Since the ratification of the IEEE 802.11i amendment, organisations have been able to take advantage of improved security on wireless networks with WPA2-compliant hardware. However, the protection currently afforded to administrators only applies to data traffic and does not provide any protection for management or control operations on wireless networks.
Enter the IEEE 802.11w Task Group (TG). Approved as an IEEE 802.11 TG in March 2005, TGw is chartered to improve the security of wireless networks by protecting management frames. As other wireless working groups extend the functionality of management frames to include sensitive information including radio resource data, location-based identifiers, and fast-roaming information, it becomes clear that security in wireless networks needs to be extended to management frames as well as data frames.
The IEEE 802.11w TG has several challenges to overcome, however. To protect the confidentiality of management traffic, IEEE 802.11w assumes that the client and the access point have exchanged dynamic key content. This precludes the protection of any management frames prior to the delivery of key content, thus exposing network name (SSID) information and other capability information needed for clients to connect to the network. Maintaining backward compatibility for non-IEEE 802.11w-compliant wireless devices will also be challenging for organisations, limiting the protection afforded by 802.11w until all hardware has been upgraded to support the required functionality.
A TGw solution that can identify spoofed management frames can disregard some malicious traffic used to launch DoS attacks against the network, such as a de-authenticate flood attack. However, mitigating DoS attacks is not the goal of the TG, and appropriately so; even if the AP and client can identify malicious management frames, 802.11w can never mitigate the effectiveness of RF-jamming attacks. Furthermore, the IEEE 802.11w TG has not indicated it intends to provide protection for control frames on the wireless network. Without protection, the attacker can choose from a variety of DoS attacks that exploit various wireless-medium control techniques.
The IEEE 802.11w TG is currently developing the first letter ballot for review by the IEEE 802.11 Working Group. The estimated date for a published IEEE 802.11w specification is April 2008. Thus mechanisms adopted by the working group could change drastically before the final specification is published.
We certainly need the efforts of the IEEE 802.11w TG to protect the future of wireless networks and to preserve the security of new wireless capabilities. Do not expect this protection to come without deployment or management costs, however, or to mitigate the looming DoS issues plaguing wireless networks.
Joshua Wright is a Senior Security Architect for Aruba Networks and an editorial board member of the WVE. When not breaking wireless networks, he practices Aiki-Jutsu, where he tries not to break things. This article appeared in Network World.