Cisco's New Security Play

Cisco Systems Inc. (Nasdaq: CSCO) has just submitted a new security protocol draft to the Internet Engineering Task Force (IETF), designed to protect wireless LAN users from hacker attacks without the need for passwords or certificates.

The EAP-FAST protocol is an offshoot of the Extensible Authentication Protocol (EAP) that deals with fast authentication via secure tunneling (FAST). The protocol was submitted to the IETF on Sunday.

According to Ron Seide, product line manager for Cisco's wireless networking business, the protocol will enable 802.11 users to run a secure network without the need for a strong password policy or certificates on either end of the client/access point connection.

"The key advantage of EAP-FAST is that it does secure tunneling," says Seide. When a client and access point first connect, an encrypted tunnel is set up so that the operational session keys can be securely exchanged over the air before data is transmitted.

Cisco's proprietary Lightweight Extensible Authentication Protocol (LEAP) wireless LAN security mechanism can be vulnerable to dictionary attacks that exploit the challenge/response technique used in LEAP to discover user passwords. Joshua Wright, an information security architect at Johnson & Wales University graphically demonstrated this flaw at an Unstrung conference in October 2003 (see Look Before You LEAP).

Wright has said that he plans to release the "ASLEAP" tool he used in the demonstration for public consumption this month.

Cisco officials say LEAP users that maintain a strong password policy have nothing to fear from dictionary attacks, but they suggest Protected Extensible Authentication Protocol (PEAP) as a potential upgrade path for LEAP (see LEAPing Attack Tools, Batman!). PEAP uses "trusted certificates" on the client device and backend, rather than passwords, to authenticate users on an 802.11 network.

EAP-FAST will become a third option aimed at users that don't want to use LEAP or EAP on their networks. Seide says Cisco will start to offer clients supporting the new protocol next quarter, and he expects third-party support -- via the CCX program -- to emerge over the course of 2004 (see Cisco Bolsters Its WLAN Hand for more on CCX).

As usual, it could take much longer for the IETF to work over the EAP-FAST draft. Merwyn Andrade, CTO of wireless LAN switch startup Aruba Wireless Networks has seen the draft and says that members could focus on technical issues, such as the way a new client and access point initially associate.

Andrade stresses that such technical debates are probably a while away. "This has only been out in the IETF community for two days," he notes.

Andrade also wonders aloud what the new protocol will mean for Cisco's support of its LEAP and PEAP efforts. But Cisco's Seide says the firm will continue to support LEAP and PEAP as well as a number of standard EAP-related protocols.

— DEAP Jones, SEAP Editor, Unstrung