Controlling WLAN access on a tight budget

28 Mar 2006 | SearchSecurity.com

Wireless Security Lunchtime Learning
By Lisa Phifer

WPA and WPA2-Enterprise provide robust WLAN access control, but deploying 802.1X can be overwhelming for companies with limited IT staff and budget. From outsource to open source to preshared keys, this tip describes several less complex or costly alternatives.

Outsource 802.1X services
WPA and WPA2-Enterprise use the 802.1X port access control framework to authenticate wireless users. This framework pairs with authentication servers commonly found in corporate networks, like RADIUS servers, Windows Active Directories, RSA SecurID Authentication Managers and Certificate Authorities. Companies that do not have an authentication server and prefer not to install one can outsource this component to a service provider like McAfee or Witopia.

These providers offer managed Wi-Fi authentication services. Instead of consulting your own local RADIUS server, your APs forward 802.1X / Protected EAP messages through a TLS tunnel, across the Internet, to the provider's RADIUS server. That server validates the station's identity and password before granting or denying access to your WLAN. Usernames can be added to and removed from your account through an administrator Web portal.

These services differ in detail -- for example, McAfee uses installed client software or a guest wizard to configure 802.1X parameters, while Witopia relies on self-configuration with an illustrated how-to. McAfee configures your APs with matching WPA-Enterprise parameters, while Witopia has you configure your own APs for WPA or WPA2-Enterprise. Either way, basic setup is easy. By outsourcing 802.1X services, you can achieve "enterprise" security with little more effort than it takes to configure "personal" preshared secrets.

With any managed service, there are recurring fees. Witopia SecureMyWiFi starts at one AP and five users for $29 per year. To cover more than five APs and 20 users ($84 per year), request a price quote. McAfee Wireless Security for Small Business starts at $4.95 per month for one protected network, dropping to $3.99 for five or more networks. Trial downloads, promotions and volume discounts are usually available, so check provider Web sites for current pricing.

Roll your own 802.1X infrastructure
Some companies would rather have their own authentication server, but lack the budget to buy a commercial RADIUS product. Another option to consider is freely available RADIUS server software like FreeRADIUS or TinyPEAP. But don't kid yourself: rolling your own RADIUS server will require spare hardware, tech savvy and at least a little sweat.

To run FreeRADIUS, you'll need spare time and server hardware running Linux, FreeBSD, OpenBSD, OSF/Unix or Solaris. FreeRADIUS is released under the GNU General Public License, which means that it is free to download and install. When used as a wireless authentication server, FreeRADIUS can process EAP-MD5, EAP-SIM, EAP-TLS, EAP-TTLS, EAP-PEAP and LEAP access requests. Security policies, server configurations and user credentials are all up to you. But once you've invested the effort, you'll have a flexible RADIUS server that can be used for other purposes, like remote user VPN authentication. Advice on configuring FreeRADIUS for wireless can be found here and here.

Alternatively, TinyPEAP is a special-purpose RADIUS implementation that runs on Linksys WRT54G/GS wireless routers or Win32 systems. When TinyPEAP is installed on a compatible Linksys router, it overwrites the factory firmware, creating a router with a very small embedded RADIUS server. When TinyPEAP is installed on a Windows system, it creates a small RADIUS daemon to be consulted by nearby wireless routers. In either case, TinyPEAP supports Protected EAP authentication only, checking 802.1X requests against a local list of usernames and passwords. Although TinyPEAP is not open source, beta binaries are freely available for download.

Skip 802.1X altogether
Companies that find the whole idea of 802.1X overwhelming can use WPA or WPA2-Personal instead. These "personal" measures still represent an improvement over WEP when based on a strong preshared key (PSK).

When PSKs are too short or composed of words found in the dictionary, they can easily be guessed. An attacker simply needs to capture a few packets exchanged by a legitimate user when connecting to the WLAN, then run a dictionary attack tool like CoWPAtty. To prevent this, choose a PSK value that's at least 20 random alphanumeric characters. For best results, use a random password generator and be sure to include numbers and mixed case (e.g., T2adREfasACach64a6Us).
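The following script is an added example, not part of the original tip, showing what the advice above looks like in practice: it generates a PSK from the operating system's CSPRNG that meets the 20-character, mixed-case-plus-digits recommendation, checks a candidate PSK against those rules and against a word list, and derives the 256-bit Pairwise Master Key the way WPA/WPA2-Personal does (PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations, as specified in IEEE 802.11i). The derivation is included to make the risk concrete: the key depends only on the passphrase and the SSID, so every station that knows the passphrase holds the same key, and anyone who captures a handshake can test passphrase guesses offline, which is exactly why a dictionary word fails and why changing the PSK re-keys the whole WLAN. The tiny word list is constructed for the demonstration; a real check would use a full dictionary.

```python
import hashlib
import re
import secrets
import string

# Character set the tip recommends: letters of both cases plus digits.
ALPHABET = string.ascii_letters + string.digits
MIN_LENGTH = 20  # the tip's floor for a random alphanumeric PSK

# Constructed sample word list for the demonstration only; use a real
# dictionary (e.g. the one a cracking tool would try) in production.
WORD_LIST = {"password", "wireless", "linksys", "default", "letmein"}


def has_all_classes(psk: str) -> bool:
    """True when the PSK mixes lowercase, uppercase and digits."""
    return (any(c.islower() for c in psk)
            and any(c.isupper() for c in psk)
            and any(c.isdigit() for c in psk))


def check_psk(psk: str) -> list[str]:
    """Return the problems found with a candidate PSK; [] means it passes."""
    problems = []
    # WPA passphrases are 8 to 63 printable ASCII characters by the standard.
    if not (psk.isascii() and psk.isprintable() and 8 <= len(psk) <= 63):
        problems.append("not a valid WPA passphrase (8-63 printable ASCII)")
    if len(psk) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not has_all_classes(psk):
        problems.append("missing lowercase, uppercase or digit")
    # "Wireless2006" is still a dictionary word once the digits are stripped.
    if re.sub(r"\d+", "", psk).lower() in WORD_LIST:
        problems.append("found in the word list")
    return problems


def generate_psk(length: int = MIN_LENGTH) -> str:
    """Return a random alphanumeric PSK drawn from the OS CSPRNG.

    Redraws until all three character classes are present, so the result
    always satisfies has_all_classes(); with length >= MIN_LENGTH it also
    satisfies check_psk().
    """
    if not 8 <= length <= 63:
        raise ValueError("WPA passphrases must be 8 to 63 characters")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(candidate):
            return candidate


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the WPA/WPA2-Personal PMK: PBKDF2-HMAC-SHA1, 4096 rounds, 32 bytes.

    Only the passphrase and SSID go in, so the PMK is shared by everyone who
    knows the passphrase and changes completely when the passphrase changes.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


if __name__ == "__main__":
    psk = generate_psk()
    print("generated PSK:", psk, "->", check_psk(psk) or "passes")
    # The last sample is the tip's own example value.
    for sample in ("linksys", "Wireless2006", "T2adREfasACach64a6Us"):
        print(f"{sample!r}: {check_psk(sample) or 'passes'}")
    print("PMK for passphrase 'password' on SSID 'IEEE':",
          derive_pmk("password", "IEEE").hex())
```

The `derive_pmk` output for passphrase `password` and SSID `IEEE` matches the published IEEE 802.11i test vector, which is a quick way to confirm the derivation is right before using it to compare a configured key against an access point's expectations.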

No matter how random or long your PSK might be, every user connected to your WLAN must know that value or have it configured into their system. A configured password makes life easier, because users don't have to remember or correctly type a long random string. But that configured password will be compromised if someone loses a laptop or leaves it unattended. On the other hand, prompting for PSKs increases the chance that users will give them to guests, write them down on sticky notes or otherwise disclose the entire WLAN's password.

Updating your WLAN's PSK at regular intervals can help to reduce risk, but ultimately group passwords can only take you so far. If your company is really concerned about keeping outsiders off your WLAN -- or knowing who is using your WLAN at any point in time -- then upgrade to WPA or WPA2-Enterprise.
