Crack the WIP

THE ADOPTION OF WIRELESS

LAN technology by small and medium businesses and enterprise organizations has exploded during recent years. With it has come an equally mounting concern over securing these networks. The 802.11i standards set by the IEEE provide wireless security capable of satisfying the most stringent demands. However, 802.11 is still a complex and immature standard with new vulnerabilities undoubtedly remaining to be uncovered. This article will review available security practices that service providers can employ for their customers in the interim.

First-generation WLAN technology focused primarily on providing basic connectivity and QoS, protecting data payloads and fixing client roaming issues. Managing and enforcing wireless security policies was often an afterthought. Many organizations deployed dedicated overlay wireless intrusion protection systems (WIPS) to address some of the security shortcomings of first-generation WLANs.

WIPS provide significant features such as:

Historically, WIPS have derived much of their intrusion-detection abilities for WLANs by collecting and analyzing unencrypted management frames. The enforcement of WLAN policies by WIPS depends upon the ability of the WIPS to forge or spoof management frames, so that such frames appear to come from the WLAN infrastructure and will be heeded by associated client devices.

Having witnessed WLAN data security evolve from static wired equivalent protocol (WEP) to 802.1x, the first standard set by IEEE, to Wi-Fi protected access (WPA) and finally to IEEE 802.11i/WPA2, the industry consensus is that standards organizations and vendors seem to have adequately addressed for the time being most of the issues around securing user authentication credentials and unicast data encryption. Standardization and development efforts have turned toward improving the performance, protocol attack mitigation, management and control of these wireless networks. The 802.11k, 802.11r and 802.11v IEEE task groups (factions of the larger 802.11 standards body) are addressing further improvements, such as radio resource management, fast secure handoff, network resource discovery and centralized client control. Implementing these features requires that sensitive information about the state of the network itself is shared between the WLAN infrastructure and the entire population of client devices.

The mechanism for sharing these information elements will be new and enhanced 802.11 management frames, delivered via Layer 2 network broadcast and multicast messages, which to date have not been afforded the protection of 802.11i. So, the IEEE has established the 802.11w task group to address extending the protections of 802.11i to broadcast and multicast traffic. This feature is frequently described as management frame protection (MFP).

MFP essentially verifies frames as being unaltered and from a trusted source, and will also automatically encrypt data that is deemed sensitive. Some types of frames, therefore, will be encrypted completely using advanced encryption standard (AES) while others merely will have a message integrity check (MIC) field appended, which will provide assurance that such frames come from an authenticated source and have not been tampered with. With MFP enabled in the infrastructure and on client devices, sensitive network details are kept hidden from attackers, and the source and integrity of management frames can be assured.

The implementation and adoption of MFP has significant implications for manufacturers and integrators of dedicated overlay WIPS. WIPS generally are marketed and deployed as either dedicated overlays on top of existing wireless networks, or as a means to enforce a corporate no wireless policy. Current WIP implementations are not part of the MFP key exchange between client devices and access points. Thus, the protection provided by the MFP will interfere with the dedicated WIPS abilities to effectively monitor (now-protected) management traffic, and could end their ability to issue spoofed management frames to MFPenabled clients.

Now that most manufacturers offer second-generation WLAN infrastructure, often consisting of a centralized switch or controller, they increasingly have been able to claim that WIPS functionality can be provided as effectively, if not better and cheaper, natively on the WLAN infrastructure itself. The major advantage for WLAN makers has been that the customer already has access points deployed that can do double-duty as a radio monitor. This approach saves time and money. With the advent of MFP, WLAN manufacturers could potentially argue that the infrastructure is not only the best place, but the only place that WIPS can be implemented and managed effectively.

Additionally, advanced WLAN equipment can integrate with existing, mature, wired-side Intrusion Protection System (IPS) solutions. This is significant, as a WIPS typically only monitors the network for attacks that are specific to the 802.11 protocol, i.e. something out-of-bounds over the airwaves. If a credentialed user with an authorized wireless device starts launching Layer 3 or higher attacks, the WIPS generally senses nothing amiss, since there was nothing to associate with 802.11 at lower network layers. The ability of the WLAN infrastructure to pull security information and status from existing wired IPS and then apply policy to the wireless side of the network provides a truly integrated security posture. For example, if a customers wireless device is stolen while still in a fully authenticated 802.11 state, only a traditional Layer 3-7 IPS can detect and remediate subsequent attacks against an application server. Advanced WLAN equipment now is capable of checking shun lists generated by a wired IPS against lists of wireless clients and neutralizing an application-layer attack at the wireless level.

As the 802.11w standard for MFP is years away from ratification, certainly nothing is final at this point. Many dedicated WIPS overlay solutions already integrate with leading infrastructure manufacturers to some extent, and some vendors also license their technology to WLAN makers outright. At the very least, dedicated WIPS will continue to provide protection for non-MFP-capable systems for some time to come.

New developments in 802.11-based networking no doubt will continue at a rapid pace. Thus, there are basic approaches that solutions providers can take to ensure that they are providing secure wireless networks to their customers:

Customers considering the deployment of WLANs often dont know what they dont know. Its your job to share your experience and knowledge with the client. Doing so demonstrates the clear added value that you bring to the table.

Edward Carmody is a solutions architect for Dimension Data North Americas Advanced Wireless Solutions practice.

Whipping Security Provisions Into Shape

Reports from In-Stat show that while current WLAN security isnt at its strongest, many companies plan to bolster security efforts over the next several years. Within wireless security, In-Stat has identified two addressable markets: security for portable devices and security to protect network operations and assets in the business premises. Together, these markets are projected to reach $4.4 billion by 2010.

In-Stat says much of the security revenue for business clients will be generated by solutions that protect data when it is transmitted or stored on portable devices, including enterprise platforms that centrally manage and provision encryption applications.

Recent research by In-Stat found the following:

Source: In-Stat, September 2006