Tech Primer
WLAN Security
How vulnerable is WiFi authentication?
Like any network, wireless LAN must be secured to ensure data integrity and
protection of privacy. The first step is for enterprise decision-makers to understand
the nature and extent of wireless LAN security risks, as well as the solutions
that currently exist to address areas of vulnerability. Srikant Patil, director,
solutions group, South Asia, Intel India, describes WiFi vulnerability thus:
'Employees can install 'rogue' wireless LAN access points
that can expose corporate networks to security breaches, which means that useful
corporate data can be stolen, or chances are that intruders could inject viruses
into the corporate network.'
Can a WiFi network be secured by SSID and WEP?
SSIDs (Service Set Identifiers) are widely used by Indian enterprises and they
constitute the first basic level of defence. They segment a WLAN into multiple
networks, each with its own identifier. To access one of these networks within
a WLAN, the client and access point devices need to be configured with the appropriate
SSID. An SSID is not a secret, however: an attacker can learn it with SSID discovery tools, so it provides identification, not authentication.
Wired Equivalent Privacy (WEP) was originally designed to provide encryption
and authentication as part of the 802.11 standard. It uses a 64-bit shared-key
encryption algorithm, which utilises a key, or sequence of numbers entered by
the user, to protect information travelling on the radio link. Says Devendra
Kamtekar, principal consultant, Cisco Systems India and SAARC, 'WEP authenticates
the client, and not the user sitting with the wireless client, using a clear text
format which can be intercepted at the access point. If an enterprise has hundreds
of users, it will need that many keys, which raises the issue of key management.
WEP's other problem is bad packet integrity checking that could let an
interloper insert or modify data in transit without being caught.' Jethin
Chandram, head, IMG project management at Wipro adds that if a static WEP key
implementation is compromised, hackers could sniff user-IDs and passwords, and
log in to corporate networks causing any level of damage to infrastructure and
data.
Is there an interim solution?
A Virtual Private Network (VPN) over WEP-based WLANs is a proven enterprise
solution for remote access that offers protection against attacks. Some enterprises
are using 802.1x, a port-based access control standard that authenticates each
device attached to a port of the WLAN infrastructure and denies access to the
port when authentication fails. It employs dynamic keys, rather than the static
key used in WEP authentication. The authentication back end commonly used with
802.1x is Remote Authentication Dial-In User Service, or RADIUS. The wireless
client contacts the access point, which in turn communicates with the RADIUS
server on the enterprise LAN; the server verifies the client's credentials to
determine whether the device is authorised to connect to the LAN. If the RADIUS
server accepts the client device, it sends data, including security keys, to
the access point to enable a secure connection with the client.
Some enterprises are using a combination of security standards such as LEAP
(Lightweight Extensible Authentication Protocol) from Cisco, which is configured
on the notebook and on the wireless AP. LEAP is a password-based algorithm that
converts the password into a secret key value so that wireless eavesdroppers
cannot sniff the authentication or see the user's password transmitted across
the wireless link.
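The 802.1x/RADIUS flow described above, as an added illustration that is not part of the original article: a simplified model in which the access point keeps its port closed to data frames until the RADIUS server returns Access-Accept, and each accepted session receives its own dynamic key rather than the single static key that WEP shares among all users. The user names, passwords and message names are constructed for the example; real deployments carry EAP inside RADIUS and are considerably more involved.

```python
import hashlib
import hmac
import os

# Constructed credential store (hypothetical users): the RADIUS server keeps
# salted password hashes, never clear-text passwords.
_SALT = b"constructed-salt"
USERS = {"alice": hashlib.sha256(_SALT + b"correct horse").hexdigest()}


class RadiusServer:
    """Verifies credentials relayed by the AP and issues a per-session key."""

    def access_request(self, user, password):
        digest = hashlib.sha256(_SALT + password.encode()).hexdigest()
        if not hmac.compare_digest(USERS.get(user, ""), digest):
            return ("Access-Reject", None)
        return ("Access-Accept", os.urandom(16))  # fresh dynamic key per session


class AccessPoint:
    """802.1x port: data frames are dropped until the RADIUS server accepts."""

    def __init__(self, radius):
        self.radius = radius
        self.authorized = {}  # client id -> session key delivered by RADIUS

    def authenticate(self, client, user, password):
        code, key = self.radius.access_request(user, password)
        if code == "Access-Accept":
            self.authorized[client] = key  # port opens only on acceptance
        return code

    def forward(self, client, frame):
        # Only authentication traffic passes before authorization; data does not.
        return frame if client in self.authorized else "dropped"


def run_demo():
    """Walk two clients through the exchange and report what the port allowed."""
    ap = AccessPoint(RadiusServer())
    result = {"before": ap.forward("laptop-1", b"payload")}
    result["reject"] = ap.authenticate("laptop-1", "alice", "wrong password")
    result["after_reject"] = ap.forward("laptop-1", b"payload")
    result["accept"] = ap.authenticate("laptop-1", "alice", "correct horse")
    result["after_accept"] = ap.forward("laptop-1", b"payload")
    ap.authenticate("laptop-2", "alice", "correct horse")
    # Unlike a static WEP key, each session gets a distinct key.
    result["distinct_keys"] = ap.authorized["laptop-1"] != ap.authorized["laptop-2"]
    return result
```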
What about WPA?
A stronger security solution, WiFi Protected Access (WPA), was designed as
a subset of the 802.11i draft standard and is certified by the WiFi
Alliance. WPA is a security standard that solves the encryption issues of WEP
by utilising TKIP (Temporal Key Integrity Protocol), which implements rapid re-keying
by generating a new encryption key every 10,000 packets. WPA also includes the
authentication benefits of 802.1x. Implementation of WPA will make it possible
for enterprises to protect their campus WLAN with scalability, without deploying
VPN/firewall technology.
For more information see http://www.wi-fi.org/OpenSection/secure.asp