The war over 802.11x security
By Rich Santalesa, Enterprise
July 10, 2001 3:00 PM PT
URL: http://www.zdnet.com/enterprise/stories/wireless/0,11928,2783681,00.html

Not long ago, when wireless networking was new and rare, security was an afterthought. The reason? The scarcity of 802.11b cards acted as a form of back-handed security. If no one had an 802.11b card, outsiders couldn't very well scan your setup, right?

Now, however, that's changed. Wireless gear is readily available--and cheap--so that almost anyone with a PC can afford a Wi-Fi network card, making security more vital. Why? Ever hear of "war driving"?

War driving is the updated version of "war dialing"--popularized in the 1980s by the movie War Games--in which a PC dials number after number attempting to locate other modems. In war driving, you take an 802.11b-equipped notebook, the right software and, well, drive around scanning for 802.11b access points (APs).

For example, with a utility like Marius Milner's nicely done Network Stumbler, pinpointing and cataloging any AP in the area is child's play. Network Stumbler scans for networks roughly every second and logs all the networks it runs into--including the real SSIDs, the AP's MAC address, the best signal-to-noise ratio encountered, and the time you crossed into the network's space. If you add a GPS receiver to the notebook, the program even logs the exact latitude and longitude of the AP.

Milner didn't create Network Stumbler for any nefarious purpose, but rather to learn more about wireless networking and to aid in public-access wireless networking projects. I use the program myself during wireless network installs to test coverage and APs.

Still, those with more devious intentions can use the same tactics to locate unsecured corporate APs behind the firewall. That means everything on the network is potentially accessible.

Remember the old saying, "Fool me once, shame on you. Fool me twice, shame on me"?
Well, any company that finds its carefully protected network has a wide-open back door when someone sets up a "test" 802.11b AP will likely take steps so it's not fooled again.

How so? For starters, by making sure that any use of corporate wireless networking includes Wired Equivalent Privacy (WEP) and authentication systems. In the face of a determined attack, WEP--which isn't perfect by a long shot--makes it more difficult for the attacker to succeed.

In the meantime, the IEEE 802.11 Task Group I of the 802.11 Working Group is working on a draft text to "enhance the current 802.11 MAC to provide improvements in security." Although everyone recognizes the need for additional wireless security, the Task Group's conclusions and recommendations have raised concerns.

For example, the IEEE 802.11 Task Group I's latest full meeting in May basically settled on making Kerberos authentication mandatory and left open the possibility of requiring new and additional authentication methods (such as RADIUS).

Additionally, a motion to remove WEP2, which improves on WEP but doesn't completely address the need for easy, strong encryption, failed. While WEP is acknowledged to have serious problems, WEP2's sliding window algorithm makes breaching more difficult for attackers. WEP2's improvements include 128-bit encryption keys and better encryption algorithms. But since it's based on the same RC4 encryption and key system as WEP, it's vulnerable to the same attacks.

But the Kerberos mandate was
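
Added example, not part of the original article or of Network Stumbler: a defender's audit of a site-survey log against an inventory of sanctioned access points, flagging the unapproved "test" AP and any approved AP running without WEP. The log layout, the wep column, the inventory, and the signal threshold are assumptions constructed for illustration.

```python
import csv
import io

# Constructed survey log (not Network Stumbler's real export format): the
# fields the article lists, plus an assumed "wep" column.
SURVEY_CSV = """ssid,bssid,best_snr_db,first_seen,wep
CORP-WLAN,00:11:22:AA:BB:01,34,2001-07-10T09:02:11,on
CORP-WLAN,00:11:22:AA:BB:02,12,2001-07-10T09:02:40,off
CORP-WLAN,00:11:22:CC:DD:11,38,2001-07-10T09:02:55,off
default,00:11:22:CC:DD:10,41,2001-07-10T09:03:05,off
CoffeeShop,00:11:22:EE:FF:20,6,2001-07-10T09:04:18,off
"""

# Hypothetical inventory of sanctioned access points, keyed by BSSID (AP MAC).
APPROVED = {
    "00:11:22:aa:bb:01": "CORP-WLAN",
    "00:11:22:aa:bb:02": "CORP-WLAN",
}
ONSITE_SNR_DB = 20  # assumed heuristic: a stronger signal is likely on premises


def audit(survey_text, approved, onsite_snr_db=ONSITE_SNR_DB):
    """Return (bssid, finding) pairs for access points that need follow-up."""
    findings = []
    for row in csv.DictReader(io.StringIO(survey_text)):
        bssid = row["bssid"].strip().lower()
        ssid = row["ssid"].strip()
        snr = int(row["best_snr_db"])
        wep_on = row["wep"].strip().lower() == "on"
        if bssid in approved:
            if approved[bssid] != ssid:
                findings.append((bssid, "approved AP broadcasting unexpected SSID"))
            if not wep_on:
                findings.append((bssid, "approved AP without WEP"))
        elif ssid in approved.values():
            findings.append((bssid, "unknown AP using a corporate SSID"))
        elif snr >= onsite_snr_db:
            findings.append((bssid, "unknown AP with strong signal, possibly on premises"))
        # Weak, unknown, non-corporate SSIDs are treated as neighbours and skipped.
    return findings


if __name__ == "__main__":
    for bssid, finding in audit(SURVEY_CSV, APPROVED):
        print(f"{bssid}  {finding}")
```

A MAC address can be changed by whoever configures the AP, so a match against the inventory is a starting point for a physical check rather than proof that the AP is the sanctioned one.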