Primer: Link-Layer Security

What is it? Imagine you’re driving to a military base. Before you can even get onto the property, you’re stopped and have to prove that the car is yours, that the car itself is allowed to drive on the base, and that the base’s chief of security can personally vouch for the car. Only then are you allowed to go up to the gate and prove your own identity. That’s how link-layer security works. On wireless networks, it doesn’t allow a laptop, handheld or other computing device to send any information over the network until its connection request and its credentials (a password, or a certificate, depending on the authentication method) have been accepted.

How’s that different from an ordinary log-in? Even before you log in to a regular wireless or wired connection, your computer is already exchanging information with the network. Mostly it and the nearest switch, router or access point are just identifying themselves and handing out addresses, but that is still traffic a cracker can exploit: a device that can put frames onto the network can probe it, or attack other stations on it, without ever logging in. Link-layer security doesn’t allow even that. Until authentication succeeds, the port passes nothing but the authentication exchange itself.


So how do you get access? Your wireless device first sends a request to the nearest access point, which asks it for its identity. Your device responds, and the access point relays the identity, and any challenge and response that follow, to an authentication server, which accepts or rejects the credentials. The access point never decides for itself; it only carries messages between your device and the server and opens or keeps shut the port. If the server accepts, it tells the access point, the access point tells your laptop, and off you go. If not, the only frames your laptop ever gets onto the network are the authentication exchange itself; the access point discards everything else.
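The exchange just described, as an added example that is not code from the original article: the supplicant (laptop) sends the equivalent of EAPOL-Start, the authenticator (access point) asks for its identity and relays it to a RADIUS-like server, the server issues a challenge, and the port stays in the unauthorized state, dropping all ordinary data frames, until the server returns Access-Accept. The message names follow EAP/EAPOL and RADIUS, but the user database, the passwords and the keyed-hash challenge/response are constructed stand-ins for a real EAP method, not a wire-compatible implementation.

```python
"""Simulated IEEE 802.1X port-based access control (added example).

Roles: supplicant (laptop), authenticator (access point / switch port),
authentication server (RADIUS). USER_DB, the passwords and eap_response()
are constructed stand-ins for a real EAP method and user store.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Constructed credential store standing in for the RADIUS server's user database.
USER_DB = {"alice": b"correct horse", "bob": b"battery staple"}


def eap_response(password: bytes, challenge: bytes) -> bytes:
    """Stand-in for an EAP method's proof of possession: keyed hash of the challenge."""
    return hmac.new(password, challenge, hashlib.sha256).digest()


@dataclass
class Frame:
    kind: str                       # "EAPOL" (802.1X control) or "DATA" (ordinary traffic)
    payload: dict = field(default_factory=dict)


class AuthServer:
    """RADIUS-like server: issues challenges, returns Access-Accept or Access-Reject."""

    def __init__(self):
        self.pending = {}           # identity -> challenge awaiting a response

    def access_request(self, identity: str, response: Optional[bytes] = None) -> Tuple[str, Optional[bytes]]:
        if identity not in USER_DB:
            return "Access-Reject", None
        if response is None:        # first round: hand back a fresh challenge
            self.pending[identity] = os.urandom(16)
            return "Access-Challenge", self.pending[identity]
        challenge = self.pending.pop(identity, None)
        if challenge is None:
            return "Access-Reject", None
        expected = eap_response(USER_DB[identity], challenge)
        ok = hmac.compare_digest(expected, response)   # constant-time comparison
        return ("Access-Accept" if ok else "Access-Reject"), None


class Authenticator:
    """Access point whose controlled port starts in the unauthorized state."""

    def __init__(self, server: AuthServer):
        self.server = server
        self.port_authorized = False
        self.identity = None
        self.forwarded = []         # data frames passed on to the wired network
        self.dropped = []           # data frames discarded while unauthorized

    def receive(self, frame: Frame):
        if frame.kind == "EAPOL":
            return self._handle_eapol(frame)
        # Anything that is not an 802.1X control frame is blocked until the
        # port is authorized: the "no bits except the request" rule.
        if self.port_authorized:
            self.forwarded.append(frame)
            return "forwarded"
        self.dropped.append(frame)
        return "dropped"

    def _handle_eapol(self, frame: Frame) -> Frame:
        p = frame.payload
        if p["eap"] == "EAPOL-Start":
            return Frame("EAPOL", {"eap": "Request/Identity"})
        if p["eap"] == "Response/Identity":
            self.identity = p["identity"]
            code, challenge = self.server.access_request(self.identity)   # RADIUS Access-Request
            if code == "Access-Challenge":
                return Frame("EAPOL", {"eap": "Request/Challenge", "challenge": challenge})
            return Frame("EAPOL", {"eap": "Failure"})
        if p["eap"] == "Response/Challenge" and self.identity:
            code, _ = self.server.access_request(self.identity, p["response"])
            self.port_authorized = code == "Access-Accept"
            return Frame("EAPOL", {"eap": "Success" if self.port_authorized else "Failure"})
        return Frame("EAPOL", {"eap": "Failure"})


def connect(ap: Authenticator, identity: str, password: bytes) -> str:
    """Supplicant side of the exchange; returns the final EAP code."""
    reply = ap.receive(Frame("EAPOL", {"eap": "EAPOL-Start"}))
    if reply.payload["eap"] != "Request/Identity":
        return "Failure"
    reply = ap.receive(Frame("EAPOL", {"eap": "Response/Identity", "identity": identity}))
    if reply.payload["eap"] != "Request/Challenge":
        return reply.payload["eap"]
    proof = eap_response(password, reply.payload["challenge"])
    reply = ap.receive(Frame("EAPOL", {"eap": "Response/Challenge", "response": proof}))
    return reply.payload["eap"]


if __name__ == "__main__":
    ap = Authenticator(AuthServer())
    print(ap.receive(Frame("DATA", {"dst": "fileserver"})))   # dropped: port still unauthorized
    print(connect(ap, "alice", b"correct horse"))            # Success
    print(ap.receive(Frame("DATA", {"dst": "fileserver"})))   # forwarded
```

The point to notice is in `Authenticator.receive`: the access point makes no trust decision of its own. It relays the exchange to the server and flips a single port state, and every data frame that arrives before that state is authorized is dropped, which is exactly why an unauthenticated station gets no foothold on the network.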

This technique not only prevents unauthorized people from connecting to the network, it also shuts out attacks that don’t require the cracker to log in, because a device that has not authenticated cannot put any frames onto the network at all. In a “man in the middle” attack, for example, a cracker intercepts the communication between two authorized users and slips in his own material, without disrupting the data stream enough for either of the other two to notice. Virtual private networks or other methods can encrypt the stream but not prevent a cracker from connecting, says Richard Rushing, chief security officer for wireless-security vendor AirDefense in Alpharetta, Ga.

What do I have to buy? Not a lot. The primary protocol is IEEE 802.1X, which should become a formal standard sometime next year. Many wireless vendors are building the existing version of 802.1X into their products. Microsoft has also built 802.1X client support into Windows XP, but if you’re using a different operating system, you may have to buy special client software for your laptops. The preferred authentication server is one running the Remote Authentication Dial-In User Service (RADIUS) protocol; a Windows domain controller with a RADIUS service installed will do the job. If you use handheld scanners or other wireless devices that are a couple of years old, however, you may have to replace them, since their firmware won’t speak 802.1X.

What’s the downside? The amount of work to get it running. If you’ve already been building out wireless networks, you may have to do some backtracking. You’ll have to set up laptops with the right client software and configure them with one of a variety of authentication methods and encryption schemes, and those methods don’t all interoperate: the laptop, the access point and the authentication server all have to support the same one. If you haven’t already, you’ll have to standardize your access and security products.