You are on page 1of 18

White Paper

WLAN Security Today:


Wireless more Secure than Wired
Siemens Enterprise Communications
July 2008

Communication for the open minded


Siemens Enterprise Communications
www.siemens.com/open

Executive Summary
Wireless LAN security has come a long way since the early days and the negative
publicity around the shortcomings of WEP. Recent advances in WLAN technology
and the ratification of key wireless security standards are giving CIOs and network
administrators the high level of confidence in WLAN security that they have always
needed. This whitepaper will explain the key requirements of wireless security and
how the CIO can make sure their enterprise network is protected.
To be effective, WLAN security must address three critical areas;

Data Confidentiality and Integrity,


Authentication and Access Control, and
Intrusion Detection and Prevention

Todays WLAN systems incorporating WPA/WPA2 with AES encryption, in conjunction


with 802.1x authentication, can provide a level of security for WLANs that can
exceed the security of a wired LAN. At the same time wireless intrusion detection
and prevention systems are becoming more capable and easier to manage. Even if
you dont have a WLAN in place, if you do not have a wireless security solution in
place you are vulnerable to malicious attacks.
Siemens HiPath Wireless Manager provides a complete WLAN security solution. It is
WPA/WPA certified to provide AES encryption for data confidentiality and 802.1x for
network authentication. In addition, HiPath Wireless Manager HiGuard provides an
innovative and adaptive solution for wireless intrusion detection and prevention.
HiGuard provides three different operational modes; sensor-less, mixed and
dedicated sensor modes to enable the wireless infrastructure to adapt to the
organizations needs.
By incorporating 802.11i-based solutions as part of a multilayered approach, enterprise network
managers can reasonably ensure WLAN security. Although threat mitigation is an ongoing process,
802.11i and Advanced Encryption Standard (AES) provide WLANs with security as good as that
available for wired LANs.
Source: William Terrill, the Burton Group - December 2004

WLAN Security Today: Wireless more Secure than Wired

July 2008 I 2

Table of Contents
Executive Summary

1.0 The Current State of WLAN Security


1.1 WLAN Security Threats

4
4

2.0 What Makes a WLAN Secure


Data Confidentiality and Integrity
Authentication and Access Control
Intrusion Detection and Prevention
The WLAN Security Policy

7
7
7
7
8

2.1 Data Confidentiality and Integrity


WiFi Protected Access (WPA & WPA2)

8
9

2.2 Authentication and Access Control


How 802.1x Authentication Works

10
10

2.4 802.11i - Bringing it all Together


802.11n Implications for WIDS/WIPS

11
12

2.3 Intrusion Detection and Prevention


WLAN that is more Secure than Wired LAN

12
14

3.0 Siemens HiPath Wireless Security


802.11i Security Made Easy
State-of-the-Art Integrated Intrusion Detection and Prevention

15
15
15

4.0 Conclusion

17

WLAN Security Today: Wireless more Secure than Wired

July 2008 I 3

1.0 The Current State of WLAN Security


Even after a decade of availability and promising commercial successes, security remains the number
one concern for enterprise WLAN deployments. According to Joanie Wexlers 2007 WLAN State-of-the
Market report, just over half (53%) of the global respondents identified security issues as their primary
concern. The good news is that this is a significant decrease from the 2006 study where over 70% of
respondents were concerned about WLAN security. Is the anxiety over WLAN security fact or fiction,
perception or reality? And what recent developments account for the growing comfort with WLAN
security?
Much of the trepidation over WLAN security was due to the nature of WiFi. The 802.11 standard also
known as Wireless Ethernet is based on the principle of a shared medium. While most managers have
felt comfortable enough with the fact that they can physically secure their wired networking medium,
their LAN, they were less comfortable when the network medium is the open air. There was a general
perception that WLANs are inherently insecure, and early implementations reinforced this notion
through well-publicized vulnerabilities and attacks. This perception has been a major problem that has
kept some network managers from implementing wireless LANs altogether.
In spite of network managers reservations, the demand for enterprise wireless connectivity is continually growing as early adopters demonstrate increased productivity and responsiveness, and managers
take notice of the significant TCO savings. As a result, IT organizations are coming under increasing
pressure to ensure that the wireless network is secure. Fortunately, this can be achieved today with a
minimal investment of time and effort.
There are a number of considerations that must be taken into account when deploying a secure
wireless network, but the recent evolution of the technology has done a great deal to simplify this task.
The 802.11i specification introduced by the IEEE has specifically addressed the problems found in the
industrys earlier security initiatives. Furthermore, WLAN infrastructure vendors have designed product
portfolios with enterprise-grade security as one of the core tenets in order to distinguish themselves
from consumer-grade offerings. Siemens is one such vendor, and its HiPath Wireless Portfolio delivers a
robust, standards-based security solution that can assure managers that they can finally take
advantage of all the benefits enterprise WLAN has to offer without exposure to security risks.

1.1 WLAN Security Threats


The very nature of networking means that users can exchange information across a distance and over a
shared medium. The security implication of this is that a hacker does not need to actually walk up to a
server or a users computer in order to gain access to critical files or communications. With wireless
LAN, this threat is especially pronounced, because a hacker doesnt even need to reside in the same
physical location.
Threats to the wireless network initially stem from providing openings like those described below:

WLAN Security Today: Wireless more Secure than Wired

July 2008 I 4

Wireless Security
Threats

Mis-Configured Access
Points

Just as dangerous as an unauthorized rogue access point


is an access point that has been legitimately connected to
the wired network, but improperly or insufficiently configured. For instance, if no security settings were configured,
then such an access point would provide open network
access to anyone.

Ad Hoc Wireless Networks

Operating systems like Windows allow the creation of


networks consisting of multiple wireless clients, without an
access point in between. If one of these computers is
configured to participate in an ad hoc network as well as
connect to the corporate WLAN via an access point, they
could be inadvertently creating an opening for a hacker to
exploit.

Client Mis-associations

In cases where companies are physically near one another,


it is very possible for two wireless networks to have the
same network information. In such a case, a wireless client
will associate with the first access point that it contacts, and
if it belongs to the neighboring WLAN, a security threat can
exist.

Malicious users can often take advantage of the openings presented above, but the following examples
also represent circumstances in which they can create their own openings:

WLAN Security Today: Wireless more Secure than Wired

July 2008 I 5

Rogue access points

An unauthorized access point that has been connected to


the wired network, which can provide malicious or unauthorized users with open access to the LAN.

Honeypot APs

Some hackers will be able to determine the configuration


settings of the wireless LAN, and will plant an access point
with the same settings within range of the network.
Through mis-association, clients can connect to these
honeypots assuming that they are legitimate. Clever hackers can then exploit this by connecting decoy network
resources to the AP so that users login, after which the
hacker can steal passwords or even confidential documents.

AP MAC Spoofing

Wireless client computers can be configured to behave like


legitimate participants in the network. In this manner, a
hacker can mimic an authorized user or even act as a
honeypot AP.

Once a hacker has been able to find a way onto the network whether through an existing opening or
one that they created there are a number of techniques that can be used to actually affect the corporate network:

Unauthorized Client
Access

Hackers continually probe areas for open wireless networks.


If a network has a weak user authentication scheme or
none at all it is very easy for a hacker to obtain access to
the corporate network and take information or launch
attacks on resources in order to cause disruptions.

Denial of Service (DoS)

Because of the way networking devices work, they need to


respond to any client requests. Hackers are able to exploit
this by inundating a network resource with more requests
than it is able to handle. Distributed DoS attacks magnify
this problem by enlisting a number of unknowing computers through hidden code to simultaneously launch
denial of service attacks on a potentially massive scale.

Man in the Middle

If data is unprotected, hackers can intercept messages and


change the content to mislead parties that are communicating, making it seem as if the hacker is actually one of the
parties.

IP Spoofing

By modifying the source IP address contained in the packet


header, a hacker can intercept traffic coming from a legitimately authenticated user and make it appear that the user
is actually using the hackers computer. As a result, all data
and messages coming from a server would go back to the
hacker.

Hijacking

Using software that is secretly installed on the PC of a


corporate user, a hacker can gain control of the computer
to gain access to resources the user is able to see, or to
cause damage to servers and other computers.

90% of WLAN security incidents until 2010 will be the result of misconfigured systems.
Source: Gartner, November 2006

WLAN Security Today: Wireless more Secure than Wired

July 2008 I 6

2.0 What Makes a WLAN Secure


Wireless network security is a big topic. Even more importantly, it is extremely dynamic. New technologies, threats and solutions appear almost every day. This complexity is the reason that many
companies invest heavily in dedicated security infrastructure and highly trained specialists. Every
network application and infrastructure component has a distinct set of security requirements that must
be addressed before managers feel comfortable entrusting it with the enterprises mission critical
information. For wireless LAN, security takes place on two levels: the frame level and the radio
frequency (RF) level. Within this context, enterprise WLAN security requirements essentially fall into
three broad categories, with the first two referring to frame-level security and the third dealing with
RF-level security.

Data Confidentiality and Integrity


The protection of data as it moves across the shared medium is the most familiar aspect of WLAN
security. Confidentiality is delivered through the use of encryption algorithms used to encode information in a manner that can only be decoded and read by the parties for which it is intended. Going handin-hand with encryption are the concepts of data integrity and non-repudiation, which help to prevent
hackers from altering data. Non-repudiation is achieved through the use of a hashing algorithm which
takes a snapshot of each frames content before it is encrypted. Even if a frame were to be decrypted, it
would not be possible for a hacker to alter data contained within and fraudulently re-send the data a
process known as spoofing. Strong data confidentiality and integrity are especially critical for wireless
traffic, as frames can be more easily intercepted and potentially compromised by virtually anyone
in vicinity of the network.

Authentication and Access Control


The mechanisms used to grant authorized users access to the wireless network and the resources
residing on the broader enterprise network are just as important as encryption and integrity. Sophisticated implementations also allow for the definition of access control policies that grant different users
or groups unique security settings and access to different network resources. Robust authentication
and access control measures are especially vital to WLANs because there is little available in the way of
physical separation of unauthorized users from the network. A user can potentially have a laptop
outside of the office premises, and without an authentication mechanism to keep them out, they could
gain full access to the corporate network.

Intrusion Detection and Prevention


Wireless intrusion detection and prevention services (Wireless IDS/IPS) must be able to identify and
remove threats, but still allow neighboring WLANs to co-exist while preventing clients from accessing
each others resources. Intrusion detection and prevention focuses on the radio frequency (RF) level. It
involves radio scanning to detect rogue access points or ad hoc networks to regulate network access.

WLAN Security Today: Wireless more Secure than Wired

July 2008 I 7

Advanced implementations are able to visually represent the network area along with potential
threats, and have automatic classification capabilities so that threats can be easily identified.
Enterprise WLAN security is not one-size-fits-all. While it is desirable to have the most sophisticated
frame-level and RF-level security available, wider considerations mean that this may not always be
possible. Each enterprise must weigh the level of security required against the overall costs. The
solution must be cost-effective, leverage and integrate with existing security technology where
possible, require little administrative maintenance and interaction, and represent an overall implementation cost that is commensurate with the initial capital expenditure. End-users will resist any
implementation that is not transparent. They will expect full access to applications and network
resources, and will not tolerate excessive complexity and/or performance degradation resulting from
the security infrastructure. Even enterprises that have decided not to install WLANs must be concerned
about WLAN security, because rogue APs and ad hoc networks between wireless-enabled laptop
computers can open gaping security holes in an otherwise secure network by allowing access to the
wired LAN from remote locations. Companies that are pursuing enterprise mobility and deploying
WLAN should consider an enterprise wireless security policy (See sidebar The WLAN Security Policy).

The WLAN Security Policy


It is important that organizations develop, educate and enforce an enterprise-wide WLAN security
policy. The policy should outline a framework for the development of installation, protection,
management, and usage procedures. A WLAN security policy must be flexible in terms of the technologies it can support. WLANs enable access by laptops, PDAs, smart phones and more, each with
different features, capabilities and security requirements. This diverse set of clients cannot be secured
with a one size fits all policy. In addition, most WLANs are designed with end-user mobility and
productivity in mind. The challenge for IT staff is to develop security options that support end-user
requirements. Finally, WLAN security policies must integrate with the organizations wired network
security scheme to ensure seamless protection across the organization. While WLANs present unique
security challenges, security is still dependent on controlling who has access to specific information.
Understanding WLAN-specific vulnerabilities and deploying a suite of tools to minimize them enables
organizations to enjoy the mobility and productivity benefits of WLANs without putting businesscritical applications at risk.
An effective WLAN security policy should:

Identify who may use WLAN technology and what type of access is required;
Describe who can install access points and other wireless infrastructure equipment;
Describe the type of information that can and cannot be sent over wireless links;
Describe conditions under which wireless devices are allowed and how they may be used;
Describe the hardware and software configuration for any access device;
Provide guidelines on reporting losses of wireless devices and security incidents;
Provide guidelines on the use of encryption and other security software; and,
Define the frequency and scope of security assessments, audits and report generation.

2.1 Data Confidentiality and Integrity


Until recently, WEP was the IEEEs standard for securing 802.11 traffic. The objectives of WEP were to
provide data confidentiality through the use of RC4 encryption and to prevent unauthorized access to
the wireless network through basic pre-shared key authentication where a common password was

WLAN Security Today: Wireless more Secure than Wired

July 2008 I 8

hard-coded into the access point and the client. RC4 encryption was originally available with a 40-bit
key, but the IEEE later introduced a more robust 128-bit key to enhance data confidentiality. Unfortunately, there were a number of flaws found in the way that WEP addressed confidentiality and
integrity.

To start, encryption keys were statically configured, meaning that if a WEP key were cracked,
someone would be able to decrypt the information until the user reconfigured it, which rarely
happened.

The increased protection of 128-bit RC4 turned out to be misleading, as an exploit was
reported whereby effective encryption strength could easily be brought back down to 40-bit.

Data integrity was poorly addressed with the simplistic CRC-32 algorithm. Therefore, if a user
could crack the WEP key, they could easily modify the data, re-encrypt it, and then send it to
an unknowing user.

The simplistic pre-shared key authentication method used by WEP was not particularly robust
or scalable, requiring separate configuration of each individual wireless device, with no leveraging of existing enterprise user directories or security applications.

WEP remained sufficient to stop casual eavesdroppers from illicitly accessing the network or compromising data ideal for small offices or home use. However, the findings mentioned above as well as
a number of subsequent well-publicized attacks forced the conclusion that WEP did not provide the
level of security necessary for enterprise-wide WLAN deployment.

WiFi Protected Access (WPA & WPA2)


The 802.11i specification was conceived to resolve the issues found in WEP and to expedite the introduction of a more adequate WLAN security scheme for the enterprise market. However, it took a long
time to be approved. The WiFi Alliance (WFA, http://www.WiFi.org) introduced the WPA in late 2002 as
an interim solution to ensure vendor interoperability. WPA was based on a subset of the 802.11i draft.
It improved on WEP by introducing Temporal Key Integrity Protocol (TKIP). While still utilizing RC4
encryption, TKIP utilizes a temporal encryption key that is regularly renewed, making it more difficult
for a key to be stolen and then used to decipher a useful amount of information. In addition, data
integrity was improved through the use of the more robust hashing mechanism, the Michael Message
Integrity Check (MMIC).
WPA did a great deal to address the concerns associated with WLAN security, and can be hailed as an
important step in increasing acceptance of WLAN as an enterprise-ready technology. However,
concerns still existed. To start, TKIP still used the RC4 encryption algorithm, and while the use of
temporal keys mitigated the problem, many felt uncomfortable entrusting their critical data to an
algorithm viewed as less powerful than what was commonly used for wired networks. Because of this,
many companies viewed WPA as a temporary measure meant to bridge the gap between WEP and the
soon-to-be ratified 802.11i standard, and therefore insisted on postponing their deployments. In 2004,
the WiFi Alliance updated the WPA specification by replacing the RC4 encryption algorithm with AES
(Advanced Encryption Standard), calling the new standard WPA2.

WLAN Security Today: Wireless more Secure than Wired

July 2008 I 9

2.2 Authentication and Access Control


Access Control Lists (ACLs) often provided authentication for early wireless LANs. ACLs permit associations by known Media Access Control (MAC) addresses while rejecting connections from all others. This
technique, commonly called MAC Address Filtering, is easily spoofed and became difficult to manage
as networks got larger. When the WFA introduced WPA it included 802.1x authentication, a more
sophisticated mechanism for user authorization and access control by leveraging open standards
authentication tools such as RADIUS (Remote Authentication Dial In User Service, RFC 3597). RADIUS is
a widely deployed protocol for network access authentication, authorization and accounting (AAA).

How 802.1x Authentication Works


802.1x acts as a gate that prevents a wireless client (supplicant) that has associated to an
access point (authenticator) from accessing the corporate network until it has permission. It
uses the EAP (Extensible Authentication Protocol) to authenticate and negotiate keys
between the supplicant and a RADIUS server (authentication server). EAP runs over layer 2
(EAPoL) without requiring IP and therefore includes its own support for in-order delivery and
retransmission. EAP is not so much a messaging protocol as it is a framework that can
supports multiple authentication mechanisms challenge/response, passwords, digital
certificates, etc, depending on the EAP type being used. The current WPA/WPA2 certified
EAP standards are; EAP-TLS, EAP-TTLS, EAP-SIM and PEAP.
EAP-TLS

EAP with Transport Layer Security (EAP-TLS) is the recommended option for
wireless. It is based on the Transport Layer Security (TLS) protocol, which uses
public key cryptography for authentication and negotiation of keys that can be
used to encrypt data. EAP-TLS requires the supplicant and the authentication
server to both verify their identities via public key cryptography (i.e., digital certificates or smart cards). Despite the excellent security, requiring a client certificate
for each supplicant makes the protocol expensive and unpopular.

EAP-TTLS

EAP-TTLS is designed as an extension to EAP-TLS. It uses TLS for server authentication and encryption, but avoids the need for expensive client certificates by
negotiating a second authentication protocol between the supplicant and the
authentication server that is protected by the TLS encryption. The second authentication protocol can be PAP, CHAP, MSCHAP or even another EAP type.

EAP-SIM

EAP-SIM was created for the GSM mobile telecom industry and doesn't really have
a place in WLAN authentication.

PEAP

There are actually two Protected Extensible Authentication Protocol (PEAP) protocols, PEAPv0/EAP-MSCHAPv2 from Microsoft and PEAPv1/EAP-GTC from Cisco. However, for a variety of reasons, the PEAPv0/EAP-MSCHAPv2 protocol is by far more
popular and is often referred to as the PEAP standard. PEAP is similar to EAP-TTLS
in that it creates a TLS tunnel to protect the inner authentication protocol such as
EAP-MSCHAPv2. PEAP provides the second strongest security next to EAP-TLS, but
because it does not require client-side certificates it is easier to use and more
popular.

WLAN Security Today: Wireless more Secure than Wired

July 2008 I 10

RADIUS mediated
Authentication
Process using EAP

2.4 802.11i - Bringing it all Together


The IEEE ratified the final 802.11i WLAN security standard in June 2004. The standard is backward
compatible with WPA and includes the TKIP and 802.1x protocols. Additionally, a stronger frame
encryption and authentication alternative was added that could be incorporated into new hardware
from vendors. The new cryptography was based on the AES (Advanced Encryption Standard) algorithm
that was selected by the U.S. National Institute of Standards and Technology (NIST) in 2000 as the
winner of a competition to find the most secure encryption algorithm. AES is required by U.S. governmental agencies and is considered secure enough that it is used in military applications.
802.11i uses two different authentication methods, and these are available in WPA2 as different
modes, Personal Mode and Enterprise Mode. WPA2 Personal Mode offers a simple solution suitable
for the home and small office environments. It only requires the use of a pre-shared key for user
authentication. Whereas WPA2 Enterprise Mode draws on the same RADIUS-based 802.1x mechanism used in the WPA standard.
Other features of 802.11i are key caching which quickly reconnects users who have temporarily gone
offline and pre-authentication, which allows seamless roaming between access points. Key caching
stores information about the client on the network so that if a station leaves an access point and
returns within the configured timeout, credentials for re-authentication do not have to be entered
again. Pre-authentication refers to the ability of a network to send authentication data between access
points and back to a central controller so that a roaming user does not need to authenticate to each
access point. Both of these features are essential for advanced mobile applications such as Voice over
Wireless LAN (VoWLAN).
Altogether, the enhancements provided by 802.11i finally deliver the level of data confidentiality and
user authentication that enterprises have been demanding. In conjunction with a strong intrusion
detection and prevention solution, 802.11i presents the enterprise-grade security required by enterprises in order to deploy WLAN.

WLAN Security Today: Wireless more Secure than Wired

July 2008 I 11

802.11n Implications for WIDS/WIPS


802.11n is an enhancement to the IEEE 802.11 wireless network standard that includes many new
features to increase transmission speeds, range and reliability compared to 802.11a/b/g. The
enhancements translate to 300 Mbps of raw data throughput and/or double the range compared to
current 802.11a/g technology. Full ratification of the 802.11n standard is expected in early 2009, but
in the interim the WiFi Alliance (WFA) has announced a certification program for products based on the
Draft 2.0 standard. This move by the WFA has allowed wireless infrastructure vendors to move forward
with their 802.11n plans and release 802.11n Draft 2.0 certified wireless infrastructure and a broad
assortment of end-points including laptops, handhelds and smartphones. The growing market availability of 802.11n Draft 2.0 equipment makes it extremely important for CIOs and network administrators to expand the scope of their WLAN security policy to include considerations for the new equipment. The relative newness of 802.11n infrastructure means that many enterprise WIDS/WIPS solutions
are not yet able to detect and mitigate 802.11n based threats. Until comprehensive WIPS/WIDS
solutions are available, it is extremely important that existing intrusion detection systems can at the
very least detect rogue 802.11n APs.

2.3 Intrusion Detection and Prevention


Data confidentiality and authentication are addressed through industry standards, but no standards
exist for wireless intrusion detection and prevention (WIDS/WIPS). Instead, WLAN equipment vendors
and/or specialty wireless security vendors provide enterprise WIDS/WIPS solutions. Different vendors
implement WIDS in their own way, but the basic principles and required equipment are the same. All
WIDS systems need; remote sensors distributed throughout the monitored network, and management
software often called an IDS server. When the system is initially deployed, a detailed description of the
network is programmed into the IDS server as a baseline. In a WIDS solution sensors passively observe
wireless activity and network configuration, reporting any exception back to the central IDS server.
That IDS server is responsible for analyzing reported activity, generating intrusion alarms and an event
log. WIPS solutions take this information and act upon it directly, without requiring manual intervention, by sending disassociation commands to the client, they effectively disconnecting any access to
identified threats such as rogue or honey-pot APs. A WIPS solution needs to be chosen with care. Many
solutions not only fail to detect many types of threats, but can also deliver false positive detections.
This false positive, can cause unnecessary effort for the IT security team but can also lead to a general
distrust of the identification of real threats and thus complacency.

WLAN Security Today: Wireless more Secure than Wired

July 2008 I 12

Dedicated WIDS/WIPS
sensors provide the best
wireless security

WIDS/WIPS solutions can function in one of two different modes time slicing or always on. These two
modes offer varying degrees of security for the enterprise. In a time slicing mode the WIPS solution
does not require dedicated sensors distributed throughout the enterprise, but rather borrows slices of
time from existing access points to take a snap shot listen of the environment. This mode offers the
advantage of lower cost security to the enterprise but also offers a lower level of security. Sophisticated
hacking routines have been known to identify listening patterns and intersplice their activities between
the listening slots, effectively going undetected. This is similar to the escaping prisoner avoiding the
searchlight and thus going undetected.
The more costly, but more effective mode, is to use dedicated sensors on full time listening mode to
detect (and with WIPS prevent) threats. This is the equivalent of leaving all the lights on, so no matter
when the prisoner attempts to escape, he will be seen. Both modes offer their benefits and can even
be used at the same time in different physical parts of the enterprise (depending on risks of say visitor
or customer traffic). A well thought out plan and risk assessment is needed when deciding how to best
implement WIPS for an enterprise.
Enterprises generally have two alternatives when deploying intrusion detection and prevention
solutions. The first is to deploy an overlay solution, which is a specialized network of dedicated equipment completely separate from the WLAN. These solutions tend to provide the most comprehensive
security and the best performance. However, overlay solutions have the disadvantages of adding
operational complexity and cost, forcing the deployment of two wireless networks with no management integration or hardware economies. The other alternative is to accept the integrated IDS/IPS
functionality which most WLAN infrastructure vendors offer with their solution. The problem with this
alternative is that what the IDS solution vendors offer is generally inferior to over-lay products, if not in
features then certainly in performance. WLAN Vendors are now starting to address this discrepancy.
For example, Siemens has fully integrated the industry leading Airtight WIPS solution into its HiGuard
product, deliver world-class WIPS security along with the benefit of reduced overhead and maintenance associated with an overlay solution.

WLAN Security Today: Wireless more Secure than Wired

July 2008 I 13

For an enterprise to protect itself from abuse of its information, it must monitor the events occurring in
its computer system or network and analyze them for signs of intrusion. To do this, the enterprise
must install an Intrusion Detection System (IDS).
Source: Gartner, September 2004

WLAN that is more Secure than Wired LAN


WLAN systems incorporating WPA/WPA2 with AES encryption, in conjunction with 802.1x authentication, can provide a level of security for WLANs that can exceed the security of a wired LAN. Although
there are still exploits possible that can disrupt the communications on the WLAN, the security of the
network and the integrity of the data becomes very difficult to compromise. There are always potential
holes in the system. Most are attributable to human error; an unreported lost laptop, a laptop infected
with a virus, or a compromised username/password combination, can all cause a security breach
despite the integrity of the WLAN.
Wireless Networks do offer an additional physical layer of security when deployed in an all wireless
office environment. By effectively eliminating employee or guest physical access to the network
elements jacks and cables the hidden network becomes more physically secure. Employees can no
longer plug in access points from home, guests cant erroneously misconnect LAN connections in a
boardroom while trying to secure external access. The securing of the WLAN has become an enabler of
the all-wireless future.

WLAN Security Today: Wireless more Secure than Wired

July 2008 I 14

3.0 Siemens HiPath Wireless Security


Siemens has architected its wireless portfolio for enterprise-grade security, with a strong standardsbased approach to data confidentiality and authentication, as well as a unique, powerful intrusion
detection and prevention implementation. The HiPath Wireless portfolio delivers these elements as an
integrated solution, making it cost-effective and transparent.

802.11i Security Made Easy


By implementing the 802.11i standard, Siemens has addressed the security issues pertaining to data
confidentiality and authentication. The fact that this standard is integral to wireless infrastructure and
leverages existing wired security technologies like RADIUS makes the standards-based approach cost
effective and transparent to both end-users and network managers. Beyond this, Siemens has also
taken measures to make it easy to integrate with existing wired LAN security mechanisms like RADIUS
authentication or IPSec VPNs.

State-of-the-Art Integrated Intrusion Detection and Prevention


The HiPath Wireless Manager architecture helps to deliver the most sophisticated RF security, location,
performance optimization, and management capabilities. A unique integrated framework provides
real-time coverage and allows services to leverage one another in a way that separate applications
cannot. HiPath Wireless Manager HiGuard can be deployed in a phased approach. System Administrators can initially deploy HWM HiGuard in a sensor-less configuration, and then gradually introduce
sensors into high-risk areas to run in mixed mode, until the entire enterprise is protected using dedicated sensors for maximum security. HWM enables the wireless infrastructures capabilities to adapt to
the organizations needs.
The HiPath Wireless Manager Server derives information about the WLANs access points, users, and
VNS groups from the HiPath Wireless Controller through its Design Interface. Managers can also
integrate floor plans of the office environment and other data from site planning tools to create a
visual model of the network. The Policy Manager is used to define what behaviors are acceptable for
the network model. Both the network model and the policy are then fed into the HWMA Analysis
Engine. The HWMA Analysis Engine then employs Sensors to monitor the network in real-time. During
Real-time Sensing, information is fed back into the HWMA Analysis Engine for inspection. Devices and
events are evaluated using sophisticated heuristics and are automatically classified. The results feed
into the following applications:

Location Services. HiPath Wireless Manager maintains an up-to-date visual perspective of the
network. This greatly aids the intrusion prevention process by making it possible to physically
find threats. It is also possible for the organization to track mobile corporate resources.

Performance Optimization. The variety of heat maps actually showing the physical makeup of
the RF environment can be used by managers to ensure the greatest coverage area and eliminate potential bottlenecks.

Network Monitoring and Control. All of the events and information generated by the three applications feed into the management interface. The Servers dashboard provides a consolidated
view of the network, and a variety of rich charts, reports, and statistics are available to aid in

WLAN Security Today: Wireless more Secure than Wired

July 2008 I 15

network monitoring and troubleshooting.


The portfolios intrusion detection and prevention capabilities are dramatically extended by the addition of HiPath Wireless Manager HiGuard. It provides the best-in-breed security protection seen in overlay IDS/IPS solutions as well as significant integration with existing WLAN infrastructure and management tools. The HWM HiGuard solution depends on HiPath Wireless Access Points that have been
deployed in dedicated sensor mode, where they focus solely on scanning all channels and frequencies
on the 802.11a, b, and g radios. The information gathered by the Sensors is then sent to the central
HWM Server, which consolidates and analyzes it using sophisticated heuristics. Sensors can then use
precise RF countermeasures to proactively neutralize threats while the rest of the network remains
unaffected. HWM HiGuard is one of the only WLAN security solutions that can detect Rogue 802.11n
APs to prevent unauthorized access to the wireless network.

HiPath Wireless
Manager and
HiGuard

The benefits provided by HiPath Wireless Manager include:

Optimized performance as HiPath Wireless Access Points can devote their attention to delivering consistent network access to users key for voice and other real-time applications.

Enhanced security as sensors can proactively scan all WiFi radio bands and channels to
identify and neutralize the most sophisticated attacks.

Intrusion information is forwarded to a management server that provides robust reporting


capabilities.

Automatic threat classification (member, neighbor, rogue, etc.) and the flexibility to locate
rogues or even deny them access to the network.

Visual representation of signal coverage and device locations through mapped-over floor
plans that can allow staff to find and physically remove suspect devices.

HiPath Wireless Manager not only gives recognized industry-leading intrusion detection and prevention
for a complete wireless security solution, but also sets a new standard in the industry for integrating
IDS/IPS with existing infrastructure and management systems, and is a key step in creating a single
wireless network that supports all mobility applications across the enterprise cost-effectively and easily.
In 2006, the Tolly Group declared that the security features of HiPath Wireless products were proven
best-in-class for performance among both standalone and integrated IDS/IPS solutions (100% success
vs. 65%-75% from competitors).

WLAN Security Today: Wireless more Secure than Wired

July 2008 I 16

4.0 Conclusion
Secure wireless communication is at long last a reality. Industry standards have matured to provide a
comprehensive solution to the WLAN security dilemma, but as with any form of security, wireless
security will have to continually evolve to keep up with the newest and most sophisticated attacks.
Furthermore, WLAN vendors are now looking beyond the IEEE standards for authentication and encryption to ensure that appropriate intrusion detection and prevention capabilities are in place to provide a
complete and layered security solution.
Siemens has developed a security solution that not only addresses the data confidentiality and authentication needs of today, but has also created an open standards-based solution that has the flexibility to
adapt in the future. In conjunction with the sophisticated intrusion detection and prevention capabilities delivered by HiPath Wireless Manager, the HiPath Wireless Portfolio provides a complete, futureready solution that addresses the core tenets of wireless security. Management demands for a cost
effective approach are being met through an integrated security solution that leverages existing
network infrastructure. At the same time, end-users will be satisfied that they have no need to complicate their computing experience in the least. In fact, features like secure fast roaming may actually
simplify user experience.
Many enterprise network managers have resisted the introduction of wireless LAN technology, delaying the opportunity to reap the numerous benefits to be had in terms of productivity, responsiveness,
and TCO reductions. While the absence of an acceptable security standard served as the chief justification for this decision, Siemens HiPath Wireless delivers a secure solution that resolves this problem and
makes the enterprise ready for wireless LAN today. More information about Siemens HiPath Wireless
security solutions is available at http://www.siemens.com/hipath.
Siemens Enterprise Communications is a thought leader and innovator in the enterprise communications industry. We are one of the leading players in the market with full coverage of all the relevant
markets from a strong European base with global reach. Our people have the passion, commitment,
skills and know-how to deliver a broad range of cutting-edge technologies, outstanding products and
professional services. All with the support of an enterprise that has the financial strength to outperform the rest in this competitive and consolidating market.

A properly engineered WiFi security system can not only provide robust security for your wireless users,
it can also act as a platform to better secure wired network segments that have, for too long, relied on
nothing more than physical security to combat abuse.
Source: Network Computing, June 2005

WLAN Security Today: Wireless more Secure than Wired

July 2008 I 17

Munich-based Siemens Enterprise Communications GmbH & Co. KG, a wholly owned subsidiary of
Siemens with more than 15,000 employees, is one of the worlds leading vendors of Open Communications
solutions for enterprises of all sizes. Our products, solutions and services make business processes more
productive, faster and more secure - with any device, network or IT infrastructure.

Communication for the open minded

Siemens Enterprise Communications


www.siemens.com/open

Siemens Enterprise
Communications GmbH & Co. KG
Hofmannstr. 51,
D-81359 Mnchen, Germany
The information provided in this brochure contains
merely general descriptions or characteristics of
performance which in case of actual use do not
always apply as described or which may change as
a result of further development of the products. An
obligation to provide the respective characteristics
shall only exist if expressly agreed in the terms of
contract. Availability and technical specifications
are subject to change without notice. The trademarks used are owned by Siemens Enterprise
Communications GmbH & Co. KG or their respective
owners.