Aruba proposes solution to potential wireless security breach

WAYNE, N.J. -- Wireless LAN (WLAN) access point developer Aruba Networks will provide recommendations to the International Engineering Task Force (IETF) Monday (August 2) for preventing a potential Radius server problem that could cause a security breach in wireless-enabled enterprise networks.
The enterprise issue, which surfaced in the wireless sector last week, involves the communication between Radius network access servers (NAS) and Radius clients in a WLAN-enabled enterprise network. In essence, Radius developers have traditionally shied away from IETF implementations that call for stronger password techniques and the use of IPSec in Radius-enabled networks. "There is a gap in implementation," said Merwyn Andrade, chief technology officer (CTO) at Aruba.
Because Radius architectures are deployed without IPSec and with weak keys, Andrade said, an outside hacker can use a rogue access point and an address resolution protocol (ARP) poisoning technique to interpose as a gateway between a NAS and a client. Using ARP, the hacker can then extract and decode the Radius password and re-enter the network to capture the encryption keys required for accessing the corporate LAN through a WLAN access point, thus opening the network to attack.
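A defensive counterpart to the ARP-poisoning step described above, added here as an example and not code from the article, Aruba or Airespace: pin the IP-to-MAC mappings of the gateway and the Radius server on the NAS/Radius segment and alert when an ARP reply contradicts them, or when one MAC claims several IPs. The addresses and events are constructed; in practice they would come from a tool such as arpwatch or a SPAN-port capture.

```python
"""Detect ARP-poisoning attempts against pinned hosts on the Radius segment.

Added example; assumes the hypothetical addresses below and a constructed
stream of ARP replies as (timestamp, sender_ip, sender_mac) tuples.
"""
from collections import defaultdict

# Constructed pinning table: IPs whose MAC must never change (hypothetical).
PINNED = {
    "10.0.0.1": "00:11:22:33:44:01",   # default gateway
    "10.0.0.10": "00:11:22:33:44:0a",  # Radius server
}

# Constructed sample of ARP replies seen on the NAS/Radius VLAN.
SAMPLE_EVENTS = [
    (100, "10.0.0.1", "00:11:22:33:44:01"),
    (101, "10.0.0.10", "00:11:22:33:44:0a"),
    (102, "10.0.0.55", "00:11:22:33:44:55"),
    (103, "10.0.0.10", "DE:AD:BE:EF:00:01"),  # foreign MAC claims Radius IP
    (104, "10.0.0.1", "de:ad:be:ef:00:01"),   # same MAC now claims gateway
    (105, "10.0.0.55", "00:11:22:33:44:55"),
]


def detect_arp_poisoning(events, pinned):
    """Return a list of alerts.

    Two signatures are checked:
      * a reply whose sender MAC differs from the pinned MAC for that IP
        ("pinned-mac-changed", timestamp, ip, mac)
      * a single MAC claiming more than one IP across the capture, the
        classic man-in-the-middle pattern
        ("mac-claims-multiple-ips", None, sorted_ips, mac)
    MACs are compared case-insensitively.
    """
    alerts = []
    ips_per_mac = defaultdict(set)
    for ts, ip, mac in events:
        mac = mac.lower()
        ips_per_mac[mac].add(ip)
        expected = pinned.get(ip)
        if expected is not None and mac != expected.lower():
            alerts.append(("pinned-mac-changed", ts, ip, mac))
    for mac, ips in ips_per_mac.items():
        if len(ips) > 1:
            alerts.append(("mac-claims-multiple-ips", None, sorted(ips), mac))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_EVENTS, PINNED):
        print(alert)
```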
"This is not an 802.11i (the IEEE WLAN security spec) issue," Andrade said. "Hackers can exploit a vulnerability that's been there for years," Andrade added.
To help solve this problem, Aruba will provide a set of recommendations to the IETF that are designed to solve the potential security problem. According to Aruba's recommendations, IT managers should implement more complex password techniques and a method for identifying rogue APs. At the same time, Andrade said that IT managers should dedicate a virtual LAN (VLAN) connection for linking wireless access points in an enterprise network.
Aruba competitor Airespace agrees that the password, rogue AP, and VLAN techniques described by Aruba should be implemented. But the San Jose, Calif.-based access point provider also feels that many of these techniques are already being implemented. For example, Airespace CTO Pat Calhoun said that many access points on the market today already come equipped to detect rogue APs. "Most WLAN infrastructure can detect and take rogue APs out of service," Calhoun said.
Aruba's recommendations also call for the use of IPSec to secure communication between the Radius NAS and clients. "If you really want security, you really might want to use IPSec," Andrade said.
The use of IPSec, however, may not be well accepted by access point designers. As Andrade pointed out, there is a perception at system houses that IPSec, which adds processing overhead, will slow overall access point performance. According to Andrade, this should not be a concern because Radius transactions are "infrequent", so the added processing has little effect on throughput.
But while it is feasible to make IPSec work, some question whether IPSec will actually be used in a network. "Running IPSec in a Radius system has been talked about for some time," Calhoun said. "But we (Airespace) have never run into a Radius server that does it."
Aruba and Airespace may also make this threat a non-issue through the way their access points handle Radius communications. While implementing different technologies, both companies have developed techniques that push Radius authentication tasks out of the access point into a WLAN switch. By doing this, both companies claim, Radius authentication is pushed further into the enterprise network, making hacking problems less of an issue.