Securing Wireless Applications in the Enterprise


Introduction

The Mobile Reference Application demonstrates that, while solutions evolve for wireless security, interim measures can improve the near-term outlook.

Wireless LANs have grown rapidly in popularity since the IEEE 802.11 standard was finalized. With the increased number of mobile smart devices, new processor technologies have evolved, such as Intel® Centrino® mobile technology, that bring faster processing and better longevity to notebook and tablet PCs.

With advances in wireless technology, such as the IEEE 802.11g standard, the number of Wireless LANs and wireless connected devices will continue to grow. As with all networks, security is a concern, and wireless LANs present their own special security challenges.

Mobile Reference Application is built around a real estate agent scenario as a distributed application, comprised of SQL Server* databases, Web services, and a Windows Forms* client user interface. The client interface provides a console through which a real estate agent can work with property listings.

Mobile Reference Application is meant to be used either in the office or in the field. As a result, it is optimized to utilize wireless 802.11 technology and to respond intelligently as the network connection goes on and off line.

To get the most from this article, it is strongly recommended that you first read "Mobile Reference Model: Tour of the Application", which will walk you through downloading and installing the Mobile Reference Application. In addition, you will be given a tour of the application, which will make you familiar with its operation and construction.

Once you are familiar with Mobile Reference Application, this article will increase your understanding of the wireless access and security upon which the application is based.


Wireless LANs Present Unique Security Issues

Because wireless LANs have no wires, physical security is particularly problematic. This creates many security issues specific to wireless networks, including the following:

    • Unauthorized Network Access. An individual with a wireless network card or device could potentially access sensitive resources through a wireless network.
    • Unauthorized Internet Access. An individual with a wireless network card or device might also "piggy-back" on a wireless network connection to access the Internet, either to surf, or perhaps to engage in malicious behavior.
    • Privacy of Data. Since there are no wires, data transmitted over a wireless network can be intercepted. E-mails, project reports, personal messages, private human resource data, and financial data are, in most environments, transmitted in exactly the same way, and they can literally be captured right out of the air unless protected.

The 802.11 standard provided some responses to these issues. As you will see, the security initially defined in the 802.11 standard did not live up to its design goal. In response, governing bodies such as the IEEE and Internet Engineering Task Force (IETF), as well as industry leading manufacturers such as Intel, have contributed to the development of new wireless security technologies to provide better security going forward.


Original Wireless LAN Security Measures Were Problematic

Since there are no wires that need to be plugged in, anyone with a wireless LAN card could potentially use your wireless network without your knowledge or consent. Authentication addresses this security issue by forcing users to identify themselves and to confirm authorization before they are allowed to access resources over a wireless LAN.

Early 802.11 authentication used simple and well-known technologies such as clear-text user names and passwords or digital certificates, but systems often had limitations that made them vulnerable to attack or made them difficult to use. New technologies have been developed specifically to address these limitations and to provide simpler configuration and better integration with network operating systems, software, and devices.

Wireless access points often include a simple security mechanism that allows administrators to create a list of allowed network clients based on the MAC address of the wireless network adapter. In this case, in order to access the wireless network, a client computer would need a network card with a MAC address that had been explicitly allowed. A user without an approved card would not have access to the network. In a network with thousands of clients, however, this solution isn't feasible.


Wired Equivalent Privacy (WEP) is a Solution in Need of Robustness

The IEEE 802.11 standard defines the use of Wired Equivalent Privacy (WEP), which relies on pre-shared keys for access control and privacy. One to four keys (40 to 152 bits in length) are configured on wireless access points (WAPs). In order to use the access points (and the wireless network), the client has to be configured with one of the valid keys, hence the term 'pre-shared keys.'

Clients must have the correct keys configured in the properties for their wireless network card before they can gain access to the wireless network. The keys are indexed, and when encrypted data is transmitted, the index is referenced, indicating which key should be used by the receiving device to decrypt it.

WEP sounds simple and secure enough, but the solution has many drawbacks. First, manually administering lengthy hexadecimal security keys on multiple network devices and client computers is time-consuming, and, once again, not feasible on large networks.




In fact, WEP is not really a mobile solution, and wireless LANs are meant for mobile users. If users travel from one wireless LAN to another, they will need to contact a network administrator and to obtain keys in order to use the wireless LAN at the new location. A similar problem arose as notebook computers became more popular and the concept of the roaming user, traveling from office to office across a corporate internetwork, became a reality.

Static IP address assignments were phased out in favor of automated IP address assignments through DHCP. Unfortunately, the 802.11 standard did not define a key-management protocol, and therefore no automated way to securely distribute keys is available. Support personnel or end-users typically manually entered WEP keys.[1]



As you can see, WEP keys are similar to passwords, except they are lengthy hexadecimal numbers, which makes them more difficult to remember. People tend to write them down so they can remember how to get access to their wireless networks, which is a security problem.

WEP has other security problems, as well. It uses RC4 encryption, which is a stream cipher that is not strong enough in today's world. Studies have proven that keys can be compromised by analyzing captured packets. Additionally, the same keys are continually reused. There is no facility in WEP to regenerate, reassign, or change keys.

This means that if someone does compromise a key, the attack is likely to be successful, since the keys are long-lived. Finally, there are no per-user or per-session keys available in WEP. An excellent resource on this topic is the white paper, "802.11 Key Management Series Part 1: Key Management for WEP and TKIP."
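
Why a long-lived, reused key is a problem for a stream cipher such as RC4, shown as an added example that is not part of the original article. It assumes WEP's per-frame RC4 key is a 24-bit IV followed by the shared key (a detail the article does not cover), omits the integrity check value, and uses constructed keys and plaintexts.

```python
def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling, then XOR the data with the keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(iv: bytes, shared_key: bytes, plaintext: bytes) -> bytes:
    """Simplified WEP body encryption: RC4 keyed with IV || shared key (no ICV)."""
    if len(iv) != 3:
        raise ValueError("WEP uses a 24-bit IV")
    return rc4(iv + shared_key, plaintext)


def keystream_cancels(c1: bytes, c2: bytes, p1: bytes, p2: bytes) -> bool:
    """True when c1 XOR c2 equals p1 XOR p2: both frames used one keystream."""
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)


def demo():
    # Constructed sample values, not taken from any real network.
    shared_key = bytes.fromhex("0102030405")        # 40-bit pre-shared key
    p1 = b"listing 1042: price 310000"
    p2 = b"listing 2207: price 455000"
    iv = b"\x00\x00\x01"
    # Static key and a repeated IV: one keystream protects both frames,
    # so the key drops out of the XOR of the two ciphertexts.
    reused = keystream_cancels(wep_encrypt(iv, shared_key, p1),
                               wep_encrypt(iv, shared_key, p2), p1, p2)
    # A different key per frame (the aim of per-packet key mixing) breaks that link.
    fresh = keystream_cancels(rc4(b"frame-key-A", p1), rc4(b"frame-key-B", p2), p1, p2)
    return reused, fresh


if __name__ == "__main__":
    print("keystream shared (reused key/IV, fresh keys):", demo())
```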

 

[1] It is also possible to configure WEP keys in the ROM of some wireless network adaptors. Since these keys must also be manually configured, this solution is not very scalable.


The 802.1X Standard Provides Stronger Authentication Measures

Standards bodies such as the IEEE worked closely with Intel and other key industry companies to develop the 802.1X standard as a means to address the limitations of WEP. The 802.1X standard defines port-based network-access control for 802.11 networks. 802.1X provides authentication and key management for wireless stations.

The 802.1X authentication structure is made up of three components: an authenticator (access point), a supplicant (wireless client), and an authentication server, which is typically a Remote Authentication Dial-In User Service (RADIUS) server.[2]

An 802.1X access point (authenticator) controls access to network resources by using controlled and uncontrolled ports. The controlled port accesses the entire wireless LAN, and it is only available to authenticated clients. The uncontrolled port is available to unauthenticated clients (supplicants) and is used to allow those clients to communicate with the authentication server.

The client uses Extensible Authentication Protocol over LAN (EAPOL) to communicate with the authentication server. Once authenticated, the client will have access to the controlled port, and therefore, to the resources available on the wireless LAN.

A typical exchange might look like the following:

    • The client/supplicant attempts to connect to the access point/authenticator.
    • The access point sends an EAP Request/Identity message to the client.
    • The client sends an EAP Response/Identity with a request to authenticate.
    • The access point forwards this information to the authentication server.
    • The authentication server responds directly to the client with an EAP Request that contains a password challenge.
    • The client responds to the challenge.
    • If authentication is successful, the authentication server sends an EAP Success message to the client.
    • The access point uses the EAP Success message to authorize the client to use the controlled port.
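
The exchange above and the controlled/uncontrolled port split, modelled as an added example that is not part of the original article or the Mobile Reference Application. The class names, message labels and HMAC-SHA256 challenge response are assumptions made for illustration, the access point relays each message in this model, and the credentials are constructed.

```python
import hashlib
import hmac
import os


class AuthServer:
    """Stand-in for the authentication (for example RADIUS) server."""
    def __init__(self, users):
        self.users, self.pending = users, {}      # identity -> shared secret

    def challenge(self, identity):
        self.pending[identity] = os.urandom(16)
        return self.pending[identity]

    def verify(self, identity, response):
        nonce = self.pending.pop(identity, None)  # each challenge is single-use
        secret = self.users.get(identity)
        if nonce is None or secret is None or response is None:
            return False
        expected = hmac.new(secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class AccessPoint:
    """Authenticator: EAPOL uses the uncontrolled port, all else the controlled port."""
    def __init__(self, server):
        self.server, self.authorized = server, set()

    def data_frame(self, mac):
        return "forwarded" if mac in self.authorized else "dropped"

    def eapol(self, mac, msg, identity, response=None):
        if msg == "Start":
            return "EAP-Request/Identity", None
        if msg == "Response/Identity":
            return "EAP-Request/Challenge", self.server.challenge(identity)
        if msg == "Response/Challenge" and self.server.verify(identity, response):
            self.authorized.add(mac)              # EAP Success opens the controlled port
            return "EAP-Success", None
        self.authorized.discard(mac)
        return "EAP-Failure", None


def supplicant_login(ap, mac, identity, password):
    """Run the exchange from the client side; return the messages the AP sent."""
    seen = [ap.eapol(mac, "Start", identity)[0]]
    kind, nonce = ap.eapol(mac, "Response/Identity", identity)
    seen.append(kind)
    answer = hmac.new(password, nonce, hashlib.sha256).digest()
    seen.append(ap.eapol(mac, "Response/Challenge", identity, answer)[0])
    return seen
```

Until `supplicant_login` ends in `EAP-Success`, `data_frame` for that MAC address returns `dropped`; only EAPOL messages are handled.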

802.1X provides improved data privacy by addressing the vulnerabilities in WEP. In 802.1X, the Temporal Key Integration Protocol (TKIP, pronounced "Tee-Kip") provides added protection for data.

 

[2] The 802.1X standard does not specifically restrict authentication to RADIUS servers; other authentication servers may be used. RADIUS is a typical example of an authentication server.


Temporal Key Integration Protocol (TKIP) Addresses WEP Weaknesses

The IEEE 802.11 Task Group i (TGi) was created to deal with the immediate need for better security than WEP in 802.11. The 802.11i draft standard supports an entirely new encryption standard, and it addresses the existing problems using TKIP. TKIP is designed to work on existing infrastructure, meaning you can implement it without replacing all of your wireless access points and network adapters.

TKIP addresses current weaknesses in WEP by doing the following:

    • It uses a new checksum algorithm named "Michael" to defeat forged packets.
    • It uses new sequencing rules to protect against replay attacks.
    • It provides per-packet key mixing with protected keys, and it allows keys to be used safely for a longer period before repeated use compromises security.
    • It provides a re-keying mechanism that provides fresh keys periodically, reducing the threat of attack from key reuse (called collision attacks).
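
How the integrity check, the sequencing rule and re-keying work together on the receiving side, as an added example that is not part of the original article. It is a simplified model rather than the TKIP frame format: truncated HMAC-SHA256 stands in for Michael, the 48-bit counter is carried in the clear, and all names and keys are constructed for illustration.

```python
import hashlib
import hmac

MIC_LEN = 8  # Michael yields a 64-bit MIC; truncated HMAC-SHA256 is a stand-in here


def protect(key: bytes, counter: int, payload: bytes):
    """Sender side: bind the payload and its sequence counter under the current key."""
    data = counter.to_bytes(6, "big") + payload
    mic = hmac.new(key, data, hashlib.sha256).digest()[:MIC_LEN]
    return counter, payload, mic


class Receiver:
    def __init__(self, key: bytes, rekey_after: int):
        self.key, self.rekey_after = key, rekey_after
        self.last_counter, self.accepted = -1, 0

    def accept(self, frame) -> str:
        counter, payload, mic = frame
        # Sequencing rule: the counter must move forward, so a captured
        # frame that is sent again is rejected even though its MIC is valid.
        if counter <= self.last_counter:
            return "replay"
        # Integrity check: a frame whose contents were altered has a MIC that
        # no longer matches what the key holder would compute.
        expected = protect(self.key, counter, payload)[2]
        if not hmac.compare_digest(expected, mic):
            return "bad-mic"
        self.last_counter, self.accepted = counter, self.accepted + 1
        return "ok"

    @property
    def needs_rekey(self) -> bool:
        """Signal that a fresh key is due after a set number of frames."""
        return self.accepted >= self.rekey_after

    def rekey(self, new_key: bytes) -> None:
        """Install a fresh key; counters restart and old-key frames stop verifying."""
        self.key, self.last_counter, self.accepted = new_key, -1, 0
```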

For more information on TKIP, see the white paper "802.11 Security Series Part 2: The Temporal Key Integrity Protocol (TKIP)." TKIP does what it was intended to do; it fixes the security vulnerabilities in WEP, and it works on existing infrastructure. Nevertheless, TKIP still provides weak security. The next generation of wireless security will not be constrained by the limitations of current wireless network devices.


The Future of Wireless Security will Include AES

WEP, and subsequently TKIP, which can be thought of as a patch for WEP, are interim solutions at best. Neither WEP nor TKIP is flexible or robust enough for the environment it attempts to secure.

When security technologies are moved out of the environment for which they were originally designed, they are often not suitable for the new environment. A single padlock is a good security solution for the gate guarding a seldom-accessed corporate archive room in a headquarters basement. You would not want to put that same padlock on the front gate of the corporate office.

The 802.11i draft standard proposes moving to the Advanced Encryption Standard (AES) for wireless LAN encryption. AES was adopted as the Federal Government encryption standard in November, 2001 (FIPS-197) to replace the Data Encryption Standard (DES). There are currently two proposals for how to use AES in wireless LAN security. More information about this topic is available in the white paper, "802.11 Security Series Part 3: AES-based Encapsulations of 802.11 Data."

The new encryption standard that comes from 802.11i will likely be a true, long-term solution for wireless LANs. The 802.11i standard is expected to be completed by the end of 2003. AES will require new wireless LAN hardware.


Strategies for Securing Wireless Applications

Now that you have an understanding of issues related to securing wireless LANs, it is worthwhile to review what you can do currently to secure your wireless clients and applications.

Many common security holes in wireless LANs can be easily fixed in a few minutes. Listed below are some of the most common security vulnerabilities found in wireless LANs and their solutions:

    • Not changing the SSID. The Service Set Identifier or SSID is a 32-character unique name attached to the header of packets sent over a wireless LAN. Essentially, the SSID is the name of the wireless network the client connects to. All access points and clients have to be configured with the correct SSID before they can communicate. All WLAN network devices ship with default SSIDs, which network administrators should change to something unique. The SSID does not provide security and can be sniffed out with a wireless protocol analyzer, but you should still change the SSID to prevent interference from devices using their default settings.
    • Not enabling WEP. For all of its flaws, WEP still provides security. Enable WEP, and use the strongest keys allowed on your hardware.
    • Failing to change keys regularly. Remember that one of the key weaknesses in WEP is the way in which it encrypts data, repeatedly using the same keys for that encryption. Administrators of wireless networks should change keys regularly. While this means that administrators must reconfigure all access points and clients, it is the price one should be willing to pay for security. The security requirements for your environment should govern how frequently you change keys.
    • Not securing shares and folders with permissions: If an attacker does gain access to your wireless LAN, be sure your stored data is not compromised. Always use file and share permissions to restrict access to network resources.
    • Failing to change the administrator password. Wireless access points have administrative IDs and passwords (often blank by default) that allow administrators to configure security options such as enabling WEP and setting WEP keys. It is not difficult for intruders to find or guess the default password for the administrative account, so change it to something secure.
    • Not using VPNs for highly sensitive data. VPNs are more secure than wireless LANs. Require that sensitive data be accessed through a VPN.


Conclusion

Wireless LAN security standards are still evolving. The initial security features advocated in the 802.11 standard were not well implemented or tested for wireless LANs. WEP is vulnerable to many types of attacks and is inherently weak because of the way it performs encryption.

Task Group i has developed the 802.11i standard, which should be finalized in 2003. It includes TKIP, which addresses the best-known vulnerabilities of WEP, and it works on existing hardware. The 802.11i standard will also address the future of wireless LAN security and provide a standard for how to use AES to secure wireless LANs.


Source Code and the Rest of this Series

This tutorial is part of a series of tutorials and articles from Intel® Developer Services that demonstrates the principles of cross-platform application development for Occasionally Connected Computing. The series uses Mobile Reference Application to support the business needs of a hypothetical real-estate agent as she works in a single, unified data space from her desktop PC, her laptop, and her PDA, both online and off. The source code for the reference application is freely available for download (follow the link above).


Additional Resources

Intel, the world's largest chipmaker, also provides an array of value-added products and information to software developers:

  • Intel® Software Partner Home provides software vendors with Intel's latest technologies, helping member companies to improve product lines and grow market share.
  • Intel® Developer Zone offers free articles and training to help software developers maximize code performance and minimize time and effort.
  • Intel® Software Development Products include Compilers, Performance Analyzers, Performance Libraries and Threading Tools.
  • IT@Intel, through a series of white papers, case studies, and other materials, describes the lessons it has learned in identifying, evaluating, and deploying new technologies.
