
The wireless security balancing act

May 26, 2003

Vendors are creating a dizzying array of Wi-Fi security choices, but standards compliance won’t necessarily protect you.

Wireless LANs have been billed as the great security wasteland. But thanks to the 802.11b Wi-Fi community’s frenetic activity in the last year, an abundance of good security choices now exist, with more on the way.

Wi-Fi security efforts have focused on encryption and authentication, with users essentially getting two choices for locking down WLANs. They can use IP Security (IPSec)-based VPNs or build security architectures around pending Wi-Fi-specific security standards. Within the Wi-Fi standards are more choices.

With such options, corporate users can secure any WLAN, even for sensitive data. “Don’t wait for the Holy Grail, or you’ll lose an opportunity to invest in an architecture that could be of tremendous benefit,” says O.J. Wolanyk, CIO for Memorial Health System in Springfield, Ill.

Wolanyk is overseeing a $30 million, three-year project that will let doctors carry patient data on portable devices while making their rounds, connecting to patient medical records and research sites via an 802.11b network. He relies on an IPSec VPN created by ReefEdge’s Wi-Fi authentication server to protect network access while providing Triple-DES encryption.

Wolanyk and other early adopters tell peers not to be scared off by ongoing work on Wi-Fi security standards. Within the next year or so, standards will be final, standards-compliant products will be shipping, and de facto winners of competing underlying security technology will have emerged. Upgrading existing equipment and tossing out the old is typical in the Wi-Fi world, users point out.

After all, security isn’t the only part of Wi-Fi that could make the access points and client-side antenna network cards obsolete. Speed also is an issue, with the migration from 11M bit/sec with 802.11b to 54M bit/sec with 802.11a or 802.11g, says Thomas Gaylord, CIO of the University of Akron in Ohio. His approach is to go with one vendor, Cisco, for all access points and to rely on Cisco’s assurances of future compatibility. He has begun to mix in faster, more secure Aironet 1200 access points (capable of being upgraded to 802.11a, 802.11g and the emerging Wi-Fi security standards) with older Aironet 340 and 350 models. As to the wireless clients, he will rely on a future feature that would autodetect software/firmware versions and upgrade to new versions if necessary, he says.

“That’s how we see ourselves protecting our investment: using a blended or dual [access point] environment,” Gaylord says.

The good news, too, is that many vendors are building 802.11 products with speed and security-upgrade paths in mind. And they are pricing this gear low enough to be fully depreciated over two to three years – rather than five years as some more expensive equipment requires. This makes a replacement budget feasible – at least for access points – should you need to swap out to standards-compliant equipment, users and vendors agree. For instance, access points are priced from $100 to $1,000 and 802.11 PC cards cost $50 or less.

Moreover, standards work is fairly far along. Should you decide to buy now, you comfortably could predict which security choices will win in the long run. Yet, vendors are not making Wi-Fi security choices easy to understand nor packaging their products with basic security defaults. The onus is on you to learn about the choices in authentication and encryption protocols, and how to implement them.

IPSec VPNs, WPA and 802.11i

Wi-Fi security is a maze of choices. On the one side, security vendors and users are addressing Wi-Fi security with tried-and-true IPSec VPNs. On the other side, Wi-Fi developers are working feverishly to add strong native security support into 802.11 networks.

While effective, using an IPSec VPN for wireless security has several drawbacks. For one, it is limited to IP traffic, and it carries all the complications of wired IPSec, such as configuration complexity and the requirement of client-side code. Native Wi-Fi security support will win in the longer term for enterprise WLANs, analysts say, with VPNs coming in handy for some circumstances. For example, a road warrior on a Starbucks public 802.11 network always will need a VPN to tunnel into the corporate network, says Michael Sutton, director of engineering for wireless consultancy iDefense.

As positive as standards development is, the pace of Wi-Fi security developments is creating a bewildering number of interim solutions. Two overlapping 802.11 security protocols are in the barrel. One is Wi-Fi Protected Access (WPA), which the Wi-Fi Alliance vendor group announced last October. The first WPA-certified products are expected to become available later this year based on the first WPA-certified chipsets, which began shipping during NetWorld+Interop in late April.

WPA replaces the 802.11 Wired Equivalent Privacy (WEP) protocol, much lambasted as weak thanks to its short and static encryption keys. With a firmware upgrade that overwrites WEP, WPA offers stronger encryption (see story below, “Wireless encryption that grows on you.”). It also adds the 802.1X authentication protocol, an IEEE wired-world standard adapted for Wi-Fi.

The other choice is the IEEE’s 802.11i, the ultimate goal of Wi-Fi security work. 802.11i includes all elements of the WPA standard while upgrading to stronger encryption. 802.11i is expected to be completed early next year, with portions (such as the stronger encryption) ratified as early as the end of this year, vendors say. Products that claim all or partial 802.11i compliance might begin to ship before 802.11i’s ratification, with observers estimating availability of fully compliant products in second-quarter 2004.

The Wi-Fi Alliance intends the WPA as an interim standard while the wheels of the IEEE slowly turn on 802.11i. Vendors promise WPA will be compatible with 802.11i.

Go take an EAP

Between encryption and authentication, you’re on more treacherous ground with authentication. The 802.1X authentication standard used in WPA and 802.11i (and sometimes directly named as a supported standard by vendors) holds a secret black hole for compatibility. It relies on the IETF Extensible Authentication Protocol (EAP), an extension of PPP. At least five incompatible flavors of EAP can be used with 802.1X, including a proprietary version from Cisco. These EAP options are in various stages of development, from draft mode to widely available.

For proper authentication, the client and access point must use the same EAP version. Sutton warns that you could buy products that tout compliance with WPA or 802.11i but won’t talk to each other.

If you choose an EAP that doesn’t gain de facto standard status, the access point will be to other EAP clients what a two-hole electrical outlet is to three-pronged plugs. Converting Wi-Fi clients to a de facto standard before they’ve fully depreciated could be a drain of resources, both time and money. And for newer versions of EAP, interoperability is sketchy, even between two devices using the same flavor, as testing at NetWorld+Interop showed. (See related story, “Wireless security is rising, but it’s not fully baked yet.”)

Analysts are watching the EAP wars closely and have laid bets on which efforts will be the long-term winners.

Each EAP option has advantages and disadvantages.

Microsoft’s variant, EAP-Transport Layer Security (EAP-TLS), is widely available. Microsoft supports the protocol in all versions of Windows XP and has released a free Windows 2000 EAP client. EAP-TLS requires certificates for clients and servers. Because of this, some users perceive this implementation to be more secure than other EAPs. However, the client-server certificate requirement also means EAP-TLS needs certificate management, such as the use of a trusted certificate authority and the ability to revoke certificates quickly.

Cisco’s EAP variant, the popular Lightweight EAP (LEAP), is proprietary – its biggest downfall. LEAP, released in 2000, provides username/password authentication, based on the Windows logon. Certificates are not required, but until recently Cisco access points and clients were. If the WLAN was available to a variety of 802.11 clients, you had to buy LEAP client-side “supplicants,” as EAP client code is called, from vendors such as Funk Software and Meetinghouse Data Communications for about $40 per seat. That’s a pricey proposition for organizations with thousands of clients, especially compared with the free EAP-TLS supplicants from Microsoft. Cisco is trying to encourage more widespread support of LEAP on clients through a LEAP licensing program it now offers to chipset vendors. In February, Cisco announced licenses with eight such vendors, including Intel for its Centrino Mobile Technology, which will embed LEAP in a variety of laptops.

The third EAP variant is EAP-Tunneled TLS (EAP-TTLS), developed by Funk and Certicom, and turned over to the IETF. Now an Internet draft last updated in February, EAP-TTLS is an enhancement of EAP-TLS, with support for advanced authentication methods such as tokens. A variety of Wi-Fi vendors have signed on to support EAP-TTLS.

The fourth EAP choice, Protected EAP (PEAP), is a Cisco-Microsoft-RSA Security option developed to counter the momentum EAP-TTLS gained as Wi-Fi vendors embraced it, Sutton says. He characterizes PEAP as like EAP-TTLS, but controlled by the big guys.

PEAP uses certificates in a fashion similar to Secure Sockets Layer (SSL) with browsers. The client presents a certificate to the server, but does not require one from the server in return. Once the client authenticates to the server with a certificate, it “builds the encrypted tunnel then it does EAP in the tunnel to authenticate the client – a two-step authentication process like SSL,” says Chris Bolinger, a product manager with Cisco’s wireless networking group. Microsoft has included PEAP in XP service pack releases and, as it does for EAP-TLS, offers a free Win 2000 client.

Vendors also often support the fifth EAP, EAP-MD5. However this older EAP is rarely used, Sutton says, and he does not see it growing in popularity.

He is placing his bets on PEAP, with its backing by Cisco and Microsoft, as the big winner. Cisco and Microsoft “saw the writing on the wall” and realized that their versions of EAP would not become de facto standards, Sutton says. Still, for Cisco houses, LEAP could remain a strong contender for years, particularly once it becomes available in more clients.
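To make the compatibility point concrete, here is an added example (not code from the article or from any vendor) that models the EAP method negotiation an 802.1X authenticator and a supplicant go through, using the packet layout and method type numbers from RFC 3748 and the IANA EAP registry. It shows why an access point that only offers LEAP never reaches an authentication with a client that speaks EAP-TLS and PEAP; the scenario values are constructed.

```python
"""EAP method negotiation between an 802.1X authenticator (access point plus
RADIUS server) and a supplicant (Wi-Fi client), using the EAP packet format of
RFC 3748. Added example, not code from the article or any vendor."""
import struct

# EAP codes and the method types the article names (RFC 3748 / IANA registry).
REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4
IDENTITY, NAK, MD5_CHALLENGE, TLS, LEAP, TTLS, PEAP = 1, 3, 4, 13, 17, 21, 25
NAMES = {MD5_CHALLENGE: "EAP-MD5", TLS: "EAP-TLS", LEAP: "LEAP",
         TTLS: "EAP-TTLS", PEAP: "PEAP"}

def build(code, ident, eap_type=None, data=b""):
    """Encode one EAP packet: Code | Identifier | Length (2 bytes) | Type | Type-Data."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def parse(pkt):
    """Decode an EAP packet; returns (code, identifier, type or None, type-data)."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 4:
        raise ValueError("bad EAP length")
    return (code, ident, None, b"") if length == 4 else (code, ident, pkt[4], pkt[5:])

def supplicant_reply(request, supported):
    """Client side: accept an offered method it supports, otherwise answer with a
    legacy Nak (type 3) whose data lists the method types it does support."""
    code, ident, eap_type, _ = parse(request)
    if eap_type in supported:
        return build(RESPONSE, ident, eap_type)      # real method data would follow
    return build(RESPONSE, ident, NAK, bytes(supported))

def negotiate(ap_methods, client_methods, ident=1):
    """Authenticator side: offer methods in preference order and settle on the
    first one the supplicant accepts; return None when nothing is in common."""
    for method in ap_methods:
        reply = parse(supplicant_reply(build(REQUEST, ident, method), client_methods))
        ident += 1
        if reply[2] == method:
            return NAMES[method]
        if not set(reply[3]) & set(ap_methods):
            break    # the Nak lists nothing this authenticator can offer: stop early
    return None

# Constructed scenarios: a LEAP-only access point and a client without LEAP never
# agree; a PEAP/EAP-TLS access point settles on PEAP with a Windows XP style client.
if __name__ == "__main__":
    print(negotiate([LEAP], [TLS, PEAP]))             # None
    print(negotiate([PEAP, TLS, LEAP], [TLS, PEAP]))  # PEAP
```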

So WLAN security boils down to three choices:

  • Use one of the public domain EAPs, hoping you picked the eventual marketplace winner while taking on the pain of certificate administration.
  • Go with LEAP, which requires using Cisco access points and either dictating a limited variety of clients to users or buying all the clients for them. (All 802.1X authentication methods require the use of a server that supports Remote Authentication Dial-In User Service and this, too, would need to understand LEAP.)
  • Use a VPN, sidestepping 802.11 security altogether, at least until it matures.

Security choices

The University of Akron made the LEAP choice because it didn’t force the use of certificates, Gaylord says. The university has standardized on IBM ThinkPad clients using Cisco’s Aironet wireless LAN adapters, but Gaylord looks forward to more adapter choices as they emerge. He augments LEAP with VPNs, used to access printers and other more restricted LAN resources.

California Lutheran University in Thousand Oaks has sidestepped EAP for now. Unlike the University of Akron, it does not want to dictate laptop or LAN adapter card choice. “We looked at Cisco’s LEAP, but the problem is we’ve got students and faculty bringing in all sorts of different laptops,” says Zareh Marselian, director of technical services. “We want to remain open as a heterogeneous environment.”

Marselian uses ReefEdge’s Wi-Fi authentication server, which supports simple username/password authentication from the browser without requiring client code. He also segmented off the Wi-Fi network so users can’t move from it to the wired network, and restricted use to Internet and e-mail access – the two most critical services that users wanted from a mobile connection. California Lutheran is rolling out wireless connectivity to 12 campus buildings, about 40 classrooms. A rollout for a dormitory will follow.

And certainly, you could go with IPSec VPNs entirely – at least until the 802.11 standards have matured and de facto EAP winners emerge, as was the choice for Memorial Health System. Besides ReefEdge, Wi-Fi authentication vendors that support IPSec VPNs include Bluesocket, Fortress Technologies and Vernier Networks.

As Memorial’s Wolanyk says, using an IPSec VPN lets him give his users – the doctors – the mobile network services they desperately need, while he watches security developments. “We plan, probably in 18 months to two years, to have to revisit our choices to ensure we have the best solution in place, or to modify, or upgrade,” he says.

For those wanting the untethered LAN today, such a temporal attitude is wise.