Securing the wireless LAN
Wi-Fi and wireless LANs are the rage today, with most new notebooks and PDAs having
built-in features to access WLANs. However, despite the eagerness of users,
security remains a huge concern when it comes to WLANs. Dhananjay Ganjoo
describes the security issues that WLANs face and the solutions.
True mobility does not come easy. Not if it has to be combined with high security
and seamless roaming. Making sure that you provide uninterrupted service as
you securely roam across 802.11a and b, multiple access points, and subnet boundaries
is a daunting task by itself, but add a huge dose of high security to it and
you realise the complexities go deeper.
First generation wireless LAN (WLAN) systems were all about basic standards,
connectivity and end-user benefits. But the entry of second generation WLAN
systems has brought about a strategic change, and the onus is on enhanced standards,
addressing security, quality of service (QoS) and interoperability in enterprise-wide
roaming. And, of course, the underpinning is all about optimal pricing, performance
and control.
And today, security sits at the very top of these requirements.
True mobility comes at a price
Modern business requires mobility and always-on connectivity. Hence, WLANs,
now a standard feature in many PDAs and notebooks, are being deployed widely,
particularly in hospitals and universities, in homes, and in thousands of hotspots
in coffee shops, hotels, and airports. Even India is not immune to the WLAN
revolution and more and more hotspots are coming up everyday.
But the freedom mobility brings comes with a price: wireless networks do not
respect the boundaries of solid walls or locked doors; movement sensors and
security cameras cannot detect unwanted guests on your network. Unchecked, this
kind of unrestricted access leaves corporations wide open to attack and theft
of corporate data.
Today, organisations are looking at a security strategy that encompasses wireless
even if they don't have a plan to deploy wireless, because free agents
or rogue access points could exist in the enterprise and effectively
put the network at risk.
A free agent is a wireless device that has been connected to the
network without the permission or knowledge of the IT department. A well-meaning
employee, whom we'll call Bob, has some knowledge of IT and goes
down to his local computer store and buys a cheap wireless solution. Bob plugs
the wireless device in under his desk. While Bob did not do this for nefarious
purposes, he has exposed the corporation to a security risk. The radio signal
from Bob's access point does not stop at the walls of his office. It extends
out into the street, where someone could easily sniff out the traffic and potentially
break into the network.
A rogue access point is one that has been installed specifically
for nefarious purposes inside or outside the office. The rogue access
point pretends to be part of the corporate network with the intention of intercepting
traffic such as authentication information from wireless users. Armed with this
information, someone could potentially break into the network.
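The two categories above lend themselves to a simple periodic audit: compare what a wireless site survey actually sees against the access points IT knows about, and cross-check unknown APs against the wired edge. The following is an added example, not part of the original article or of any Nortel product; the inventory, survey output, switch MAC table and the BSSID-to-wired-MAC heuristic are all constructed or assumed here. An unknown radio advertising the corporate SSID is flagged as a rogue (impersonation), and an unknown radio whose wired-side MAC shows up on a corporate switch port is flagged as a free agent (Bob's AP under the desk).

```python
"""Classify access points seen in a site survey against the authorised
inventory, surfacing 'free agent' and 'rogue' APs as the article defines them.
Added example; every data set below is constructed for illustration."""

from dataclasses import dataclass

# Constructed inventory of IT-managed access points: BSSID -> SSID it should serve.
AUTHORISED_APS = {
    "00:11:22:33:44:01": "CORP-WLAN",
    "00:11:22:33:44:02": "CORP-WLAN",
    "00:11:22:33:44:03": "CORP-WLAN",
}
CORPORATE_SSIDS = {"CORP-WLAN"}

# Constructed site-survey output, one AP per line: bssid ssid channel signal_dbm
SURVEY = """\
00:11:22:33:44:01 CORP-WLAN 1 -45
00:11:22:33:44:02 CORP-WLAN 6 -52
00:11:22:33:44:99 CORP-WLAN 6 -40
de:ad:be:ef:00:11 linksys 6 -38
00:11:22:33:44:03 CORP-WLAN 11 -60
aa:bb:cc:dd:ee:ff CoffeeShop 1 -80
"""

# Constructed MAC-address table exported from the wired edge switches:
# port mac vlan. Bob's consumer AP sits on Gi0/17 with wired MAC
# de:ad:be:ef:00:10; its radio BSSID differs by one in the last octet.
SWITCH_MAC_TABLE = """\
Gi0/1 00:11:22:33:44:01 20
Gi0/2 00:11:22:33:44:02 20
Gi0/3 00:11:22:33:44:03 20
Gi0/17 de:ad:be:ef:00:10 10
Gi0/18 00:50:56:ab:cd:ef 10
"""


@dataclass
class Finding:
    bssid: str
    ssid: str
    channel: int
    signal_dbm: int
    verdict: str  # authorised | rogue | free-agent | foreign
    reason: str


def mac_to_int(mac):
    """Turn aa:bb:cc:dd:ee:ff (or dash form) into an integer for arithmetic."""
    return int(mac.replace(":", "").replace("-", ""), 16)


def parse_survey(text):
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        bssid, ssid, channel, signal = line.split()
        rows.append((bssid.lower(), ssid, int(channel), int(signal)))
    return rows


def parse_mac_table(text):
    """Return the set of wired MACs (as integers) learned on corporate switch ports."""
    macs = set()
    for line in text.splitlines():
        if line.strip():
            _port, mac, _vlan = line.split()
            macs.add(mac_to_int(mac))
    return macs


def wired_neighbour(bssid, wired_macs, radius=1):
    """Assumed heuristic: many consumer APs derive the radio BSSID from the
    wired MAC by a small offset. Return the matching wired MAC (int) or None."""
    base = mac_to_int(bssid)
    for delta in range(-radius, radius + 1):
        if base + delta in wired_macs:
            return base + delta
    return None


def classify(bssid, ssid, channel, signal, wired_macs):
    if bssid in AUTHORISED_APS:
        if AUTHORISED_APS[bssid] == ssid:
            return Finding(bssid, ssid, channel, signal, "authorised", "in inventory")
        return Finding(bssid, ssid, channel, signal, "rogue",
                       f"inventory BSSID advertising unexpected SSID {ssid!r}")
    if ssid in CORPORATE_SSIDS:
        # Unknown hardware offering our SSID: the impersonation case.
        return Finding(bssid, ssid, channel, signal, "rogue",
                       "unknown hardware impersonating corporate SSID")
    if wired_neighbour(bssid, wired_macs) is not None:
        # Unknown AP, but its wired side is plugged into our switches: free agent.
        return Finding(bssid, ssid, channel, signal, "free-agent",
                       "unknown AP whose wired MAC is on a corporate switch port")
    return Finding(bssid, ssid, channel, signal, "foreign",
                   "not ours and not on our wired network")


def audit(survey_text=SURVEY, mac_table_text=SWITCH_MAC_TABLE):
    wired = parse_mac_table(mac_table_text)
    return [classify(*row, wired) for row in parse_survey(survey_text)]


if __name__ == "__main__":
    for f in audit():
        if f.verdict != "authorised":
            print(f"{f.verdict:10} {f.bssid} ssid={f.ssid!r} ch={f.channel} "
                  f"{f.signal_dbm} dBm: {f.reason}")
```

The wired cross-check is what separates a neighbour's coffee-shop AP (foreign, no action needed) from Bob's AP (free agent, disconnect the port), and the SSID check catches the rogue that no inventory match would otherwise expose. Real survey and switch exports differ in format, so the two parsers would be adapted to the actual tooling in use.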
Gartner Group estimates that there are over 10 million WLAN users globally,
with that number doubling in 2004, and a Gartner study suggested that enterprises
could expect a 22 percent productivity improvement. But going by the actual
deployment and faith reposed in WLAN, one realises the main hindering factor
is security.
Behind the scenes
Enterprises are increasingly realising that by adding a wireless node to the
corporate network they must also include appropriate security precautions and
good security practices.
A typical ratio of WLAN clients to access points is 10:1, although this varies
between technologies and vendors. Overlapping access point cells of coverage
are created when multiple access points exist around the floor or building,
creating a single coverage area for mobile users.
In the first generation of WLANs, the world of wireless data networking was
dominated by proprietary niche products that targeted specific vertical markets.
The development and wide vendor acceptance of WLAN IEEE 802.11 standards has
changed this, and resulted in increased availability of PC and PDA interface
cards and plummeting prices.
Standards such as 802.11a and b delivered speed and connectivity, and end-users
loved it. However, the standards did not solve everything, and in fact,
the first standards were found to have many shortcomings. Worse, the deployment
of access points and security mechanisms was done in an ad hoc fashion, leaving
IT departments with issues on a number of fronts.
First generation challenges
The security exposures of using WLANs have been well documented, including identifying
non-secure access points (APs) by war-driving and war-chalking,
the inadvertent insertion of free agent access points and the malicious insertion
of rogue access points.
Wired Equivalent Privacy (WEP), the primary security mechanism that shipped
with most WLAN products, has also proven to be non-secure and opens up the network
to unauthorised access, session hijacking, eavesdropping, and other threats.
Limited secure mobility (WLAN users cannot generally move between subnets without
re-authenticating themselves with the network) and lack of access and bandwidth
controls, and no QoS for multimedia applications and IP telephony are the other
hurdles.
WLANs are becoming increasingly difficult to manage, a problem exacerbated
by the lack of adequate security, access, and bandwidth controls. For example,
if there is no ability to control users from hogging wireless bandwidth, overall
WLAN performance is impacted and audit trails are non-existent. Sometimes, even
knowing where the access points are physically located is a challenge.
One approach is to deploy additional APs at the perimeter: an outsider is blocked
from seeing the internal WLAN because the outside APs operate at the same carrier
frequency as the internal ones and offer a higher signal strength to the outsider,
in effect jamming the internal signal for the outsider. The disadvantage of this
approach is that it is not only expensive, but also cannot be 100 percent effective.
Second generation WLAN
Second generation WLAN is an attempt at creating a secure architecture to put
IT back in control. The foundations of second generation WLAN solutions that
meet the needs of enterprises consist of standards. The IEEE 802.11 committee
has responded to the needs of second generation WLAN users by undertaking the
development of a number of new standards, which complement IEEE 802.11a and
802.11b. Most notable among these is 802.11i, which establishes robust WLAN infrastructure
for security.
Other standards being finalised address WLAN QoS to allow IP telephony and multimedia
application support, and multi-vendor interoperability of roaming handovers
across access points.
Second generation challenges
All these standards present a challenge of determining which standard to use
when and where. Ideally, the 802.11 device would be able to sense what the AP
is running (802.11a, b, g, d, and/or h) and be able to dynamically switch to
connect to it. The AP may run both 802.11a and b simultaneously, or be configurable
to 2.4 or 5 GHz depending on the desired coverage area or local interference.
5 GHz has more attenuation when going through walls and windows. In the end,
devices should be able to roam seamlessly from one standard to another (e.g.,
from 802.11a to 802.11b).
Layered architecture is the solution
Enterprises need one standards-based secure WLAN architecture that supports
WLANs as an inherent manageable and secure part of their infrastructure. The
requirements of such an architecture must address the issues associated with
first generation WLAN systems, recognising that a layered approach to WLAN functionality,
including security, is required to meet the varying needs of enterprises.
A WLAN architecture based on a layered approach, both physically and functionally,
will allow the optimal distribution of functionality and security for performance
and low total cost of ownership.
Access points compose the first layer of second generation WLAN architecture,
providing wireless connectivity to roaming mobile users equipped with notebooks,
PDAs, and telephones. These access points are designed to evolve to support
new wireless standards and technologies that allow more effective use of the
radio spectrum and provide security over the radio link. Adding functionality
to access points above the first or second layer (even if feasible) has a significant
impact on TCO, because of the highly distributed nature of AP deployment. In
addition, certain functions, such as enterprise-wide roaming (and ultimately
seamless roaming across enterprise and public domains), can be better handled
in more centralised devices that support multiple APs.
The second layer of this architecture is wired Ethernet networking, which has
support for Power over Ethernet, VLAN segmentation and QoS capabilities. APs
are connected to Ethernet switches, which provide Power over Ethernet (using
the draft standard IEEE 802.3af). These Ethernet switches are either dedicated
to WLAN aggregation or are shared with the wired LAN network with segregation
provided via virtual LANs.
The advantage lies in the fact that the enterprise has the choice of where and
how it wants to integrate WLANs into the basic wired Ethernet technology. It
also allows a common Power over Ethernet technology to be used consistently
over wired and wireless environments.
The third layer provides networking and application-aware security at Layer
3 to 7 of the OSI model. The WLAN security switch interfaces to the enterprise
and to policy management, including directories and policy servers, which constitute
the fourth layer of the architecture.
This four-layered WLAN architecture provides a high degree of flexibility while
meeting the needs of the enterprise for secure WLAN access. It is complemented
by access control, which authenticates all users and authorises which network
resources are accessible for both the wireless and wired portions of the network.
The author is national sales manager, Nortel Networks India. He can be contacted
at dganjoo@nortelnetworks.com
Yesterday's environment
First generation WLAN systems
were all about basic connectivity standards and end-user benefits, much
the way Ethernet in its early days evolved around ad hoc networking, sharing
network resources, and unstructured wiring. This is also how the Internet
started. This represents yesterday's environment and today's
opportunity.
Second generation WLAN systems
are all about enhanced standards, addressing security, QoS and interoperability,
and architected solutions focusing on optimal price, performance, and
control. IP mobility will open the door for roaming across the enterprise,
not just across a few wireless cells. This phase is quite analogous to
the widespread adoption of in-building Layer 2 to 7 architectures based
on switched Ethernet and hierarchical campus networks built around routing
switches.
Tomorrow's dream
Third generation WLAN systems
are all about bringing down the boundaries between enterprise WLAN systems
and public wireless systems for seamless roaming, extending the application
of IP mobility standards, and comprehensive security and signalling mechanisms.
Next-generation (so-called 2.5 and 3G) public wireless systems and a plethora
of new mobility devices will have a dramatic impact on the way business
works, delivering up to 1.5 Mbps throughput for data.