On Securing Wireless LANs and Supporting Nomadic Users with Microsoft’s IPSec Implementation

Wireless LANs, like the IEEE 802.11 WLANs, are more vulnerable than their wired counterparts. The IEEE 802.11 specification includes an encryption protocol, WEP (Wired Equivalent Protocol), but this protocol inhibits severe weaknesses: there is no automatic key distribution protocol and WEP’s security itself has been shown to be seriously flawed. As a result, many of today’s IEEE 802.11 networks are relatively easy for outside attackers to break into. Predictions point at the fact that home and small to medium-sized office WLAN environments will be of great importance in the near future of the wireless market. A security system taylored for them and their “average” users should include a series of particular features: strong security, simplicity of installation and use, password management policies, user roaming capabilities and no special software or hardware requirements. The approach presented in this paper1 consists in building a Virtual Private Network (VPN) over the WLAN, using IPSec as underlying security protocol. The proposed configuration solution performs Mobile Node authentication, automatic IPSec policy configuration and automatic generation of IPsec authentication keys (IKE’s “Preshared Keys”). In order to support nomadic users, a policy negotiation protocol has been developed that allows to dynamically adjust the IPSec policies in mobile devices and the security gateway of a WLAN. The approach has been validated for the Windows 2000 / XP operating system with a prototypical implementation that is available for free download [2]. 1This work has been supported with a grant from Micosoft Research, Cambridge, UK.