
Securing an Enterprise WLAN
Enterprise IT managers have good reasons to make sure corporate WLANs are secure. Their users want to access applications from anywhere (headquarters, campuses, multi-tenant facilities and branch offices), while IT managers want stringent security to ensure that only authorized people can reach a network's resources. Using standard, strong authentication and encryption techniques protects a company's resources against misuse.
Data Encryption Protocols
Wi-Fi Protected Access (WPA and WPA2)
WPA was created to address the weaknesses found in WEP. It does this by:
  • Improving how RC4 is keyed by increasing the initialization vector (IV) from 24 bits to 48 bits and mixing it into a fresh per-packet key. The IV reuse that the WEP key-recovery attacks depend on therefore does not occur in practice, which makes a WPA-protected message much harder to crack.
  • Changing the encryption key with every 802.11 packet using the Temporal Key Integrity Protocol (TKIP). This avoids the same key staying in use for weeks or months, as it does with WEP. It is similar to changing the locks on a house each time you leave.
  • Implementing the Message Integrity Code (MIC), also known as "Michael". The receiver checks a 64-bit (8-byte) keyed MIC carried in the packet in addition to the 802.11 packet's 4-byte integrity check value (ICV), and discards any packet that fails either check. Michael was deliberately kept cheap so that existing hardware could run it, so 802.11i pairs it with countermeasures: after two MIC failures within a minute the station rekeys and stops using TKIP for 60 seconds.
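The Michael MIC from the third bullet, implemented in Python as an added example (this is not code from the original page). It reproduces the 802.11i Annex H test vector for an all-zero key and an empty message, so the 8-byte output can be checked against the standard; the constant-time verify helper and the countermeasure note are the parts a reviewer would look for in a receiving implementation. The layout of the TKIP MIC input (DA, SA, priority, padding, payload) is from the standard, but the sample key and message in the demo are constructed.

```python
import hmac
import struct

MASK32 = 0xFFFFFFFF


def _rol32(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK32


def _ror32(v, n):
    return ((v >> n) | (v << (32 - n))) & MASK32


def _xswap(v):
    # Swap the two bytes inside each 16-bit half of the word.
    return ((v & 0xFF00FF00) >> 8) | ((v & 0x00FF00FF) << 8)


def _michael_block(l, r):
    # One application of the Michael block function (802.11i-2004, 8.3.2.3).
    r ^= _rol32(l, 17)
    l = (l + r) & MASK32
    r ^= _xswap(l)
    l = (l + r) & MASK32
    r ^= _rol32(l, 3)
    l = (l + r) & MASK32
    r ^= _ror32(l, 2)
    l = (l + r) & MASK32
    return l, r


def michael_mic(key: bytes, data: bytes) -> bytes:
    """Compute the 64-bit Michael MIC of `data` under the 64-bit `key`.

    In TKIP, `data` is DA || SA || priority || 3 zero bytes || MSDU payload,
    and the key is the per-direction MIC key taken from the temporal key.
    """
    if len(key) != 8:
        raise ValueError("Michael key must be 8 bytes")
    l, r = struct.unpack("<II", key)
    # Padding: a single 0x5a byte, then 4 to 7 zero bytes, so the total
    # length is a multiple of 4 and the final 32-bit word is always zero.
    padded = data + b"\x5a" + b"\x00" * (4 + (-(len(data) + 1) % 4))
    for (word,) in struct.iter_unpack("<I", padded):
        l ^= word
        l, r = _michael_block(l, r)
    return struct.pack("<II", l, r)


def michael_verify(key: bytes, data: bytes, mic: bytes) -> bool:
    """Constant-time check of a received MIC. A failure must be treated as a
    forgery attempt: Michael offers only about 20 bits of security on its own,
    so 802.11i requires the TKIP countermeasures (rekey and a 60 s blackout
    after two failures within a minute) rather than just dropping the frame."""
    return hmac.compare_digest(michael_mic(key, data), mic)


if __name__ == "__main__":
    # 802.11i Annex H test vector: all-zero key, empty message.
    print(michael_mic(bytes(8), b"").hex())  # 82925c1ca1d130b8
    # Constructed key and MSDU, not from any capture.
    k = bytes(range(8))
    tag = michael_mic(k, b"\xaa" * 6 + b"\xbb" * 6 + bytes(4) + b"payload")
    print(tag.hex(), michael_verify(k, b"\xaa" * 6 + b"\xbb" * 6 + bytes(4) + b"payload", tag))
```

The MIC is computed over the plaintext MSDU before encryption and appended to it; in a real implementation the caller also has to keep the replay counter (the 48-bit TSC) monotonic, since Michael itself does nothing against replay.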

For authentication, WPA uses a combination of open system and 802.1X authentication. Initially, the wireless client authenticates and associates with the AP using 802.11 open system authentication, which merely allows the client to exchange frames with it. Next, WPA performs user-level authentication with 802.1X. In a large WLAN environment, WPA interfaces to an authentication server such as RADIUS. In home and small office WLANs, where an authentication server is not available, WPA operates in "Pre-Shared Key mode" (WPA-PSK). A pre-shared key is used much like WEP: you key in the same passphrase on both the wireless device and the AP. The passphrase, combined with the network's SSID, yields the master key. During association, if both sides hold the same master key, the AP allows access to the network and fresh per-session encryption keys are generated from it.
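How the pre-shared key mode turns a passphrase into the master key, as an added Python example (not code from the original page). The derivation is the one 802.11i specifies (PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations, 256-bit output) and the "password"/"IEEE" pair is the standard's own published test vector. The `offline_guess` function and its candidate list are constructed here to show the caveat that matters for home and small-office deployments: every input except the passphrase is public, so anyone who records the association handshake can test guesses offline. Comparing a guess against the PMK directly is a simplification; a real attacker confirms a guess by recomputing the handshake MIC.

```python
import hashlib
import hmac
import string

# Legal passphrase characters: ASCII 32..126 (802.11i Annex H.4).
_PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")


def wpa_psk_pmk(passphrase: str, ssid: bytes) -> bytes:
    """Return the 256-bit PMK for a WPA/WPA2-Personal network.

    PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    A 64-character hex string is accepted as the raw PSK instead of a passphrase.
    """
    if not 0 < len(ssid) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    if len(passphrase) == 64 and all(c in string.hexdigits for c in passphrase):
        return bytes.fromhex(passphrase)
    if not 8 <= len(passphrase) <= 63 or not set(passphrase) <= _PRINTABLE:
        raise ValueError("passphrase must be 8 to 63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid, 4096, 32)


def offline_guess(candidates, ssid: bytes, target_pmk: bytes):
    """Model of the offline dictionary attack WPA-PSK is exposed to.

    Each guess costs one PBKDF2 run (4096 HMACs); nothing is sent to the AP,
    so lockouts and logging on the AP never see it. The only defence is a
    passphrase that is not in any wordlist. (Simplification: a real attacker
    checks a guess against the captured 4-way handshake MIC, not the PMK.)
    """
    for guess in candidates:
        try:
            pmk = wpa_psk_pmk(guess, ssid)
        except ValueError:
            continue  # not a legal passphrase, so it cannot be the answer
        if hmac.compare_digest(pmk, target_pmk):
            return guess
    return None


if __name__ == "__main__":
    # 802.11i Annex H.4.1 test vector.
    print(wpa_psk_pmk("password", b"IEEE").hex())
    # Constructed wordlist; "password" is found after three PBKDF2 runs.
    target = wpa_psk_pmk("password", b"IEEE")
    print(offline_guess(["letmein1", "short", "password", "hunter22"], b"IEEE", target))
```

The SSID acting as salt only prevents one precomputed table from serving every network; it does not add any secrecy, because the SSID is broadcast in every beacon.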
WPA was designed to be a software upgrade to WEP, so most older wireless devices should be upgradeable to WPA via a firmware update. To take advantage of WPA, all network devices must be upgraded. Microsoft supports WPA in Windows XP, but operating system support alone does not let you avoid the need for new WPA-capable equipment or a firmware update. As Microsoft spells out in its WPA document: "Wireless network adapters must have their firmware updated" to make use of WPA's functionality.
802.11i (WPA2)
802.11i (the standard on which the WPA2 certification is based) has all the abilities of WPA and adds the requirement to use the Advanced Encryption Standard (AES), in the CCMP mode, for encryption of data. AES provides enough security to meet the needs of the Federal Information Processing Standard (FIPS) 140-2 specification, which is required by many government agencies. The downside is that AES support may require new hardware for many existing WLANs, since encryption and decryption at wire speed is normally done by dedicated hardware on the wireless chipset rather than by firmware.

It will not replace WPA immediately, however; WPA will continue to be available for homes and small businesses that don't need the stronger encryption or RADIUS authentication. 802.11i/WPA2 products are backwards compatible with WPA products: a WPA2 AP can run in a mixed mode that accepts TKIP clients alongside AES clients, although broadcast and multicast traffic is then protected only by TKIP.
Client Authorization Access
802.1x Port Control
802.1X defines a port-based access control protocol that wireless devices use to request LAN port access. It carries the Extensible Authentication Protocol (EAP), originally defined for dial-up access, inside EAP over LAN (EAPOL) frames, which early WLAN literature also calls EAP over Wireless (EAPOW). The client must first associate with an AP. Then the client sends an "EAPOL-Start" message. This kicks off a flurry of management messages that ends with "EAP Success" or "EAP Failure" (see Figure, below).
Throughout most of the 802.1X exchange, the AP ("the authenticator") relays EAP messages between the client ("the supplicant") and a RADIUS server ("the authentication server"). When the client is asked to supply its identity, the authenticator relays it inside a RADIUS Access-Request. Based on the client's identity, the RADIUS server issues a RADIUS Access-Challenge, the content of which the authenticator relays to the station. And so on, until the RADIUS server makes a decision to accept or reject the access request.
This 802.1X framework consolidates decision-making at the RADIUS server, so that MAC addresses no longer have to be individually configured into every AP. It also allows clients to identify themselves with credentials other than a MAC address, e.g. a Windows login followed by a CHAP challenge. Once the RADIUS server issues an EAP Success, the keying material produced by the EAP method is delivered to the AP and an EAPOL-Key exchange (the four-way handshake) is performed. This provides the AP and client with secret session keys to be used by dynamic WEP or WPA to encrypt traffic sent over the WLAN.

Deploying 802.1X port access control requires support on all three devices involved in this exchange: supplicant software on the client, authenticator support in AP firmware, and an 802.1X-compatible authentication server. All three devices must support the same versions of 802.1X and the same authentication methods, and that's where 802.1X deployment can be challenging. There are variations of EAP that support different kinds of authentication; with the TLS-based variants the supplicant must also be configured to validate the server's certificate, or a rogue AP can impersonate the network and collect credentials. Still, exchanging dynamic, automatically generated per-session keys with 802.1X is a driving force in providing secure access in large WLANs.
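The frames exchanged in the walk-through above, as an added Python example (not code from the original page): a parser for the EAPOL header and the EAP packet inside it, a function that labels a sequence of frames the way the text names them, and a helper that pulls out the identity the supplicant sent. The four sample frames are constructed for this example rather than taken from a capture, and the challenge rounds that a real method would insert between the identity response and EAP Success are omitted. The practical point the helper makes is that EAP-Response/Identity travels in the clear, which is why tunnelled methods should send an anonymous outer identity.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}


@dataclass
class EapolFrame:
    version: int
    kind: str                       # one of EAPOL_TYPES
    eap_code: Optional[str] = None  # set only for EAP-Packet
    eap_id: Optional[int] = None
    eap_type: Optional[str] = None  # set only for Request/Response
    eap_data: bytes = b""


def parse_eapol(frame: bytes) -> EapolFrame:
    """Parse one EAPOL frame (the payload after the 802.1X Ethertype 0x888E)."""
    if len(frame) < 4:
        raise ValueError("short EAPOL header")
    version, etype, length = struct.unpack("!BBH", frame[:4])
    if etype not in EAPOL_TYPES:
        raise ValueError(f"unsupported EAPOL packet type {etype}")
    body = frame[4:4 + length]
    if len(body) != length:            # never trust a length field blindly
        raise ValueError("EAPOL length field exceeds frame")
    pkt = EapolFrame(version, EAPOL_TYPES[etype])
    if etype != 0:
        return pkt                     # Start/Logoff/Key carry no EAP packet
    if length < 4:
        raise ValueError("short EAP header")
    code, ident, eap_len = struct.unpack("!BBH", body[:4])
    if code not in EAP_CODES:
        raise ValueError(f"unknown EAP code {code}")
    if not 4 <= eap_len <= length:
        raise ValueError("bad EAP length")
    pkt.eap_code, pkt.eap_id = EAP_CODES[code], ident
    if code in (1, 2):                 # Request and Response carry a Type byte
        if eap_len < 5:
            raise ValueError("EAP Request/Response without type")
        pkt.eap_type = EAP_TYPES.get(body[4], f"type-{body[4]}")
        pkt.eap_data = body[5:eap_len]
    return pkt


def describe_exchange(frames: List[bytes]) -> List[str]:
    """Label each frame with the name the 802.1X walk-through uses for it."""
    out = []
    for f in frames:
        p = parse_eapol(f)
        if p.kind != "EAP-Packet":
            out.append(p.kind)
        elif p.eap_type is None:
            out.append(f"EAP {p.eap_code} id={p.eap_id}")
        elif p.eap_type == "Identity" and p.eap_code == "Response":
            name = p.eap_data.decode("utf-8", "replace")
            out.append(f"EAP Response/Identity id={p.eap_id} {name!r}")
        else:
            out.append(f"EAP {p.eap_code}/{p.eap_type} id={p.eap_id}")
    return out


def outer_identity(frames: List[bytes]) -> Optional[str]:
    """The identity in EAP-Response/Identity is not encrypted: anyone in radio
    range sees it. PEAP and EAP-TTLS should send an anonymous outer identity
    here and the real username only inside the TLS tunnel."""
    for f in frames:
        p = parse_eapol(f)
        if p.eap_code == "Response" and p.eap_type == "Identity":
            return p.eap_data.decode("utf-8", "replace")
    return None


# Constructed sample exchange (not a real capture), supplicant <-> authenticator.
SAMPLE_EXCHANGE = [
    bytes.fromhex("01010000"),                          # EAPOL-Start
    bytes.fromhex("01000005" "0101000501"),             # EAP-Request/Identity, id 1
    bytes.fromhex("0100000a" "0201000a01") + b"alice",  # EAP-Response/Identity "alice"
    bytes.fromhex("01000004" "03020004"),               # EAP-Success, id 2
]

if __name__ == "__main__":
    for line in describe_exchange(SAMPLE_EXCHANGE):
        print(line)
    print("identity visible on the air:", outer_identity(SAMPLE_EXCHANGE))
```

EAPOL-Key frames (type 3) are recognised but not decoded here; they carry the four-way handshake that follows EAP Success and have their own key-descriptor format.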
RADIUS
The Remote Authentication Dial In User Service (RADIUS) protocol (RFC 2865) was originally defined to enable centralized authentication, authorization, and accounting (AAA) for Serial Line Internet Protocol (SLIP) and Point to Point Protocol (PPP) dial-up sessions, like those made to a dial-up Internet Service Provider. Instead of requiring every Network Access Server (NAS) to maintain a list of authorized usernames and passwords, RADIUS Access-Requests were forwarded to an Authentication Server, commonly referred to as an AAA Server. This made it possible to create a central user database, consolidating decision-making at a single point, while allowing calls to be supported by a large, physically distributed set of NAS.

When a user connects, the NAS sends a RADIUS Access-Request message to the AAA Server, relaying the user's name and password (the password hidden with MD5 and a secret shared between the NAS and the server), port, NAS identity, and a 16-byte random Request Authenticator. The AAA Server uses the packet's source address and NAS identity to look up the shared secret it has configured for that NAS; a request from an unknown NAS, or one that does not verify under that secret, is silently discarded. If the NAS is permitted, the AAA Server tries to find the user's name in its database. It then applies the password and other attributes carried in the Access-Request to decide whether access should be granted to this user.
Depending upon the authentication method being used, the AAA Server may return a RADIUS Access-Challenge message that carries a random number. The NAS relays the challenge to the remote user (for example, using CHAP). The user must respond with the correct value to prove its asserted identity (supplying a password), which the NAS relays to the AAA Server inside another RADIUS Access-Request message.
If the AAA Server is satisfied that the user is authentic and authorized to use the requested service, it returns a RADIUS Access-Accept message. If not, the AAA Server returns a RADIUS Access-Reject message and the NAS disconnects the user.
When an Access-Accept message is received and RADIUS Accounting is enabled, the NAS sends a RADIUS Accounting-Request (Start) message to the AAA Server. The Server adds an accounting record to its log and acknowledges the request, whereupon the NAS activates the user's session. At the end of the session, a similar RADIUS Accounting-Request (Stop) message is exchanged so that accounting records will reflect the actual session duration and disconnect reason.
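The Access-Request/Access-Accept exchange just described, as an added Python example (not code from the original page, and not a production RADIUS library): a minimal encoder and decoder for the RFC 2865 packet format, the User-Password hiding scheme from section 5.2 of that RFC, the Message-Authenticator check from RFC 2869 that the server uses to decide whether a NAS is permitted to send requests, and the Response Authenticator that lets the NAS confirm a reply belongs to its request. The user database, shared secret, NAS identifier and Request Authenticator used in the demo are constructed for this example; Access-Challenge handling and accounting are left out to keep it short.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER, MESSAGE_AUTHENTICATOR = 1, 2, 32, 80
USERS = {b"alice": b"correct horse battery"}   # constructed user database

def encode_attrs(attrs):
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out

def parse_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: each 16-byte chunk is XORed with MD5(secret || previous chunk),
    the first chunk with MD5(secret || Request Authenticator)."""
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1 to 128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out, prev = out + chunk, chunk
    return out

def unhide_password(hidden, secret, req_auth):
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")   # strips padding; trailing NULs in a real password are lost

def packet(code, ident, auth, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + auth + body

def build_access_request(ident, username, password, nas_id, secret, req_auth=None):
    """NAS side. Message-Authenticator (RFC 2869) is HMAC-MD5 over the whole
    request with its own value zeroed, keyed with the NAS/server shared secret."""
    req_auth = req_auth or os.urandom(16)
    attrs = [(USER_NAME, username), (USER_PASSWORD, hide_password(password, secret, req_auth)),
             (NAS_IDENTIFIER, nas_id), (MESSAGE_AUTHENTICATOR, bytes(16))]
    mac = hmac.new(secret, packet(ACCESS_REQUEST, ident, req_auth, attrs), "md5").digest()
    attrs[-1] = (MESSAGE_AUTHENTICATOR, mac)
    return packet(ACCESS_REQUEST, ident, req_auth, attrs)

def verify_message_authenticator(pkt, secret):
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False
    try:
        attrs = parse_attrs(pkt[20:])
    except ValueError:
        return False
    mac = next((v for t, v in attrs if t == MESSAGE_AUTHENTICATOR), None)
    if mac is None or len(mac) != 16:
        return False
    zeroed = [(t, bytes(16) if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    expected = hmac.new(secret, packet(pkt[0], pkt[1], pkt[4:20], zeroed), "md5").digest()
    return hmac.compare_digest(mac, expected)

def aaa_server_handle(pkt, secret):
    """AAA server side: None means silent discard (the request did not prove
    knowledge of the shared secret); otherwise an Access-Accept or Access-Reject."""
    if not verify_message_authenticator(pkt, secret):
        return None
    ident, req_auth, attrs = pkt[1], pkt[4:20], dict(parse_attrs(pkt[20:]))
    ok = False
    if USER_NAME in attrs and USER_PASSWORD in attrs:
        try:
            given = unhide_password(attrs[USER_PASSWORD], secret, req_auth)
            ok = hmac.compare_digest(USERS.get(attrs[USER_NAME], b"\x00"), given)
        except ValueError:
            ok = False
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + req_auth + secret).digest()

def verify_response(resp, req_auth, secret):
    """NAS side: a reply is trusted only if it chains to the Request Authenticator we sent."""
    if len(resp) < 20 or struct.unpack("!H", resp[2:4])[0] != len(resp):
        return False
    expected = hashlib.md5(resp[:4] + req_auth + resp[20:] + secret).digest()
    return hmac.compare_digest(resp[4:20], expected)

if __name__ == "__main__":
    secret = b"s3cret-shared"   # constructed shared secret
    req = build_access_request(7, b"alice", b"correct horse battery", b"ap-01", secret)
    resp = aaa_server_handle(req, secret)
    print("code", resp[0], "chains to request:", verify_response(resp, req[4:20], secret))
```

Two things the code makes concrete: the password hiding is MD5-based obfuscation keyed by the shared secret, not encryption, so RADIUS between AP and server still belongs on a protected management network or inside IPsec/RadSec; and a response whose Response Authenticator does not chain to the outstanding Request Authenticator must be dropped, or anyone who can reach the NAS can inject an Access-Accept.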
In WLANs that use 802.1X Port Access Control, the wireless device plays the role of the Remote User and the AP plays the role of the Network Access Server. Once associated, the client sends an EAPOL-Start message to the AP. The AP requests the client's identity and relays it to an AAA Server inside the RADIUS Access-Request User-Name attribute. The AAA Server and client complete the authentication process by relaying RADIUS Access-Challenge and Access-Request messages through the AP. Depending upon the EAP type, messages may be carried inside an encrypted Transport Layer Security (TLS) tunnel.
If the AAA Server issues an Access-Accept message, the AP and client complete a handshake to generate the session keys used by WEP or TKIP (or CCMP in WPA2) to encrypt data. At that point, the AP unblocks the port and the client can send data to and receive data from the network. If the AAA Server issues an Access-Reject message, the AP disassociates the client. The client can try to authenticate again, but the AP prevents it from actually sending data through the AP into the network. The client can still listen to data sent by other clients; that is the nature of a network using radio waves, and it underscores the importance of encrypting data sent over the air.
Managing Nodes
SNMPv3
The Simple Network Management Protocol (SNMP) is the Internet standard protocol for managing nodes (servers, workstations, routers, switches, hubs, etc.) on an IP network. It is part of the Internet protocol suite. The Internet Engineering Task Force (IETF) recognizes SNMPv3 (STD 62) as the current standard version of SNMP as of 2004. SNMP enables network administrators to manage network performance, find and solve network problems, and plan for network growth. Unlike SNMPv1 and SNMPv2c, which authorize requests with a cleartext community string, SNMPv3 adds the User-based Security Model: per-user keyed message authentication (HMAC) and optional encryption of the management data, so that an eavesdropper on the WLAN can neither read nor forge management traffic to the APs.
SNMP is based on the manager/agent model consisting of a manager, an agent, a database of management information, managed objects and the network protocol. The manager provides the interface between the human network manager and the management system. The agent provides the interface between the manager and the physical device(s) being managed.
 
The manager and agent use a Management Information Base (MIB) and a relatively small set of commands to exchange information. The MIB is organized in a tree structure with individual variables, such as point status or description, being represented as leaves on the branches. A long numeric tag or object identifier (OID) is used to distinguish each variable uniquely in the MIB and in SNMP messages.
The MIB at the management station contains network management information extracted from the MIBs of all the managed entities in the network.  A management station gets and sets objects in the MIB, and an agent notifies the management station of significant but unsolicited events called traps. All message exchanges between the management station and its agents take place using SNMP.
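The page's SNMP text covers the manager/agent model and the MIB but not what makes version 3 different, so, as an added example that is not code from the original page, here is the key handling of the SNMPv3 User-based Security Model (RFC 3414) in Python: the password-to-key step, localization of that key to one agent's snmpEngineID, the 12-byte HMAC authentication parameter, and the security-level check. The "maplesyrup" password and the engine ID 000000000000000000000002 are the RFC's own published test vectors; the short message in the demo is a constructed stand-in for an SNMP message with its authentication parameter field zeroed, not a real BER-encoded packet.

```python
import hashlib
import hmac

ONE_MEGABYTE = 1_048_576


def usm_ku(password: bytes, algo: str = "md5") -> bytes:
    """RFC 3414 A.2: hash the password cycled out to exactly 1,048,576 bytes.
    The repetition is deliberate work to slow down offline password guessing."""
    if not password:
        raise ValueError("empty password")
    stream = (password * (ONE_MEGABYTE // len(password) + 1))[:ONE_MEGABYTE]
    return hashlib.new(algo, stream).digest()


def usm_localize(ku: bytes, engine_id: bytes, algo: str = "md5") -> bytes:
    """RFC 3414 2.6: Kul = H(Ku || snmpEngineID || Ku). Each agent therefore ends
    up with a different key, so one compromised agent does not expose the rest."""
    if not 5 <= len(engine_id) <= 32:
        raise ValueError("snmpEngineID must be 5 to 32 bytes")
    return hashlib.new(algo, ku + engine_id + ku).digest()


def usm_auth_param(kul: bytes, whole_msg: bytes, algo: str = "md5") -> bytes:
    """RFC 3414 6.3 / 7.3: HMAC over the whole message, computed with the
    msgAuthenticationParameters field set to 12 zero bytes, truncated to 96 bits."""
    return hmac.new(kul, whole_msg, algo).digest()[:12]


def usm_verify(kul: bytes, msg_with_zeroed_param: bytes, received: bytes, algo: str = "md5") -> bool:
    """Receiver side: recompute over the message with the parameter zeroed and
    compare in constant time. A mismatch is counted in usmStatsWrongDigests
    and the message is dropped, never processed."""
    return hmac.compare_digest(usm_auth_param(kul, msg_with_zeroed_param, algo), received)


def security_level(auth: bool, priv: bool) -> str:
    """msgFlags combinations. authPriv is the level to run on a production network;
    privacy without authentication is an invalid combination (RFC 3412)."""
    if priv and not auth:
        raise ValueError("privFlag set without authFlag is not allowed")
    return {(False, False): "noAuthNoPriv", (True, False): "authNoPriv",
            (True, True): "authPriv"}[(auth, priv)]


if __name__ == "__main__":
    engine_id = bytes.fromhex("000000000000000000000002")
    ku = usm_ku(b"maplesyrup", "md5")
    kul = usm_localize(ku, engine_id, "md5")
    print("Ku  ", ku.hex())    # 9faf3283884e92834ebc9847d8edd963
    print("Kul ", kul.hex())   # 526f5eed9fcce26f8964c2930787d82b
    # Constructed stand-in for a message whose auth-parameter octets are zeroed.
    msg = b"\x30\x10\x02\x01\x03" + bytes(12)
    print("auth", usm_auth_param(kul, msg).hex(), usm_verify(kul, msg, usm_auth_param(kul, msg)))
```

Because Ku is derived from the password alone, the same password on many agents still yields one Ku; it is the localization step that keeps a key recovered from one AP's configuration from opening the others, which is why managers store the password and re-localize per engine ID rather than copying Kul around.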