Securing Wi-Fi management frames

* Will 802.11w negate need for intrusion prevention systems?

About a month ago, I discussed the currently unsecured status of over-the-air management frames in Wi-Fi networks. These frames carry content that is growing more sensitive as capabilities such as fast roaming and radio resource management join Wi-Fi networks, yet in most systems they traverse the airwaves in the clear. The emerging 802.11w Protected Management Frames standard aims to extend the 802.11i standard security suite to protect management frames in addition to data frames, and it is expected in late 2007 or early 2008.

When these capabilities are inherently built into base 802.11 systems (Cisco has its own pre-standard version already), will they diminish the value proposition of third-party wireless intrusion prevention systems? Well, the capability will reduce some basic denial-of-service risks. First, it will extend data encryption algorithms to the unicast management frames running between an access point and client. Special one-time keys known by client and AP will tell the client if deauthentication requests are valid. Without them, it would be easier for a hacker to barrage clients with deauthentication requests using management information sniffed from the air.
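A simplified model of the check described above, added here as an example; it is not code from this column or from the 802.11w standard. HMAC-SHA256, the `protect` helper, the `Client` class and the sample frame are assumptions standing in for the real cipher and frame format.

```python
import hashlib
import hmac
import os
import struct

TAG_LEN = 8  # tag length chosen for this model

def protect(key: bytes, pn: int, frame: bytes) -> bytes:
    """Sender side: prepend a packet number, append a keyed integrity tag."""
    hdr = struct.pack(">Q", pn)
    tag = hmac.new(key, hdr + frame, hashlib.sha256).digest()[:TAG_LEN]
    return hdr + frame + tag

class Client:
    """Hypothetical station model; key=None means no management-frame protection."""
    def __init__(self, key=None):
        self.key, self.last_pn, self.associated = key, 0, True

    def on_deauth(self, raw: bytes) -> bool:
        """Return True if the deauthentication request is honoured."""
        if self.key is None:              # unprotected: any request is obeyed
            self.associated = False
            return True
        if len(raw) < 8 + TAG_LEN:
            return False
        hdr, frame, tag = raw[:8], raw[8:-TAG_LEN], raw[-TAG_LEN:]
        good = hmac.new(self.key, hdr + frame, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, good):
            return False                  # sender does not hold the session key
        pn = struct.unpack(">Q", hdr)[0]
        if pn <= self.last_pn:
            return False                  # captured frame sent a second time
        self.last_pn, self.associated = pn, False
        return True

if __name__ == "__main__":
    key = os.urandom(16)                  # stands for the key shared by client and AP
    frame = b"deauth sa=ap da=sta reason=3"      # constructed sample, not real 802.11 layout
    spoofed = protect(os.urandom(16), 1, frame)  # built without the session key
    genuine = protect(key, 1, frame)
    print("unprotected client, spoofed:", Client().on_deauth(frame))
    sta = Client(key)
    print("protected client, spoofed:  ", sta.on_deauth(spoofed))
    print("protected client, genuine:  ", sta.on_deauth(genuine))
    print("protected client, replayed: ", sta.on_deauth(genuine))
```

The unprotected client drops its association on any request, while the protected one honours only a request tagged with the shared key and carrying a fresh packet number.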

I tapped three makers of wireless intrusion detection and prevention systems, who all seemed to support the spirit of 802.11w, though they said they were not directly involved in helping write the standard.

Sri Sundaralingam, director of product management at AirTight Networks, said, “We are supportive of 802.11w, as it will help to make 802.11 more secure. It does not completely eliminate all scenarios of denial-of-service attacks but it does address a good portion of them.”

He added, “All other threats still need to be addressed - rogue APs, client misassociations, ad hoc connections, and MAC spoofing attacks - because 802.11w only addresses [denial of service].”

Both Wade Williamson, director of product management for AirMagnet, and Brian deHaaf, vice president of marketing at Network Chemistry, agreed that they endorse the 802.11w concept. “Protecting management frames would significantly improve the security of 802.11,” said deHaaf.


Copyright © 2007 IDG Communications, Inc.
