In this installment of Chuck's Corner, I'm going to chat with you about VPNs and 802.1x, two mechanisms that provide security for Wireless LAN's. Each mechanism is intended to provide a different type of security. Standards for both do exist.
"Security" is a very broad term often loosely used in blanket statements. The term "security" can bear many definitions and mean many different things. When talking about networking and computers, security usually implies protection from eavesdropping and the protection of a network and it's resources from undesirable access. In other cases the term security may be used in reference to the prevention of unauthorized users gaining access to specific portions of a network and network resources. Lastly, the term security may also mean the security measures in place such as, user authentication, access authorization, and/or the privatizing information.
An ultimately secure network is one that has NO connection to the outside world-a group of computers that are essentially turned off. Obviously, this is an unwanted solution; therefore, the challenge becomes finding the ultimate, wanted solution for your customers. Finding the ultimate solution means strategically developing the answer to the following question, "How can we provide access to a customer's critical network resources while reasonably protecting the entire network and all its resources?"
Wireless Local Area Networks (WLANs) are developing into commodities. Implementation costs are rapidly coming down and WLAN technology is becoming increasingly viable. WLANs can be defined as valuable commodities because they provide real time, seamless access to computing resources efficiently, inexpensively, and easily. The only definitively infirm WLAN component to date, unfortunately, is security, which has simply not kept up with the rising growth curve.
Let's revisit some key infirm WLAN components as they relate to WLAN security.
Are they who they say they are?
802.11b networks don't authenticate users; they authenticate hardware such as the wireless adapter itself. Hardware authentication is done through a mechanism called an Access Control List. Each Access Point (AP) has a table containing MAC addresses of wireless adapters authorized to use the AP. When a RF card attempts to associate, the AP checks the card to see if it is on the list. If the RF card is recognized as authorized on the list, access is granted. If APs are identifying and authorizing cards (hardware), not users, how do we know the card being authorized by the AP is in the hands of an authorized user? We do not know. For example, an authorized card may be stolen, however, such is not known until the card is reported stolen. MAC addresses can also be "spoofed" by knowledgeable hackers. If a hacker uncovers or knows the MAC address, he/she can make a card look just like another by altering the MAC address reported to the AP by the card in question. Avoiding this requires some intense programming. Regardless, both examples are known weaknesses of the access control list.
802.11b networks do not control access to different resources. They cannot provide any kind of policy-based access.
Wired Encryption Privacy (WEP) has not been able to meet the needs of many corporations. WEP relies on a shared key. The problem with this is flawed in such a manner that the key can be cracked with a sufficient data sample.
Let's review. We've inspected the facts and it appears that 802.11b networks don't seem to provide the required protection schemes needed to secure a network and it's resources. However, there are some mechanisms nearing that can fix many of the weaknesses mentioned. How your customers will make use of the secure measures that are nearing is simply dependent upon the level of security they need and/or demand.
What's New? 802.1x!
Let's talk about 802.1x. 802.1x is a new standard promoted by the IEEE (Institute of Electrical and Electronics Engineers, Inc., www.ieee.org) to provide port-based authentication for any IEEE network. Notice it's called 802.1x and not 802.11x. It's designed for any IEEE based network be it wired or wireless in nature.
802.1x authenticates users, not hardware. With 802.1x a user must provide a user id and password. This user id and password is then matched against a server such as a RADIUS server. 802.1x is already available in WinodwsXP and has been implemented in several wireless Access Points. The IEEE 802.11 Committee through Task Group I (802.11i) have been working on using 802.1x as part of the upcoming security enhancements to the 802.11 standard.
802.1x,however, is an "all-or-none" type of access control. An authenticated user has access to the entire network, not just authorized portions. Although 802.1x itself lacks encryption, it does support key exchange. Upon authentication, 802.1x provides for keys to be automatically exchanged between the client and AP. The actual encryption mechanism itself is external. 802.1x is only found in WindowsXP and CE.NET. 802.1x remains to be implemented in other platforms. 802.1x does not need a lot of CPU power on the client. This standard can be easily implemented on most platforms including DOS. It is not processor intensive.
For networks in which everyone gains accesses to the same resources and in which the level of encryption provided is acceptable, 802.1x is a great fit. Being part of the upcoming 802.11i standard helps as well. As the standard evolves, vendors may be providing firmware updates for existing products that comply with the standard.
Virtual Private Networks
Let's talk about another security mechanism, VPN or Virtual Private Network. VPN's have actually been around for a few years. Microsoft has provided VPN support dating back to Windows95. Virtual Private Networking got its start as a way to interconnect business sites via the Internet while maintaining a secure connection. VPNs came to be for purely economic reasons. Traditionally, the only way to interconnect geographically disbursed locations was to use a private network. Remember, private networks and VPNs are not the same. Private Networks, while secure due to their privacy nature, were very expensive. Leased lines interconnected only the sites themselves.
A less expensive alternative has been to use Frame Relay Networks. Frame Relay Networks, although less expensive, remain more expensive than DSL and ISDN access. In general, the problem in connecting via the Internet is the total lack of security. VPN was created to provide this security.
A VPN creates a "tunnel" between each remote site and the host site allowing for communication. A VPN server is needed at the host site to terminate the "tunnel" as well as to provide the authentication and encryption. All traffic passing through the "tunnel" is encrypted. The end result is the sites appear to be connected as if they are on the same Local Area Network (LAN)
The more significant difference being, the traffic is protected by robust encryption techniques. Many times the encryption technique is IPSec, which is considered secure by government standards. Other types of VPNs support simpler mechanisms such as PPP or L2TP. These are just as flexible, but not quite as robust. Windows98 and PocketPC2002 use PPP. Implementing a VPN on a DOS client is not as straight forward. Many DOS clients don't have the CPU power to implement IPSec. Many DOS clients also don't have enough memory or storage to accommodate the files needed.
VPN users are required to have a login id and password. This, many times, may be the same as a given user's Windows Login and Password. The VPN server authenticates this and then creates the "tunnel". For wired networks, the VPN server can also control access to different resources based upon the login.
VPNs can also be used to secure wireless networks. Most Wireless LAN Access Points can pass VPN traffic. However, any unencrypted traffic not going to the VPN server is unprotected. Usually the wireless network would be isolated from the rest of the network and any access to the network would be through the VPN server. Ideally, an organization should look to install Access Points that contain their own VPN servers. An access point that contains its own VPN server does not need to be isolated. This type of AP can be attached directly to the WLAN. It is important to note that only those clients running VPN software and bearing the correct login will be allowed access. On a final note, because all traffic is encrypted using robust mechanisms, the WLAN connections cannot be sniffed.
Choices such as this, critical in nature, are not simple choices made without strategic planning. The choices you and your customers make with respect to 802.1x or VPN will come down to the level of security needed. Does your mission critical information call for the full authentication and encryption provided by a VPN, possibly proprietary in nature? Or, does your mission critical information call for more standards based 802.1x, which is not quite as secure but more easily implemented and managed? If security is of utmost importance and all platforms are Windows based, a VPN is advisably the solution of choice. Regardless, experience teaches all of us that careful planning is the key.