Wayne, N.J. - Wireless-LAN access point developer Aruba Wireless Networks will provide recommendations to the Internet Engineering Task Force this week aimed at preventing security breaches in Radius network access servers with WLAN clients. The company said the widespread use of WLANs in enterprise networks is exacerbating security problems in Radius (remote authentication dial-in user service) servers.
Aruba (San Jose, Calif.) said Radius developers have traditionally shied away from implementations featuring strong password protection and Internet Protocol security (IPsec) techniques. "There is a gap in implementation," said chief technology officer Merwyn Andrade.
Andrade said the security breach can occur when a hacker uses a rogue access point and an Address Resolution Protocol poisoning technique to act as a gateway between a Radius network access server and a WLAN client. A hacker could extract and decode the Radius password, then reenter the network to capture encryption keys required to access a corporate LAN through the WLAN access point, thus opening the network to a security attack.
Aruba says its recommendations are designed to head off such problems. The company suggests that network managers implement more complex password techniques and a method for identifying rogue access points. At the same time, managers should have a dedicated virtual-LAN connection to link wireless access points in an enterprise network, Andrade said.
Competing access point (AP) provider Airespace Inc. said it agreed with Aruba's recommendations and noted that many of them are already being implemented. For example, "most access WLAN infrastructure can detect and take rogue APs out of service," said Pat Calhoun, chief technology officer of Airespace (San Jose).
Aruba's recommended use of IPsec is not a popular choice for AP designers, however. System houses believe that IPsec increases processing tasks and slows overall access point performance, Andrade said. But AP performance should not be a concern, he said, because Radius transactions are "infrequent."
Both Aruba and Airespace may make this threat a nonissue. Using different technologies, the pair have developed ways to move Radius authentication tasks out of the access point and into a WLAN switch. Both companies said this strategy would make hacking less of a problem.