EE Times-Asia

Addressing the WLAN security standard issues

Posted: 01 May 2002

Keywords: wlan, 802.11b, lan, network security, it management

Until recently, WLAN products were used primarily in certain vertical markets, such as retail, education and health care, where mobile users with a need for LAN access were satisfied with data-transfer rates of 2Mbps or less.

Even though most WLANs were extensions of wired LANs, the proprietary nature and slow speeds of WLANs forced organizations to manage WLANs as unique entities. To make WLANs more "mainstream," customers pressed vendors to develop a high-speed WLAN standard that would encourage interoperability, reduce prices and provide the bandwidth needed by today's business applications.

WLAN in Asia

Market research company IDC Asia Pacific estimated that the WLAN market in the region was worth about $45 million in 2000 and projects it to grow at a compound annual growth rate of 51 percent to approximately $350 million by 2005.

Cisco Systems was one of the early pioneers in these public WLAN deployments through the Cisco Mobile Office initiative. Through this initiative, Cisco is working with technology, application and service providers as well as systems integrators to offer mobile business professionals secure, high-speed network access to the Internet and their corporate resources anytime, anywhere, effectively extending the enterprise beyond the office and enhancing it with mobility.

WLAN hot spots, powered by Cisco Systems, are being set up all over Asia Pacific including countries such as Australia, China, Hong Kong, Korea, Singapore and Taiwan.

Various standards

Most of the WLAN products and solutions offered today comply with the IEEE 802.11b standard, which transmits data at speeds of 11Mbps in the 2.4GHz band. The IEEE 802.11a standard has a data rate of 54Mbps and operates in the 5GHz spectrum. Products compliant with this standard are just coming to market today.

Today, an emerging standard being defined by the IEEE deals with WLAN security. Proposed by a group of companies led by Cisco Systems and Microsoft, 802.11i is based on LEAP, Cisco's proprietary security mechanism on its WLAN products.

The IEEE 802.11b standard includes components for ensuring access control and privacy, but these components must be deployed on every device in a WLAN. The two mechanisms for providing access control and privacy on WLANs are service set identifiers (SSIDs) and wired equivalent privacy (WEP).

However, SSIDs and WEP have inherent flaws, which include:

Hardware theft: It is common to statically assign a WEP key to a client, either on the client's disk storage or in the memory of the client's WLAN adapter. When this is done, the possessor of a client has possession of the client's MAC address and WEP key and can use those components to gain access to the WLAN. If multiple users share a client, then those users effectively share the MAC address and WEP key.

When a client is lost or stolen, the intended user or users of the client no longer have access to the MAC address or WEP key and an unintended user does. It is next to impossible for an administrator to detect the security breach; a proper owner must inform the administrator. When informed, an administrator must change the security scheme to render the MAC address and WEP key useless for WLAN access and decryption of transmitted data.

Rogue access point: The 802.11b shared-key authentication scheme employs one-way, not mutual, authentication. An access point authenticates a user, but a user does not, and cannot, authenticate an access point. If a rogue access point is placed on a WLAN, it can be a launch pad for denial-of-service attacks through the "hijacking" of the clients of legitimate users.

Addressing security threats

To address such security concerns, a WLAN security scheme should base authentication on device-independent items such as usernames and passwords, which users possess and use regardless of the clients on which they operate, and should support mutual authentication between a client and an authentication (RADIUS) server.

What is needed is a WLAN security solution that uses a standards-based and open architecture to take full advantage of 802.11b security elements, provide the strongest level of security available and ensure effective security management from a central point of control. Central to the 802.11i proposal are the following elements:

Extensible Authentication Protocol (EAP), an extension to Remote Authentication Dial-In User Service (RADIUS) that can enable wireless client adapters to communicate with RADIUS servers

IEEE 802.1X, a proposed standard for controlled port access

When the security solution is in place, a wireless client that associates with an access point cannot gain access to the network until the user performs a network logon. When the user enters a username and password into a network logon dialog box or its equivalent, the client and a RADIUS server (or other authentication server) perform mutual authentication, with the client authenticated by the supplied username and password. The RADIUS server and client then derive a client-specific WEP key to be used by the client for the current logon session. All sensitive information, such as the password, is protected from passive monitoring and other methods of attack. Nothing is transmitted over the air in the clear.
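
A sketch of the logon flow described above, added here as an illustration and not taken from the article, LEAP or the 802.11i proposal: a password-keyed HMAC challenge-response stands in for the real EAP exchange, and `AuthServer`, `logon`, `pw_key`, `proof` and `session_wep_key` are hypothetical names. It shows the client refusing a server that cannot prove knowledge of the user's secret (the rogue access point case) and a fresh 104-bit key per logon session in place of a static WEP key.

```python
import hashlib
import hmac
import os

def pw_key(username: str, password: str) -> bytes:
    # Long-term secret tied to the user, not to a device or adapter.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), username.encode(), 100_000)

def proof(key: bytes, role: bytes, c_nonce: bytes, s_nonce: bytes) -> bytes:
    # Proves knowledge of the key for this pair of nonces; the password is never sent.
    return hmac.new(key, role + c_nonce + s_nonce, hashlib.sha256).digest()

def session_wep_key(key: bytes, c_nonce: bytes, s_nonce: bytes) -> bytes:
    # 13 bytes = 104-bit WEP key, different for every logon session.
    return hmac.new(key, b"session" + c_nonce + s_nonce, hashlib.sha256).digest()[:13]

class AuthServer:
    """Stand-in for the RADIUS server (hypothetical class, no RADIUS wire format)."""
    def __init__(self, users: dict):
        self.keys = {u: pw_key(u, p) for u, p in users.items()}

    def respond(self, username: str, c_nonce: bytes):
        s_nonce = os.urandom(16)
        # Unknown user: answer with a random key so the proof cannot verify.
        key = self.keys.get(username, os.urandom(32))
        return s_nonce, proof(key, b"server", c_nonce, s_nonce)

    def verify_client(self, username, c_nonce, s_nonce, client_proof):
        key = self.keys.get(username)
        if key is None:
            return None
        if not hmac.compare_digest(client_proof, proof(key, b"client", c_nonce, s_nonce)):
            return None
        return session_wep_key(key, c_nonce, s_nonce)

def logon(server: AuthServer, username: str, password: str):
    """Client side of one network logon; returns (status, session key or None)."""
    key = pw_key(username, password)
    c_nonce = os.urandom(16)
    s_nonce, server_proof = server.respond(username, c_nonce)
    # Mutual authentication: refuse a server that cannot prove it knows the secret.
    if not hmac.compare_digest(server_proof, proof(key, b"server", c_nonce, s_nonce)):
        return "server-rejected", None
    client_proof = proof(key, b"client", c_nonce, s_nonce)
    server_key = server.verify_client(username, c_nonce, s_nonce, client_proof)
    if server_key is None:
        return "client-rejected", None
    # Both sides derive the same key independently; it is never sent over the air.
    return "ok", session_wep_key(key, c_nonce, s_nonce)
```

Because the proofs are keyed only by the password, the sketch is only as strong as the password chosen; it does not model the EAP or RADIUS message formats.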

- Fredy Cheung

Asia-Pacific Core Technology Director

Cisco Systems Inc.
