Why You Need a Robust Security Network

Wireless networks have become the norm for groups as diverse as road warriors, freedom fighters, and soccer moms; all of whom need to stay in touch from their mobile devices while away from their main work stations.  Many of the savviest users of cellular technology are beginning to include firewalls, spam filters and anti-virus (A/V) software to protect these devices, just as they would their main computer.  However, others have not yet realized that the same kinds of protections need to be employed on their digital devices as on their computers.  Even so, the security of the device itself is not the only consideration. The wireless network needs to be secure as well.  Unfortunately, the wireless link is sometimes where these users are most vulnerable to intrusions.

As most users of mobile devices know, there are several options for wireless access from a phone.  This article only deals with the wireless access that is popularly known as ‘hot spot’ access.  I’ll cover the vulnerabilities of other wireless protocols in a subsequent article.

The most common standard for local area networks (LANs) is the Institute of Electrical and Electronics Engineers (IEEE) 802.11 standard.  Over the past decade numerous security flaws of its various versions (i.e., b, g, n, etc…) have been identified (Perez, 2004). This article will describe in non-technical terms why companies and home network administrators should upgrade their wireless LANs to a standard that is based on the robust security network (RSN) model.

In keeping with the sustainability & globalization theme of this website, these recommendations are aimed at all computer users and network administrators that seek to secure their networks against cyber intrusions. [Note to readers:  If your eyes glaze over when reading technical information, I recommend jumping to the final section and just reading the final recommendations. ]

The CIA Triad

In order for a wireless network to be secure against intrusion it is necessary to ensure that the data meet certain standards of confidentiality (C), integrity (I) and authenticity (A).  This is sometimes known as the CIA triad.

This is a framework used in information security management that encompasses the physical, logical (i.e., data structure) and organizational frameworks for a company.  It originally emerged from the Organization for Economic Cooperation and Development’s (OECD) Guidelines for the Security of Information Systems and Networks. It has evolved over the years to include a more robust definition known as the Parkerian Hexad (Parker, 2002).

Now the security professionals evaluate:

• Confidentiality – limits on who gets what information
• Possession or Control – holder of confidential information
• Integrity – correct form of original intent of the information
• Authenticity – verifiability of the claim of origin of the information
• Availability – timely access to information
• Utility – Usefulness of information.

Parker characterized these as ‘atomic’ principles because they cannot be broken down any further.  In defining these atomic principles he extended the CIA triad to include these six tests.  To pass the tests, the core technology used by the network has to ensure all of these factors can be met.  Earlier versions of the 802.11 protocol do not pass these tests.

Flaws in the Wireless Standard

Unfortunately for many users around the world that have been subjected to data and security breaches from vulnerabilities in wireless networks, the core 802.11 standard has 3 fatal flaws (Harris, 2010):

• No user authentication
• No mutual authentication between the wireless device and the access point
• A flawed encryption protocol.

Fortunately, there is one 3G standard that was designed specifically by the IEEE working group to address these flaws in previous versions that did not meet a Parkerian Hexad test.  This is the 802.11i standard.

The 3G Fix: 802.11i

To address the three types of flaws inherent in earlier releases of the 802.11 standard the IEEE working group had to consider both 1) how to harden the existing WLAN implementations by improving the effectiveness of the Wired Equivalent Privacy (WEP) protocol and maintaining backward compatibility, and 2) how to design an approach that worked at both the session and the network layer of the Open Systems Interconnection (OSI) reference model.  These layers correlate to the application and Internet layers of the Transport Control Protocol/Internet Protocol (TCP/IP) model. To accomplish this they took a two-track approach.

First, for addressing the issue of backward compatibility, they added the Temporal Key Integrity Protocol (TKIP).   This works with the original WEP to prevent packet sniffing and en route modifications due to weak encryption.  TKIP generates random values used in the encryption process.  This makes deciphering much more difficult for hackers.

Second, they used an entirely new encryption algorithm, the Advanced Encryption Standard (AES).  It uses the Cipher Block Chaining (CBC) mode of AES in conjunction with the Message Authorization Code (MAC).  This configuration is referred to as the CCMP. A detailed technical description of these methods is beyond the scope of this article, but readers who are interested in learning about them are encouraged to do further online research.

On top of these two encryption protocol options sit a new port-based access control standard known as 802.1X.  This allows for user authentication. The previous WEP only provided for system authentication.  In addition to this authentication framework, it also provides for a method to dynamically distribute encryption keys, making it even harder to decode.  An authentication server (usually a RADIUS server), an authenticator (an access point), and a supplicant (a wireless device) must all complete successfully before any communication to and from the wireless device can occur. This constitutes an access control step for the user that is not present in any of the other 802.11 standards.

To address the issue of mutual authentication between a server and a wireless device the 802.1X standard uses the Extensible Authentication Protocol (EAP).  This provides a high level of flexibility for the wide variety of devices that may be found on any network.  Different devices work at different layers of the OSI and TCP/IP models.  For example, Cisco products use a password authentication protocol called the Lightweight Extensible Authentication Protocol (LEAP).  In contrast, Microsoft and other vendors use EAP combined with Transport Layer Security (TLS). One important step in deploying the EAP-TLS approach is that digital certificates must be installed on each device on the network.

Finally, let us address the issue of the flawed encryption protocol used in the original implementations of the 802.11 standard.  Previous releases used the WEP protocol, based on the RC4 encryption algorithm.  RC4 is a symmetric, stream cipher with a variable key size used in the secure socket layer (SSL) protocol.  It was developed in 1987 by Ron Rivest of RSA Data Security.  Unfortunately for users, the source code has since been posted on a mailing list and, hence is easy to decipher by crackers.  According to Harris, “the encryption protocol allows for specific bits to be modified without the receiver recognizing it, and the different encryption components (key and initialization vectors) do not provide enough randomness to the encryption process” (2010). In 802.11i the WEP was replaced with a much stronger cipher, the AES, as noted above.

After the standard was approved in July, 2004, the Wi-Fi Alliance expanded its Wi-Fi Protected Access (WPA) standard to incorporate 802.11i.  This is known as WPA2.

Networks that include a WLAN component that have been upgraded to 802.11i (i.e., WPA2) address each of these Parkerian Hexad issues and hence are characterized as Robust Security Networks (RSNs).

Vendor Products

In September 2004 the Wi-Fi Alliance announced that six manufacturers had been certified for WPA2 products.  Four of these are: Atheros, Broadcom, Intel and Realtek. These manufacturers of modem chips provide the majority of resources for the rest of the vendors creating devices for RSNs (Snyder & Thayer, 2004).

Road warriors that implement the WPA2 at your home work stations can rest assured if you upgrade to the RSN.  This does not, however, address the vulnerabilities you might encounter while on the road.  When connecting to a network on the road, it is always prudent to establish what the standard is. If there is any question about the security of the network you are connecting to, and your information is business sensitive, don’t connect.  Find another network.

If you are purchasing a wireless router for setting up your own home or business wireless network, make sure that it can be configured for the WPA2 (or 802.11i) standard.  If you do not feel confident enough to do it yourself, hire someone to come in and install it for you.

You’ll be glad you did.

_________________________________________________

References:

Harris, S. (2010). CISSP Exam Guide. New York, NY: McGraw-Hill.

Parker, D. (2002). Toward a New Framework for Information Security. In S. Bosworth, & M. E. Kabay, The Computer Security Handbook (4th ed.). New York, NY: John Wiley & Sons. ISBN 0471412589.

Perez, E. (2004). 802.11: How we got here and where we are headed. Bethesda, MD: SANS Institute.

Snyder, J., & Thayer, R. (2004, October 4). Clear Choice Tests. Retrieved December 14, 2011, from Network World.com: http://www.networkworld.com/reviews/2004/1004wireless80211i.html

Read more at SedonaCyberLink