Basic Enterprise Mobility – Strategy

Extending the enterprise’s wired LAN to wireless is one of the more straightforward tasks from a network design perspective, but the authentication piece for the Wireless LAN needs to be strictly controlled.  Fortunately, wireless can benefit from the widespread deployment of another technology in the enterprise world – centralized authentication servers.

Many enterprise environments utilize a centralized authentication system to manage their user accounts, with Microsoft Active Directory being one of the most common.  This system can also be leveraged to provide authentication to the Wireless LAN.  Active Directory can serve as an 802.1X authenticator, allowing the wireless network to use EAP technology to authenticate users.  The two EAP methods most worthy of consideration in a WLAN environment are EAP-TLS, and PEAP.

EAP-TLS provides full mutual authentication, using a public key infrastructure to create and manage certificates for both client devices and the authenticating server.  In practice, it will allow users to seamlessly authenticate to the wireless network, because the certificate exchange occurs behind the scenes.  In an Active Directory environment, the certificates used in authentication can be deployed remotely by the Domain Controllers.  This works especially well with laptop users, but can be a challenge with mobile devices that do not have a wired connection to the network.  Certificates can be pushed to mobile devices in several ways, such as by use of a dedicated management WLAN or physical installation via memory cards or barcode scanning, but in a large environment with many mobile devices, it may be wise to look into alternatives.

Fortunately, a worthy alternative to EAP-TLS exists with PEAP authentication.  PEAP provides for similar levels of security to EAP-TLS, but does not rely on client certificates to authenticate devices to the network.  Instead, PEAP uses a more traditional username & password combination.  These credentials can be integrated with an Active Directory environment, allowing administrators granular control over what users get access to the WLAN.  PEAP also mitigates the potentially expensive maintenance cost of managing certificates on mobile devices.

EAP-TLS and PEAP, combined with WPA2-AES, provide the strongest authentication and encryption solutions available in WLAN, and as such should be used to protect any critical data traveling over the network.  While integration with Active Directory is not mandatory, because many organizations have such an environment already deployed, extending its use to cover WLAN authentication is an attractive option.  If your organization does not have a centralized authentication system in place already, the deployment of a WLAN can be a strong motivation to do so.  Several free alternatives to Active Directory also exist, such as FreeRADIUS.  Some enterprise-grade WLAN infrastructure also provides the ability to generate and manage certificates using an internal server hosted on the access point.  Given the easy integration with common authentication systems, and the availability of free alternatives, there really is no reason not to deploy a centralized authentication solution to secure your enterprise WLAN.

Pre-Shared Keys – also known as “Personal” authentication – are generally not appropriate for enterprise environments.  WPA2-AES using pre-shared keys does not have any documented vulnerabilities, but any PSK solution relies on sharing authentication credentials between multiple users and devices.  This can affect the integrity of the network, and doesn’t provide any traceability to activities of users on the network.  It should be avoided in a mission-critical environment.

Depending on the size and business needs of the enterprise, a WLAN can be used in a few different ways:

Basic Mobility – the most common use of WLAN is simply to extend the existing wired LAN to wireless users.  This can have a very positive impact on productivity, allowing users more flexibility throughout the workspace.

Segmented Mobile Data - this type of WLAN is one where the network is dedicated to use of a specific type of data that is segmented from the main enterprise network.  Typical use cases here are in hospitals or retail stores, where compliance regulations provide strict guidance on data protection and segmentation.

Guest Internet Access – common in cafes and large businesses, this type of WLAN typically provides only internet access and is entirely segmented from the enterprise wired LAN.

Wired LAN Replacement - this type of network is becoming a feasible alternative to the hassle of running cable, and will likely continue to grow in popularity as time goes by

These use cases can blend together in any number of ways.  A well thought-out design at the beginning, along with the right hardware planning, can accomidate these uses and even more.

General Strategy

Like other networking strategies, the use of proper segmentation at the Layer 2 level is critical when designing a WLAN.  Your most critical data flows should have their own segment, protected by methods like VLAN segmentation, firewalling, private IP spaces, and routing tables.  Regardless of the authentication and encryption method used for the WLAN itself, properly designing its location within the enterprise wired LAN is critical.

Data encryption in 802.11 is accomplished by a combination of the authentication type with an underlying encryption method.  Use of WPA2-AES encryption should be considered mandatory in any new WLAN deployment.  This encryption technology has no documented vulnerabilities and widespread hardware and software support.  If your enterprise has devices that do not support WPA2-AES, strongly consider replacing them.  When designing a network, its security should not be determined by the weakest link.  Unless there is a business case for doing something otherwise, use the strongest encryption and authentication methods available.

My next post will get into some specifics about these different use cases!

Some History

I will not go into the history of the 802.11 standard in too much detail here, although there are a couple of important points to recognize when thinking about how to deploy a WLAN in your business.  The most important thing to know is this – many of the WLAN security technologies that were being used in deployment until three or four years ago are vulnerable to several well-known attacks.  If your business has a WLAN that has “just been working” for a while – it should probably get some attention.

To elaborate on this a bit further, the most common Wireless LAN encryption method used until late 2003, WEP, has been subject to some very public weaknesses, almost since its inception.  Its temporary replacement, WPA-TKIP, has similar (although not as dramatic) weaknesses, that have been public since at least 2008.

Adding insult to these platform-common weaknesses, some of the alternate, “more secure” based authentication methods advised by vendors have also been picked apart and had their vulnerabilities shown to the world.  I’m looking at you, LEAP.

To sum it up briefly – many networks that people thought were secure in 2003 or 2004 are definitely not secure today.  And unfortunately, WLAN sometimes is treated like a part of the physical infrastructure – if it ain’t broke, don’t fix it!

Current Tech

Fortunately, 802.11 is really starting to come into its own lately, and can be an extremely secure – in some ways more secure – piece of critical infrastructure.  The extremely solid (and so far unbroken) WPA2-AES encryption standard defined by 802.11i has had widespread vendor support since 2007.  And certificate-based authentication methods such as EAP-TLS, PEAP, and EAP-TTLS have similarly experienced a growth in support, among not just desktop OS platforms, but mobile operating systems as well.  And Wireless Intrusion Detection Systems are hitting their stride, ranging from several robust and effective professional solutions from vendors like AirTight, Cisco, and Motorola, to fantastic open-source applications like Kismet.  And robust infrastructure management software is now making the administration of Wireless LANs more simple and effective.

In short, today it is possible to deploy a WLAN that will meet all the use cases an enterprise can throw at it, and that is as secure as a typical wired LAN infrastructure.

In the next post, I’ll cover typical enterprise WLAN use cases, and the strategies for designing and securing them.

I recently had the opportunity to speak with a WLAN network administrator and we briefly discussed the merits of using an integrated RADIUS server on APs vs using an external RADIUS server for authentication. After thinking about it for a few days, I realized that relying solely on the integrated RADIUS server for wireless authentication is rarely a good idea.

• Integrated RADIUS servers on APs are typically minimal servers that are designed to serve a small number of clients. If the WLAN network grows in size, the number of users that will need to be configured could easily exceed the limits of the integrated RADIUS servers.
• Some integrated RADIUS servers do not offer support for accounting services. This can be either a non-issue or a serious disadvantage depending on the purpose of the WLAN.
• Integrated RADIUS servers typically use proprietary local database engines/management interfaces to administer the user database, which makes it difficult to do certain operations like import/export user databases between APs or switch to APs from a different vendor.
• Standalone RADIUS servers offer advanced capabilities such as integrating with LDAP or Exchange servers to provide single sign-on capabilities. Integrated RADIUS servers in APs don’t have such capabilities due to the complexities and necessary protocol support required to interact with other authentication servers.
• Integrated RADIUS servers can only support the EAP methods that are built into it, restricting the set of EAP methods that can be used in the WLAN. Standalone RADIUS servers can typically support a much larger number of EAP methods and therefore provide the WLAN administrator with a great deal of flexibility. Note that APs which are acting only as a NAS are only relaying EAP messages between clients and the RADIUS server and therefore don’t need to have support for the different EAP types built-in.

However, even with all of the advantages a standalone RADIUS server offers over an integrated RADIUS server, there are some compelling advantages of the integrated solution: the integrated server is likely only to fail when the AP itself physically fails, the authentication sequence may be slightly faster since there is no extra hop between the AP and a RADIUS server, and of course it doesn’t require any additional capital expense for your network. In short, the decision between a integrated and standalone server solution should carefully consider short term and long term costs/network growth as well as flexibility in supporting both existing and future requirements of the network.

BUT making things more interesting- this was an “optional” update with XP SP2, until it was finally rolled into XP SP3.  There is a hotfix for XP SP2 machines in order to support WPA2 – KB 893357.

WPA2/AES didnt’ really become widely implemented until 2006, but it was in the 802.11i spec that introduced WPA in 2004.  For a major vendor like MS to not implement it is pretty crazy.  But then again I, as a wireless security professional, didn’t setup a WPA2/AES network in my home until last month.  So maybe they were onto something.

Anyways, if you’re using XPSP2 and a WPA2 network – you need the hotfix, or XPSP3+.  Good luck out there!  I really recommend moving to WPA2/AES, especially considering the improvements in the Nvidia CUDA drivers that are allowing TKIP to be broken in an increasingly short amount of time.

WifiScan – a great wireless discovery application for the platform.  It’s a powerful wireless audit tool that will log all of the discovered networks in range, and plot them to a KML file for visualization in Google Earth.  This application records information such as BSSID, Channel, Security Type, SSID, etc.  Tremendously useful for a discrete wireless network audit!

PortScandroid – a very basic port scanning application for the platform.  It’s not terribly useful for use over the cellular data network due to the filtering applied by T-Mobile, but when using 802.11, it gets the job done.  Doesn’t do any correlation of services to ports, but it performs the basic functions.

ConnectBot – this is a full-functioned SSH client for the platform.  Handy.

androidVNC – a VNC viewer for the Android platform that’s been forked from the tightVNC viewer development project.  Also a handy tool.  This is still in the beta phases and hasn’t been added to the Market yet, but it’s downloadable from the project page.  Easiest way to install it is to navigate to the project page within the phone’s browser and just download the APK package.

I am going to conduct a WarDriving contest between my little Android and a full-fledged laptop running Kismet and an external Wifi antenna to see how the signal discovery compares, but initial tests show the G1 to have a pretty remarkable Wifi range.  I’ll post a followup after I conduct the test.

The Android platform is showing a lot of promise, and for use on a pen-test, these tools could prove to be useful additions to your arsenal – and are certainly more discrete than using a laptop with a big ol’ antenna!

Thanks syn for inspiring me to investigate this – his post about the iPhone wireless toolkit made me wish we had these tools on the Android, and lo-and-behold – we do!