Maximum Wireless Security

Funk's Steel-Belted Radius

Funk Software's Steel-Belted Radius is one of the most widely used RADIUS servers. Because of the popularity of this product, we have included this segment to show the capabilities of a good RADIUS server product. If nothing else, the following information will give you a baseline from which to judge other products. We thank Funk Software for their kind permission to include their information here.

Overview

"Steel-Belted Radius is an award-winning RADIUS/AAA server that lets you centrally manage all your remote and wireless LAN (WLAN) users and equipment, and enhance the security of your network."

Straight from the data sheet on http://www.funk.com, this brief intro manages to consolidate into a few words the many features and functional aspects provided by their Steel-Belted Radius software.

Funk's product is a functional software package that provides a central point of administration for all remote users, regardless of how they connect. In other words, users will not need separate systems to provide accountability, authorization, and authentication for WLAN, LAN, VPN, dial-up, or Internet-based connections. In addition to multifaceted connection support, this product also supports various operating systems and networking software, including NT/2000, Solaris, and NetWare.

In particular, Steel-Belted Radius earns a second look because it adds security for WLAN users: it works with your existing access points to ensure that only authorized users are granted access. The following will detail the many features of Funk's Steel-Belted Radius.

Central User Administration

Steel-Belted Radius manages remote and WLAN users by allowing authentication procedures to be performed from one database. This relieves you of the need to administer separate authentication databases for each network access or WLAN access point device on your LAN.

Steel-Belted Radius performs three main functions:

  • Authentication: Validates any remote or WLAN user's username and password against a central security database to ensure that only individuals with valid credentials will be granted network access.

  • Authorization: For each new connection, provides information to the remote access or WLAN access point device, such as what IP address to use, session time-limit information, or which type of tunnel to set up.

  • Accounting: Logs all remote and WLAN connections, including usernames and connection duration, for tracking and billing.

When a user connects to the network via a remote access server, firewall, router, access point, or any other RADIUS-compliant network access device, that device queries Steel-Belted Radius to determine whether the user is authorized to connect. Steel-Belted Radius accepts or rejects the connection based on user credential information in the central security database, and authorizes the appropriate type of connection or service. When the user logs off, the network access device informs Steel-Belted Radius, which in turn records an accounting transaction.

Central Hardware Administration

Steel-Belted Radius works with the remote and wireless access equipment and methods you already have in place. Whether you have set up dial-up, Internet, VPN, outsourced, WLAN, or any other form of access, Steel-Belted Radius can manage the connections of all your remote and wireless users. This includes the following:

  • Dial-up users who connect via remote access servers from 3Com, Cisco, Lucent, Nortel, and others.

  • Internet users who connect via firewalls from Check Point, Cisco, and others.

  • Tunnel/VPN users who connect via routers from 3Com, Microsoft, Nortel, Red Creek, V-One, and others.

  • Remote users who connect via outsourced remote access services from ISPs and other service providers.

  • Wireless LAN users who connect via access points from Cisco, 3Com, Avaya, Ericsson, Nokia and others.

  • Users of any other device that supports the RADIUS protocols.

Moreover, Steel-Belted Radius supports a heterogeneous network, interfacing with remote and wireless access equipment from different vendors simultaneously. Steel-Belted Radius automatically communicates with each device in the language it understands, based on customized dictionaries that describe each vendor's extensions to the RADIUS protocol.

Authentication Methods

Steel-Belted Radius not only works with a wide variety of remote and wireless access equipment, but it also makes it possible to authenticate remote and WLAN users according to any authentication method or combination of methods you choose.

In addition to Steel-Belted Radius's native database of users and their passwords, Steel-Belted Radius supports "pass-through" authentication to information contained in the following:

  • NT/2000, Unix, and NetWare security systems that you have already established for your LAN, including Windows 2000 Active Directory, NT Domains and Hosts, Unix Network Information Services (NIS) and NIS+, and NetWare NDS and Bindery users, groups, and organizational units. This saves countless hours by allowing you to use the same database to authenticate LAN, remote, and WLAN users.

  • Token-based authentication systems such as RSA Security ACE/Server, CryptoCard, and VASCO DigiPass.

  • SQL databases, including Oracle and Sybase, for Steel-Belted Radius running on Windows NT and Solaris. Steel-Belted Radius works with your existing SQL table structure, eliminating the need for database redesign, and can authenticate against one or more SQL databases, even if they're from different vendors.

  • LDAP directories for Windows NT and Solaris versions of Steel-Belted Radius.

  • Any ODBC-compliant database for Steel-Belted Radius for Windows NT.

  • TACACS+ for Windows NT and Solaris versions of Steel-Belted Radius.

  • Other RADIUS servers for proxy authentication against a RADIUS server at another site.

Steel-Belted Radius can simultaneously authenticate many users. If you are combining authentication methods, you can even specify the order in which each is checked. The result is streamlined administration, as well as one-stop authentication.

Securing Your Wireless LAN

In addition to authenticating wireless LAN users, Steel-Belted Radius also plays a pivotal role in securing their connections. To perform these functions, Steel-Belted Radius supports the following:

  • Extensible Authentication Protocol (EAP), the transport protocol specified in the 802.1x protocol that is used to negotiate the connection between the WLAN user and the access point.

  • EAP authentication methods, including EAP-MD5 and EAP-Cisco Wireless. EAP authentication methods are vendor-developed security mechanisms that secure the credential exchange, data transmission, or both. Steel-Belted Radius fully supports EAP-MD5 and EAP-Cisco Wireless, including their requirements for key generation and exchange.

In addition, Steel-Belted Radius provides additional security on a WLAN by

  • Protecting against rogue access points. Steel-Belted Radius ignores communications from any access point that is not registered with it. This helps prevent network intrusion from illegally installed or used equipment.

  • Supporting time session limits, time-of-day restrictions, and other RADIUS attributes, which let you impose additional security constraints on WLAN usage.

For example, you could specify that WLAN access can only occur during business hours, or force re-authentication after a specified amount of time. This allows for more granular and robust security on your WLAN.

Steel-Belted Radius also makes it possible to manage both wireless LAN and remote users from a single database and console, greatly reducing your administrative burden by eliminating the need for two separate authentication systems.

RADIUS Accounting

Steel-Belted Radius logs all authentication transactions, so you'll be able to view the entire history of authentication requests and the resulting responses. If your network access device supports RADIUS accounting, you'll also be able to track how long each user stays connected, with the additional security of being able to see exactly who's connected at any time and on which port.

Accounting data can be exported to spreadsheets, databases, and specialized billing software. Or, you can choose to log data directly to your SQL database.

System Requirements

Steel-Belted Radius is available in three versions:

  • Steel-Belted Radius for Windows NT/2000 runs on Windows 2000 or an NT 4.0 workstation or server. It's administered from Windows 9x or Windows NT/2000.

  • Steel-Belted Radius for Solaris runs on Solaris 2.6, Solaris 7, or Solaris 8 running on SPARC or UltraSPARC. It's administered using a Java-based administration program that requires Netscape 4.03 or later, or Microsoft Internet Explorer 4 or later.

  • Steel-Belted Radius for NetWare runs on a NetWare 3.12 or 4.x server. It's administered from Windows 9x or Windows NT/2000.

In short, a RADIUS server listens for incoming authentication requests from an access point that is acting on behalf of a client computer. The server verifies that the user is in the accounts database, and returns a go/no-go message to the access point, which then determines how much access a client should have (see Figure 12.12). What makes a RADIUS server so universal is that it is standardized. Therefore, if vendor Y builds in RADIUS client support, it should work smoothly with vendor X's RADIUS server. In addition to hardware support, RADIUS servers often include the capability to link into existing user account databases, such as a Windows NT user database or even a SQL Server database.

Figure 12.12. Typical setup of a RADIUS server.

In addition to authenticating users, a RADIUS server can be used to authenticate access points. This additional feature forces all existing access points to "log in" before they become part of the network. This means a hacker can't simply plug an access point into some remote hub or switch and expect to be able to immediately use it as a relay point to hack the network. The rogue access point would not be able to communicate with the network because it hasn't been authenticated.

Another benefit of a RADIUS server is its capability to control various aspects of authorization, such as time limits and re-keying schedules. In addition, many RADIUS servers support EAP, which is a way of using anything from smart cards to digital certificates to authenticate a user instead of a username and password.
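The accept/reject exchange, the silent discard of an unregistered access point, the time-of-day restriction and a Session-Timeout attribute that forces re-authentication, all described above, as an added example that is not part of the book or of Funk's product. It builds and handles raw RFC 2865 Access-Request packets with PAP-style password hiding; the access point address, shared secret, user account and business hours are constructed sample values.

```python
import hashlib, struct
from datetime import time as clock
# Constructed sample data: one registered access point and one user account.
NAS_CLIENTS = {"192.0.2.10": b"ap-secret"}   # NAS IP -> shared secret
USERS = {"alice": "wlan-pass"}               # username -> password
BUSINESS_HOURS = (clock(8, 0), clock(18, 0)) # time-of-day restriction
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, SESSION_TIMEOUT = 1, 2, 27   # RFC 2865 attribute types

def attrs(pairs):  # encode (type, value) pairs as RADIUS type-length-value attributes
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in pairs)

def parse_attrs(data):
    out = {}
    while data:
        t, length = data[0], data[1]
        out[t], data = data[2:length], data[length:]
    return out

def xor_blocks(data, secret, authenticator, hiding):
    # RFC 2865 5.2 User-Password hiding: XOR each 16-byte block with MD5(secret +
    # previous block), the Request Authenticator being the first "previous block".
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        result = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        out, prev = out + result, (result if hiding else block)
    return out

def build_access_request(secret, ident, req_auth, username, password):
    # What the access point sends: code 1, Request Authenticator, User-Name, hidden password.
    padded = password.encode().ljust(max(16, (len(password) + 15) // 16 * 16), b"\0")
    body = attrs([(USER_NAME, username.encode()),
                  (USER_PASSWORD, xor_blocks(padded, secret, req_auth, True))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body

def handle_request(nas_ip, packet, now):
    # Server side: returns the reply, or None (silent discard) for an unregistered AP.
    secret = NAS_CLIENTS.get(nas_ip)
    if secret is None:
        return None
    req_auth, a = packet[4:20], parse_attrs(packet[20:struct.unpack("!H", packet[2:4])[0]])
    user = a.get(USER_NAME, b"").decode(errors="replace")
    pw = xor_blocks(a.get(USER_PASSWORD, b""), secret, req_auth, False).rstrip(b"\0")
    granted = USERS.get(user, "").encode() == pw and BUSINESS_HOURS[0] <= now < BUSINESS_HOURS[1]
    code = ACCESS_ACCEPT if granted else ACCESS_REJECT
    body = attrs([(SESSION_TIMEOUT, struct.pack("!I", 3600))]) if granted else b""  # re-auth after 1h
    header = struct.pack("!BBH", code, packet[1], 20 + len(body))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + req_auth + body + secret).digest() + body
```

The access point would verify the Response Authenticator with the same shared secret before trusting the reply, which is why an unregistered or mis-keyed access point gets nothing usable back.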
