Home > Controlling WLAN access on a tight budget
Security School:
EMAIL THIS

Controlling WLAN access on a tight budget

28 Mar 2006 | SearchSecurity.com

Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   

Wireless Security
Lunchtime Learning
  By Lisa Phifer



Wireless Security Lunchtime Learning

Return to Lesson 3: How to implement secure access
Read the next tip: Choosing the right flavor of 802.1X
Return to Wireless Security Lunchtime Learning
WPA and WPA2-Enterprise provide robust WLAN access control, but deploying 802.1X can be overwhelming for companies with limited IT staff and budget. From outsource to open source to preshared keys, this tip describes several less complex or costly alternatives.

Outsource 802.1X services
WPA and WPA2-Enterprise use the 802.1X port access control framework to authenticate wireless users. This framework pairs with authentication servers commonly found in corporate networks, like RADIUS servers, Windows Active Directories, RSA SecurID Authentication Managers and Certificate Authorities. Companies that do not have an authentication server and prefer not to install one can outsource this component to a third-party like BoxedWiFi or WiFiRadis.

These providers offer managed Wi-Fi authentication services. Instead of consulting your own local RADIUS server, your APs forward 802.1X / Protected EAP messages through a TLS tunnel, across the Internet, to the provider's RADIUS server. That server validates the station's identity and password before granting or denying access to your WLAN. Usernames can be added to and removed from your account through an administrator Web portal.

These services differ in detail -- for example, BoxedWireless supports both EAP-TLS and PEAP/MS-CHAPv2, while WiFiRadis only supports the latter. BoxedWireless is a commercial service, while WiFiRadis is free. Either way, basic setup is easy. By outsourcing 802.1X services, you can achieve "enterprise" security with little more effort than it takes to configure "personal" preshared secrets. However, bear in mind that these services are intended to fill a gap for very small businesses; they are not business-oriented managed security products.

Roll your own 802.1X infrastructure
Some companies would rather have their own authentication server, but lack the budget to buy a commercial RADIUS product. Another option to consider is freely-available RADIUS server software like FreeRADIUS. But don't kid yourself: rolling your own RADIUS server will require spare hardware, tech savvy and at least a little sweat.

To run FreeRADIUS, you'll need spare time and server hardware running Linux, FreeBSD, OpenBSD, OSF/Unix or Solaris. FreeRADIUS is released under the GNU General Public License, which means that it is free to download and install. When used as a wireless authentication server, FreeRADIUS can process EAP-MD5, EAP-SIM, EAP-TLS, EAP-TTLS, EAP-PEAP and LEAP access requests. Security policies, server configurations and user credentials are all up to you. But once you've invested the effort, you'll have a flexible RADIUS server that can be used for other purposes, like remote user VPN authentication. You can find advice on configuring FreeRADIUS for wireless here.

Alternatively, consider turning a Microsoft Windows Server into a RADIUS server for your WLAN. If you have a spare PC running Windows Server 2003, it can be configured to run Microsoft's Internet Authentication Server (IAS). You can learn how to set up IAS for use with 802.1X here. If you have a spare PC running Windows Server 2008, you can accomplish similar results using Microsoft's new Network Policy Server (NPS). While these solutions are not opensource, they can allow you to roll your own RADIUS server using products and platforms that you already own.

Skip 802.1X altogether
Companies that find the whole idea of 802.1X overwhelming can use WPA or WPA2-Personal instead. These "personal" measures still represent an improvement over WEP when based on a strong preshared key (PSK).

When PSKs are too short or composed of words found in the dictionary, they can easily be guessed. An attacker simply needs to capture a few packets exchanged by a legitimate user when connecting to the WLAN, then run a dictionary attack tool like CoWPAtty. To prevent this, choose a PSK value that's at least 20 random alphanumeric characters. For best results, use a random password generator to include numbers and mixed case (e.g., T2adREfasACach64a6Us). Better yet, if your AP and client support Wi-Fi Protected Setup (WPS), configure a long random PSK by pushing the button on the front of your AP or by typing a client-generated WPS PIN into your AP's GUI.

Furthermore, when using PSKs it's important to assign your WLAN a relatively unusual network name (Extended Service Set Identifier, or ESSID). Why? PSKs can be guessed much faster by contemporary cracking tools when your WLAN uses a common default ESSID. Here again, WPS can be used to configure a good ESSID for you.

No matter how random or long your PSK might be, every user connected to your WLAN must know that value or have it configured into their system. A configured password makes life easier, because users don't have to remember or correctly type a long random string. But that configured password will be compromised if someone loses a laptop or leaves it unattended. On the other hand, prompting for PSKs increases the chance that users will give them to guests, write them down on sticky notes or otherwise disclose the entire WLAN's password.

Updating your WLAN's PSK at regular intervals can help to reduce risk, but ultimately group passwords can only take you so far. If your company is really concerned about keeping outsiders off your WLAN -- or knowing who is using your WLAN at any point in time -- then upgrade to WPA or WPA2-Enterprise.

>> Read the next tip: Choosing the right flavor of 802.1X

BROWSE BY TAG
Wireless Network Security: Setup and Tools,   Wireless LAN Design and Setup,   Enterprise Network Security,   Vendor Management: Negotiations, Budgeting, Mergers and Acquisitions,   Information Security Management,   VIEW ALL TAGS

Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   


RELATED CONTENT
Wireless LAN Design and Setup
A list of wireless network attacks
Wireless Security Lunchtime Learning
An introduction to wireless security
Hunting for rogue wireless devices
A wireless network vulnerability assessment checklist
Lesson 1: How to counter wireless threats and vulnerabilities
Risky Business: Understanding WiFi threats
Wireless Security Lunchtime Learning Entrance Exam
Lesson 1 quiz: Risky business
Study reveals lack of financial wireless computer security
Wireless LAN Design and Setup Research

Vendor Management: Negotiations, Budgeting, Mergers and Acquisitions
Sophos CEO on Symantec, McAfee after Utimaco acquisition
EMC adds configuration management with Configuresoft acquisition
Know when you need IDS, IPS or both
Symantec acquires Mi5 Networks, bolsters Web security
RSA Conference 2009 shines spotlight on security vendor innovation
Oracle to buy Sun Microsystems for $7.4 billion
Entrust to be acquired by investment firm
Enrique Salem takes charge at Symantec
Countdown: Top 5 most important questions to ask endpoint security vendors
Flaw disclosure debate polarizes SOURCE Boston panel

RELATED GLOSSARY TERMS
Terms from Whatis.com − the technology online dictionary
evil twin  (SearchSecurity.com)

RELATED RESOURCES
2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems
Search Bitpipe.com for the latest white papers and business webcasts
Whatis.com, the online computer dictionary




Search Additional Security Research and Solutions
Find Security Channel Research for Resellers and Partners
TechTarget Security Media
Information Security View this month\\'s issue and subscribe today.
Information Security Decisions Apply online for free conference admission.
SearchSecurity.com
HomeNewsMagazineMultimediaWhite PapersLearningAdviceTopicsEventsAbout Us

About Us  |  Contact Us  |  For Advertisers  |  For Business Partners  |  Site Index  |  RSS
TechTarget provides technology professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective purchase decisions and managing their organizations' technology projects - with its network of technology-specific websites, events and online magazines.

TechTarget Corporate Web Site  |  Media Kits  |  Site Map




All Rights Reserved, Copyright 2003 - 2009, TechTarget | Read our Privacy Policy
  TechTarget - The IT Media ROI Experts