
Wireless LAN Security

2005 Research In Motion Limited. All rights reserved.

www.blackberry.com

Contents

Introduction  2
Wireless security  2
  BlackBerry 7270  2
  Security methods  2
Layer 2 security  3
  WEP  3
  TKIP  3
  802.1x and the EAP  3
  LEAP  4
  PEAP  4
  PSK  5
Layer 3 security  5
  VPN  5
Simple authentication  5
  MAC address filtering  5
Related resources  6


Introduction
This document explores the security features of the wireless local area network (WLAN) solution and provides an overview of the WLAN security options and architecture supported by the BlackBerry 7270 Wireless Handheld. This document does not make exclusive recommendations or define best practices. You should make carefully considered security decisions for every WLAN installation. See your WLAN infrastructure vendor(s) for details and recommendations. See the BlackBerry Enterprise Server 4.0 Implementation Guide for Wireless LAN for more information.

Wireless security
The BlackBerry 7270 provides a number of different WLAN security options that are compatible with the security policies and environments of most organizations. Implementing the BlackBerry Enterprise Solution (consisting of a BlackBerry Wireless Handheld, BlackBerry Handheld Software, BlackBerry Desktop Software, and the BlackBerry Enterprise Server software) over a WLAN requires differences in infrastructure and architecture. The WLAN solution bypasses the Server Routing Protocol (SRP), a point-to-point protocol that runs over TCP/IP. A direct connection to the BlackBerry Enterprise Server through the BlackBerry Router replaces SRP connectivity and authentication.

The wireless security of the WLAN solution extends the security features of the existing BlackBerry Enterprise Solution. Visit http://www.blackberry.com/products/software/server/exchange/security.shtml for more information on BlackBerry security.

Administering WLAN security using IT policy rules
With the BlackBerry Enterprise Solution, a system administrator can monitor and control all BlackBerry handhelds from the BlackBerry Manager using wireless IT commands and IT policy rules. The WLAN solution includes WLAN security-specific IT policy rules. See the BlackBerry Enterprise Server 4.0 Implementation Guide for Wireless LAN for more information on WLAN IT policies. See the BlackBerry Enterprise Server Administration Guide for more information on IT policies in general.

BlackBerry 7270
The BlackBerry 7270 is the first BlackBerry device to operate on 802.11b WLANs. The BlackBerry 7270 enables on-site users to wirelessly access email, organizer, and browser-based applications while mobile in the physical environment of their organization. As extensions of enterprise networks, WLANs must be protected from unauthorized use. All wireless client devices should be authenticated before gaining access to the network, and wireless communications between the device and the network should be encrypted. Multiple security methods can encrypt network traffic between a BlackBerry 7270 and a wireless access point or network firewall. Regardless of the WLAN security method(s) used, all communication between the BlackBerry 7270 and the BlackBerry Enterprise Server is strongly encrypted using Triple Data Encryption Standard (Triple DES) or Advanced Encryption Standard (AES) encryption methods.

Security methods
There are two categories of WLAN security technology supported by the BlackBerry 7270. Layer 2 security operates at a low level between the BlackBerry 7270 and a wireless access point. The BlackBerry 7270 supports the following layer 2 security methods:

- 64 and 128-bit Wired Equivalent Privacy (WEP)
- Lightweight Extensible Authentication Protocol (LEAP)
- Protected Extensible Authentication Protocol (PEAP)
- Pre-Shared Key (PSK)

Layer 3 security operates between the BlackBerry 7270 and a network firewall. When layer 3 security is applied, the BlackBerry 7270 supports virtual private networks (VPNs). You can also apply simple authentication through Media Access Control (MAC) address filtering.

Layer 2 security
WEP
Wired Equivalent Privacy (WEP), the oldest, most prevalent form of WLAN encryption available, was originally designed to bring the same level of security to a WLAN that was available on a traditional wired LAN. WEP uses a matching encryption key at both the access point and the wireless client to secure wireless communication. These keys can be either 64 or 128 bits in length. Only the first 40 or 104 bits are used as the actual encryption key.

WEP keys must be distributed to each WLAN client device. In the BlackBerry Enterprise Server, WEP keys can be defined using IT policy rules and delivered to the BlackBerry 7270 during the initial device provisioning using the BlackBerry Enterprise Server wireless IT policy feature. The BlackBerry 7270 must be connected to the administrator computer or the desktop computer during initial provisioning, but IT policy rules can be updated dynamically thereafter. Administrator time is saved when new devices are added to the BlackBerry Enterprise Server, as no additional configuration of WLAN access points is necessary.

WEP has a number of weaknesses. It has been shown that WEP keys can be deduced in very little time. WEP-encrypted packets can be altered without detection using a man-in-the-middle attack. By modern standards, WEP is not considered a cryptographically strong security solution. Organizations concerned with security often use WEP as their preliminary security method to moderately limit access to their WLAN, but use a VPN as a more secure gatekeeper to the core enterprise network to provide data confidentiality.

TKIP
The Temporal Key Integrity Protocol (TKIP), which is part of the 802.11i WLAN security standard, addresses the shortcomings in WEP without requiring replacement of the existing WLAN hardware. TKIP is more robust than WEP and is not susceptible to the same attacks. TKIP keys are larger than WEP keys (128 bits for the key itself, compared to 40 or 104 for WEP) and are generated dynamically for each session. Where WEP uses a single fixed key for an entire session, TKIP keys are changed automatically for each packet of transmitted data. To prevent man-in-the-middle attacks, TKIP includes a Message Integrity Check (MIC). Transmitted packets that are captured, altered, and resent fail the MIC and are discarded. Because of the dynamic nature of TKIP keys, a secure method of distributing these keys to a wireless client is required. The BlackBerry 7270 supports the use of TKIP with both PEAP and PSK.
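The integrity difference between the two sections above (WEP's undetected alteration versus TKIP's MIC and per-packet keying) can be shown with a small receiver-side model. The following Python is an added illustration, not RIM code and not the TKIP algorithm itself: an unkeyed CRC-32 stands in for the WEP integrity check value, a truncated HMAC-SHA256 stands in for TKIP's Michael MIC, and a simple monotonically increasing sequence counter stands in for TKIP's per-packet sequence counter. The session key and payloads are constructed for the example.

```python
import hashlib
import hmac
import zlib
from dataclasses import dataclass

# Constructed 128-bit session key; TKIP generates such keys per session.
SESSION_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


@dataclass
class Frame:
    seq: int        # per-frame sequence counter (stand-in for the TKIP counter)
    payload: bytes
    tag: bytes      # integrity value carried with the frame


def wep_style_icv(payload: bytes) -> bytes:
    # WEP-style integrity value: an unkeyed CRC-32 over the data. Anyone who can
    # see the data can recompute it, so it detects accidental corruption only.
    return zlib.crc32(payload).to_bytes(4, "big")


def keyed_mic(key: bytes, seq: int, payload: bytes) -> bytes:
    # Keyed MIC bound to both the counter and the data. Truncated HMAC-SHA256 is
    # an assumed stand-in for Michael; the binding to the key is the point.
    return hmac.new(key, seq.to_bytes(6, "big") + payload, hashlib.sha256).digest()[:8]


class WepStyleReceiver:
    """Accepts any frame whose CRC matches its payload."""

    def accept(self, frame: Frame) -> bool:
        return frame.tag == wep_style_icv(frame.payload)


class TkipStyleReceiver:
    """Accepts a frame only if its keyed MIC verifies and its counter advanced."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1

    def accept(self, frame: Frame) -> bool:
        if frame.seq <= self.last_seq:
            return False                      # replayed or stale frame
        expected = keyed_mic(self.key, frame.seq, frame.payload)
        if not hmac.compare_digest(frame.tag, expected):
            return False                      # payload or counter was altered
        self.last_seq = frame.seq
        return True


def integrity_scenario() -> dict:
    """Feeds the same three frames to both receivers; returns (WEP, TKIP) verdicts."""
    wep_rx = WepStyleReceiver()
    tkip_rx = TkipStyleReceiver(SESSION_KEY)
    original = b"transfer 100 to account 7"      # constructed sample payload
    modified = b"transfer 900 to account 7"

    # Frame 1: the sender's genuine frame, both integrity values computed legitimately.
    wep_ok = wep_rx.accept(Frame(1, original, wep_style_icv(original)))
    tkip_ok = tkip_rx.accept(Frame(1, original, keyed_mic(SESSION_KEY, 1, original)))

    # Frame 2: the payload changed in transit. The CRC is unkeyed, so it can be
    # recomputed for the new payload; the MIC cannot, so the old tag travels with it.
    wep_mod = wep_rx.accept(Frame(2, modified, wep_style_icv(modified)))
    tkip_mod = tkip_rx.accept(Frame(2, modified, keyed_mic(SESSION_KEY, 1, original)))

    # Frame 3: the genuine frame 1 captured and resent unchanged.
    wep_replay = wep_rx.accept(Frame(1, original, wep_style_icv(original)))
    tkip_replay = tkip_rx.accept(Frame(1, original, keyed_mic(SESSION_KEY, 1, original)))

    return {
        "genuine": (wep_ok, tkip_ok),
        "altered": (wep_mod, tkip_mod),
        "replayed": (wep_replay, tkip_replay),
    }


if __name__ == "__main__":
    for name, (wep, tkip) in integrity_scenario().items():
        print(f"{name:9s} WEP-style accepts={wep}  TKIP-style accepts={tkip}")
```

The genuine frame passes both receivers; the altered frame and the replayed frame pass the CRC-only receiver but are discarded by the MIC-and-counter receiver, which is the behaviour the TKIP section describes. The model leaves out RC4, the IV, and the real Michael function, so it shows why a keyed check matters, not how WEP is actually broken.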

802.1x and the EAP


The 802.1x standard defines a generic framework that can be used to authenticate users who want to access a wired or wireless network. 802.1x does not perform this authentication itself; instead it defines an Extensible Authentication Protocol (EAP) that enables a number of authentication methods. There are three main components of an 802.1x environment.

- Supplicant: This is the 802.1x/EAP client software running on the WLAN client device. The BlackBerry 7270 has a built-in 802.1x supplicant.
- Authenticator: This is the access point that acts as a mediator, relaying EAP packets between the supplicant and an authentication server.
- Authentication server: This is often a Remote Authentication Dial In User Service (RADIUS) server responsible for deciding whether a user should be allowed to access the network. By centralizing authentication with a RADIUS server, access points do not need to be reconfigured each time a new user is added to the WLAN.

When a wireless client first associates itself with an access point enabled for 802.1x security, the only communication allowed by that access point is 802.1x authentication. Using a negotiated EAP method, the supplicant on the wireless client sends its credentials (typically, a user name and password) to the access point (the authenticator), which forwards the information to the authentication server. The authentication server instructs the access point to allow or disallow the particular client access to the WLAN. After a WLAN client has been authenticated successfully, a special algorithm establishes the encryption keys that the access point and the client use. The keys are WEP or TKIP keys, depending on the EAP method used. After the user is authenticated and WLAN encryption keys are established, the client has encrypted access to the enterprise LAN.

Using 802.1x for authentication simplifies the administration of WLAN security. Granting or revoking WLAN permissions requires updating the central authentication server. It does not require configuration changes at the access point level.

The BlackBerry 7270 supports the EAP methods LEAP and PEAP. If users share a single set of EAP credentials, then the credentials can be sent to each device automatically, using IT policies. In most cases, EAP credentials are unique to each user and an IT policy rule is used only to enable a particular EAP method. Users then need to configure their devices manually with their specific credentials using the device user interface.
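The port-based control described above (only 802.1x traffic passes until the authentication server accepts the client, and revocation happens at the server rather than at the access point) can be modelled with the three components. The Python below is an added example, not RIM code and not a real EAP implementation: the multi-round EAP exchange is collapsed into a single EAP-Response carrying an identity and password, the RADIUS server is a dictionary of salted password hashes, and key establishment after EAP-Success is omitted. All user names, passwords and payloads are constructed.

```python
import hashlib
import hmac

SALT = b"constructed-salt"   # made up for the example; a real store salts per user


def password_hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 10_000)


class AuthenticationServer:
    """RADIUS stand-in: the only component that judges credentials."""

    def __init__(self, users: dict):
        self.users = users            # identity -> password hash

    def verify(self, identity: str, password: str) -> bool:
        stored = self.users.get(identity)
        if stored is None:
            return False
        return hmac.compare_digest(stored, password_hash(password))

    def revoke(self, identity: str) -> None:
        # Revocation is a server-side change; no access point is touched.
        self.users.pop(identity, None)


class Authenticator:
    """The access point. Its uncontrolled port always relays EAP; its controlled
    port forwards data only for clients the server has accepted."""

    def __init__(self, server: AuthenticationServer):
        self.server = server
        self.authorized = set()       # client ids whose controlled port is open

    def handle(self, client_id: str, msg: dict) -> dict:
        if msg["type"] == "EAP-Response":
            ok = self.server.verify(msg["identity"], msg["password"])
            if ok:
                self.authorized.add(client_id)
            else:
                self.authorized.discard(client_id)
            return {"type": "EAP-Success" if ok else "EAP-Failure"}
        # Anything that is not 802.1x traffic needs an open controlled port.
        if client_id in self.authorized:
            return {"type": "forwarded", "payload": msg["payload"]}
        return {"type": "dropped"}


class Supplicant:
    """The 802.1x client software on the handheld."""

    def __init__(self, client_id: str, identity: str, password: str):
        self.client_id, self.identity, self.password = client_id, identity, password

    def authenticate(self, ap: Authenticator) -> str:
        reply = ap.handle(self.client_id, {"type": "EAP-Response",
                                           "identity": self.identity,
                                           "password": self.password})
        return reply["type"]

    def send_data(self, ap: Authenticator, payload: bytes) -> str:
        return ap.handle(self.client_id, {"type": "data", "payload": payload})["type"]


def dot1x_scenario() -> list:
    """Runs two clients through the access point; returns (event, outcome) pairs."""
    server = AuthenticationServer({"alice": password_hash("correct horse battery")})
    ap = Authenticator(server)
    alice = Supplicant("client-1", "alice", "correct horse battery")
    bob = Supplicant("client-2", "bob", "guess")           # not provisioned on the server
    events = [
        ("alice data before auth", alice.send_data(ap, b"GET /mail")),
        ("bob auth", bob.authenticate(ap)),
        ("bob data", bob.send_data(ap, b"GET /mail")),
        ("alice auth", alice.authenticate(ap)),
        ("alice data", alice.send_data(ap, b"GET /mail")),
    ]
    server.revoke("alice")                                  # central change only
    events.append(("alice re-auth after revocation", alice.authenticate(ap)))
    events.append(("alice data after revocation", alice.send_data(ap, b"GET /mail")))
    return events


if __name__ == "__main__":
    for event, outcome in dot1x_scenario():
        print(f"{event:32s} -> {outcome}")
```

Data sent before authentication is dropped, a client the server does not know receives EAP-Failure and stays blocked, and removing a user from the server closes that client's controlled port at its next authentication without any change to the access point's configuration.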

LEAP
LEAP, also known as EAP-Cisco Wireless, was developed by Cisco in response to the weaknesses identified in WEP. LEAP uses the 802.1x authentication framework. After authentication, dynamically-generated WEP keys are sent to the WLAN client. To provide added security to basic WEP, these keys change automatically throughout the course of a session. LEAP authentication is based on a user name and password. Passwords are encrypted using a one-way function before being sent to the authentication server. LEAP significantly improves on basic WEP security. However, Cisco announced in 2003 that passwords sent using LEAP are vulnerable to attack, especially when cryptographically weak, or simple, passwords are used. LEAP is fully supported by the BlackBerry 7270.

PEAP
PEAP is an open standard jointly developed by Microsoft, RSA Security and Cisco Systems. It uses the 802.1x framework, and was designed specifically for use with WLANs. PEAP works in two phases. In the first phase, Transport Layer Security (TLS) creates an encrypted tunnel between the supplicant and the authentication server. In the second phase, the supplicant sends its credentials to the authentication server using the TLS tunnel. The two versions of PEAP are PEAPv0 (also known as Microsoft PEAP) and PEAPv1 (also known as Cisco PEAP). In addition, there are a number of second-phase protocols that can be used for the credential exchange. The BlackBerry 7270 is compatible with the Wi-Fi Alliance WPA-Enterprise specification. It supports only the following versions of PEAP:

- PEAPv0
- PEAPv1 with MS-CHAPv2 as the second-phase method

PSK
PSK is a WLAN authentication method used primarily in small office and home environments where it is not feasible to set up a RADIUS server-based authentication infrastructure. PSK uses TKIP to secure WLAN communications, but relies on a single, shared pass phrase of up to 256 bits in length for authorization. All access points and wireless clients must know the PSK pass phrase. The pass phrase can be set and distributed to the BlackBerry 7270 using an IT policy rule. The BlackBerry 7270 implementation of PSK is compatible with the Wi-Fi Alliance WPA-Personal specification.
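The 256-bit figure above is the size of the key that WPA-Personal derives from the shared pass phrase. Every access point and client on the WLAN performs the same derivation, which is why all of them must hold the same pass phrase and why the same pass phrase used on a differently named WLAN yields a different key. The Python below is an added example, not RIM code; it implements the WPA-Personal derivation (PBKDF2-HMAC-SHA1, salted with the SSID, 4096 iterations, 32 bytes out), accepts a 64-hex-digit string as the raw key, and includes a helper for generating a raw key of that form for distribution through an IT policy rule. The SSIDs and pass phrases used in the usage block are constructed.

```python
import hashlib
import os

PBKDF2_ITERATIONS = 4096      # iteration count fixed by the WPA-Personal specification
PSK_BYTES = 32                # 256-bit pairwise master key
HEX_DIGITS = set("0123456789abcdefABCDEF")


def passphrase_is_valid(passphrase: str) -> bool:
    """True for an 8-63 character printable-ASCII pass phrase or a 64-hex-digit raw key."""
    if len(passphrase) == 64 and set(passphrase) <= HEX_DIGITS:
        return True
    return 8 <= len(passphrase) <= 63 and all(32 <= ord(c) <= 126 for c in passphrase)


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """Turns a WPA-Personal pass phrase into the 256-bit PSK for one SSID."""
    if not passphrase_is_valid(passphrase):
        raise ValueError("pass phrase must be 8-63 printable ASCII characters "
                         "or 64 hex digits")
    if len(passphrase) == 64:
        return bytes.fromhex(passphrase)          # raw key supplied directly
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PSK_BYTES)


def generate_raw_psk() -> str:
    """A full-entropy 256-bit key as 64 hex digits, suitable for pushing via policy
    rather than a human-chosen phrase (which is only as strong as its guessability)."""
    return os.urandom(PSK_BYTES).hex()


def psk_differs_across_ssids(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """Shows that the SSID acts as a salt: same phrase, different WLAN name, different key."""
    return derive_psk(passphrase, ssid_a) != derive_psk(passphrase, ssid_b)


if __name__ == "__main__":
    # "password" / "IEEE" is the published 802.11i test vector; the other values are constructed.
    print(derive_psk("password", "IEEE").hex())
    print(psk_differs_across_ssids("correct horse battery", "corp-wlan", "corp-wlan-2"))
    raw = generate_raw_psk()
    print(derive_psk(raw, "corp-wlan") == bytes.fromhex(raw))
```

The derivation is deliberately slow (4096 HMAC iterations) to make guessing a pass phrase from captured traffic expensive, but it does not turn a short or common phrase into a strong key; a randomly generated raw key distributed by policy, as the section describes, avoids that weakness.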

Layer 3 security
VPN
A VPN differs from the other WLAN security methods in that the access point is not involved in the encryption of data. A VPN provides a strongly-encrypted tunnel between the client device and the core enterprise network. VPN is commonly used by organizations to provide remote users with secure access to an enterprise network. A VPN solution consists of the following two components:

- VPN client on the device, which gains access to the network
- VPN concentrator, which sits on the edge of the enterprise network and acts as the gatekeeper to that enterprise network

Using strong encryption, the client authenticates itself with the concentrator and an encrypted tunnel is created between the two. All network communication between the remote device and the enterprise network is routed through the encrypted tunnel. A common WLAN configuration uses WEP to provide a rudimentary access-control mechanism for the WLAN itself and uses VPN to provide the actual security. In this scenario, the WLAN is configured as an untrusted network; the only other device connected to the WLAN is the VPN concentrator.

The BlackBerry 7270 has a built-in VPN client that supports VPN concentrators from Alcatel, Avaya, Check Point Software Technologies, Cisco, Cylink, Lucent Technologies, NetScreen Systems, Nortel Networks, ReefEdge, Secure Computing, and Symantec. If the BlackBerry 7270 has a VPN profile, it logs into the VPN concentrator automatically after connecting to the WLAN.

VPN clients must be configured with a number of options (for example, the IP address of the VPN concentrator, user names and passwords, and cryptographic methods to be used). On the BlackBerry 7270, each of these settings is configurable using IT policy rules. Depending on the security policy of your organization, each user name and password can be saved to the device to prevent the user from being prompted for these credentials the first time (or each time) the user connects to the WLAN. The BlackBerry 7270 is also compatible with VPN environments that use two-factor hard tokens for user credentials. When logging into the VPN, users are prompted for their user name and password, at which point they can type the current value from their token.

Simple authentication
MAC address filtering
Every network client (wired or wireless) is assigned a unique 48-bit MAC address. MAC address filtering involves programming the MAC address of every client device that is allowed to access a specific WLAN into each access point. This is the simplest form of WLAN security.

MAC address filtering is a very weak form of security. It is a rudimentary form of authentication (MAC address spoofing is a well-known weakness) and does not provide any encryption. Additionally, administering a WLAN using MAC address filtering can be labor-intensive, as the MAC address of each new client that wants to access the WLAN must be added to the list of allowed MAC addresses at each access point.

MAC address filtering is used mostly by very simple WLAN client devices that do not support any other form of WLAN security. The BlackBerry 7270 supports a number of WLAN authentication and encryption options. Research In Motion (RIM) does not recommend using MAC address filtering as the only form of protection for a WLAN with the BlackBerry 7270.

Related resources
Resource: BlackBerry Enterprise Server 4.0 Implementation Guide for Wireless LAN
Location: http://www.blackberry.com/knowledgecenterpublic/livelink.exe?func=ll&objId=817080&objAction=browse&sort=name

Resource: BlackBerry Enterprise Server documentation
Location: http://www.blackberry.com/knowledgecenterpublic/livelink.exe?func=ll&objId=7963&objAction=browse&sort=name

Resource: BlackBerry site: Security Overview
Location: http://www.blackberry.com/products/software/server/exchange/security.shtml



Part number: SWD_X_BES(EN)-132.000

*Check with service provider for availability, roaming arrangements and service plans. Certain features outlined in this document require a minimum version of BlackBerry Enterprise Server software, BlackBerry Desktop Software, and/or BlackBerry handheld software. May require additional application development. Prior to subscribing to or implementing any third party products or services, it is your responsibility to ensure that the airtime service provider you are working with has agreed to support all of the features of the third party products and services. Installation and use of third party products and services with RIM's products and services may require one or more patent, trademark or copyright licenses in order to avoid infringement of the intellectual property rights of others. You are solely responsible for determining whether such third party licenses are required and are responsible for acquiring any such licenses. To the extent that such intellectual property licenses may be required, RIM expressly recommends that you do not install or use these products and services until all such applicable licenses have been acquired by you or on your behalf. Your use of third party software shall be governed by and subject to you agreeing to the terms of separate software licenses, if any, for those products or services. Any third party products or services that are provided with RIM's products and services are provided "as is". RIM makes no representation, warranty or guarantee whatsoever in relation to the third party products and services and RIM assumes no liability whatsoever in relation to the third party products and services even if RIM has been advised of the possibility of such damages or can anticipate such damages.

2005 Research In Motion Limited. All rights reserved. The BlackBerry and RIM families of related marks, images and symbols are the exclusive properties of Research In Motion Limited.
RIM, Research In Motion, BlackBerry and 'Always On, Always Connected' are registered with the U.S. Patent and Trademark Office and may be pending or registered in other countries.

Alcatel is a registered trademark of Alcatel. Avaya is a trademark, registered or not, of Avaya. Check Point is a trademark or registered trademark of Check Point Software Technologies Ltd. or its affiliates. Cisco is a registered trademark of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries. Lucent Technologies is a trademark or service mark of Lucent Technologies Inc. Microsoft is a trademark of Microsoft Corporation in the United States and/or other countries. RSA Security is service mark, trademark, and/or trade dress of RSA Security. Secure Computing is a trademark of Secure Computing Corporation, registered in the U.S. Patent and Trademark Office and in other countries. Symantec is a registered trademark of Symantec Corporation in the United States. Wi-Fi is a registered trademark of the Wi-Fi Alliance. All other brands, product names, company names, trademarks and service marks are the properties of their respective owners. The handheld and/or associated software are protected by copyright, international treaties and various patents, including one or more of the following U.S. patents: 6,278,442; 6,271,605; 6,219,694; 6,075,470; 6,073,318; D,445,428; D,433,460; D,416,256. Other patents are registered or pending in various countries around the world. Please visit www.rim.com/patents.shtml for a current listing of applicable patents. This is a preliminary document and may be changed substantially prior to final commercial release of the software described herein. This document is provided as is and Research In Motion Limited (RIM) assumes no responsibility for any typographical, technical or other inaccuracies in this document. RIM reserves the right to periodically change information that is contained in this document; however, RIM makes no commitment to provide any such changes, updates, enhancements or other additions to this document to you in a timely manner or at all. 
RIM MAKES NO REPRESENTATIONS, WARRANTIES, CONDITIONS OR COVENANTS, EITHER EXPRESS OR IMPLIED (INCLUDING WITHOUT LIMITATION, ANY EXPRESS OR IMPLIED WARRANTIES OR CONDITIONS OF FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT, MERCHANTABILITY, DURABILITY, TITLE, OR RELATED TO THE PERFORMANCE OR NON-PERFORMANCE OF ANY SOFTWARE REFERENCED HEREIN OR PERFORMANCE OF ANY SERVICES REFERENCED HEREIN). IN CONNECTION WITH YOUR USE OF THIS DOCUMENTATION, NEITHER RIM NOR ITS AFFILIATED COMPANIES AND THEIR RESPECTIVE DIRECTORS, OFFICERS, EMPLOYEES OR CONSULTANTS SHALL BE LIABLE TO YOU FOR ANY DAMAGES WHATSOEVER BE THEY DIRECT, ECONOMIC, COMMERCIAL, SPECIAL, CONSEQUENTIAL, INCIDENTAL, EXEMPLARY OR INDIRECT DAMAGES, EVEN IF RIM HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, INCLUDING WITHOUT LIMITATION, LOSS OF BUSINESS REVENUE OR EARNINGS, LOST DATA, DAMAGES CAUSED BY DELAYS, LOST PROFITS, OR A FAILURE TO REALIZE EXPECTED SAVINGS. This document might contain references to third party sources of information and/or third party web sites (Third-Party Information). RIM does not control, and is not responsible for, any Third-Party Information, including, without limitation the content, accuracy, copyright compliance, legality, decency, links, or any other aspect of Third-Party Information. The inclusion of Third-Party Information in this document does not imply endorsement by RIM of the third party in any way. Any dealings with third parties, including, without limitation, compliance with applicable licenses and terms and conditions, are solely between you and the third party. RIM shall not be responsible or liable for any part of such dealings.
