Unbearable Diversity of Users

There's no way to easily pigeonhole what corporate users see as their major requirement for wireless LAN. That's what Unstrung learned from attending a user roundtable organized by switch startup Aruba Wireless Networks in New York City this Friday.

Security is still a hot-button issue for the IT department and the higher-ups they report to (see Aruba Creates Security Stir if you need any proof of that). But it is by no means the only issue that is on the minds of the techies on the Aruba panel, who all -- incidentally -- run networks using a mix of kit from different vendors.

Brad Noblet, the director of technical services at Dartmouth College, sees a major challenge in adding the capacity he needs for his wireless network while keeping costs down.

Noblet currently has a network of around 600 of Cisco Systems Inc.'s (Nasdaq: CSCO) 350 series APs, a smattering of that firm's 1200 series APs, and about 200 "thin" APs from Aruba.

Noblet reckons that it has cost over a million dollars to install the APs, and now he wants to increase capacity without busting the budget.

"I need to go to somewhere around 1,500 APs," says Noblet. "So the cost of those endpoints becomes crucial to me." Noblet is considering some services for the students that run over the 5GHz 802.11 channels, such as voice-over IP and video. These services are likely to require the extra throughput that the 54-Mbit/s 802.11a standard can provide, but supporting multiple flavors of wireless LAN is also likely to add to deployment costs.

Gary Jenkins, head of network engineering at Sharp Healthcare, says that his biggest headache across the seven hospitals and 40 clinics he deals with is allowing medical staff a "single sign-on" to their applications when logging on the network. A discussion of electronic tokens ensued...

Ahem. But Jenkins really did have a clear picture of the kind of return on investment he gets from wireless LANs. Because of all the precautions the IT department has to take when installing Ethernet jacks in a hospital environment, it can cost up to $3,000 to install a single wired connection.

Jenkins says that he can use a single access point to cover an area that used to require 10 Ethernet jacks.

But John Griener, CTO at the not-for-profit organization Legal Services of New York, finds that security is still one of his big concerns, mainly because his security staff are actually still leery about him running a public access hotspot in the group's training facility on Broadway.

The more things change...

— Dan Jones, Site Editor, Unstrung

lrmobile_tom mahoney 12/5/2012 | 1:24:20 AM
re: Unbearable Diversity of Users First they are all about security. But maybe not and maybe yes. Maybe they contributed to the 802.11i protocol and maybe they didn't.

What happened to all the stuff on their website about the RADIUS flaw?

They dropped the magazine articles




What about the FAQ they posted and removed?

Well-known and well-documented weaknesses have always existed in the RADIUS
protocol, with several recommendations published on methods to mitigate these
vulnerabilities (eg. RFC 3579, RFC 2865).
However, relatively few users or vendors have implemented these recommendations,
leaving RADIUS exchanges exposed. In the past, RADIUS ran over networks that
were considered to be secure. Today, the casual use of RADIUS on the same access
networks, the ready availability of inexpensive wireless LAN devices, and the explosion
of network-borne worms and viruses have made even interior networks untrusted.
Aruba has co-authored an IETF Internet Draft that explains the vulnerability, documents
a practical attack against the vulnerability, and provides recommendations to help
improve organization's security best practices when deploying wireless. This document
explains Aruba's position with regard to the published Internet Draft.
The attack documented in the Internet Draft is based on the strength of the RADIUS
shared secret used between a RADIUS client (NAS) and a RADIUS server. If a single
RADIUS packet can be intercepted by an attacker, a dictionary or brute-force attack can
be carried out against the RADIUS shared secret and eventually allow it to be broken.
The time and practicality of breaking the shared secret depends on:
• Length and complexity of the shared secret [1]
• The ability for the attacker to capture minimum amounts of data and then
move the cryptanalysis offline
• The computing power available to the attacker.
If the RADIUS secret guidelines and recommendations are followed it should be
very difficult to crack a well administered and strong RADIUS secret. However weak
implementations allow cracking to be accomplished in a matter of hours, or days
at the most. Once broken, an attacker can use this information to conduct further
attacks that include breaking 802.11i key exchanges and eavesdropping of wireless
communication through interception of wireless encryption keys.
The key to the attack is allowing an attacker to intercept a RADIUS packet. This can be
done through a variety of methods, the simplest being to find or install a rogue wireless
access point on the internal network. This is not a radical concept - numerous examples
of attempted corporate espionage exist where a member of the janitorial staff was paid
to place and connect a wireless AP in a competitor's building. Many corporations have
also discovered rogue APs that have been installed by employees who want the mobility
provided by wireless, but are unaware of the security holes that are created. Other ways of
intercepting such communication could be infecting an employee's computer with "drone"
software that permitted outside control of the computer by an attacker.
The attractiveness of this attack and the motivation behind it comes from the ability of
an attacker to wiretap the communications of an employee from a location outside the
physical walls of the company. This communication could consist of email, file operations,
or voice communication if voice-over-wireless devices are in use.
[1] Instead of using a 96 character set per octet, typical implementations will restrict the use to 64 alphanumeric
characters. This simply exacerbates the vulnerabilities.
A number of different strategies may be pursued - individually or in combination - for risk
• The use of IPSEC encryption for RADIUS communication, as detailed in RFC 3579,
mitigates the risk of eavesdroppers being able to intercept RADIUS communication.
• Isolate legacy "exposed" wireless APs on a VLAN separate from other devices on the
network. Treat this VLAN as a "sensitive" network and do not allow open jacks or
client devices to participate in this VLAN.
• Installation of a wireless LAN switching system with centralized authentication
and encryption virtually eliminates the vulnerability. Aruba's system is an example
of a solution that continues to use RADIUS for authentication but leaves sensitive
information such as shared secrets and encryption keys within the data center.
Access points, in turn, contain no sensitive information and thus are unable to be
• Implement strong RADIUS shared secrets using the maximum length key available
and including symbols, punctuation, and special characters. Recommended practices
can be found in RFC 2865.
• Use different RADIUS shared secrets for each AP in the network. Even if one device
is compromised, it will not lead to a compromise of every wireless AP in the network.
• Deploy a system to detect, locate, and contain rogue wireless APs. This greatly
reduces the risk of attacks against sanctioned wireless devices, and also eliminates
one of the single greatest threats to enterprise wired network security in general.
Q: What is Aruba submitting to the IETF and when?
• Aruba intends to submit an IETF draft in the form of a "Best Current Practices"
document. The title of the draft is "RADIUS Vulnerabilities in a Wireless and Wired
• The draft will be submitted at the end of July, or in early August, 2004. Aruba
also has a slot at the radext WG at the IETF 60 San Diego to talk about this
• The IETF draft will be available at the IETF drafts directory at http://www.ietf.org/
ID.html and at the Aruba website http://www.arubanetworks.com
• In addition, one of the authors (Joshua Wright) is also making available to CERT
the draft and a (not-to-be-released) version of the attack tool to help generate the
appropriate advisories for vendors to patch/fix appropriate products.
Q: Who are the authors?
A: The authors are Randy Chou and Merwyn Andrade from Aruba Wireless Networks
and Joshua Wright from the SANS Institute.
Q: Does this break 802.11i and if so how?
A: This vulnerability, if exploited, can expose 802.11i (i.e. both WPA1 and WPA2
independent of the EAP type). However, organizations can take steps to mitigate this
as described in this document. It is important to note that 802.11i and other RADIUS
implementations can be effectively protected against this vulnerability if secured via
one or more of the best practices documented in the draft.
Q: Is this a new attack or an existing vulnerability?
A: This attack has previously been well documented. However, as wireless LANs
have become more widespread in enterprise networks, the existing RADIUS
implementation vulnerabilities are exacerbated and easier to exploit.
Q: Why is Aruba rehashing an old vulnerability?
A: The vulnerability in weak RADIUS deployments is not new. However, this problem is
extremely serious in a wireless environment as the encryption keys are transported
from within the RADIUS protocol.
AUGUST, 2004 - 2004 Aruba Wireless Networks 4
Q: Why is Aruba publicizing this vulnerability at this time?
A: This well-known vulnerability was slated for discussions in the IETF and was
publicized in an article that appeared in eWeek Magazine. Aruba is providing this
guidance to clarify our position on the numerous questions that have been posed to
us as a result of the draft being published. Aruba's position is that public disclosure
and demonstration of this vulnerability will focus corporations on best practices and
strengthen the security of both wired and wireless networks.
Q: It looks as though Aruba is bashing RADIUS. Is this true?
A: Aruba is not bashing RADIUS, but pointing out implementation flaws that have been
overlooked for a number of years. If these are continually left unmitigated they could
result in the serious compromise of data and reduction of confidence in the overall
security of wireless. The potential to mount the ARP poison man-in-the-middle
attack through a rogue AP co-located on the same subnet as the RADIUS exchange
should be an important consideration in secure network design.
Q: Is Aruba suggesting that we abandon 802.1x and RADIUS?
A: Not at all. Both protocols are critical pieces of enterprise wireless security. Aruba is
simply advocating that adequate precautions be taken and improvements be made
to security best practices to avoid disclosure of sensitive information. The problem
is not that RADIUS has become less secure, but that interior networks have become
less secure. The existence of wireless exacerbates the problem.
Q: Isn't this just self-promotion because your own product isn't vulnerable to
this attack?
A: Aruba's success is tied to the success of secure wireless deployments in the
enterprise space. One well-publicized intrusion or eavesdropping attack on a
corporate network is a negative for the entire industry.
Q: How do rogue APs make this problem worse?
A: A rogue AP often provides open, unencrypted access to a network. If the network
attached to the rogue AP also contains legitimate sanctioned APs, they become
vulnerable to various man-in-the-middle attacks based on ARP poisoning.
Q: Why are centralized encryption and authentication schemes not affected?
A: The portion of the network where the vulnerability exists is most likely in the
access network, where users and ports are open. Access networks are generally
where wireless APs and end-user devices connect. Centralized encryption and
authentication schemes do not allow either authentication or encryption to take
place on the access networks, but instead centralize this functionality into a VLAN/
subnet in the datacenter. Here, the network is more secure, since administrators
have much better control over what devices are connected. By not allowing RADIUS
communication or encryption keys to leave the data center, they are not at risk for
Q: Is Aruba the only company that can solve this problem?
A: Aruba is not the only company that can solve this problem - however, Aruba believes
that it can solve this problem in the most cost-effective manner. Centralized wireless
architectures provide greater security and control while keeping operational costs
low. Because Aruba switches collapse hundreds of access points to a single
point of communication with the RADIUS server, this greatly reduces the security
and manageability burden of creating hundreds of pairs of strong keys that have
to be manually rotated. This single factor can reduce a huge OPEX element of the
Q: Is this going to require a hardware upgrade to my network?
A: Not necessarily. A hardware upgrade may provide better protection than what is
in use today, but the recommended best practices described above should provide
sufficient mitigation. As always, these practices should be in accordance with an
organization's security policy. Some of these best practices may not be achievable
with only software or configuration changes and may require upgrading to products
with better capabilities.
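
Added example, not part of the comment above or of Aruba's FAQ: a defender-side audit of a RADIUS client inventory against the FAQ's two secret-handling recommendations (strong, long secrets; a different secret per AP). The AP names, secrets and the 96-bit threshold are constructed assumptions; the 96- and 64-character sets come from the FAQ footnote, and the 16-character minimum follows the preference stated in RFC 2865.

```python
import math
from collections import defaultdict

# Constructed sample inventory (hypothetical AP names and secrets).
SAMPLE_CLIENTS = {
    "ap-lobby": "wireless1",
    "ap-floor2": "wireless1",
    "ap-lab": "t7#Vq!z9Lm@4xR$eW2&yKp^8",
    "ap-annex": "Summer2004",
}

PRINTABLE = 96   # per-octet character set cited in the FAQ footnote
RESTRICTED = 64  # alphanumeric-only set the footnote attributes to typical deployments


def keyspace_bits(secret):
    """Upper bound on brute-force work; human-chosen secrets fall well below it."""
    charset = RESTRICTED if secret.isalnum() else PRINTABLE
    return len(secret) * math.log2(charset)


def audit(clients, min_len=16, min_bits=96.0):
    """Return {client: [findings]}; min_bits is an assumed policy threshold."""
    users = defaultdict(list)
    for name, secret in clients.items():
        users[secret].append(name)
    findings = {}
    for name, secret in clients.items():
        issues = []
        if len(secret) < min_len:
            issues.append(f"short ({len(secret)} chars)")
        if secret.isalnum():
            issues.append("alphanumeric only")
        bits = keyspace_bits(secret)
        if bits < min_bits:
            issues.append(f"keyspace <= {bits:.0f} bits")
        shared = sorted(n for n in users[secret] if n != name)
        if shared:
            issues.append("reused on " + ", ".join(shared))
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for client, issues in audit(SAMPLE_CLIENTS).items():
        print(f"{client}: {'; '.join(issues)}")
```

The keyspace figure is only a ceiling: a dictionary word such as the constructed "wireless1" is far weaker than its 54 bits suggest, which is why the length, character-class and reuse checks are reported separately.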

buford t. justice 12/5/2012 | 1:23:47 AM
re: Unbearable Diversity of Users It's difficult to figure out what you can trust with Aruba

I'm beginning to wonder about other announcements they've made, like HP. I'm yet to see the July announcement that they promised was forthcoming:


Also, has any HP executive confirmed the deal or has it just been Aruba guys making the claim? That seems fishy...

wlanrunner 12/5/2012 | 1:23:46 AM
re: Unbearable Diversity of Users It looks to me like a case where the security issue was probably bigger and worse than everyone has been saying and that key customers and/or partners panicked.

But the damage has been done and removing information from the website or rewriting press releases is not a good sign.

I guess the score is even now. Airespace with MIMO/MISO and Aruba with RADIUS. Who's next?

The question still remains - what are the real risks with wireless and are any of these vendors really doing enough about it?