Requirements

  1. To provide secure and robust connectivity for enterprise users within the facility to access internal networks and the Internet over Wi-Fi, on an infrastructure that is capable of keeping up with, and upgradeable to, future enterprise wireless technologies and requirements.
  2. To provide Internet access to visitors and guests on a chargeable or free basis, with plug-and-play connectivity for all types of Wi-Fi users regardless of configuration, Wi-Fi card, operating system, etc., so that no support is needed to get them connected.
  3. To secure and protect internal networks from guest users or unauthorized users.

Technologies

The original IEEE 802.11 standard provided the following set of security features to secure wireless LAN communication:

Two different authentication methods: Open system and shared key

The Wired Equivalent Privacy (WEP) encryption algorithm

An Integrity Check Value (ICV), encrypted with WEP, which provides data integrity

Eventually, these original security features proved insufficient to protect wireless LAN communication in some common scenarios—especially large traffic volume environments. The original 802.11 standard has the following security issues:

No per-user identification and authentication

No support for extended authentication methods (for example, token cards, certificates/smart cards, one-time passwords, biometrics, and so on)

No support for key management—dynamic, per-station or per-session key management and rekeying

To resolve these issues, the IEEE 802.1X Port-Based Network Access Control standard was adopted as an optional mechanism to provide authentication for 802.11 wireless LANs. With 802.1X authentication, the following is supported:

Per-user identification and authentication

802.1X uses Extensible Authentication Protocol (EAP), which enforces user-level authentication. In a Windows environment, authentication uses the credentials of a user or computer account in Active Directory.

Support for extended authentication methods (for example, token cards, certificates/smart cards, one-time passwords, biometrics, and so on)

EAP provides an infrastructure to support arbitrary authentication methods. Windows wireless networking supports EAP-Transport Layer Security (EAP-TLS) for certificate and smart card-based authentication and Protected EAP-Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2) for password-based authentication.

Support for key management—dynamic, per-station or per-session key management and rekeying

The EAP-TLS and PEAP-MS-CHAP v2 authentication processes derive mutually-determined unicast encryption keys. The unicast encryption key is changed periodically either by the wireless access point (AP) or by the Windows wireless client. Key determination attacks can be prevented through frequent rekeying.

The combination of IEEE 802.11, 802.1X, and the use of either EAP-TLS or PEAP-MS-CHAP v2 authentication provides secure wireless networking in a Windows environment.

IEEE 802.11i is a new standard that specifies improvements to wireless LAN networking security and addresses many of the security issues of the original 802.11 specification. While the new IEEE 802.11i standard was being ratified, wireless vendors agreed on an interoperable interim standard known as Wi-Fi Protected Access™ (WPA). The goals of WPA are the following:

To require secure wireless networking

As described later in this article, WPA requires secure wireless networking by requiring 802.1X authentication, the use of encryption, and the use of unicast and global encryption key management.

To address the issues with WEP encryption through a software upgrade

WPA solves all the remaining security issues with WEP encryption. As discussed later in this article, WPA requires firmware updates in wireless equipment and an update for wireless clients. Existing wireless equipment is not expected to require replacement.

To provide a secure wireless networking solution for small office/home office (SOHO) wireless users

For the SOHO, there is no RADIUS server to provide 802.1X authentication with an EAP type. SOHO wireless clients must use either shared key authentication (not recommended) or open system authentication (recommended) with a single static WEP key for both unicast and multicast traffic. WPA provides a preshared key option intended for SOHO configurations. The preshared key is configured on the wireless AP and each wireless client. The initial unicast encryption key is derived from the authentication process, which verifies that both the wireless client and the wireless AP have the preshared key.

To be forward-compatible with the upcoming IEEE 802.11i standard

WPA is a subset of the security features in the proposed IEEE 802.11i standard. There are no features of WPA that are not described in the current draft of the 802.11i standard.
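The two key-derivation steps described above (the unicast key derived from the 802.1X authentication in the enterprise case, and the preshared key option for SOHO) share the same second half: a Pairwise Master Key is expanded into per-session keys using the two MAC addresses and the two nonces exchanged in the handshake. The following Python is an added illustration, not code from this page or from any vendor named on it. It maps a passphrase and SSID to the PMK the way WPA-Personal does (PBKDF2-HMAC-SHA1, 4096 iterations, as published in the 802.11i test vectors) and then runs the 802.11i pairwise key expansion PRF to produce the 512-bit WPA/TKIP PTK. The MAC addresses and nonces are constructed values. The point for a designer choosing between the two modes: the session keys are fresh for every association in both cases, but under the preshared key option the master secret is the same for every client and is only as strong as the passphrase, whereas 802.1X gives each user their own PMK and an identity.

```python
import hashlib
import hmac


def wpa_psk_to_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA-Personal: the 256-bit Pairwise Master Key is PBKDF2-HMAC-SHA1 of the
    passphrase, salted with the SSID, over 4096 iterations (IEEE 802.11i Annex H)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, out_bits: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for
    i = 0, 1, ... until at least out_bits have been produced, then truncate."""
    out = b""
    counter = 0
    while len(out) < out_bits // 8:
        block = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, block, hashlib.sha1).digest()
        counter += 1
    return out[: out_bits // 8]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes,
               anonce: bytes, snonce: bytes) -> dict:
    """Expand the PMK into the 512-bit WPA (TKIP) Pairwise Transient Key using the
    authenticator (AP) and supplicant (client) MAC addresses and the two nonces
    from the 4-way handshake, then split it into its component keys. Ordering by
    min/max makes the result the same whichever side computes it."""
    data = (min(aa, spa) + max(aa, spa) +
            min(anonce, snonce) + max(anonce, snonce))
    ptk = prf(pmk, b"Pairwise key expansion", data, 512)
    return {
        "KCK": ptk[0:16],      # EAPOL-Key confirmation (MIC) key
        "KEK": ptk[16:32],     # EAPOL-Key encryption key (wraps the group key)
        "TK": ptk[32:48],      # temporal key for unicast data encryption
        "MIC_TX": ptk[48:56],  # TKIP Michael integrity keys, one per direction
        "MIC_RX": ptk[56:64],
    }


def demo() -> tuple:
    """Constructed scenario: one preshared key, two associations with fresh nonces."""
    # "password"/"IEEE" is the published 802.11i PBKDF2 test vector, chosen here only
    # because its expected PMK is known; it is not a recommended passphrase.
    pmk = wpa_psk_to_pmk("password", "IEEE")
    aa = bytes.fromhex("001122334455")   # constructed AP MAC address
    spa = bytes.fromhex("66778899aabb")  # constructed client MAC address
    # Constructed 32-byte nonces standing in for the random ANonce/SNonce values.
    session1 = derive_ptk(pmk, aa, spa,
                          hashlib.sha256(b"anonce-session-1").digest(),
                          hashlib.sha256(b"snonce-session-1").digest())
    session2 = derive_ptk(pmk, aa, spa,
                          hashlib.sha256(b"anonce-session-2").digest(),
                          hashlib.sha256(b"snonce-session-1").digest())
    return pmk, session1, session2


if __name__ == "__main__":
    pmk, s1, s2 = demo()
    print("PMK:", pmk.hex())
    print("session 1 TK:", s1["TK"].hex())
    print("session 2 TK:", s2["TK"].hex(), "(same PMK, new nonce, new key)")
```

Run it as a script to see that changing a single nonce changes every part of the PTK while the PMK, and with it the secret every PSK client holds, stays the same.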

A robust enterprise wireless solution must therefore support not only the WEP/802.1X technologies but also the more recent WPA/802.1X technologies, as well as the future 802.11i standard, which has yet to be ratified but is built on WPA.

An external (guest) user, on the other hand, may be using an old or new Wi-Fi computer, and it is difficult to predict the type of technologies they may be using. The focus therefore has to be on providing connectivity for all types of configurations without compromising the security of the internal users and internal networks. The security of the guest user is not the focus, except in a general way.

Architecture of the solution:

The solution will consist of:

  1. A Nomadix gateway, one per facility. The specific model depends on the number of users, and on this basis a Nomadix HSG model has been selected for this facility. The Nomadix gateway provides plug-and-play connectivity in the sense that the user (particularly the guest user) need not change their IP or proxy configuration. The Nomadix gateway can also assign different IP addresses to different classes of customers and provide VLAN segregation on the subscriber side as well as the network side. Giving different classes of subscribers different IP address ranges also makes it possible to specify access-list rules in the switches and routers that separate the various networks in the enterprise: for example, the guest user will not be able to access any internal network, the marketing department may not be able to access the finance department networks, and so on. The Nomadix gateway also provides the ability to set the upstream and downstream bandwidth for individual users or groups of users.
  2. Access points that support multiple SSIDs as well as WEP, WPA and 802.1X, and that can be upgraded to future standards. After thorough testing of various brands of APs with various types of laptops and clients, we have suggested the Cisco 1100 Series access points. For an enterprise application, the Cisco APs have numerous undeniable features and are a strong product.
  3. A Windows 2003 server with IAS (RADIUS), Certificate Server and IIS. This will provide the authentication for internal users. The same server could authenticate and authorize guest users; alternatively, an external RADIUS server, which will support enterprise hot spots across the country, will cater to the guests.
  4. Internal users will use WEP/802.1X or WPA/802.1X, with dynamic encryption keys for end-to-end encryption of the traffic.
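The per-class addressing in item 1 only enforces anything once the access-list rules on the switches and routers are written correctly, and the classic mistake with such lists is ordering: a first-match list with a broad permit ahead of a narrow deny never evaluates the deny. The Python below is an added example, not part of the proposal and not Nomadix or Cisco code; the subnets are constructed (the page names none), and the rule model is a simplified source/destination access list with the implicit deny that real router ACLs end with. It builds the policy the text describes (guests to the Internet only, marketing kept out of finance), evaluates sample flows, shows what a misordered list does, and includes a small audit that spot-checks guest isolation, which is the kind of check worth running against the real configuration before the facility goes live.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed address plan (hypothetical; not taken from the proposal): the gateway
# hands each class of subscriber an address from its own range.
CLASS_SUBNETS = {
    "guest": ipaddress.ip_network("10.200.0.0/16"),
    "marketing": ipaddress.ip_network("10.20.0.0/16"),
    "finance": ipaddress.ip_network("10.30.0.0/16"),
}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # every internal network, servers included


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def build_access_list() -> List[Rule]:
    """First matching rule wins and anything unmatched is denied, so each narrow
    deny must sit above the broad permit that would otherwise swallow it."""
    g = CLASS_SUBNETS["guest"]
    m = CLASS_SUBNETS["marketing"]
    f = CLASS_SUBNETS["finance"]
    return [
        Rule("deny", g, INTERNAL),   # guests never reach anything internal ...
        Rule("permit", g, ANY),      # ... but may go out to the Internet
        Rule("deny", m, f),          # marketing stays out of finance
        Rule("permit", m, ANY),
        Rule("permit", f, ANY),
    ]


def evaluate(acl: List[Rule], src_ip: str, dst_ip: str) -> str:
    """Return the action of the first rule matching the flow, or the implicit deny."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in acl:
        if src in rule.src and dst in rule.dst:
            return rule.action
    return "deny"


def misordered_access_list() -> List[Rule]:
    """The same rules with the guest permit-any moved above the guest deny: the deny
    is now unreachable and guest isolation silently fails."""
    acl = build_access_list()
    return [acl[1], acl[0]] + acl[2:]


def audit_isolation(acl: List[Rule], src_class: str,
                    forbidden: ipaddress.IPv4Network) -> List[str]:
    """Spot-check a few hosts of src_class against a few hosts in the forbidden range
    and return every src -> dst pair the list would let through (empty means pass)."""
    src_net = CLASS_SUBNETS[src_class]
    src_hosts = [str(src_net[1]), str(src_net[1000]), str(src_net[-2])]
    dst_hosts = [str(forbidden[1]), str(forbidden[5000]), str(forbidden[-2])]
    return [f"{s} -> {d}" for s in src_hosts for d in dst_hosts
            if evaluate(acl, s, d) == "permit"]


if __name__ == "__main__":
    good = build_access_list()
    bad = misordered_access_list()
    print("guest -> finance (correct list):", evaluate(good, "10.200.0.10", "10.30.0.5"))
    print("guest -> Internet (correct list):", evaluate(good, "10.200.0.10", "203.0.113.9"))
    print("guest isolation leaks (correct list):", audit_isolation(good, "guest", INTERNAL))
    print("guest isolation leaks (misordered):", audit_isolation(bad, "guest", INTERNAL))
```

The audit deliberately samples hosts at the edges of each range as well as in the middle, because off-by-one mask errors tend to show up there first.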

Miscellaneous Issues:

Internal user laptop configuration will need to be controlled, as older Wi-Fi cards may not support all the new technologies. Products such as the Intel Centrino or the latest Wi-Fi cards are not a problem. The latest security patches from Microsoft also need to be applied to the laptops. [These are some of the issues that we have learnt in the exercise that we have done at Orange so far.] A procedure by which internal users will obtain certificates from the Certificate Server needs to be put in place.

 
 
 
 