Product and Software: This article applies to all Aruba Mobility Controllers and ArubaOS versions.
Aruba brings two things in reference to KeyGuard security that is being used on Symbol devices:
· The Aruba WLAN infrastructure can support Symbol/Motorola devices that are running KeyGuard security without requiring any client (Symbol device) side configuration changes.
· The Aruba WLAN infrastructure improves the security posture of the network that consists of Symbol devices that run KeyGuard.
How does KeyGuard work?
KeyGuard is a variant of WEP security, where the Symbol devices are configured to use WEP using a preshared key. The same preshared key is also configured in the WLAN infrastructure. If the WLAN infrastructure happens to be Symbol's, during the 802.11 association exchange, the infrastructure tells the device (using proprietary flags) that it can support KeyGuard in addition to WEP. The Symbol device then, instead of doing standard WEP encryption with the seed (pre-shared) key, starts doing WEP encryption with a per-packet key that is derived from the seed (preshared). The mechanism to do per-packet key is derived from the Temporal Key Interchange Protocol (TKIP) methods, except that no Message Integrity Check (MIC) is performed. The idea was to provide better-than-WEP security in the pre-802.11i and pre-WPA days. In those days, the concept of MIC (what really prevents WEP from being hacked) did not exist. So, cracking WEP and KeyGuard (which is WPA without MIC) are almost equivalent tasks, because they both rely on one preshared key and no MIC. You can find publicly available tools to do so, even on YouTube.
How does Aruba support Symbol devices that run KeyGuard without any client-side configuration changes?
Symbol devices that run KeyGuard are actually configured for WEP 128 (with a preshared key). So, if the Aruba infrastructure is given the same key, the devices will connect and start running WEP 128.
How does Aruba improve the security posture?
Aruba assumes that WEP and KeyGuard can be compromised and puts in security controls to ensure that even after WEP is compromised, the network is protected. This protection is achieved with a built-in, per-user, role-based firewall that inspects every packet sent from a WEP or KeyGuard device. If the traffic coming in does not meet security policy, the traffic is dropped. Further, if an attack is detected using the built-in wireless IPS, the hacker is blacklisted from the network. The Aruba approach also meets the controls and requirements specified in the PCI-compliance security standard.