Making WiFi secure for shared use

  • Article

WiFI Hot-spot Security: Accessible and secure

 

The only real answer to creating a secure hotpot is via a
VPN solution.  There are few other
alternatives which make any sense, and none of which have been widely
adopted.  The problems have to do with
disparte WiFi technology and non-existent standard provisioning policies or protocols
to deal with this and to manage this domain.

 

First, not all WiFi hardware has been created equal and not
all WiFi security protocols are created equal. 
WEP is not secure and should not be used, unless backed by a layer-3
security, like IPSec and a frequent re-authentication coupled with a
station-unique encryption key and IV. 
Only enterprise hardware is capable of meeting these requirements, and
they are not suitable for a consumer-grade network like a hotspot. 

 

WPA2 (802.11i) is the only security that can be used on a
network, however, in order to authenticate with WPA, you either need a key
(WPA-PSK) or to use one of the 802.1X authentication methods, which then
becomes more complicated: not every OS supports the same authentication
methods.  Microsoft favors PEAP-MSCHAPv2,
which is a doubly-secure user-name/password authentication protocol.  However, this is only one step of a sign-on process; first the user must acquire (purchase) credentials, etc. which must be done using a connection.  But first, if 802.1X is to be used, a common method must be found, and it must be integrated into the sign-on process.  One
common protocol is EAP-TLS, with a competing EAP-TTLS, but these rely on
certificates, which only complicate matters.  Using certificates is way more trouble than it is worth, even for the enterprise.  In fact, Windows Vista now defaults to attempting PEAP-MSCHAPv2 first, because
people have moved away from certificate-based authentication due to the
complexities.  Certificates just make
things more complicated.

So, when someone wants to connect to your hotspot, how does
it work?  First, they must be able to
connect, so the network must be Open. 
Then, usually, the hotspot redirects all incoming HTTP requests to their
sign-in machine, protected by SSL, to allow for client to sign on and receive
access.  Now what?  They are given access and begin to surf the
net on an unsecure network.  That's not a
good idea.

 

Under a Microsoft technology called WPS (Wireless
Provisioning Service), a provisioning client downloads information from the
secure HTTP server during a simple authentication phase (in which the server is
authenticated, and the client uses default credentials) and facilitated the
connection in such a way as to provision the client to securely connect with
the correct PEAP-MSCHAPv2 authentication strings (a customer-specific username
and password) once sign-up was finished. 
Also, this connection would then work with partner hot-spots, where the
credentials would also be accepted.  It
is a cool technology built into every Windows XP SP2 installation (now almost
the entire world), allows for secure access and has a good license for other
adopters.  Unfortunately, uptake was slow
and this technology was removed from Windows Vista except for the ability to
provision a machine with profiles.  Why
was this so difficult to get people to adopt?

 

Mostly because WiFi networks are part of a larger eco-system
and the technologies are disparate and everyone likes their standard.  People don't want to use your protocol; they
want to use their own, and it has to work with the mobile devices, mobile
phones, etc.

 

This is why there are no elegant solutions- because the
elegant solutions don’t work for everybody.  The best solution is the typical open-none
hotspot (accessible to everyone) with a HTTPS sign-in page and a VPN connection
for security (like Open VPN, but facilitated by the hotspot).  Too complicated?  Unfortunately, there are no good
alternatives.  This is just one case of
the technology getting ahead of the community collective thought process.

However, I still thing that Microsoft’s solution IS very
elegant, and would be an excellent choice.  Plus, is allows for a custom sign-on process
that allows for support information, and a standard user-experience.