SECURING WIRELESS NETWORKS

Shirley Radack, Editor
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology

April 2007

ITL Bulletins are published by the Information Technology Laboratory (ITL) of the National Institute of Standards and Technology (NIST). Each bulletin presents an in-depth discussion of a single topic of significant interest to the information systems community. Bulletins are issued on an as-needed basis and are available from ITL Publications, National Institute of Standards and Technology, 100 Bureau Drive, Stop 8900, Gaithersburg, MD 20899-8900, telephone (301) 975-2832. To be placed on a mailing list to receive future bulletins, send your name, organization, and business address to this office. You will be placed on this mailing list only.

Bulletins issued since May 2006:
- An Update on Cryptographic Standards, Guidelines, and Testing Requirements, May 2006
- Domain Name System (DNS) Services: NIST Recommendations for Secure Deployment, June 2006
- Protecting Sensitive Information Processed and Stored in Information Technology (IT) Systems, August 2006
- Forensic Techniques: Helping Organizations Improve Their Responses to Information Security Incidents, September 2006
- Log Management: Using Computer and Network Records to Improve Information Security, October 2006
- Guide to Securing Computers Using Windows XP Home Edition, November 2006
- Maintaining Effective Information Technology (IT) Security Through Test, Training, and Exercise Programs, December 2006
- Security Controls for Information Systems: Revised Guidelines Issued by NIST, January 2007
- Intrusion Detection and Prevention Systems, February 2007
- Improving the Security of Electronic Mail: Updated Guidelines Issued by NIST, March 2007

Who We Are
The Information Technology Laboratory (ITL) is a major research component of the National Institute of Standards and Technology (NIST) of the Technology Administration, U.S. Department of Commerce. We develop tests and measurement methods, reference data, proof-of-concept implementations, and technical analyses that help to advance the development and use of new information technology. We seek to overcome barriers to the efficient use of information technology, and to make systems more interoperable, easily usable, scalable, and secure than they are today. Our website is

Disclaimer
Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement by NIST nor does it imply that the products mentioned are necessarily the best available for the purpose.

ITL Bulletins via E-Mail
We now offer the option of delivering your ITL Bulletins in ASCII format directly to your e-mail address. To subscribe to this service, send an e-mail message from your business e-mail account to with the message subscribe itl-bulletin, and your name, e.g., John Doe. For instructions on using listproc, send a message to with the message HELP. To have the bulletin sent to an e-mail address other than the FROM address, contact the ITL editor at 301-975-2832 or

Many users and organizations have found that wireless communications and devices are convenient, flexible, and easy to use. Wireless local area networks (WLANs) enable users with mobile devices that operate over radio frequencies to move from one place to another without being physically connected to a network.

Portable computers, personal digital assistants (PDAs), and cell phones support the sharing of data and applications with network systems and other users with compatible devices, and provide access to network services such as wireless email, web browsing, and the Internet. Wireless communications can benefit organizations by reducing their wiring costs.

The mobile devices function within the range of the wireless network, usually limited to an area such as an office building or building complex. Since they transmit data through radio frequencies, wireless networks are open to intruders and especially vulnerable to security risks unless properly protected. Intruders have exploited the openness of wireless networks to access systems, destroy and steal data, and launch attacks that take over network bandwidth and deny service to authorized users.

Wireless Local Area Networks Standards and Security

The Information Technology Laboratory (ITL) of the National Institute of Standards and Technology (NIST) issued Special Publication (SP) 800-48, Wireless Network Security: 802.11, Bluetooth and Handheld Devices, in 2002. This guide assists organizations in implementing a family of voluntary industry standards developed by the Institute of Electrical and Electronics Engineers (IEEE) to define the characteristics, the transmission of data, and the security of wireless local area networks. In addition to the IEEE 802.11b and 802.11g standards, NIST SP 800-48 also discusses Bluetooth technology and wireless handheld devices such as text messaging devices, PDAs, and smart phones.

The IEEE 802.11 standards were based on a security method known as Wired Equivalent Privacy (WEP). Since this method had been subject to several well-documented security problems, concerns about security led the standards developers to improve the security methodology with an amendment to the specifications (IEEE 802.11i).

The amendment introduces new security features to overcome the shortcomings of WEP and presents the concept of the Robust Security Network (RSN), a wireless security network with three main components:

- stations (STA) - wireless endpoint devices such as laptops, and wireless handheld devices such as PDAs, text messaging devices, and smart phones;
- access points (AP) - network devices that allow STAs to communicate over radio frequencies and to connect to another network, such as the organization's wired infrastructure; and
- authentication servers (AS) - WLAN components that provide authentication services to STAs.

Threats to WLANs often involve an attacker with access to the radio link between two STAs or between a STA and an AP. The RSN framework, as described in IEEE 802.11i, provides for the creation of Robust Security Network Associations (RSNAs). RSNAs are wireless connections that provide moderate to high levels of assurance against WLAN security threats through the use of a variety of cryptographic techniques.

NIST SP 800-97, Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i

ITL recently issued NIST SP 800-97, Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i, to supplement NIST SP 800-48 and to assist organizations in establishing and maintaining robust security for WLANs using the new security features that were developed for IEEE 802.11i. Written by Sheila Frankel and Karen Scarfone of NIST and by Bernard Eydt and Les Owens of Booz Allen Hamilton, the guide includes an overview of wireless networking, focusing on the IEEE 802.11 family of WLAN standards. The publication explains the basic WLAN components and architectural models and provides an overview of WLAN security, including a review of the security features and weaknesses of the IEEE 802.11 specifications, and the features of the IEEE 802.11i amendment that improve WLAN security.

NIST SP 800-97 introduces the major security-related components that are defined in IEEE 802.11i and explains the security features and capabilities associated with the framework for RSNs. It provides extensive guidance on the planning and deployment of RSNs, the steps needed to establish RSNAs, data confidentiality and integrity protocols, and the cryptographic keys that are created and used by these protocols.

Other issues discussed include the five phases of operation that occur during RSN communications, starting with the discovery of a WLAN and ending in the termination of the connection; the types of frames used to carry information between RSN components; the flow of frames between components during each phase of RSN operation; and planning for the implementation of the Extensible Authentication Protocol (EAP). The EAP, which was designed to accommodate the use of new authentication methods as they are developed, should be used by organizations for most RSN deployments.

Also discussed are the most common EAP methods, how organizations can select EAP methods appropriate to their environments, EAP security considerations, and the EAP architectural model and related support requirements.

A section of the guide focuses on validation testing of cryptographic products as required under Federal Information Processing Standard (FIPS) 140-2, Security Requirements for Cryptographic Modules, and the certification requirements as applied to IEEE 802.11 wireless networks. This section also provides an overview of the security specifications developed by the Wi-Fi Alliance, a nonprofit industry consortium of WLAN equipment and software vendors, which conducts a certification program for WLAN products. The certifications help organizations select interoperable WLAN products that can support RSNs. Recommendations for best practices related to WLAN security are summarized, and planned extensions to IEEE 802.11 are discussed.

Extensive appendices to NIST SP 800-97 include an acronym list, references and other sources of information, as well as a listing of online resources that provide additional information about IEEE 802.11i specifications and IEEE 802.11i security.

NIST SP 800-97 is available from NIST's website at 00-97/SP800-97.pdf.

Recommendations for Wireless Network Security

NIST recommends that organizations adopt the following practices to improve the security of their wireless networks:

Ensure that all WLAN components use Federal Information Processing Standards (FIPS)-approved cryptographic algorithms to protect the confidentiality and integrity of WLAN communications.

The IEEE 802.11i amendment defines two data confidentiality and integrity protocols for RSNAs: Temporal Key Integrity Protocol (TKIP) and Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP). The guide discusses both protocols, as well as the cryptographic keys created and used by these protocols.

Federal agencies are required to use FIPS-approved cryptographic algorithms that are contained in FIPS-validated cryptographic modules. Only the CCMP uses a FIPS-approved core cryptographic algorithm, the Advanced Encryption Standard (AES), as specified in FIPS 197. Since CCMP provides stronger assurance than WEP and TKIP, federal agencies are advised to use CCMP for securing IEEE 802.11-based WLANs. Auxiliary security protection is required for legacy IEEE 802.11 equipment that does not support the use of the CCMP. Federal agencies should consult NIST SP 800-48 for specific recommendations for securing legacy IEEE 802.11 implementations.

Select IEEE 802.11 RSN authentication methods that meet the needs of the organization's computing environments.

The RSN specified in IEEE 802.11 uses the EAP for the authentication phase of establishing an RSNA. EAP supports a wide variety of authentication methods, also called EAP methods. These methods include authentication based on passwords, certificates, smart cards, and tokens. EAP methods also can include combinations of authentication techniques, such as using a certificate followed by a password, or the option of using either a smart card or a token for authentication. These options enable organizations to integrate the EAP methods with other environments to which a WLAN might connect. Organizations have considerable discretion in choosing which EAP methods to employ; however, the choice of EAP method should be carefully considered since it can impact the protection provided by an RSN.

Because of the extensible nature of EAP, many EAP methods exist, and others are being developed. Some EAP methods may not satisfy the necessary security requirements for WLANs; for example, EAP methods that do not generate cryptographic keying material cannot be used for WLANs. In general, the current EAP methods that can satisfy WLAN security requirements are based on the Transport Layer Security (TLS) protocol. A primary distinction between TLS-based EAP methods is the level of public key infrastructure (PKI) support required; the EAP-TLS method requires an enterprise PKI implementation and certificates deployed to each STA, while most other TLS-based methods require certificates on each AS only. Organizations should use the EAP-TLS method whenever possible.

Because some EAP methods have not yet been adopted as voluntary industry standards and new methods are being developed, organizations are encouraged to obtain up-to-date information on EAP methods and standards when planning an RSN implementation based on IEEE 802.11. See Appendix C of the guide for contact information. Additionally, organizations should ensure that the cryptographic modules implementing the TLS algorithm for each product under consideration have been FIPS-validated.

Before selecting WLAN equipment, organizations should review their existing identity management infrastructure, authentication requirements, and security policy to determine the EAP method or methods that are most appropriate in their environments. They should then acquire systems that support the chosen EAP methods, and implement and maintain them carefully. See the guide for detailed guidance on planning EAP implementations, the available EAP methods, how organizations can select EAP methods, and additional EAP considerations.

Integrate existing authentication technology with the IEEE 802.11 RSN WLAN to the extent feasible.

Although the RSN framework supports the use of pre-shared keys (PSK), organizations should choose to implement the IEEE 802.1X standard and EAP for authentication instead of using PSKs because of the resources needed for proper PSK administration and the security risks involved. IEEE 802.1X and EAP authentication requires an organization to use an AS, which may necessitate the use of a PKI. An organization that already has implemented ASs for web, email, file and print services, and other authentication needs, should consider integrating this technology into its RSN solution. Most leading network operating systems and directory solutions offer the support needed for RSN integration.

Ensure that the confidentiality and integrity of communications between access points and authentication servers are sufficiently protected.

The data confidentiality and integrity protocol, such as CCMP, used by an IEEE 802.11 RSN protects communications between STAs and APs. However, IEEE 802.11 and its related standards do not cover protection of the communications between the AP and AS. Therefore, organizations deploying RSNs should ensure that communications between each AP and its corresponding ASs are protected sufficiently through the use of cryptography. Also, because of the importance of the ASs, organizations should pay particular attention to establishing and maintaining their security through operating system configuration, firewall rules, and other security controls.

Use technologies that have the appropriate security certification from NIST and interoperability certification from the Wi-Fi Alliance when IEEE 802.11 RSNs are established.

To implement IEEE 802.11 RSNs, organizations may need to update or replace existing IEEE 802.11 equipment and software that cannot support RSNAs. They may also need to purchase additional equipment. The Wi-Fi Alliance's Wi-Fi Protected Access 2 (WPA2) certification program facilitates the interoperability of WLAN products that implement IEEE 802.11i systems with similar equipment from other vendors. Federal agencies should procure WPA2 products that use FIPS-approved encryption algorithms and that have been FIPS-validated. Organizations that plan to use authentication servers as part of their IEEE 802.11 RSN implementations should procure products with the WPA2 Enterprise level certification. Also, because the WPA2 certification is expanded periodically to test for interoperability with additional EAP methods, organizations should obtain the latest WPA2 information before making procurement decisions.

Ensure that WLAN security considerations are incorporated into each phase of the WLAN life cycle in the establishment and maintenance of IEEE 802.11 RSNs.

Each of the phases of the life cycle in planning and implementing IEEE 802.11 RSNs has special considerations for WLAN security. The five-phase life cycle model for WLANs, which is briefly summarized below, is based on the model discussed in NIST SP 800-64, Security Considerations in the Information System Development Life Cycle.

- Initiation Phase includes the tasks that an organization should perform before it starts to design its WLAN solution: developing a WLAN use policy; performing a WLAN risk assessment; and specifying business and functional requirements for the solution, such as mandating RSNAs for all WLAN connections.

- Acquisition/Development Phase includes Planning and Design, and Procurement:

  - Planning and Design allows WLAN network architects to specify the technical characteristics of the WLAN solution, such as authentication methods, and the related network components, such as the firewall rules. The WLAN network architects should also conduct a site survey to help determine the architecture of the solution and how the WLAN should be integrated with the existing authentication infrastructure, including the organization's PKI.

  - Procurement involves specifying the number and type of WLAN components that must be purchased, the feature sets they must support such as FIPS-validated encryption modules, and any certifications they must hold such as WPA2 Enterprise.

- Implementation entails the configuration of procured equipment to meet operational and security requirements, and the installation and activation of the equipment on a production network, with the appropriate event logging procedures enabled.

- Operations/Maintenance includes carrying out security-related tasks that an organization should perform on an ongoing basis once the WLAN is operational, including patching, periodic security assessment, log reviews, and incident handling.

- Disposition encompasses the tasks that occur after a system or its components have been retired, including preserving information to meet legal requirements, sanitizing media that might contain sensitive material, and disposing of equipment properly.

Best Practice Recommendations

NIST SP 800-97 summarizes over 50 best practice recommendations for WLAN security, grouped by the life cycle phase for which each recommendation is most relevant. NIST encourages organizations to adopt these best practice recommendations. RSNs are complex, involving multiple devices, protocols, and standards. The recommendations are presented in a way to enable organizations to manage their WLANs and to take actions that will provide reasonable assurance that the WLANs are protected from most security threats. The recommendations should be particularly helpful to organizations that have made a decision to integrate WLAN technology into their computer networks and want to determine the best way to do it. The recommendations will help those organizations that are already managing WLANs, but are not satisfied with the level of security they provide. When they upgrade, replace, and configure their infrastructure, they should enhance security by supporting RSNs and other security controls.

More Information

NIST publications assist organizations in planning and implementing a comprehensive approach to information security. For information about NIST standards and guidelines that are referenced in the security guide for wireless networks, as well as other security-related publications, see NIST's web page

Federal organizations should follow the guidance on general security controls that are discussed in NIST SP 800-53, Recommended Security Controls for Federal Information Systems, for minimum management, operational, and technical security controls for information systems. This publication is available on the web page listed above.

For information about FIPS 140-2, lists of FIPS-approved cryptographic products, and NIST's Cryptographic Module Validation Program, see
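The recommendations above (CCMP rather than TKIP or WEP, IEEE 802.1X and EAP rather than pre-shared keys, an authentication server whose link to the AP is separately protected) applied to an access point configuration, as an added example that is not part of this bulletin or of NIST SP 800-97. The option names are those of hostapd.conf; the two configurations, the 10.0.9.5 server address and the 22-character minimum for the RADIUS shared secret are this example's own assumptions, and the AP-to-AS link produces a warning rather than a failure because the configuration file alone cannot show whether that link is protected.

```python
"""
Added example (not from the NIST bulletin or NIST SP 800-97): apply the
bulletin's RSN recommendations to hostapd-style access point configuration.
Both configurations below are constructed for this example.
"""
from dataclasses import dataclass

# Constructed: WPA and WPA2 both offered, TKIP negotiable, pre-shared key, no AS.
WEAK_CONFIG = """
interface=wlan0
ssid=corp-legacy
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
rsn_pairwise=TKIP CCMP
wpa_passphrase=correct horse battery staple
"""

# Constructed: RSN only, CCMP only, IEEE 802.1X/EAP against an external AS
# (the server address and secret are placeholders assumed for this example).
HARDENED_CONFIG = """
interface=wlan0
ssid=corp-rsn
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
eap_server=0
auth_server_addr=10.0.9.5
auth_server_port=1812
auth_server_shared_secret=REPLACE-WITH-A-LONG-RANDOM-SECRET
"""

MIN_SECRET_LEN = 22  # assumption: a local policy value, not a NIST figure


@dataclass(frozen=True)
class Finding:
    severity: str  # "fail": violates a recommendation; "warn": must be verified outside this file
    option: str
    message: str


def parse_hostapd(text: str) -> dict[str, str]:
    """Parse hostapd.conf style key=value lines; blank lines and '#' comments are skipped."""
    cfg: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def check_rsn(cfg: dict[str, str]) -> list[Finding]:
    """Check one AP configuration against the bulletin's RSN recommendations."""
    out: list[Finding] = []
    wpa = int(cfg.get("wpa", "0"))  # hostapd: bit 1 = pre-RSN WPA, bit 2 = RSN (WPA2)

    if any(k.startswith("wep_key") for k in cfg):
        out.append(Finding("fail", "wep_key", "WEP keys configured; WEP is not an RSN protocol"))
    if not wpa & 2:
        out.append(Finding("fail", "wpa", "RSN (IEEE 802.11i) not enabled; set wpa=2"))
    if wpa & 1:
        out.append(Finding("fail", "wpa", "pre-RSN WPA still offered; set wpa=2 so only RSNAs are formed"))

    # rsn_pairwise governs RSN associations; hostapd falls back to wpa_pairwise when unset.
    pairwise = set(cfg.get("rsn_pairwise", cfg.get("wpa_pairwise", "")).split())
    if "TKIP" in pairwise:
        out.append(Finding("fail", "rsn_pairwise", "TKIP offered; only CCMP uses a FIPS-approved algorithm (AES, FIPS 197)"))
    if "CCMP" not in pairwise:
        out.append(Finding("fail", "rsn_pairwise", "CCMP not offered"))

    key_mgmt = set(cfg.get("wpa_key_mgmt", "").split())
    if "WPA-PSK" in key_mgmt or "wpa_passphrase" in cfg or "wpa_psk" in cfg:
        out.append(Finding("fail", "wpa_key_mgmt", "pre-shared key in use; use IEEE 802.1X and EAP with an AS"))
    if "WPA-EAP" not in key_mgmt:
        out.append(Finding("fail", "wpa_key_mgmt", "WPA-EAP (IEEE 802.1X/EAP) not enabled"))
    else:
        if cfg.get("ieee8021x") != "1":
            out.append(Finding("fail", "ieee8021x", "WPA-EAP selected but IEEE 802.1X is off"))
        if cfg.get("eap_server") == "1":
            out.append(Finding("warn", "eap_server", "AP is its own EAP server; confirm a FIPS-validated TLS module and TLS-based EAP methods"))
        elif not cfg.get("auth_server_addr"):
            out.append(Finding("fail", "auth_server_addr", "no authentication server configured"))
        else:
            if len(cfg.get("auth_server_shared_secret", "")) < MIN_SECRET_LEN:
                out.append(Finding("fail", "auth_server_shared_secret", "RADIUS shared secret missing or short"))
            # IEEE 802.11 does not protect the AP-to-AS link, and this file cannot show
            # whether IPsec or a dedicated management network covers it: ask the reviewer.
            out.append(Finding("warn", "auth_server_addr", "confirm AP-to-AS traffic is protected (e.g. IPsec); 802.11 does not cover it"))
    return out


def failures(cfg: dict[str, str]) -> set[str]:
    """Options with at least one 'fail' finding; empty means the file meets the recommendations."""
    return {f.option for f in check_rsn(cfg) if f.severity == "fail"}


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for f in check_rsn(parse_hostapd(text)):
            print(f"  [{f.severity}] {f.option}: {f.message}")
```

Run the file directly to print the findings for both configurations: the weak one fails on wpa, rsn_pairwise and wpa_key_mgmt, while the hardened one carries only the AP-to-AS warning, which is closed out by checking the network path between the AP and the AS rather than anything on the AP itself.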