Shared Secrets & Certificates
Shared secrets are strings of numbers or text that are commonly referred to as the WEP key. Certificates are another method of user identification used with wireless networks. Just as with WEP keys, certificates (which are authentication documents) are placed on the client machine ahead of time. This placement is done so that when the user wishes to authenticate to the wireless network, the authentication mechanism is already in place on the client station. Both of these methods have historically been implemented in a manual fashion, but there are applications available today that allow automation of this process.
Emerging Authentication Protocols
There are many new authentication security solutions and protocols on the market today, including VPN and 802.1x using Extensible Authentication Protocol (EAP). Many of these security solutions involve passing authentication through to authentication servers upstream from the access point while keeping the client waiting during the authentication phase. Windows XP has native support for 802.11, 802.1x, and EAP. Cisco and other wireless LAN manufacturers also support these standards. For this reason, it is easy to see that the 802.1x and EAP authentication solution could be a common solution in the wireless LAN security market.
802.1x and EAP
The 802.1x (port-based network access control) standard is relatively new, and devices that support it have the ability to allow a connection into the network at layer 2 only if user authentication is successful. This protocol works well for access points that need the ability to keep users disconnected if they are not supposed to be on the network. EAP is a layer 2 protocol that is a flexible replacement for PAP or CHAP under PPP that works over local area networks. EAP allows plug-ins at either end of a link through which many methods of authentication can be used. In the past, PAP and/or CHAP have been used for user authentication, and both support using passwords. The need for a stronger, more flexible alternative is clear with wireless networks since more varied implementations abound with wireless than with wired networks.
Typically, user authentication is accomplished using a Remote Authentication Dial-In User Service (RADIUS) server and some type of user database (Native RADIUS, NDS, Active Directory, LDAP, etc.). The process of authenticating using EAP is shown in Figure 7.6. The new 802.11i standard includes support for 802.1x, EAP, AAA, mutual authentication, and key generation, none of which were included in the original 802.11 standard. “AAA” is an acronym for authentication (identifying who you are), authorization (attributes to allow you to perform certain tasks on the network), and accounting (shows what you’ve done and where you’ve been on the network).
In the 802.1x standard model, network authentication consists of three pieces: the supplicant, the authenticator, and the authentication server.
Because wireless LAN security is essential – and EAP authentication types provide the means of securing the wireless LAN connection – vendors are rapidly developing and adding EAP authentication types to their wireless LAN access points. Knowing the type of EAP being used is important in understanding the characteristics of the authentication method such as passwords, key generation, mutual authentication, and protocol. Some of the commonly deployed EAP authentication types include:
EAP-MD-5 Challenge. The earliest EAP authentication type, this essentially duplicates CHAP password protection on a wireless LAN. EAP-MD5 represents a kind of baselevel EAP support among 802.1x devices.
EAP-Cisco Wireless. Also called LEAP (Lightweight Extensible Authentication Protocol), this EAP authentication type is used primarily in Cisco wireless LAN access points. LEAP provides security during credential exchange, encrypts data transmission using dynamically generated WEP keys, and supports mutual authentication.
EAP-TLS (Transport Layer Security). EAP-TLS provides for certificate-based, mutual authentication of the client and the network. EAP-TLS relies on client-side and serverside certificates to perform authentication, using dynamically generated user- and session-based WEP keys distributed to secure the connection. Windows XP includes an EAP-TLS client, and EAP-TLS is also supported by Windows 2000.
EAP-TTLS. Funk Software and Certicom have jointly developed EAP-TTLS (Tunneled Transport Layer Security). EAP-TTLS is an extension of EAP-TLS, which provides for certificate-based, mutual authentication of the client and network. Unlike EAP-TLS, however, EAP-TTLS requires only server-side certificates, eliminating the need to configure certificates for each wireless LAN client.
In addition, EAP-TTLS supports legacy password protocols, so you can deploy it against your existing authentication system (such as Active Directory or NDS). EAP-TTLS securely tunnels client authentication within TLS records, ensuring that the user remains anonymous to eavesdroppers on the wireless link. Dynamically generated user- and session-based WEP keys are distributed to secure the connection.
EAP-SRP (Secure Remote Password). SRP is a secure, password-based authentication and key-exchange protocol. It solves the problem of authenticating clients to servers securely in cases where the user of the client software must memorize a small secret (like a password) and carries no other secret information. The server carries a verifier for each user, which allows the server to authenticate the client. However, if the verifier were compromised, the attacker would not be allowed to impersonate the client. In addition, SRP exchanges a cryptographically strong secret as a byproduct of successful authentication, which enables the two parties to communicate securely.
EAP-SIM (GSM). EAP-SIM is a mechanism for Mobile IP network access authentication and registration key generation using the GSM Subscriber Identity Module (SIM). The rationale for using the GSM SIM with Mobile IP is to leverage the existing GSM authorization infrastructure with the existing user base and the existing SIM card distribution channels. By using the SIM key exchange, no other preconfigured security association besides the SIM card is required on the mobile node. The idea is not to use the GSM radio access technology, but to use GSM SIM authorization with Mobile IP over any link layer, for example on Wireless LAN access networks.
It is likely that this list of EAP authentication types will grow as more and more vendors enter the wireless LAN security market, and until the market chooses a standard.
VPN Solutions
VPN technology provides the means to securely transmit data between two network devices over an unsecure data transport medium. It is commonly used to link remote computers or networks to a corporate server via the Internet. However, VPN is also a solution for protecting data on a wireless network. VPN works by creating a tunnel on top of a protocol such as IP. Traffic inside the tunnel is encrypted, and totally isolated as can be seen in Figures 7.7 and 7.8. VPN technology provides three levels of security: user authentication, encryption, and data authentication.
- User authentication ensures that only authorized users (over a specific device) are able to connect, send, and receive data over the wireless network.
- Encryption offers additional protection as it ensures that even if transmissions are intercepted, they cannot be decoded without significant time and effort.
- Data authentication ensures the integrity of data on the wireless network, guaranteeing that all traffic is from authenticated devices only.
Applying VPN technology to secure a wireless network requires a different approach than when it is used on wired networks for the following reasons.
- The inherent repeater function of wireless access points automatically forwards traffic between wireless LAN stations that communicate together and that appear on the same wireless network.
- The range of the wireless network will likely extend beyond the physical boundaries of an office or home, giving intruders the means to compromise the network.
No comments:
Post a Comment