May 2002 Mfg.Trust

Mfg.Trust is a monthly feature of the
NCMS InfraGard Manufacturing Industry Association
Infrastructure assurance for manufacturers.
Powered by NCMS.


This month – WIRELESS Local Area Networks 
The proliferation of wireless networks opens up more security holes.


Accompanying Resource Page for this Story 


Editor's Preface: 

We are fortunate to have our guest, John R. Muir, as the author of this month’s Mfg. Trust feature. John is a well known expert in information security with an extensive industry practice.

John is also the instructor for the NCMS Online Class: Wireless LAN Security, which is available at http://products.ncms.org  under training and education. Together, we developed these online, brief training modules because industry people are bombarded by requests to implement technology that is new to them. These are the tools you need to understand basics well, so you can respond intelligently under pressure.

NCMS is dedicated to helping manufacturers develop robust systems (people, process, and technology) that assure uninterrupted production. We hope you find these resources useful both in your personal and business lives. Aware and educated private citizens are also aware and educated employees!

Don’t forget that there is an extensive page of resources at http://trust.ncms.org, under the Publications Index tab, for this and every other Mfg.Trust feature.

John Sheridan (johns@ncms.org)

PS: Wireless networks are now being found in the home as well as the office. I’ll offer a personal home network security tip. I unplug the access point when I leave. But, we can’t do that at work, so read on!


WIRELESS Local Area Networks 

Perhaps the most exciting aspect of wireless LANs is the freedom they afford network users. We can have network and Internet access anywhere we want in our company without having to plug in. We can join meetings with our PCs while staying on the network. Less exciting, but just as important, many companies find that wireless LANs can save substantial expense by avoiding costly infrastructure wiring. Wireless also permits easy reconfiguration of office spaces.

Wireless LAN Security Issues 

Unfortunately, the architecture of wireless LANs gives rise to a number of serious security issues in certain environments. For example, in the past few months the Lawrence Livermore Labs banned wireless LANs outright, while airlines were warned to use wired LANs at airports to prevent subversion by terrorists.

The most obvious issue, of course, is how to protect data when broadcast in an open space. But there are other issues as well. The rapid advances in wireless technology have unfortunately outpaced security capabilities and left some important vulnerabilities such as denial of service attacks, the possibility of spurious network connections and use by unauthorized persons. For instance:

  1. Denial of service is the risk that the network will be made unusable as a result of being flooded with bogus data 
  2. Privacy is the risk that unauthorized persons will be able to view the data and compromise its value 
  3. Unauthorized access is the risk that by inserting spurious “access points”, an interloper can gain access not only to the wireless network but to the wired network as well 
  4. Finally, there is the problem that occurs with all networks – how do we authenticate the user, and not just the device he is using to access the network? Wireless networks increase the risk of unauthorized persons using authorized equipment.

Security Techniques 

Early wireless systems relied on random “frequency hopping” and fixed identification codes (SSID) for security. Both measures soon proved inadequate, and the IEEE issued a new standard called “Wireless Equivalent Privacy,” or WEP. WEP actually performs two functions:

First, WEP provides a much more secure way for clients to identify themselves to an access point, and significantly, to also authenticate the access point to the clients.

Second, WEP provides the means to encrypt the data flowing between the clients and the access point.

Note that WEP must be configured; it is not operational out of the box. Properly installed, WEP provides a modicum of protection against most security risks. The problem is, significantly less than 50% of all wireless networks have WEP configured! So just taking that one step would make a substantial improvement in wireless LAN security.

Unfortunately, WEP suffers from two significant problems – 1) key management is cumbersome and 2) the cryptographic algorithms are poorly implemented. The lack of central key management creates a large burden on administrators to manually change the identification keys in access points in an effort to maintain security, with the predictable result that the keys are rarely changed. More ominously, an attack that readily subverts WEP security was widely reported in 2001 – researchers were able to demonstrate a quick procedure which made it possible to read protected traffic and inject spurious data.

Thus, the need for a central key repository and management system becomes clear. The “Extensible Authentication Protocol” (EAP) provides this type of functionality by means of a network authentication protocol called RADIUS, which stands for “Remote Dial-In Access Server.” RADIUS has been used for almost a decade as a standard network authentication system. In fact, RADIUS is supported by all the major telecommunications equipment vendors, including Cisco, 3Com, and others, making it a natural choice to enable centralized key management for wireless networks.

EAP provides good basic security, but there are two ways to improve the level of protection. The first is the use of firewall technology to isolate the wireless network from the wired network. Installing a firewall is a good idea, but is meant to protect the wired network from the vulnerabilities of the wireless network – it doesn’t affect the security of the wireless LAN. The second technology, Virtual Private Networks, securely encapsulates all the traffic between the client and the VPN control point.

It appears that the best protection is a combination of VPN and EAP which provides a scalable, “end to end” solution.

To summarize, frequency hopping and SSID are generally built-in and fairly simple to implement, but don’t provide much security in an enterprise environment. For this reason, these techniques should only be used in very low value or home networks. WEP is better and works at home, but suffers from both security and administration shortcomings and should not be relied upon in major organizations. EAP, which uses the RADIUS protocol to check an authentication server, is much more desirable for large to medium size organizations. Firewalls help protect large wired networks from the insecurities of wireless networks, and are particularly useful for large organizations. VPNs, particularly when coupled with EAP, appear to offer the best level of wireless security for high value wireless networks.

Your Action List 

Now we get to the actions you should take, starting with selecting a wireless LAN system that supports the level of security your organization requires. That should be set forth in a security policy. Although WEP may suffice for some applications, the best bet for most organizations is to select a wireless LAN that includes VPN capabilities or has demonstrated compatibility with a VPN vendor you can work with.

As to configuration, this author (and editor) believe you should be arrested if you don’t at least change the default SSIDs. But that is still very weak and you would be much better off getting WEP implemented. Also, don’t forget to secure the management ports to the access points.

Now let’s move on to managing the security of your wireless LAN. You can test your vulnerability by using so-called “assessment” products that search for hidden wireless LANs and detect problems in known LANs.

You can also impose more continuous control by installing one of several new auditor packages such as the one from IBM. These programs keep logs of abnormal behavior and alert you to potential problems. Part of your auditing should include keeping track of your wireless NIC cards to make sure these devices have not been stolen to enable others to penetrate your network.

If you have Windows XP, you can turn on EAP and set up a RADIUS server to improve key management. Also, you can reduce your exposure by using a gateway or firewall to isolate the wireless network from the rest of your network.
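
One way to script the inventory side of this action list, as an added example that is not part of the original newsletter: it compares a site survey against a list of authorized access points and flags unknown radios, default SSIDs and access points running without WEP. The survey rows, MAC addresses, network names and the short list of default SSIDs are constructed for illustration.

```python
# Added example: audit a wireless site survey against an authorized inventory.
# All survey rows, BSSIDs and inventory entries below are constructed sample data.
import csv
import io

# Illustrative vendor default SSIDs (assumption); extend for your own hardware.
DEFAULT_SSIDS = {"linksys", "tsunami", "default", "netgear"}

# Authorized access points, keyed by BSSID (the radio's MAC address).
AUTHORIZED_APS = {
    "00:11:22:33:44:01": "plant-floor",
    "00:11:22:33:44:02": "front-office",
}

# Constructed survey export: one row per access point heard on site.
SAMPLE_SURVEY = """bssid,ssid,encryption
00:11:22:33:44:01,plant-floor,WEP
00:11:22:33:44:02,linksys,none
00:AA:BB:CC:DD:99,plant-floor,WEP
00:AA:BB:CC:DD:77,guestnet,none
"""

def audit_survey(survey_csv, authorized=AUTHORIZED_APS):
    """Return a sorted list of (bssid, finding) tuples for the survey."""
    authorized = {k.upper(): v for k, v in authorized.items()}
    known_ssids = {s.lower() for s in authorized.values()}
    findings = []
    for row in csv.DictReader(io.StringIO(survey_csv)):
        bssid = row["bssid"].strip().upper()
        ssid = row["ssid"].strip()
        enc = row["encryption"].strip().lower()
        if bssid not in authorized:
            # Unknown radio: more serious if it advertises one of our names.
            kind = "spoofed-ssid" if ssid.lower() in known_ssids else "unknown-ap"
            findings.append((bssid, kind))
            continue
        if ssid.lower() in DEFAULT_SSIDS:
            findings.append((bssid, "default-ssid"))
        elif ssid != authorized[bssid]:
            findings.append((bssid, "ssid-mismatch"))
        if enc in ("", "none", "open"):
            findings.append((bssid, "no-encryption"))
    return sorted(findings)

if __name__ == "__main__":
    for bssid, finding in audit_survey(SAMPLE_SURVEY):
        print(f"{bssid}  {finding}")
```

An unknown radio that advertises one of your own network names is reported separately from other unknown access points, since it matches the spurious “access point” risk described earlier.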


Links

While we were hard at work preparing this issue of Mfg.Trust, it seems that others also had the same good idea. “The Wireless Revolution” is the cover story and theme of the May 21, 2002 dated PC Magazine, which just arrived by mail. We highly recommend this excellent issue, which covers other aspects of wireless use in addition to local area network functions. See http://www.pcmag.com/current_issue/ for more.

Also, don’t forget the extensive links on our Wireless LAN resources page at http://trust.ncms.org , under the Publications Index tab.



Copyright 2004
National Center for Manufacturing Sciences