Ten hours later, the pigeon alights on the outstretched arm of - an enemy soldier. Unbeknownst to Rummy, the outpost has already fallen to the invading forces. The enemy soldier composes a response - "Enemy has moved! Send forces to the south!" - and sends the pigeon back. Upon its return, the reply is taken to the Cardinal, a new plan hatched and the kingdom is defeated. An hour before surrender, the Cardinal realizes how the system was compromised and orders Rummy and the pigeon shot.
It's the 21st century and things are little improved on the wireless front. Communications between wireless access points (Rummy) and the corporate network (Cardinal) are unauthenticated (at least W and Rummy had a secret handshake), communications between access points and wireless clients (the outpost) are either in the clear, unauthenticated or easily compromised, and military agencies and some corporations are considering banning all wireless communications from their networks. The pigeons are about to be shot. What's a Cardinal to do?
In last month's overview of the vulnerabilities of wireless networks, we identified the chief culprits responsible for the current weaknesses as flaws in WEP, the wired equivalent privacy protocol, and poor administrative control over the setup of both legitimate and user-imported access points. We also described the use of VPNs as perhaps the only solution to the vexing problems of unauthorized users gaining access to confidential information resources.
Fortunately, the pigeon, er, wireless industry is hard at work on some promising mechanisms to shore up this sorry state of affairs, at least for those access points controlled by IT. Under the aegis of the new 802.1x draft standard governing authenticated and encrypted messages in wireless networks, a whole slew of solutions is making its way to market. With names that sound strangely like bird calls (the ornithological theme of this article) - EAP, PEAP, LEAP (I'm surprised they didn't add the modifier "Simple"; SLEAP would accurately describe the state one enters upon reading the protocol descriptions) - almost all of the new methods rely on greatly improved and encrypted mutual authentication as well as much less crackable, encrypted communications.
The foundation of the various protocols is EAP - the extended authentication protocol. However, instead of going into slumber-inducing detail on each of the EAP variants, let it suffice to say that EAP is a way for each of the players to authenticate each other and then encrypt communications between each other. Thus, the access point can be forced to authenticate itself with the corporate network, the wireless card in the PC with the access point, the access point with the client and, most important, the actual person/user with the corporate network and access point. Consider this in contrast to WEP, in which only the network card and access point authenticate each other and then encrypt communications using an easily cracked method (15 minutes is the most recent record).
EAP was originally designed for dial-in networks and service providers wishing to handle authentication on behalf of different organizations with different authentication mechanisms (SecureID, one-time passwords, etc). For example, if you were an employee of BigCorp and you used UUNET for dial-in access, UUNET's dial-in servers could act as a trusted middleman to BigCorp's authentication server. If BigCorp used SecurID cards, then the UUNET dial-in server would instruct you to enter the code from your card and then pass it on to BigCorp's authentication server. On the other hand, if you were an employee of LittleCorp and LittleCorp used the 'one-time password' method, then UUNET's dial-in server could ask you for your one-time password. This was the 'extended' meaning in EAP - the middleman could support multiple authentication methods.
Notice how the middleman concept maps nicely to the functions of a wireless system. The wireless client becomes the user's PC dialing in and the access point is the network access server. The only new requirements are the addition of an authentication server (like RADIUS) and more secure client software for the PC that 'speaks' EAP and can process requests and responses from the access point. And this is, in fact, precisely what is now being added in 802.1x wireless deployments. 802.1x access points from multiple vendors now support the middleman concept in which the access point can relay authentication and encryption keys between users, clients, access points and authentication servers. Because everyone authenticates everyone else, the false message coming back with the pigeon would have been unmasked immediately and the enemy plot foiled.
Just in case you're ever tested on the evolution of the different EAP variants, here's a quick description. Each of these provides much better security than WEP alone but EAP-TTLS, described below, appears to be the best solution so far:
- EAP-MD5: simple challenge/response method subject to dictionary attacks
- LEAP: Cisco Lightweight EAP, a proprietary solution for Aironet access points
- PEAP: Microsoft's proposed privacy extended authentication protocol
- EAP-TLS: transport layer security; based on SSL, uses a certificate based system; secure but requires difficult and complex certificate management for every single wireless client.
The most recent challenge for the wireless industry has been to make the real-world deployment of EAP-based wireless networks easier to manage and more secure. To this end, the most promising new variant of EAP is EAP-TTLS (EAP-tunneled TLS). Introduced by Funk Software and Certicom, EAP-TTLS retains the full security feature set of its predecessor EAPs but requires no management of client certificates. [See the September issue of SC Online for a review of Funk's Odyssey authentication server - it's well worth the read.]
There's one caveat to all of this and it goes back to the problem of the employee who brings in his own access point on the weekend and plugs it into the Ethernet jack in his office. That access point very likely will have few, if any, of the standard security precautions set up (much less EAP) and will become a wide open back door into the network. There are two solutions to this problem: the first is to scan continuously for new access points with software such as AirDefense. The second, and ultimately the most secure, is for switch ports to become part of the corporate authentication infrastructure and deny access to unauthenticated devices. Thus, any wireless client that manages to sneak into an unprotected access point simply won't get further than the switch port that connects the office Ethernet jack. Notice, by the way, that the switch port itself could be a relay in the EAP framework and fit in very nicely.
Until this complete level of integration arrives, though, vigilance and use of AirDefense will be your best bet for tracking down unprotected access points. Additionally, there are companies out there that have set a new standard for bullet-proof security via the development of integrated, best-of-breed security devices that provide 'decontamination' nodes where traffic can be VPN'd, content-checked, intrusion-proofed and scanned for viruses and malicious web code - all at wire speed.
In the meantime, your official corporate wireless network will be in vastly better shape with the use of EAP in its various flavors. There will also be a lot fewer dead pigeons.
Throop Wilder is co-founder and vice president of marketing for Crossbeam Systems, Inc. (www.crossbeamsystems.com).