Living without wires
- SC Magazine, June 2006
Is WPA really the answer to the problem of insecure corporate wireless networks? Maybe, but as Rob Buckley discovers, it's not that simple
A hidden WPA2-Enterprise network, with full RADIUS and EAP authentication, can then give access to the complete set of corporate resources. As well as offering network access to a wider range of devices, this tiered approach avoids a forced upgrade of every wireless device: only those that need the highest level of access have to be upgraded immediately; the rest can be updated progressively or replaced at the end of their lifespans. Hiding the SSID keeps casual users off that network, but it is housekeeping rather than a security control, since clients configured for a hidden network probe for it by name and the authentication behind it is what actually protects it.
Alternatively, all wireless worries can be avoided, suggests SecureTest managing director Ken Munro, by treating every wireless device as "dirty" and putting it on its own VLAN, separate from the rest of the network. Users then log in using remote-access technology, so they get the same security wrappers as geographically distant users.
Segmenting access into VLANs also lets roles be assigned to users based on their method of access and location. Hardware vendor Bluesocket's head of channel development and strategy, Jim Calderbank, highlights some of the more advanced capabilities in this technology. "You can specify at the point of installation that VLAN100 is the upstairs floor and access hours are between eight and five," he says. "You can stop someone accessing payroll from the canteen."
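The two ideas above, a quarantined VLAN for devices that did not authenticate strongly and role, location and time-of-day rules for those that did, can be written as a small policy evaluator. What follows is an added example, not code from the article or from SecureTest or Bluesocket; the VLAN numbers, locations, roles, service names and sample sessions are all assumptions constructed for illustration.

```python
"""Placement and access policy for segmented wireless VLANs.

Added example, not from the article or from any vendor named in it. A client
that did not authenticate with WPA2-Enterprise is placed on a quarantined
"dirty" VLAN from which only the remote-access gateway is reachable; a client
on a corporate VLAN gets access to internal services by role, physical
location (derived from the VLAN) and time of day, with a default deny.
VLAN numbers, locations, roles and service names are assumed.
"""
from dataclasses import dataclass
from datetime import time

DIRTY_VLAN = 900                        # assumed quarantine VLAN for "dirty" devices
VLAN_LOCATION = {100: "upstairs",       # assumed: VLAN100 is the upstairs floor
                 200: "canteen",
                 DIRTY_VLAN: "quarantine"}


@dataclass(frozen=True)
class Session:
    user: str
    role: str
    auth: str       # "wpa2-enterprise", "wpa-psk" or "wep"
    vlan: int
    at: time        # local time of the request


@dataclass(frozen=True)
class Rule:
    service: str
    roles: frozenset
    locations: frozenset
    start: time
    end: time


def assign_vlan(auth, requested_vlan):
    """Only 802.1X/EAP-authenticated clients keep the VLAN they asked for."""
    return requested_vlan if auth == "wpa2-enterprise" else DIRTY_VLAN


ALL_DAY = (time(0, 0), time.max)
RULES = [
    # Payroll: finance staff, from the upstairs floor, office hours only
    Rule("payroll", frozenset({"finance"}), frozenset({"upstairs"}), time(8, 0), time(17, 0)),
    Rule("intranet", frozenset({"staff", "finance"}), frozenset({"upstairs", "canteen"}), *ALL_DAY),
    # Quarantined devices reach only the remote-access gateway, whatever their role
    Rule("vpn-gateway", frozenset({"staff", "finance", "guest"}), frozenset({"quarantine"}), *ALL_DAY),
]


def decide(session, service):
    """Return (allowed, reason); anything not explicitly permitted is denied."""
    # A session claiming a corporate VLAN without enterprise auth is inconsistent
    if session.vlan != assign_vlan(session.auth, session.vlan):
        return False, "client with %s auth does not belong on VLAN %d" % (session.auth, session.vlan)
    location = VLAN_LOCATION.get(session.vlan)
    if location is None:
        return False, "unknown VLAN %d" % session.vlan
    for rule in RULES:
        if rule.service != service or session.role not in rule.roles:
            continue
        if location not in rule.locations:
            continue
        if not rule.start <= session.at <= rule.end:
            continue
        return True, "matched rule for %s from %s" % (service, location)
    return False, "no rule permits %s for role %s from %s at %s" % (
        service, session.role, location, session.at.strftime("%H:%M"))


if __name__ == "__main__":
    # Constructed sample sessions
    for s, svc in [(Session("alice", "finance", "wpa2-enterprise", 100, time(10, 30)), "payroll"),
                   (Session("alice", "finance", "wpa2-enterprise", 200, time(10, 30)), "payroll"),
                   (Session("carol", "guest", "wep", assign_vlan("wep", 100), time(12, 0)), "intranet")]:
        print(s.user, svc, decide(s, svc))
```

The deny path is the important one: an unknown VLAN, a time outside the window, or a device that reached a corporate VLAN without 802.1X all fall through to the default deny rather than to a permissive fallback.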
While access control groups like this might look like an added management burden, many hardware vendors now use thin access points to centralise management. These have little management intelligence of their own and are managed from a central controller: when policies need updating, they are pushed from the central console to every access point rather than configured on each one individually.
Thin access points can also improve security. Jon Green, director of technical marketing at Aruba Networks, says: "We centralise encryption into one central controller. You don't have access keys and don't have to worry about physical access. Somebody can take one of your access points, take it apart, put their own software on it and will still not get any access to the network that they shouldn't have."
Newer access points can also include their own EAP and RADIUS functionality. For example, Bluesocket's access points include what Calderbank calls "inner" and "outer" EAPs: if the access point finds itself dealing with a legacy server, it can act as an intermediary between the client device and the RADIUS server, converting between the different EAP types the two systems can negotiate. In standard terms this mirrors the structure of the tunnelled EAP methods such as PEAP and EAP-TTLS, where an outer method sets up a TLS tunnel and the actual credential exchange, the inner method, runs inside it. If the access point terminates that outer tunnel itself, it must hold the server certificate and private key, which is worth weighing against the physical exposure of access points that Green describes above.
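Whatever sits in the middle, the mechanism by which client and server arrive at a common EAP type is the standard one from RFC 3748: the server proposes a type in a Request, and a client that cannot do it answers with a Legacy Nak listing the types it would accept. The following is an added example of that negotiation, not code from the article or from Bluesocket, and it does not reproduce Bluesocket's inner/outer EAP conversion; the identities, the preference lists and the point at which the run stops (as soon as a type is agreed, before any method-specific exchange) are constructed for illustration.

```python
"""EAP method negotiation with Legacy Nak (RFC 3748, section 5.3).

Added example, not from the article or from Bluesocket. It encodes real EAP
packets, runs the Identity exchange, and shows how an authentication server
that first offers a type the client cannot do (here EAP-TLS) falls back to a
type both sides support after the client's Nak. The method-specific exchange
that follows is not modelled: the run stops once a type is agreed.
Identities and preference lists are constructed for the example.
"""
import struct

# EAP codes and the type numbers used below (IANA EAP registry)
REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4
IDENTITY, NAK, EAP_TLS, EAP_TTLS, PEAP = 1, 3, 13, 21, 25
MAX_ROUNDS = 4  # give up rather than loop on a client that keeps Nak-ing


def encode(code, ident, eap_type=None, data=b""):
    """Build Code | Identifier | Length (16-bit, whole packet) | Type | Type-Data."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def decode(pkt):
    """Parse a packet, rejecting length mismatches rather than trusting the header."""
    if len(pkt) < 4:
        raise ValueError("short EAP header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("EAP length field does not match packet size")
    if code in (SUCCESS, FAILURE):
        return code, ident, None, b""
    if length < 5:
        raise ValueError("Request/Response without Type")
    return code, ident, pkt[4], pkt[5:]


class Peer:
    """Supplicant side: answers Identity, accepts a supported type, Naks the rest."""
    def __init__(self, identity, methods):
        self.identity = identity
        self.methods = list(methods)  # in order of preference

    def respond(self, request):
        code, ident, eap_type, _ = decode(request)
        if code != REQUEST:
            raise ValueError("peer only answers Requests")
        if eap_type == IDENTITY:
            return encode(RESPONSE, ident, IDENTITY, self.identity.encode())
        if eap_type in self.methods:
            return encode(RESPONSE, ident, eap_type)  # start of the method exchange
        # Legacy Nak: Type-Data lists acceptable types; a single 0 means none
        return encode(RESPONSE, ident, NAK, bytes(self.methods) or b"\x00")


class Server:
    """Authentication server side: proposes types in its own preference order."""
    def __init__(self, methods):
        self.methods = list(methods)

    def negotiate(self, peer):
        """Return (outcome, agreed_type_or_None, transcript)."""
        transcript = []
        ident = 0
        _, rid, rtype, data = decode(peer.respond(encode(REQUEST, ident, IDENTITY)))
        if rid != ident or rtype != IDENTITY:
            return "failure", None, transcript
        transcript.append(("identity", data.decode()))
        offered = self.methods[0]
        for _ in range(MAX_ROUNDS):
            ident = (ident + 1) & 0xFF
            transcript.append(("request", offered))
            _, rid, rtype, data = decode(peer.respond(encode(REQUEST, ident, offered)))
            if rid != ident:
                return "failure", None, transcript  # stale or replayed response
            if rtype == offered:
                transcript.append(("response", offered))
                return "success", offered, transcript
            if rtype != NAK:
                return "failure", None, transcript
            transcript.append(("nak", list(data)))
            # Choose the first type from the peer's list that we also support
            acceptable = [t for t in data if t in self.methods]
            if not acceptable:
                return "failure", None, transcript
            offered = acceptable[0]
        return "failure", None, transcript


if __name__ == "__main__":
    srv = Server([EAP_TLS, PEAP, EAP_TTLS])
    print(srv.negotiate(Peer("alice@example.com", [PEAP, EAP_TTLS])))
```

Two details matter in practice: the server checks the Identifier on every Response so a stale or replayed packet cannot advance the state machine, and the parser refuses packets whose Length field disagrees with the bytes actually received, the kind of mismatch that has caught real EAP implementations out.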
Still, with all these complications, is it worth using WPA at all? Many customers of network hardware vendor Cisco think it isn't. When weaknesses were found in WEP, Cisco developed proprietary additions to WEP, similar to those implemented in WPA, known as "Cisco extensions" or CCX (Cisco Compatible Extensions).
Cisco senior security advisor Paul King says most Cisco customers are still using WEP with Cisco extensions. "I don't think you get any extra security. There's no big leap you get by going to WPA."
Others disagree, pointing out that sticking with the Cisco extensions effectively locks users into Cisco hardware for both infrastructure and clients. Roger Edgar, product manager at vendor 3Com, argues that while the new versions of the Cisco extensions are very good, they are also very proprietary, despite Cisco's opening of the APIs.
"Our hardware works with everything that obeys the [WPA] standards. What happens when Vodafone launches its Wi-Fi cellular phone? Will it have CCX support?" he says.
