Friday, August 8, 2008

Where's Your End-Point?


Modern wireless networks are fielded with security without thought to where the security ends. Typical 802.11 access points secure the 300-foot or so space between the station and the Access Point (AP). This is fine for a home network with an AP or router only a few feet away, but inadequate for an enterprise or corporate network where the larger wired or wireless gap to the data center can span floors in a building, or between facilities. If WiMAX or long-haul bridges and repeaters are used (as in Mesh Networks), the distance can be many miles/km. This leaves a huge backdoor that can be sniffed or tapped. This weakness has now made headlines, and the risk has been shown to translate directly into financial costs in the billions from theft and privacy loss.

To be really secure, encryption should originate from the Datacenter, not each AP. This way, the AP is just a passthrough and can be set to open mode and still pass the encrypted traffic end-to-end, regardless of distance. The WirelessWall software from TLC-Chamonix, LLC is both the cheapest solution and the most secure, since it makes any existing wireless infrastructure sniffer-proof with no new capital equipment.

Access Points: An Open Back Door

Every Access Point on the market is vulnerable because even though encrypted information may go out, unencrypted information goes in. The flawed assumption is that the wire going into the AP is trusted. This makes it easy to tap, sniff or spoof.

Today's standards for WPA2 (Personal or Enterprise) perpetuate the exposure by requiring key material or RADIUS passwords to be stored on the AP itself. This is a vulnerability to AP hacking -- either physical (opening up the AP) or by gaining wireless access to the AP administrative channel and retrieving Pre-Shared Keys or RADIUS shared secrets. The AP could then spoof the backend or be reprogrammed to broadcast traffic in the clear on another channel. This is particularly true of the Atheros Multiband chipsets that can support many "virtual" APs.

Access and firewall policies are not centralized or standard between AP vendors. These must be replicated on each AP whenever the policy changes, adding to cost and complexity of administration, which means they are less likely to be changed often even though that would strengthen security. Various remote management schemes add another dimension to the exposure.

Centralized Security Management offers the advantage of keeping key material and 802.1X authenticator passwords at the Datacenter rather than on APs at the edge of the security envelope. This model is reflected in the "Split-AP" model in the upcoming IETF CAPWAP standards and used by WirelessWall. It keeps the APs blind to all security profiles.

In summary, WirelessWall is recommended because it follows the CAPWAP Taxonomy guidelines for a Split-AP mode. CAPWAP is a future standard that is not yet ratified and years away from market. WirelessWall provides comparable security-model functionality today as a FIPS 140-2 software solution using AES-CCMP Layer 2 encryption, 802.1X and EAP-TTLS with mutual authentication. It is smart security to keep APs "dumb" -- administrators have less to worry about because they don't expose the data center to compromise at every AP location.
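As an added illustration (not WirelessWall's code and not from the original post), the following Go model contrasts the two trust boundaries described above: WPA2 terminated at the AP, where the AP holds the key and puts plaintext on its wired uplink, versus the split-AP passthrough, where the AP holds no key and the payload stays encrypted until the data-center gateway opens it. It uses AES-GCM from the Go standard library as a stand-in for AES-CCMP, and the key, nonce, header bytes and sample payload are all constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
)

// Frame is a constructed, simplified Layer 2 frame: header in the clear, payload as the last hop left it.
type Frame struct {
	Header  []byte
	Payload []byte
}

// NewAEAD builds AES-GCM as a stand-in for 802.11i AES-CCMP (CCM is not in the
// Go standard library); the trust-boundary argument is the same either way.
func NewAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// StationSend encrypts the payload at the station, before the frame reaches the AP.
func StationSend(aead cipher.AEAD, nonce, plaintext []byte) Frame {
	// 0x08 0x02 is a constructed stand-in for the MAC header bytes (always cleartext).
	return Frame{Header: []byte{0x08, 0x02}, Payload: aead.Seal(nil, nonce, plaintext, nil)}
}

// APTerminatedUplink models WPA2 ending at the AP: the AP holds the key, decrypts
// the over-the-air frame and forwards plaintext on its wired uplink.
func APTerminatedUplink(apAEAD cipher.AEAD, nonce []byte, air Frame) (Frame, error) {
	pt, err := apAEAD.Open(nil, nonce, air.Payload, nil)
	if err != nil {
		return Frame{}, err
	}
	return Frame{Header: air.Header, Payload: pt}, nil
}

// PassthroughUplink models the split-AP model: the AP holds no key and forwards the
// still-encrypted payload unchanged; only the data-center gateway can open it.
func PassthroughUplink(air Frame) Frame {
	return Frame{Header: air.Header, Payload: air.Payload}
}

// UplinkTapSeesSecret models a tap on the AP's wired uplink: are the sensitive bytes readable?
func UplinkTapSeesSecret(uplink Frame, secret []byte) bool {
	return bytes.Contains(uplink.Payload, secret)
}
```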

Wireless Warning

T.J. Maxx Data Theft Likely Due To Wireless 'Wardriving'

[article]

You've read the headlines. A small ring of hackers using wireless sniffers stole 45 million credit cards from a single chain, resulting in LOSSES IN THE BILLIONS. This should put retailers and any organization using WiFi on notice. It underscores how vulnerable WiFi really is and what is at stake. DON'T LET THIS HAPPEN TO YOU.


What many don't know is that EVERY ACCESS POINT ON THE MARKET TODAY IS VULNERABLE AND IMPOSSIBLE TO SECURE. 802.11i (WPA2) was supposed to solve the weaknesses in earlier encryption (WEP). IT DOES NOT. Stronger encryption alone is not enough.


Access Points truly are impossible to secure because of the flawed assumption in the industry that the wire going in is trusted and unencrypted. While acceptable for home wireless, too many organizations have a security perimeter that is a lot farther than a router a few feet from their computers. Access Points used in business and government are often on a different floor, or a different building on campus, and can be connected to the datacenter on a LAN, or worse, by wireless repeaters and bridges that may have poor or no security. The result is miles of vulnerability and exposure to physical tapping, interception or sniffing.


WirelessWall treats the AP as a conduit: it encrypts all traffic at Layer 2 before it enters the AP, and the traffic is only decrypted by the trusted user at the end-point. Because it is Layer 2, EVERYTHING above it is secure, without relying on elective, weak or slow application security at Layer 3 or above.


If you're serious about Loss Prevention, choose WirelessWall.