Wireless Wild West
August 19, 2003
How a WLAN lawman brought peace and order -- using a lot of Funk -- to the chaos of a highly insecure Wi-Fi frontier.
When various schools and departments at the University of Texas Health Science Center in Houston started setting up ad hoc Wi-Fi wireless LANs (WLANs) in late 2001, they gave little thought to security. Actually, they gave none.
It was a Wild West show, says senior network security analyst Trey Dismukes. Anybody who wanted to threw up access points wherever they pleased, none of them were linked, and anybody who wanted could use them.
The School of Health Sciences had facility-wide coverage. Two floors of the Nursing School were covered, plus assorted other departments -- almost 50 access points in all by the middle of last year.
Students used the WLANs for e-mail and Web access -- to get to school academic Web sites in particular. Staff not yet connected to a wired network used them for the same things, or they used them to stay in contact when away from their offices, including in meetings.
Was there widespread lawlessness? Did hackers have a field day? "There may have been [hacking] incidents," Dismukes says, "but we'll never know because nobody was monitoring. But we knew it had to be controlled or we most definitely would have the kind of breach that we'd never know about."
So the powers-that-be -- two IT groups at the Center that share responsibility for (wired) network management -- sent Sheriff Dismukes in to establish law and order.
Dismukes took a few months to research WLANs and wireless security and to write a comprehensive security policy. Based on his recommendations, the access points abruptly came under the control of Dismukes' employers. As a first step in cleaning up the situation, he linked all the access points together to enable roaming and configured them to consistently adhere to at least minimal security.
The most he could do at this point was stop the access points from broadcasting their SSID (Service Set Identifier). It was a long way from a final solution. For one thing, it meant users had to know and type the local SSID into their client software -- not very elegant. For another, a hidden SSID is an inconvenience rather than access control: the name is still sent in the clear in every probe request and association request, so anyone with a sniffer recovers it the moment a legitimate client joins. It did keep just any Wi-Fi client from stumbling onto the WLANs, and for the moment that was all the hardware could offer.
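To make the caveat concrete, here is an added example, not code from the article or from the Center: a small parser for the SSID element of 802.11 management frames, run over two constructed frames (placeholder MAC addresses and a made-up network name). The beacon from an AP with SSID broadcast disabled carries an empty SSID element, while the association request a client sends to join it names the network in the clear.

```python
"""Added example (not from the original article): why a hidden SSID is not
access control. Two constructed 802.11 management frames are parsed: a
beacon from an AP with SSID broadcast turned off, and the association
request a client sends to join it."""
import struct

MGMT_HEADER_LEN = 24   # frame control(2) duration(2) addr1(6) addr2(6) addr3(6) seq(2)
# management subtype -> bytes of fixed fields that precede the information elements
FIXED_FIELDS = {
    0: 4,    # association request: capability(2) + listen interval(2)
    2: 10,   # reassociation request: capability(2) + listen interval(2) + current AP(6)
    4: 0,    # probe request
    5: 12,   # probe response: timestamp(8) + beacon interval(2) + capability(2)
    8: 12,   # beacon: same fixed fields as a probe response
}
SSID_IE = 0

def frame_type_subtype(frame):
    """Decode the first frame-control octet: bits 2-3 are the type, bits 4-7 the subtype."""
    fc0 = frame[0]
    return (fc0 >> 2) & 0x3, fc0 >> 4

def parse_ies(body):
    """Walk the tag/length/value information elements; a truncated tail is dropped."""
    ies, i = [], 0
    while i + 2 <= len(body):
        eid, length = body[i], body[i + 1]
        ies.append((eid, body[i + 2:i + 2 + length]))
        i += 2 + length
    return ies

def extract_ssid(frame):
    """Return the SSID, "" if it is hidden (empty or NUL-filled), None if the frame has none."""
    ftype, subtype = frame_type_subtype(frame)
    if ftype != 0 or subtype not in FIXED_FIELDS:   # not a management frame we know
        return None
    body = frame[MGMT_HEADER_LEN + FIXED_FIELDS[subtype]:]
    for eid, data in parse_ies(body):
        if eid == SSID_IE:
            if data.strip(b"\x00") == b"":           # some APs send NULs instead of length 0
                return ""
            return data.decode("utf-8", "replace")
    return None

def build_mgmt_frame(subtype, fixed, ssid):
    """Constructed frame: management type, given subtype, placeholder addresses, one SSID element."""
    fc = bytes([subtype << 4, 0x00])                 # type 0 (management), no flags
    ap, client = bytes.fromhex("000c85000001"), bytes.fromhex("00095b000002")  # made-up MACs
    header = fc + b"\x00\x00" + ap + client + ap + b"\x00\x00"
    return header + fixed + bytes([SSID_IE, len(ssid)]) + ssid

SSID = b"UTH-NURSING"   # constructed network name, not one from the article
# Beacon with SSID broadcast disabled: timestamp, 100 TU interval, capability, empty SSID element
HIDDEN_BEACON = build_mgmt_frame(8, struct.pack("<QHH", 0, 100, 0x0431), b"")
# The client's association request names the network in the clear
ASSOC_REQUEST = build_mgmt_frame(0, struct.pack("<HH", 0x0431, 10), SSID)

if __name__ == "__main__":
    print("beacon SSID:", repr(extract_ssid(HIDDEN_BEACON)))              # ''
    print("association request SSID:", repr(extract_ssid(ASSOC_REQUEST)))  # 'UTH-NURSING'
```

Run on a real capture, the same function applied to association and probe request frames recovers a "hidden" name within seconds of a client joining, which is why the rest of the article's work was needed.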
Next, Dismukes set about properly evaluating and selecting a serious security solution. In the end, he chose Odyssey server and client solutions from Funk Software, including Funk's industrial-strength Steel Belted Radius server.
Dismukes has written (and published at Ars Technica) a thorough but readable primer on WLAN security, including an account of selecting and implementing the solution at the University of Texas Health Science Center.
He chose Funk because he wanted a security/authentication system based on IEEE 802.1X, the port-based network access control standard originally written for wired LANs and since adopted for WLANs as well. More specifically, he wanted to use TTLS (Tunneled Transport Layer Security), one of several methods of the IETF's Extensible Authentication Protocol (EAP), which 802.1X carries between the client and the access point.
TTLS, originally developed by Funk, provided the best support for LDAP (Lightweight Directory Access Protocol), the standard protocol for querying directory servers. The reason is structural: TTLS authenticates the server with a TLS certificate and then tunnels a simple inner exchange such as PAP, so the RADIUS server receives the user's password under the protection of the tunnel and can check it with an ordinary LDAP bind, whereas methods built on MS-CHAP need the password's NT hash, which a plain LDAP directory does not store. The Center had already implemented LDAP and Dismukes wanted to use it for ID/password look-up in conjunction with whichever Remote Authentication Dial-In User Service (RADIUS) server he settled on. There was one other player in contention: AEGIS from Meetinghouse Data Communications. AEGIS, however, did not support LDAP, only Active Directory, Microsoft's Windows directory service. The Funk client software was also easier to configure, and the company provided more attentive pre-sales support, Dismukes says.
The installed WLAN infrastructure at the Center, despite the uncontrolled early roll-out, was all Cisco, which is also the primary vendor for the University's wired network infrastructure.
The client side was and is a different matter: anything and everything goes. As Dismukes points out, few students buy Cisco client cards because they tend to be more expensive than consumer-targeted brands such as Linksys (now owned by Cisco) or D-Link Systems. Few, as it turned out, were incompatible with the Funk solution, however. As long as they supported 128-bit WEP encryption, which only the oldest and lowest-end cards did not, they were fine; the Odyssey client software supplies the 802.1X side, so the card itself only has to handle the encryption.
Dismukes installed two servers (one of which he already had) running the Steel Belted Radius software -- two licenses at $10,000 each. He bought 400 licenses for the client software, which works out to about $30 per client.
Although at this point there are only about 100 users accessing the network wirelessly through about 50 access points, Dismukes expects fairly rapid growth. He predicts that the user population will reach about 500 by the end of this year and the number of access points 100.
To end users, the new security is virtually transparent. When they turn on their computers, the Odyssey client establishes a TLS-encrypted tunnel to the Funk RADIUS server, relayed through the local access point, and sends the user's Windows ID and password inside it -- without the user having to do anything. The RADIUS server presents these credentials in turn to the Center's LDAP server.
If the LDAP server confirms the credentials, the RADIUS server tells the access point to admit the session and hands it a fresh per-session WEP key for the user, which is used for ten minutes before the system transparently re-authenticates the user and swaps in a new one. The ten-minute limit is what makes WEP tolerable here: the practical attacks on WEP are not brute force but statistical, recovering the key from a large number of frames encrypted under the same key, and re-keying every ten minutes caps how many frames an eavesdropper can collect under any one key.
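The exchange between the RADIUS server and the access point at the moment of "issuing the key" is worth seeing in code. The following is an added example, not Funk's or Cisco's code: it builds the RADIUS Access-Accept that carries the per-session key to the access point as MS-MPPE-Send-Key / MS-MPPE-Recv-Key vendor attributes (RFC 2548), encrypted under the RADIUS shared secret, plus a Session-Timeout of 600 seconds that asks the AP to force re-authentication after ten minutes (assuming, as Cisco APs of the period did, that the AP honors that attribute for 802.1X re-authentication). The access point side verifies the Response Authenticator (RFC 2865) before trusting anything in the reply. The shared secret, request authenticator and 104-bit WEP keys are constructed values.

```python
"""Added example (not Funk's or Cisco's code): how a RADIUS server delivers a
per-session key to an access point once authentication succeeds, and how the
AP checks the reply before trusting it. Secret, authenticator and keys are
constructed; the AP is assumed to honor Session-Timeout for re-authentication."""
import hashlib
import hmac
import os
import struct

ACCESS_ACCEPT = 2
ATTR_VENDOR_SPECIFIC, ATTR_SESSION_TIMEOUT = 26, 27
MS_VENDOR_ID = 311
MPPE_SEND_KEY, MPPE_RECV_KEY = 16, 17

def mppe_encrypt(secret, req_auth, key, salt):
    """RFC 2548 2.4.2: P = len(key) || key, zero-padded to a multiple of 16;
    c(i) = p(i) XOR MD5(secret || c(i-1)) with c(0) = req_auth || salt. Returns salt || ciphertext."""
    p = bytes([len(key)]) + key
    p += b"\x00" * (-len(p) % 16)
    out, prev = b"", req_auth + salt
    for i in range(0, len(p), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(p[i:i + 16], b))
        out, prev = out + c, c
    return salt + out

def mppe_decrypt(secret, req_auth, blob):
    """Inverse of mppe_encrypt; rejects a salt without its high bit or a bad length."""
    salt, data = blob[:2], blob[2:]
    if len(salt) != 2 or not salt[0] & 0x80 or not data or len(data) % 16:
        raise ValueError("malformed MPPE key attribute")
    p, prev = b"", req_auth + salt
    for i in range(0, len(data), 16):
        b = hashlib.md5(secret + prev).digest()
        p += bytes(x ^ y for x, y in zip(data[i:i + 16], b))
        prev = data[i:i + 16]
    klen = p[0]
    if klen == 0 or klen > len(p) - 1:
        raise ValueError("bad key length: wrong shared secret or tampered attribute")
    return p[1:1 + klen]

def vsa(vendor_type, value):
    """Vendor-Specific attribute (26) carrying one Microsoft sub-attribute."""
    inner = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return struct.pack("!BBI", ATTR_VENDOR_SPECIFIC, 6 + len(inner), MS_VENDOR_ID) + inner

def build_access_accept(secret, ident, req_auth, send_key, recv_key, session_timeout=600):
    """RADIUS server side: Access-Accept with both keys and a ten-minute re-authentication timer."""
    r = os.urandom(2)
    salt_send = bytes([r[0] | 0x80, r[1]])          # high bit set, fresh for every packet
    salt_recv = bytes([r[0] | 0x80, r[1] ^ 0x01])   # the second key attribute gets a distinct salt
    attrs = (struct.pack("!BBI", ATTR_SESSION_TIMEOUT, 6, session_timeout)
             + vsa(MPPE_SEND_KEY, mppe_encrypt(secret, req_auth, send_key, salt_send))
             + vsa(MPPE_RECV_KEY, mppe_encrypt(secret, req_auth, recv_key, salt_recv)))
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    # Response Authenticator = MD5(Code || ID || Length || RequestAuth || Attributes || Secret)
    resp_auth = hashlib.md5(head + req_auth + attrs + secret).digest()
    return head + resp_auth + attrs

def ap_handle_access_accept(secret, req_auth, packet):
    """Access point side: verify the Response Authenticator first, then pull out keys and timeout."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Accept")
    resp_auth, attrs = packet[4:20], packet[20:]
    expected = hashlib.md5(packet[:4] + req_auth + attrs + secret).digest()
    if not hmac.compare_digest(resp_auth, expected):
        raise ValueError("Response Authenticator mismatch: forged reply or wrong shared secret")
    result, i = {}, 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed attribute")
        value = attrs[i + 2:i + alen]
        if atype == ATTR_SESSION_TIMEOUT:
            result["session_timeout"] = struct.unpack("!I", value)[0]
        elif atype == ATTR_VENDOR_SPECIFIC and len(value) >= 6 and struct.unpack("!I", value[:4])[0] == MS_VENDOR_ID:
            vtype, vlen = value[4], value[5]
            vval = value[6:4 + vlen]
            if vtype == MPPE_SEND_KEY:
                result["send_key"] = mppe_decrypt(secret, req_auth, vval)
            elif vtype == MPPE_RECV_KEY:
                result["recv_key"] = mppe_decrypt(secret, req_auth, vval)
        i += alen
    return result

def accept_is_valid(secret, req_auth, packet):
    """True only if the AP would accept the packet; any integrity or format failure is False."""
    try:
        ap_handle_access_accept(secret, req_auth, packet)
        return True
    except ValueError:
        return False

# Constructed values: shared secret, the Access-Request's authenticator, two 104-bit ("128-bit") WEP keys
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))
SEND_KEY = bytes.fromhex("0102030405060708090a0b0c0d")
RECV_KEY = bytes.fromhex("0d0c0b0a090807060504030201")

if __name__ == "__main__":
    pkt = build_access_accept(SECRET, 7, REQUEST_AUTH, SEND_KEY, RECV_KEY)
    print(ap_handle_access_accept(SECRET, REQUEST_AUTH, pkt))
```

Two things in this exchange deserve a practitioner's attention. The key protection and the Response Authenticator both rest on MD5 and the shared secret, so the secret's strength and the privacy of the wired path between AP and RADIUS server matter as much as the wireless side; and the Session-Timeout is only a request, so an AP that ignores it would leave the same WEP key in use indefinitely.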
It's not absolutely bullet-proof. Because the client reuses the Windows log-on credentials, someone who finds or steals a user's laptop can get onto the network if they know or can guess the user's Windows user ID and password. That was a conscious decision based on users' presumed impatience with multiple log-on procedures, Dismukes says. "Nothing [in security] is ever perfect," he notes.
Upgrading the firmware on the Cisco access points and installing the Funk client software on user systems was relatively simple, if time-consuming, but the project, completed in the spring of 2003, did have its share of complexity.
A lot of the difficult issues had to do with interoperability between the Funk and LDAP servers. The task was complicated by the fact that some users needed to log in directly to the LDAP server first.
"Just getting the Steel Belted Radius to talk to the LDAP server was a long and technologically challenging process," Dismukes says.
When he finally solved all the problems, it was "kind of anticlimactic," he says. "I worked so hard, and when we first started turning on the clients, the only difference the user saw was in the tray at the bottom of their screens -- the little icon that before was black now was blue. That was the only thing that showed."
Maybe nothing showed, but law and order now prevails in Houston, and that means settling the WLAN frontier can now begin in earnest.