How to Make Wireless Networks Secure
by Michele Lewington - Managing Director of Network Utilities (Systems) Ltd - Wednesday, 26 March 2003
EAP Authentication Types

Because WLAN security is essential - and EAP authentication types provide the nmeans of securing the WLAN connection - vendors are rapidly developing and adding EAP authentication types to their WLAN access points. Some of the commonly deployed EAP authentication types include:
  • EAP-TLS (Transport Layer Security). EAP-TLS - the security method used in the 802.1X client in Windows XP - provides for certificate-based, mutual authentication of the client and the network. It relies on client-side and server-side certificates to perform authentication; dynamically generated user- and session-based WEP keys are distributed to secure the connection. Windows XP includes an EAP-TLS client.
  • EAP-TTLS. Funk Software and Certicom have jointly developed EAP-TTLS (Tunnelled Transport Layer Security). EAP-TTLS is an extension of EAP-TLS, which provides for certificate-based, mutual authentication of the client and network. Unlike EAP-TLS, however, EAP-TTLS requires only server-side certificates, eliminating the need to configure certificates for each WLAN client. In addition, it supports legacy password protocols, so you can deploy it against your existing authentication system (such as tokens or Active Directories). It securely tunnels client authentication within TLS records, ensuring that the user remains anonymous to eavesdroppers on the wireless link and the entire network to the RADIUS server.
  • EAP-Cisco Wireless. Also called LEAP (Lightweight Extensible Authentication Protocol), this EAP authentication type is used primarily in Cisco WLAN APs, including the Aironet Series. It encrypts data transmission using dynamically generated WEP keys, and supports mutual authentication.
  • EAP-MD-5 Challenge. The earliest EAP authentication type, this essentially duplicates CHAP password protection on a WLAN. EAP-MD5 represents a kind of base-level EAP support among 802.1X devices.
It is likely that this list of EAP authentication types will grow as more and more vendors enter the WLAN security market, and until the market chooses a standard. In general, you may wish to evaluate any EAP authentication type you're considering deploying based on the following functionality:
  • Does it provide adequate credential security?
  • Does it permit mutual authentication of the client and the network?
  • Does it require dynamic encryption keys?
  • Does it support re-keying?
  • Is it easy to manage?
  • Can you easily implement it on your network?
How RADIUS Works in the 802.1X Environment

In the most common 802.1X WLAN environments, the APs defer to the RADIUS server to authenticate users and to support particular EAP authentication types. The RADIUS server handles these functions, and provides crucial authentication and data protection capabilities according to the requirements of the EAP authentication type in use.

Because the RADIUS server plays such as central role in WLAN security -brokering client and AP authentication, and providing and enforcing any other security measures specified by the EAP authentication type - organisations looking to maximise the return on their WLAN investment should seek a RADIUS server that:
  • Supports all existing EAP authentication types
  • Supports multiple vendors' equipment, on a single WLAN, so that the organisation can grow its WLAN by adding whatever equipment meets its requirements (instead of being tied to solutions provided by a particular vendor).
  • Offers the performance and transaction capacity to support large-scale migration to WLAN, as well as increased transactions that accompany additional security techniques such as reauthentication.
A significant development has been the recent introduction of end-to-end 802.1X security solutions that let users securely connect to WLANs and can be easily and widely deployed across the enterprise.

For example, one such product developed by Funk Software secures the authentication and connection of WLAN users, ensuring that only authorised users can connect, that connection credentials will not be compromised, and that data privacy will be maintained.

When used in conjunction with Steel-Belted Radius, Funk Software's RADIUS/AAA server, Odyssey forms a total solution for managing remote access and WLAN users. While Odyssey will handle all WLAN user authentication and security set-up, the integrated Odyssey/Steel-Belted Radius solution enables organisations to:
  • Authenticate WLAN users against SQL, LDAP, or other external databases supported by Steel-Belted Radius.
  • Manage dial-in, firewall, and VPN users in addition to WLAN users from a single database and console.

Organisations which have deferred migrating to WLANs because of security concerns can now safely take advantage of the benefits of WLAN technology by implementing 802.1X WLANs which implement advanced security techniques and which are managed by a RADIUS server.

Extremely secure WLAN access, that is easily managed, is now attainable by using the latest specialist software, supporting the innovative and advanced EAP-TTLS authentication type, to achieve a maximum return from an organisation's WLAN investment.

Network Utilities are exhibiting at Infosecurity Europe, Europe's largest and most important information security event. Now in its 8th year, the show features Europe's most comprehensive FREE education programme, and over 200 exhibitors at the Grand Hall at Olympia from 29th April - 1st May 2003.


Harnessing artificial intelligence to build an army of virtual analysts

PatternEx, a startup that gathered a team of AI researcher from MIT CSAIL as well as security and distributed systems experts, is poised to shake up things in the user and entity behavior analytics market.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Tue, Feb 9th