A security-minded wireless vendor is suffering ridicule from its peers for alerting the world to a not-very-dangerous security flaw. Aruba Networks claims that an attack on Radius servers is made worse by some wireless architectures, but rivals dismiss it as a red herring.
The attack requires a hacker to connect a device to his victim's wired network, and compromise the Radius server by performing ARP poisoning using tools like Cain & Abel. The device can then act as a proxy between the Radius server and the access point, getting passwords and other data. To protect against this, users should not have encryption carried out at the access point, but at a central switch - such as Aruba's, of course. "This is a known Radius vulnerability in the wired world but is made worse with wireless," said David Callisch, communications director at Aruba.
The story was run by eWeek and gathered some steam, with other sites headlining it as exposing flaws in the spanking new 802.11i security protocol, which, incidentally, Aruba is among the first to implement.
Then the backlash hit. Other vendors, particularly Airespace and Trapeze, pointed out that a vulnerability which requires access to the wired network is a pretty strange one, especially as to poison ARP the hacker would need access to the management VLAN, and therefore be able to do pretty much anything. Getting that access and then concentrating on wireless AP traffic would be like stealing someone's wallet and keys, and then using the wallet to buy a crowbar to get into their house.
"This 'attack' is nothing new," said Dan Harkins, chief security architect at Trapeze Networks, and one of the authors of 802.11i. "It is an attack against poor administration and not against any protocol, not against 802.11i and not even against Radius. It attempts to get access to the Radius conversation between the Radius server and access points and then to try an offline dictionary attack to discover the shared secret. It will only work if the shared secret between the server and AP is weak."
"The IEEE has done a really good job on 802.11i," said Pat Calhoun, chief technical officer of Airespace. "It is a good security solution, so causing additional fear is not good." Even if the vulnerability were a worry, any system which moves encryption to a central system would be proof against it, he said.
The fact that Radius can be subverted by someone with access to the wired network has been known for some time, says Calhoun. "The assumption made by most IT managers is that the wired network is secure." Calhoun chaired a group discussing Radius security in the 1980s, co-authored RFC 2869, which describes extensions to Radius, and helped create a proposed replacement called Diameter ("It doesn't stand for anything," says Calhoun, "it's just two times Radius"). Running Radius over IPsec is one answer, he says, and IT managers should make sure they are using strong secrets.
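Why both Harkins and Calhoun reduce the issue to the shared secret: in RFC 2865 the only thing binding a Radius reply to the server is the Response Authenticator, an MD5 over the reply header, the request's authenticator, the attributes and the shared secret. The Python below is an added illustration, not code from the article or either vendor, and all packet values in it are constructed; it shows the check a Radius client such as an access point performs on a reply, which is the same computation an offline guess against a captured exchange has to satisfy, so it holds only as long as the secret is strong.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def radius_attribute(attr_type, value):
    """Encode one RFC 2865 attribute: Type, Length (including header), Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def response_authenticator(code, identifier, attributes, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attributes))
    return hashlib.md5(header + request_auth + attributes + secret).digest()


def build_reply(code, identifier, attributes, request_auth, secret):
    """Assemble a reply the way a Radius server does (constructed, for illustration)."""
    auth = response_authenticator(code, identifier, attributes, request_auth, secret)
    return struct.pack("!BBH", code, identifier, HEADER_LEN + len(attributes)) + auth + attributes


def verify_reply(packet, request_auth, secret):
    """Client-side check: recompute the Response Authenticator and compare in constant time.
    Returns True only if the sender knew the shared secret and nothing was altered in transit."""
    if len(packet) < HEADER_LEN:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    attributes = packet[HEADER_LEN:length]
    expected = response_authenticator(code, identifier, attributes, request_auth, secret)
    return hmac.compare_digest(packet[4:HEADER_LEN], expected)


# Constructed sample exchange (not taken from any real capture):
WEAK_SECRET = b"secret"                      # the kind of shared secret guessing finds quickly
DEMO_REQUEST_AUTH = bytes(range(16))         # Request Authenticator the AP would have sent
DEMO_ATTRIBUTES = radius_attribute(18, b"Welcome")  # Reply-Message is attribute type 18
DEMO_REPLY = build_reply(ACCESS_ACCEPT, 0x2A, DEMO_ATTRIBUTES, DEMO_REQUEST_AUTH, WEAK_SECRET)

if __name__ == "__main__":
    print("genuine reply verifies:", verify_reply(DEMO_REPLY, DEMO_REQUEST_AUTH, WEAK_SECRET))
    print("wrong secret verifies:", verify_reply(DEMO_REPLY, DEMO_REQUEST_AUTH, b"other"))
```

Nothing in the reply other than the secret is hidden from anyone on the wire, which is why Calhoun's advice is to protect the path with IPsec and to pick secrets that cannot be guessed.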
"There is nothing clever, innovative, or new in any of this," says Harkins. And in any case, since the attack relies on poor administration and network design, even a centrally-controlled system would be vulnerable. "There is nothing specific about [Aruba's] device that prevents it from being deployed anywhere in the network," says Harkins.