WLAN is mostly defined by the IEEE 802 family of standards. The good news is that adherence to these standards gives unparalleled interoperability. On the other hand, it also requires that the IEEE committees be innovative in areas such as security, which is an area where work is still being done. To bridge the gap between the leading market readiness requirement and lagging security standards, organizations like Wi-Fi Alliance and Cisco (with LEAP and Flexible Authentication via Secure Tunnel [EAP-FAST]) have implemented security mechanisms (with associated specifications). The IEEE security committees are developing standards that will eventually fill the gaps.
Why Do Standards Take More Time?Standardization is always a deliberate effort at coordinating different insights, opinions, and ideas into a cohesive and comprehensive specification. Finalizing the precise language of a standard and reaching consensus takes time. Also, standards need to be relatively static, which means the specifications need to be mature. All this work takes time, but it is worth the effort. |
The Institute of Electrical and Electronic Engineers (IEEE) is, among other things, a standards body. IEEE publishes standards for many types of systems, ranging from power and energy systems to voting systems. The organization is well known for its standards on information exchange between computers?from best practices to IT infrastructure to LAN/MAN standards to portable applications standards. The following are some examples of systems that use IEEE standards:
Binary floating-point arithmetic handling by computers
IEEE-488?standard for instruments to communicate with each other
Versa Module Eurocard (VME) bus, which is an electronic architecture specification for controllers and cards mainly used in the industrial real-time process control world
Portable Operating System Interface (POSIX)
Utility meter reading via telephone
The standards work is done by volunteer committees, which usually consist of experts employed in the computer industry. The committees consider a large amount of input during their standards development work, and they have formal voting procedures. After deliberation, they publish their standards, which are owned by the IEEE and are available to the public. Initially, they charge for the standards, but six months after publication, the standards are available for free download. You can access the standards by visiting http://standards.ieee.org/.
Note
IEEE is not the only standards organization of interest from the WLAN perspective. As you will see later in this chapter, the WLAN domain incorporates standards from the Internet Engineering Task Force (IETF), ETSI, and other standards bodies.
Of interest, of course, is the 802 family of standards that covers the local- and metropolitan-area networks. You can access the current 802 standards at the website http://standards.ieee.org/getieee802/.
The IEEE 802 defines reference architecture for packet-based, shared-medium communications for the LAN/MAN. As shown in Figure 3-1, this standard defines the LAN/MAN Reference Model (RM) and a LAN/MAN Implementation Model (IM) based on the OSI seven-layer model.
Note
Some interesting 802 specifications include the 802.3 Ethernet, the 802.11 wireless standards, and the 802.1x port-based network access control security standard.
Table 3-1 shows the various IEEE and related standards that are relevant to this discussion, including their domain and pertinence.
Specification | Standards Body/Status | Domain | Interest to Security | H/W | Radio |
---|---|---|---|---|---|
802.11: Wireless LAN MAC and Physical Layer (PHY) Specifications | IEEE | Hardware, signaling | Low | Y | Y |
802.11d-2001: Amendment 3 | |||||
802.11a: Wireless LAN MAC and PHY Specifications | IEEE | 5-GHz band PHY layer | Low | Y | Y |
802.11a: Wireless LAN MAC and PHY Specifications and Corrigendum 1 | IEEE | 2.4-GHz band PHY layer | Low | Y | Y |
802.11g: Wireless LAN MAC and PHY Specifications and Amendment 4 | IEEE | Higher data rate extension in the 2.4-GHz band (from a max of 11 Mbps to 54 Mbps) | Low | Y | Y |
802.11h: Wireless LAN MAC and PHY Specifications | IEEE/Draft | Defines mechanisms for Dynamic Frequency Selection (DFS) and Transmit Power Control (TPC) that might be used to satisfy regulatory requirements for operation in the 5-GHz band in Europe | Low | Y | Y |
802.15: Wireless Personal Area Networks | IEEE | 802.15.1, 802.15.2, 802.15.3, and 802.15.4 specifications deal with the WPANs, which are derived from the Bluetooth specifications | Low | Y | Y |
802.11i: Wireless LAN MAC and PHY Specifications: Amendment 6: MAC Security Enhancements | IEEE | Specification for enhanced security | High | ||
WPA (Wi-Fi Protected Access) | Wi-Fi Alliance | Authentication, encryption | High | ||
802.1x: Port-Based Network Access Control | IEEE | Authentication framework (using EAP), access control mechanisms, protocols between entities participating in authentication, basis for the WEP | High | ||
802.11f: IEEE Trial-Use Recommended Practice for Multi-Vendor Access Point Interoperability via an Inter-Access Point Protocol Across Distribution Systems Supporting IEEE 802.11 Operation | IEEE | Exchange information between access points, use of RADIUS protocol, and context handling for faster roaming | Medium | ||
802.11e: Wireless LAN MAC and PHY Specifications: Amendment 7: MAC Quality of Service (QoS) Enhancements | IEEE/In progress | MAC enhancements to support applications that require QoS, such as audio and video over 802.11 WLANs | Low | ||
802.11n | IEEE/High Throughput Study Group (HTSG) starting to work on the standard | Standard for high throughput 108 Mbps to 320 Mbps; plan to concentrate on throughput rather than data transfer rates. ETA: 2005 to 2006 | Low | ||
802.11k: Wireless LAN MAC and PHY Specifications: Specification for Radio Resource Measurement | IEEE/In progress | Defines information (radio and network) for management, maintenance, and enhanced data, which could be the basis for various services | Low | ||
LWAPP | IETF/Experimental | Protocol for routers and switches to manage access points | Low | ||
Extensible | IETF | Original RFC defining an authentication method for the Point-to-Point Protocol (PPP) | High | ||
EAP-TLS | IETF | Adds Transport Level Security (TLS), which is a derivative of SSL, mechanisms to EAP | Medium | ||
Protected EAP (PEAP) | IETF | Addresses gaps in EAP by securing the initial exchange | High | ||
Cisco Wireless EAP or Lightweight EAP (LEAP) | Cisco | Based on mutual authentication between a wireless client and AP, with an access server (usually a RADIUS server) | High | ||
EAP-FAST | IETF/Informational | Adds a mutually authenticated tunnel to EAP and flexibility to use different security mechanisms for credential provisioning, authentication, and authorization. | High |
As you can see, IEEE and IETF play key roles in defining the security standards for WLAN. Note that the work is in progress, and many newer ways of securing WLANs are emerging.
The Wi-Fi Alliance is a nonprofit organization that specializes in the 802.11 WLAN industry. It was formed in 1999 (as WECA?Wireless Ethernet Compatibility Alliance) to address the interoperability of WLANs by certification; the devices that successfully passed the test would display the Wi-Fi CERTIFIED logo. The Wi-Fi CERTIFIED brand carries a high level of interoperability. In the security space, the Wi-Fi Alliance developed Wi-Fi Protected Access (WPA) to address the security gaps in the Wired Equivalent Privacy (WEP) offered by the 802.11 specification. You can access the various presentations and other information from the Wi-Fi Alliance website at http://www.wi-fi.org/.
The WPA specification is an essential subset of the 802.11i specification. WEP provided inadequate security, so the Wi-Fi Alliance developed a pragmatic solution that preserves interoperability and compatibility with the eventual 802.11i specification while providing the necessary security. Details of the security gaps in WEP are covered later in this chapter.
The main reason for the WPA specification is that industry requirements preempt the standards work, which needs to be systematic, deliberate, and complete. So the Wi-Fi Alliance developed the WPA as a pragmatic improvement over the current implementations of WEP?pragmatic in the sense that the WPA would require only a firmware upgrade and would be interoperable by virtue of being certified by the Wi-Fi Alliance, while providing the required security features and maintaining the 802.11i compatibility. It was a tough task, indeed.
Looking at the comparison between the 802.11 specification and WPA (and the 802.11i specification), you can see that the various feature sets are evolving. Table 3-2 shows this aggregate comparison of features.
Feature | 802.11/WEP | 802.1x | WPA | 802.11i |
---|---|---|---|---|
Identity | Machine (the WEP key) | User | User | User |
Authentication | Shared key/EAP | UN/PW/PEAP?certificates | UN/PW (with RADIUS) or preshared key | UN/PW (with RADIUS) |
PEAP | PEAP | |||
Integrity | 32-bit Integrity Check Value (ICV) | 32-bit ICV | 64-bit Message Integrity Code (MIC) | CCM |
Encryption | Static keys | Session keys | Key rotation using TKIP | CCMP |
Key distribution | One time, manual | Session keys automatic upon authentication | Automatic, rotation | Automatic, rotation |
Initialization vector | Plain text, 24 bits | Plain text, 24 bits | Extended IV?64 bits with selection/sequencing rules | |
Algorithm | RC4 | RC4 | RC4, AES (optional) | AES |
Key strength | 64-bit/128-bit | 64-bit/128-bit | 128-bit | 128-bit |
Supporting infrastructure | Static ACL | RADIUS infrastructure for user authentication | RADIUS infrastructure for user authentication | Radius infrastructure for user authentication |
Evolutionary/revolutionary | Evolutionary | Revolutionary |
For the next few years, the 802.11i specification will be the standard to implement WLAN. While the standard is being developed, however, as an interim solution, WPA is the required security implementation in a WLAN infrastructure.
Note
The most important WLAN security specification is the 802.11i specification, approved June 24, 2004. The Wi-Fi Alliance is releasing Wireless Protected Access 2 (WPA2) testing and certification to reflect the 802.11i and incorporates the full implementation of 802.11i. The major advancements in WPA2 (from WPA) are the key management/encryption and optional preauthentication mechanisms. Similar to WPA, WPA2 offers two classes of certification: WPA2-Enterprise and WPA2-Personal. Whereas the WPAs-Enterprise requires support for Radius/802.1X-based authentication and Pre-Shared Key, the WPA2-Personal requires only the Pre-Shared Key.
The Wireless LAN Association (WLANA) is a nonprofit association that concentrates on the educational aspects of WLAN. You can achieve various levels of certification, including Certified Wireless Network Administrator (CWNA), Certified Wireless Security Professional (CWSP), Certified Wireless Network Integration (CWNI), and Certified Wireless Network Expert (CWNE). You can find more information at http://www.wlana.org/.