Cisco releases WLAN security protocol
Cisco Systems Inc. announced the availability of a protocol that's designed to defeat brute-force dictionary attacks that capture users' passwords in its wireless LAN products. The company urged end users and systems administrators to download the related patch from its Web site. Joshua Wright, a systems engineer and deputy director of training at the SANS Institute in Bethesda, Md., developed an automated dictionary-attack tool last year that could be used against Cisco's Lightweight Extensible Authentication Protocol, known as LEAP while working at Johnson & Wales University in Providence, R.I. Wright released the attack tool last week, according to Cisco. A dictionary attack is a method in which an attacker runs millions of passwords against a database until a match is eventually found.
Chris Bolinger, manager of wireless LAN product marketing at Cisco, said the company's new protocol defeats dictionary attacks by sending credentials through an encrypted tunnel. The patch is relatively easy to install, Bolinger said, and it updates wireless LAN client software on a notebook or laptop computer.
Cisco announced the availability of the protocol, called the Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling (EAP-FAST), and made it available to the Internet Engineering Task Force in February.