 60 feet from the wireless access point through several walls - Cisco's throughput of 11M bit/sec was extremely good, considering we were on a 2.4-GHz portable phone less than 2 feet from the wireless network interface card (NIC).
Configuration was fairly straightforward. Although we were able to crack the 128-bit static WEP in less than 18 hours, when we switched to a LEAP-enabled RADIUS server, network security was still intact 48 hours later.
Colubris - cool name, cool product
The Canadian company Colubris relies on innovation to make its mark, using embedded VPN technology to enhance 802.11b security. Colubris largely succeeds with its CN1000 Wireless LAN Router (model CN1050 is the current standard), targeted at midsize to large businesses.
Colubris has an intriguing design. Instead of using a different set of wireless electronics for its access point, the top of the CN1000 is a PC card slot into which you slide one of its wireless NICs. Should you need to upgrade your wireless network, instead of having to purchase a new access point, you simply buy an additional NIC.
Setup failed under Windows XP, until updated instructions were discovered on the Web site. If you're using proprietary client management software, here's something you may wish to keep handy: Go to network connections, properties, select the wireless networks tab, and deselect the "use Windows to configure my wireless network settings" box. If you don't, it may later interfere with the proprietary card management software and you may lose some settings.
The CN1000 includes a built-in network address translation firewall and the ability to act as a "router" (gateway, actually) for a hard-wired subnet. However, support for security is the most important feature. The product fully supports VPN pass-through, but the CN1000 is a VPN server. Access control lists can be managed directly on the access point, providing good flexibility for most corporate networks.
Like Cisco's equipment, the CN1000 comes with a real-time link status, a site survey tool and a monitoring tool that helps system administrators plan for the best layout and coverage of wireless LANs. The Web-based management tool gets a Secure Sockets Layer-enabled link (unlike Cisco's), allowing remote administrators to securely manage its VPN capabilities through any SSL browser.
3Com - New exterior, unrefined interior
3Com's design looks the best, from its two-position wireless access point with the flip antenna to the retractable X-Jack antenna on its wireless NIC. X-Jack lets you store the antenna in the wireless NIC when not in use, keeping it in your laptop during transportation. Both were a bit overengineered, though. Because the wireless NIC is easily removed from the PC card slot during transportation, that is preferable to having to fiddle with the retractable antenna. If you're at all bumpy with your equipment, you're better off removing the card before moving your laptop anyway.
Installing 3Com's wireless NIC in XP was a dismal failure. First, an error message said the card failed to properly install, and suggested the use of XP's troubleshooter, which directed me to uninstall the card, then use the "search new hardware" wizard. The result was the blue screen of death.
When downloading the updated driver from 3Com's Web site, the dreaded "we'll contact you within one to two business days regarding your request" message came up on the screen. Five business days later we still hadn't heard from 3Com.
Rather than trashing a laptop trying to make something work that just wasn't happening, we swapped roles, using the laptop as the hacker machine and the Pentium III workstation as a "client" by using my PCI-to-PCMCIA adapter card. The results were better, although 3Com took a big hit in the "ease of use/setup" category. There's little excuse for not having a valid XP driver. At press time, the drivers were still not available.
To its credit, 3Com's Dynamic Security Link technology is similar to Cisco's LEAP. One benefit of Dynamic Security Link is that it increases the number of simultaneous users from 65 to 255. Furthermore, you don't have to manually enter the 128-bit keys when using Dynamic Security Link - it automatically generates new keys and distributes them to the client each session. While this is great for encryption, you'll still need to provide for message- and user-authentication for iron-clad security.
It took 60 seconds to set up 3Com's Access Point 6000.
However, implementing the full range of security took much longer, not only for the access point but also for each client. 3Com's browser-based Configuration Management System was better than the one offered by Colubris, and its HTML-based documentation was complete and well organized. In all, 3Com's product has some neat technology, but the entire package needs some tweaking, especially in terms of setup.
Avaya - Mirror Image, with a twist
Avaya's wireless NICs looked identical to those from Colubris, and Avaya confirmed that they were the same Orinoco cards. That's about where the similarities ended, as Avaya's Access Server 1 is a slick tool for managing corporate-level wireless security. It includes RADIUS software that runs on any workstation plugged into the hard-wired LAN, and employs automatic key generation and distribution.
Avaya's documentation was very good, with plenty of room set aside in the form of tables to record the system parameters administrators in large corporate environments should never commit to memory.
The AS Manager provides the full range of management and diagnostic utilities you'd expect for a top-of-the-line corporate offering, along with the ability to manage most functions through SNMP/Telnet.
VPNs and RADIUS servers are proven technologies that properly implement a variety of key exchange systems, and Cisco's LEAP + Access Control Server combination is a winning solution for midsized to large corporations. I would trust my corporate data to them before I'd go with an unproven technology, even if it significantly reduces administrative overhead.
One of these days someone will figure out how to distribute secret keys to the access point and the clients in a manner that's secure yet fully automatic. In the meantime, if you're worried about security, make the investment and use proven security methods.
Cisco's Aironet 350 and Access Control Server 4.6 combination was the most mature product, working seamlessly with all versions of Windows we tested (NT 4.0, 2000 Pro and XP Home), while offering superb management tools. As a result, Cisco edged out Avaya's Access Server 1 to win our Blue Ribbon Award.
Janss is the president of Jansys Information Systems, a consulting firm specializing in IS technologies for small businesses. He can be reached at firstname.lastname@example.org.
How we did it
Our testing methods explained.
IEEE is working on new standard
The scope of IEEE's 802.11b Task Group I is "to enhance the 802.11 Medium Access Control to enhance security and authentication mechanisms."
A personal boilerplate
Before personal firewalls became a commodity, life was different for the network security staff.
WEP's fatal flaw exposed
Wired Equivalent Privacy vulnerabilities came to light more than a year ago in October 2000.
A closer look at LEAP
How Lightweight Extensible Authentication Protocol works.