A Possible Solution for Secure Wireless Access at CWRU
Last Updated on 2/15/01
This document examines a possible solution to two security problems of
wireless networking: unauthorized access to the network via wireless, and
eavesdropping on wireless communications traffic. This solution will work
for any wireless communications system, not just IEEE 802.11b networks. It
does not address the security problems related to jamming.
This document is of primarily historical interest.
Problem Overview
Security represents an area of great concern with respect
to wireless data communications. Security problems include
unauthorized access, eavesdropping, unauthorized base
stations, and problem client systems.
Unlike a cabled network, wireless communications is
accessible to those who would not have physical access to
the cabled network (for example, from outside the building
or from a lobby or hallway of a building). This creates
two primary areas of concern: unauthorized access to the
network and eavesdropping on communications.
Unauthorized access is a problem because anyone with a
wireless data interface can gain access to the wireless
cell and, therefore, the network. There is no sure way
of preventing someone from gaining access to the wireless
cell. Gaining access is not an extremely difficult problem.
There are some simple measures taken by the product
designers to control access, but they are inadequate to
the task for a moderately determined intruder.
Access to the wireless cell is available anywhere within
the operating radius of the wireless base station (up to
several hundred feet). This is unlike a cabled network
environment where someone must obtain physical access to
a network outlet in order to gain access to the network.
So it will be possible for a wider range of people,
including those who may have no affiliation with the
University, to have access to the network compared to a
cabled system where some sort of physical access is
required. Without some additional protective measures
described below, unauthorized users would potentially
not only have access to CWRUnet but also to the Internet
in general (once they are on CWRUnet, they can get anywhere).
Hackers have already started publishing information about
how to gain access to networks via wireless communications
in locations around the world. One would expect tool sets
to be available to expedite access.
Eavesdropping on wireless communications is also a concern.
Wireless data communication is essentially shared Ethernet,
which means that every member of the wireless cell has
potential access to all the traffic being communicated
within the cell. This is similar to the current situation
with the shared Ethernet hubs in use within CWRUnet,
but dissimilar from the standpoint that it is easier for
an unauthorized person to gain access because no physical
access is required. Such an intruder may even be able to
gain access to the network from outside the building.
Encryption capabilities have been embedded in wireless
equipment, but this method has known problems which allow
hackers to learn the encryption key. Once one has the key,
other users' encrypted communications would be accessible.
Possible Solution
A possible solution to the problems related to unauthorized
access might be to make the wireless network external to
CWRUnet. This would be done by placing all wireless access
points in a network address space outside of CWRU's
address space. A VPN (virtual private network) would be
created between the external wireless network and CWRUnet.
Wireless clients would be required to authenticate to
the VPN server in order to gain access to CWRUnet and
beyond.
The eavesdropping problem would be solved using the ability
of the VPN to encrypt traffic between the wireless client
and the VPN server. Note that this security mechanism would
be entirely separate from the breakable encryption system (WEP)
currently integrated into 802.11b wireless devices.
This additional security would be obtained at the cost of the
processing power to encrypt the communications and of the
additional equipment and people resources required to provide
the VPN services. There is also increased complexity for the
end user in terms of installing and configuring the VPN software.
This solution works for wireless access points that participate.
Any wireless access points that do not participate will be
vulnerable to the above-mentioned security threats.
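The design above amounts to a filtering policy at the CWRUnet border: raw traffic from the external wireless address space may reach only the VPN server, and only as VPN traffic, while traffic emerging from an authenticated tunnel is treated as internal. The following is an added model of that policy, not code from the original document or from CWRU; the address blocks are constructed placeholders, and it assumes an IPsec-style VPN (IKE on UDP 500 plus ESP), which the document does not specify.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed placeholder address blocks; the real values are not in the document.
WIRELESS_NET = ip_network("192.0.2.0/24")     # access points and clients, outside CWRUnet
VPN_SERVER = ip_address("198.51.100.1")       # the only host the raw wireless net may reach
VPN_POOL = ip_network("198.51.100.128/25")    # addresses assigned to authenticated tunnels
CWRUNET = ip_network("203.0.113.0/24")        # stands in for CWRU's own address space

# Assumption: an IPsec-style VPN, so unauthenticated clients need IKE (UDP 500)
# and ESP (IP protocol 50) to the VPN server and nothing else.
VPN_UDP_PORTS = {500}
VPN_IP_PROTOS = {"esp"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "tcp", "udp" or "esp"
    dport: int = 0    # ignored for "esp"


def border_decision(pkt: Packet) -> tuple[bool, str]:
    """Return (accepted, reason) for a packet arriving at the CWRUnet border
    from the external wireless network or from the VPN server's tunnel side."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    if src in VPN_POOL:
        # Decapsulated traffic from an authenticated tunnel is treated as internal.
        return True, "from authenticated VPN tunnel"
    if src in WIRELESS_NET:
        # Raw wireless traffic may only set up or carry a VPN session to the VPN server.
        if dst != VPN_SERVER:
            return False, "wireless client must go through the VPN server"
        if pkt.proto in VPN_IP_PROTOS or (pkt.proto == "udp" and pkt.dport in VPN_UDP_PORTS):
            return True, "VPN protocol to VPN server"
        return False, "non-VPN protocol to VPN server"
    # Default deny: anything else arriving on this interface is unexpected.
    return False, "unknown source"


def border_allows(pkt: Packet) -> bool:
    return border_decision(pkt)[0]


if __name__ == "__main__":
    for p in (Packet("192.0.2.10", "198.51.100.1", "udp", 500),
              Packet("192.0.2.10", "203.0.113.5", "tcp", 80)):
        print(p, border_decision(p))
```

An access point connected directly to CWRUnet never crosses this border, which is what the preceding paragraph means by an access point that does not participate.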
Comments and Feedback
We are always interested to hear your comments and feedback regarding
the University network and the Network Engineering and Security group.
Please send your comments and feedback to:
Chet Ramey, Assistant Director, TIS