Wireless Security
Lunchtime Learning |
By Lisa Phifer
WPA and WPA2-Enterprise provide robust WLAN access control, but deploying 802.1X can be overwhelming for companies with limited IT staff and budget. From outsource to open source to preshared keys, this tip describes several less complex or costly alternatives.
Outsource 802.1X services
WPA and WPA2-Enterprise use the 802.1X port access control framework to authenticate wireless users. This framework pairs with authentication servers commonly found in corporate networks, like RADIUS servers, Windows Active Directories, RSA SecurID Authentication Managers and Certificate Authorities. Companies that do not have an authentication server and prefer not to install one can outsource this component to a third-party like BoxedWiFi or WiFiRadis.
These providers offer managed Wi-Fi authentication services. Instead of consulting your own local RADIUS server, your APs forward 802.1X / Protected EAP messages through a TLS tunnel, across the Internet, to the provider's RADIUS server. That server validates the station's identity and password before granting or denying access to your WLAN. Usernames can be added to and removed from your account through an administrator Web portal.
These services differ in detail -- for example, BoxedWireless supports both EAP-TLS and PEAP/MS-CHAPv2, while WiFiRadis only supports the latter. BoxedWireless is a commercial service, while WiFiRadis is free. Either way, basic setup is easy. By outsourcing 802.1X services, you can achieve "enterprise" security with little more effort than it takes to configure "personal" preshared secrets. However, bear in mind that these services are intended to fill a gap for very small businesses; they are not business-oriented managed security products.
Roll your own 802.1X infrastructure
Some companies would rather have their own authentication server, but lack the budget to buy a commercial RADIUS product. Another option to consider is freely-available RADIUS server software like FreeRADIUS. But don't kid yourself: rolling your own RADIUS server will require spare hardware, tech savvy and at least a little sweat.
To run FreeRADIUS, you'll need spare time and server hardware running Linux, FreeBSD, OpenBSD, OSF/Unix or Solaris. FreeRADIUS is released under the GNU General Public License, which means that it is free to download and install. When used as a wireless authentication server, FreeRADIUS can process EAP-MD5, EAP-SIM, EAP-TLS, EAP-TTLS, EAP-PEAP and LEAP access requests. Security policies, server configurations and user credentials are all up to you. But once you've invested the effort, you'll have a flexible RADIUS server that can be used for other purposes, like remote user VPN authentication. You can find advice on configuring FreeRADIUS for wireless here.
Alternatively, consider turning a Microsoft Windows Server into a RADIUS server for your WLAN. If you have a spare PC running Windows Server 2003, it can be configured to run Microsoft's Internet Authentication Server (IAS). You can learn how to set up IAS for use with 802.1X here. If you have a spare PC running Windows Server 2008, you can accomplish similar results using Microsoft's new Network Policy Server (NPS). While these solutions are not opensource, they can allow you to roll your own RADIUS server using products and platforms that you already own.
Skip 802.1X altogether
Companies that find the whole idea of 802.1X overwhelming can use WPA or WPA2-Personal instead. These "personal" measures still represent an improvement over WEP when based on a strong preshared key (PSK).
When PSKs are too short or composed of words found in the dictionary, they can easily be guessed. An attacker simply needs to capture a few packets exchanged by a legitimate user when connecting to the WLAN, then run a dictionary attack tool like CoWPAtty. To prevent this, choose a PSK value that's at least 20 random alphanumeric characters. For best results, use a random password generator to include numbers and mixed case (e.g., T2adREfasACach64a6Us). Better yet, if your AP and client support Wi-Fi Protected Setup (WPS), configure a long random PSK by pushing the button on the front of your AP or by typing a client-generated WPS PIN into your AP's GUI.
Furthermore, when using PSKs it's important to assign your WLAN a relatively unusual network name (Extended Service Set Identifier, or ESSID). Why? PSKs can be guessed much faster by contemporary cracking tools when your WLAN uses a common default ESSID. Here again, WPS can be used to configure a good ESSID for you.
No matter how random or long your PSK might be, every user connected to your WLAN must know that value or have it configured into their system. A configured password makes life easier, because users don't have to remember or correctly type a long random string. But that configured password will be compromised if someone loses a laptop or leaves it unattended. On the other hand, prompting for PSKs increases the chance that users will give them to guests, write them down on sticky notes or otherwise disclose the entire WLAN's password.
Updating your WLAN's PSK at regular intervals can help to reduce risk, but ultimately group passwords can only take you so far. If your company is really concerned about keeping outsiders off your WLAN -- or knowing who is using your WLAN at any point in time -- then upgrade to WPA or WPA2-Enterprise.
>> Read the next tip: Choosing the right flavor of 802.1X
