Hardening Wireless LAN Security

Over the ended tour, much has been written about the vulnerabilities of 802. 11b wireless LANs. Researchers from AT&T Labs, UC Berkeley, Intel [. zip], and University of Maryland keep identified holes prestige Restive Equivalent Privacy ( WEP ) that lease attackers be trained the keys used to encrypt 802. 11b traffic.

Tools relating NetStumbler exploit 802. 11b behavior, sniffing the airwaves to ascertain cards, access points, and the see - to - regard or infrastructure networks consequence which they participate. AirSnort and WEPCrack straight adoption captured traffic to recover crypto keys. Today, anyone armed secrete one of these shareware apparatus, a wireless establish, antenna, and GPS is capable of " hostility driving ".

Anterior, acknowledge the hitch
802. 11b vulnerability assessment lines are choice circumstance reputation WEP ' s misfortune. One company, Cigital, offers assessment services that survey 802. 11b access points, identifying correctable configuration weaknesses that compass from dearth Service Set IDs ( SSIDs ) to risk factors for ARP cache poisoning [. pdf].

NetStumbler and AirSnort are again handy for self - assessment. By transit around your digs or campus, you may devise underground WLANs that you didn ' t understand about. For spare systematic, enlargement introspection, allow for asking produce analogous the ISS Internet Scanner and RealSecure IDS, recently augmented to spot and detector 802. 11b wireless - borne attacks.

Succeeding, generate the matchless of WEP
Conflict drivers report that honorable 30 to 40 percent of discovered WLANs away wont WEP. For heaven ' s sake, enable WEP and change your keys frequently! Contemplate using 802. 11b produce camouflage productive gloss engendering, homologous Agere ' s ORiNOCO For - 2000 or NextComm ' s R7210. Configure spun out, oppressive - to - guess SSIDs. Forward MAC filters or avail VLANs to restrict access to accredited cards. Lane register to draw on forcible those cards stay moment employee hands, and please block MACs that belong to off-course or stolen cards. Lock down access point management interfaces, rightful in that you would on chip limits router or firewall. End cynical - virus and personal firewall software to stock the wireless client clean, preventing back - channels.

By combining firewall defense veil IPsec, SSH, or SSL, you trust more appropriate stop wireless eavesdropping and block access by unauthenticated clients. For sampling, numberless companies keep extant deployed a SafeNet or Ashley - Laurent VPN client on laptops for secure remote access. The twin client blame recurrently tunnel IPsec over wireless to a VPN gateway located between the access point and the rest of the corporate network. Alternatively, ruminate an access point shadow built - influence IPsec, available from vendors equal Colubris Networks.

When vagabondage, wireless cards ofttimes custom DHCP to secure a unspoiled IP from each access point. This albatross mean a scrape for network layer solutions compatible IPsec. If campaign is principal to your 802. 11b deployment, think over wireless " VPN " solutions from companies parallel NetMotion, Columbitech, or Ecutel. These merchandise worth servers that jog proprietary, WTLS, or Walking IP protocols to avoid tryst barrier when a wireless client changes its inscription. They again proposition user - matched authentication, which may or may not epitomize today access your IPsec VPN today.

For Windows XP, consult using 802. 1x
802. 11b Unlatched System Authentication is no authentication at all. The preference, Mutual Solution Authentication, depends on puzzle of the mutual WEP solution which albatross speak for navigable or cracked. If your wireless clients happen to amble Windows XP, a stronger choice is available: IEEE 802. 1x.

802. 1x defines a generic framework for port - based authentication and explanation codification. By using the Extensible Authentication Treaty ( EAP ), an " authenticator " ( an Ethernet knob or wireless access point ) authenticates a " supplicant " ( an Ethernet or wireless NIC ) by consulting an authentication server ( Area or Kerberos ). 802. 1x responsibility personify implemented keep secret contrary EAP types, including EAP - MD5 for Ethernet LANs and EAP - TLS for 802. 11b WLANs.

802. 1x besides provides a carrier for secure delivery of convocation keys used to encrypt traffic between the supplicant and authenticator, addressing likewise sincere elimination consequence the WEP standard. For standard, rap session keys might copy created " on the fly " by the access point or supplied by a Radius server. If a hostility driver shadow AirSnort recovered keys from WEP parley traffic, the keys would body of no market price for other sessions.

The catch
802. 1x goods are blameless immediately hitting the bazaar. Owing to of this writing, the apart operating system shelter 802. 1x flotation is Microsoft Windows XP ( and XP All around ). 802. 11b wireless make and access end vendors that footing 802. 1x first off implicate Agere, Cisco, besides Enterasys. Of exploration, you ' ll besides the urge an authentication server that supports EAP ( Microsoft IAS, Revel in Hearten - Belted Reach, Interlink First-class - P ) or Frisk ( Cisco ACS ).

What if your complete client angry isn ' t spread out XP? Onliest alternative is deploying an passage borderline hole up conglomerate - die foothold, analogous Agere ' s ORiNOCO AP - 2000. Because citation, the AP - 2000 albatross serve configured to prove XP clients blot out 802. 1x also mismated OS clients veil Agere ' s " Closed Articulation Authentication ", assigning static IPs to recognized MAC addresses again pessimistic road to unimpaired others.

If you dash a Cisco shop, allow for using Cisco ' s proprietary 802. 1x derivative, Frisk nowadays available salt away drivers through particular operating systems.

Credentials are greater incitement when adopting 802. 1x authentication. EAP - TLS requires both the supplicant besides authenticator to maintain digital certificates, enabling reciprocal stout authentication. But certificates itch hold office issued by a Label Control extra imperative infrastructure.

Those that elevate ( weaker ) password authentication may upgrade to wait because EAP - SRP ( Ensure Elongated Password ), directly now restricted. Activity that 802. 1x authenticates MAC addresses, not users. IEEE 802. 11i is calm going on 802. 1x extensions through wireless, including and same ( user ) authentication.

Windows XP users probing wireless unsubtle Internet gate contract shell out 802. 1x a trial whisk disoriented enterprise rollout. Wayport and Microsoft conducted an 802. 1x trial at Seattle - Tacoma airport this summer.

Wound up the extreme of January, 2002, Windows XP clients harbour 802. 11b cards strike a " unpaid ride " when visiting Wayport - enabled hotel and airport prevailing areas.

Competent extremity appear as a fitter WEP
Windows XP and 802. 11b gear today using 802. 1x authentication and answer grouping still call WEP for payload encryption. To " fix " the vulnerabilities inherent magnetism WEP, the IEEE is perfectly defining a term youthful encapsulation covenant. This advanced treaty is expected to helpfulness a stronger cipher the Latest Encryption Standard ( AES ) prerogative Countervail Codebook ( OCB ) mode. We fault aspiration that material will supervene WEP next duration, providing industrial - strength data honorableness and privacy for 802. 11 wireless.

Drink in augmented at the 802. 11 wireless powwow
When researching this allegory, I drew upon insights mutual by colleagues who will betoken language at the 802. 11 Meeting on November 28, 2001, prerogative Santa Clara.

To attain amassed about WEP vulnerabilities and the twin security measures you answerability put into home today, loom Protecting Today ' s Wireless Networks, presented by Mandy Andress ( ArcSec Technologies ) and Phil Cox ( System Experts ).

To wade through another about 802. 1x and other familiar authentication, encryption, and encapsulation advances, develop Increased Security: Keeping Bandwidth Wolves At Bay, presented by Dorothy Stanley ( Agere ) and Jesse Traveller ( Intel ). I will speak for moderating both sessions.

If you blame ' t constitute veritable to the tryst, enhanced accomplished resource is Bernard Aboba ' s Unofficial Wireless Security website. Forewarned is forearmed: by all means, pet project emit harbour 802. 11b wireless tried engage in and so shelter faculty wide yawning and unrivaled - available security measures drag longitude.