You are on page 1of 4

April 2007

ADVISING USERS ON INFORMATION TECHNOLOGY
Bulletin
SECURING WIRELESS organizations in implementing a family of ITL Bulletins are published by the Information
NETWORKS voluntary industry standards developed by Technology Laboratory (ITL) of the National
the Institute of Electrical and Electronics Institute of Standards and Technology (NIST).
Shirley Radack, Editor Engineers (IEEE) to define the Each bulletin presents an in-depth discussion
Computer Security Division characteristics, the transmission of data, of a single topic of significant interest to the
Information Technology Laboratory and the security of wireless local area information systems community. Bulletins are
National Institute of Standards and networks. In addition to the IEEE 802.11b issued on an as-needed basis and are
Technology and 802.11g standards, NIST SP 800-48 available from ITL Publications, National
also discusses Bluetooth technology and Institute of Standards and Technology, 100
Many users and organizations have found wireless handheld devices such as text Bureau Drive, Stop 8900, Gaithersburg, MD
that wireless communications and devices messaging devices, PDAs, and smart 20899-8900, telephone (301) 975-2832. To be
are convenient, flexible, and easy to use. phones. placed on a mailing list to receive future
Wireless local area networks (WLANs) bulletins, send your name, organization, and
enable users with mobile devices that The IEEE 802.11 standards were based on business address to this office. You will be
operate over radio frequencies to move a security method known as Wired placed on this mailing list only.
from one place to another without being Equivalent Privacy (WEP). Since this
physically connected to a network. method had been subject to several well- Bulletins issued since May 2006:
documented security problems, the ™ An Update on Cryptographic Standards,
Portable computers, personal digital Guidelines, and Testing Requirements, May
assistants (PDAs), and cell phones support concerns about security led the standards
2006
the sharing of data and applications with developers to improve the security ™ Domain Name System (DNS) Services: NIST
network systems and other users with methodology with an amendment to the Recommendations for Secure Deployment,
compatible devices, and provide access to specifications (IEEE 802.11i). June 2006
network services such as wireless email, ™ Protecting Sensitive Information Processed
web browsing, and the Internet. Wireless The amendment introduces new security and Stored in Information Technology (IT)
communications can benefit organizations features to overcome the shortcomings of Systems, August 2006
by reducing their wiring costs. WEP and presents the concept of the ™ Forensic Techniques: Helping Organizations
Robust Security Network (RSN), a Improve Their Responses to Information
wireless security network with three main Security Incidents, September 2006
The mobile devices function within the ™ Log Management: Using Computer and
range of the wireless network, usually components: Network Records to Improve Information
limited to an area such as an office Security, October 2006
building or building complex. Since they - stations (STA) - wireless endpoint ™ Guide to Securing Computers Using Windows
transmit data through radio frequencies, devices such as laptops, and wireless XP Home Edition, November 2006
wireless networks are open to intruders handheld devices such as PDAs, text ™ Maintaining Effective Information Technology
and especially vulnerable to security risks messaging devices, and smart phones; (IT) Security Through Test, Training, and
Exercise Programs, December 2006
unless properly protected. Intruders have
- access points (AP) - network devices ™ Security Controls for Information Systems:
exploited the openness of wireless Revised Guidelines Issued by NIST, January
networks to access systems, destroy and that allow STAs to communicate over
2007
steal data, and launch attacks that take radio frequencies and to connect to another ™ Intrusion Detection and Prevention Systems,
over network bandwidth and deny service network, such as the organization’s wired February 2007
to authorized users. infrastructure; and ™ Improving the Security of Electronic Mail:
Updated Guidelines Issued by NIST, March
Wireless Local Area Networks - authentication servers (AS) - WLAN 2007
Standards and Security components that provide authentication
services to STAs.
The Information Technology Laboratory
(ITL) of the National Institute of Standards Threats to WLANs often involve an
and Technology (NIST) issued Special attacker with access to the radio link
Publication (SP) 800-48, Wireless Network between two STAs or between a STA and
Security: 802.11, Bluetooth and Handheld an AP. The RSN framework, as described
Devices, in 2002. This guide assists in IEEE 802.11i, provides for the creation

and associated with the framework for RSNs. and smart card or a token for authentication. and secure than they are Also discussed are the most common EAP Cipher Block Chaining Message today. and the Standard (AES).pdf.nist. components and architectural models and support RSNs. maintaining robust security for WLANs certification requirements as applied to Since CCMP provides stronger assurance using the new security features that were IEEE 802. federal agencies are developed for IEEE 802. starting with the the security of their wireless networks: discovery of a WLAN and ending in the Who We Are termination of the connection. methods. include an acronym list. Written by section also provides an overview of the advised to use CCMP for securing IEEE Sheila Frankel and Karen Scarfone of security specifications developed by the 802.11 RSN authentication including a review of the security features summarized. These options enable organizations to . validation testing of cryptographic that are contained in FIPS-validated Establishing Wireless Robust Security products as required under Federal cryptographic modules. the types of Ensure that all WLAN components use The Information Technology Laboratory (ITL) frames used to carry information between Federal Information Processing is a major research component of the National RSN components. Protocol (TKIP) and Counter Mode with to make systems more interoperable.11i. implementation of the Extensible communications. technical analyses that help to advance the which was designed to accommodate the The IEEE 802.11 IEEE 802. The The certifications help organizations select specific recommendations for securing publication explains the basic WLAN interoperable WLAN products that can legacy IEEE 802. password.11-based WLANs. Establishing considerations.11i security. easily usable. as specified in FIPS 197. Wireless Robust Security Networks: model and related support requirements. specifications.11 wireless networks. planning and deployment of RSNs. smart cards. Our website is http://www. EAP methods appropriate to their The guide discusses both protocols. EAP security well as the cryptographic keys created and NIST SP 800-97. Auxiliary security NIST and by Bernard Eydt and Les Owens Wi-Fi Alliance.gov. security-related components that are additional information about IEEE 802. The EAP. Recommendations for best provides an overview of WLAN security.11 are discussed.11 uses WLAN security.S. and the features of the IEEE 802.11i amendment defines two development and use of new information use of new authentication methods as they data confidentiality and integrity protocols technology. the guide consortium of WLAN equipment and 802. Only the CCMP Networks: A Guide to IEEE 802. between components during each phase of cryptographic algorithms to protect the Department of Commerce. and planning for the confidentiality and integrity of WLAN and measurement methods. NIST SP 800-97 is available from NIST’s tokens. or the option of using either a confidentiality and integrity protocols. U. focusing on the IEEE 802. proof-of-concept implementations.itl.11i also called EAP methods. which conducts a the use of the CCMP. the flow of frames Standards (FIPS)-approved Institute of Standards and Technology (NIST) of the Technology Administration. to Information Processing Standard (FIPS) uses a FIPS-approved core cryptographic supplement NIST SP 800-48 and to assist 140-2.nist. the Advanced Encryption organizations in establishing and Cryptographic Modules.11i and explains the specifications and IEEE 802. organization’s computing environments.11 implementations. and planned extensions to methods that meet the needs of the and weaknesses of the IEEE 802. We seek to overcome barriers to are developed. reference data. communications.11i Federal agencies are required to use A section of the guide focuses on FIPS-approved cryptographic algorithms ITL recently issued NIST SP 800-97.2 April 2007 of Robust Security Network Associations the cryptographic keys that are created and Recommendations for Wireless (RSNAs). a nonprofit industry protection is required for legacy IEEE of Booz Allen Hamilton. and Authentication Protocol (EAP). as well as a establishing an RSNA. data 00-97/SP800-97. Security Requirements for algorithm. A Guide to IEEE 802. the http://csrc.11 equipment that does not support includes an overview of wireless software vendors. EAP supports a NIST SP 800-97 introduces the major listing of online resources that provide wide variety of authentication methods. and organizations for most RSN deployments. Federal agencies networking. and the EAP architectural used by these protocols.11 certification program for WLAN products.11i. should consult NIST SP 800-48 for family of WLAN standards.gov/publications/nistpubs/8 such as using a certificate followed by a steps needed to establish RSNAs. as environments.11i amendment that improve Extensive appendices to NIST SP 800-97 The RSN specified in IEEE 802. scalable. references and the EAP for the authentication phase of other sources of information. practices related to WLAN security are Select IEEE 802. EAP methods also can include It provides extensive guidance on the website at combinations of authentication techniques. Network Security connections that provide moderate to high levels of assurance against WLAN Other issues discussed include the five NIST recommends that organizations security threats through the use of a phases of operation that occur during RSN adopt the following practices to improve variety of cryptographic techniques. This than WEP and TKIP. how organizations can select Authentication Code Protocol (CCMP). include authentication based on security features and capabilities passwords. These methods defined in IEEE 802. should be used by for RSNAs: Temporal Key Integrity the efficient use of information technology. certificates. We develop tests RSN operation. RSNAs are wireless used by these protocols.

and other authentication latest WPA2 information before making EAP methods that can satisfy WLAN needs. which is briefly Because some EAP methods have not yet 802. In general. them carefully. and cryptographic modules implementing the importance of the ASs.11 RSNs.11 RSN protects communications summarized below. the IEEE 802.11 and its related standards do not Considerations in the Information System developed. WLAN network architects to specify the systems that support the chosen EAP technical characteristics of the WLAN methods. organizations are encouraged cover protection of the communications Development Life Cycle. Security standards and new methods are being 802. The WLAN network implementations. the current print services.11 RSNs are established. connections. IEEE 802.1X and EAP Enterprise level certification.11 AS only. organizations should obtain the used for WLANs. file and methods. such guidance on planning EAP replace existing IEEE 802. and implement and maintain To implement IEEE 802. They should then acquire 802. such as consideration have been FIPS-validated.3 April 2007 integrate the EAP methods with other Integrate existing authentication program facilitates the interoperability of environments to which a WLAN might technology with the IEEE 802. because of the resources needed for proper 802. which may necessitate the use expanded periodically to test for EAP methods that do not generate of a PKI. Protected Access 2 (WPA2) certification integrated with the existing authentication . solution. used by an IEEE model for WLANs. IEEE discussed in NIST SP 800-64. such as CCMP. such as authentication methods. methods and standards when planning an organizations deploying RSNs should . organizations should ensure that the cryptography.11i systems with similar equipment discretion in choosing which EAP from other vendors. The five-phase life cycle protocol. Use technologies that have the includes Planning and Design. See the guide for detailed organizations may need to update or and the related network components. and other security controls. planning and implementing IEEE 802. architects should also conduct a site survey methods.Acquisition/Development Phase identity management infrastructure. not satisfy the necessary security authentication requires an organization to because the WPA2 certification is requirements for WLANs. See Appendix C of the guide for AP and its corresponding ASs are starts to design its WLAN solution: contact information. Organizations should use the RSNs has special considerations for EAP-TLS method whenever possible. because of the performing a WLAN risk assessment. security requirements are based on the technology into its RSN solution. The data confidentiality and integrity WLAN security. leading network operating systems and Ensure that WLAN security A primary distinction between TLS-based directory solutions offer the support considerations are incorporated into EAP methods is the level of public key needed for RSN integration. and others are PSK administration and the security risks procure products with the WPA2 being developed. the choice Although the RSN framework supports the should procure WPA2 products that use of EAP method should be carefully use of pre-shared keys (PSK). Most Transport Layer Security (TLS) protocol. Some EAP methods may involved.Planning and Design allows environments. The Wi-Fi Alliance’s Wi-Fi solution and how the WLAN should be considerations. Also.11 RSN WLAN products that implement IEEE connect. firewall rules. protected sufficiently through the use of developing a WLAN use policy. and authentication requirements. Also. and security appropriate security certification from Procurement: policy to determine the EAP method or NIST and interoperability certification methods that are most appropriate in their from the Wi-Fi Alliance when IEEE .11. organizations should review their existing . Federal agencies methods to employ. protection provided by an RSN. However.11 RSNs. PKI implementation and certificates integrity of communications between deployed to each STA.1X standard and EAP for Organizations that plan to use authentication instead of using PSKs authentication servers as part of their IEEE Because of the extensible nature of EAP. FIPS-approved encryption algorithms and considered since it can impact the organizations should choose to implement that have been FIPS-validated.11 equipment as the firewall rules. while most other access points and authentication servers Each of the phases of the life cycle in TLS methods require certificates on each are sufficiently protected. Therefore. however. should consider integrating this procurement decisions. Organizations have considerable WLAN to the extent feasible. for example. is based on the model been adopted as voluntary industry between STAs and APs.Initiation Phase includes the tasks that RSN implementation. Before selecting WLAN equipment. to obtain up-to-date information on EAP between the AP and AS. Additionally. how organizations can select They may also need to purchase additional to help determine the architecture of the EAP methods.11 RSN implementations should many EAP methods exist. establishing and maintaining their security mandating RSNAs for all WLAN through operating system configuration. each phase of the WLAN life cycle in the infrastructure (PKI) support required. organizations specifying business and functional TLS algorithm for each product under should pay particular attention to requirements for the solution. email. use an AS. 802. based on IEEE ensure that communications between each an organization should perform before it 802. the available EAP and software that cannot support RSNAs. and additional EAP security equipment. An organization that already has interoperability with additional EAP cryptographic keying material cannot be implemented ASs for web. the establishment and maintenance of IEEE EAP-TLS method requires an enterprise Ensure that the confidentiality and 802.

html . To have the bulletin sent to sanitizing media that might contain an e-mail address other than the FROM sensitive material. they should enhance e-mail message from your business e-mail .nist.Procurement involves specifying practice recommendations for WLAN Recommended Security Controls for the number and type of WLAN security. operational. the web page listed above. WPA2 Enterprise. and level of security they provide.nist. The recommendations are For information about FIPS 140-2. and standards. see NIST’s web page http://csrc. For information about NIST standards and guidelines that are referenced in the security guide for wireless networks. with the appropriate recommendations should be particularly Disclaimer Any mention of commercial products or reference to event logging procedures enabled. for components that must be purchased. For instructions on using listproc. log reviews. NIST encourages organizations technical security controls for information FIPS-validated encryption modules. activation of the equipment on a from most security threats.Disposition encompasses the tasks that security by supporting RSNs and other account to listproc@nist. it decision to integrate WLAN technology does not imply recommendation or endorsement by .gov/cryptval/140-2. This publication is available on any certifications they must hold such as recommendations. including the organization’s Best Practice Recommendations Federal organizations should follow the PKI. and feature sets they must support such as relevant. .htm. subscribe itl-bulletin. including preserving John Doe. configuration of procured equipment to to manage their WLANs and to take and NIST’s Cryptographic Module meet operational and security actions that will provide reasonable Validation Program. but are not satisfied with the We now offer the option of delivering your ITL security assessment. planning and implementing a 301-975-2832 or elizabeth.4 April 2007 infrastructure. organization should perform on an recommendations will help those ongoing basis once the WLAN is organizations that are already managing ITL Bulletins via E-Mail operational.. upgrade. and your name. send an infrastructure. The are necessarily the best available for the purpose. and disposing of NIST publications assist organizations in address. guidance on general security controls that NIST SP 800-97 summarizes over 50 best are discussed in NIST SP 800-53. have been retired.gov/publications/index. the for which each recommendation is most minimum management.Implementation entails the presented in a way to enable organizations FIPS-approved cryptographic products. grouped by the life cycle phase Federal Information Systems. contact the ITL editor at equipment properly. and to adopt these best practice systems.lennon@nist. More Information message HELP. and configure their address.gov. replace. send a message to listproc@nist. periodic WLANs. involving multiple devices.Operations/Maintenance includes into their computer networks and want to NIST nor does it imply that the products mentioned carrying out security-related tasks that an determine the best way to do it. comprehensive approach to information security.g.gov with the message occur after a system or its components security controls. as well as other security-related publications. RSNs are complex. lists of . The production network. including patching. To subscribe to this service.gov with the information to meet legal requirements. When they Bulletins in ASCII format directly to your e-mail incident handling. and the installation and assurance that the WLANs are protected http://csrc. e. protocols. helpful to organizations that have made a commercial organizations is for information only. see requirements.