Wireless security - Some surprising conclusions

Farpoint Group –

No topic in wireless attracts more attention than security. And that's really how it should be - an insecure wireless network isn't really a network at all. It's an open invitation for hackers and crackers and all the other evils that inhabit the communications world. Not surprisingly, wireless network security, particularly regarding wireless local area networks (WLANs), is the number one concern of network managers, and, as such, an entire industry has grown to serve the ever-changing demands of wireless-network-based information integrity.

As enterprises have gradually adopted wireless (as at least an appendage to the corporate network), it was naturally assumed that special security precautions would be required to deal with the unique nature of wireless communications. After all, wireless purposely puts valuable enterprise information out on the airwaves, and anyone within range and equipped with an appropriate receiver should be able to grab this data and put it to all kinds of nefarious use. Since this is the case, many wireless networks implement inherent authentication and encryption mechanisms to provide basic assurance to customers that their data will at least be difficult to decrypt, and their networks at least challenging to crack.

It soon became obvious however, that despite the efforts of carriers and equipment providers, data was being compromised and networks were being hacked. The debacle surrounding the Wired Equivalent Privacy (WEP) mechanism in the IEEE 802.11 wireless-LAN standard served (at the very least) to bring the entire issue of wireless (and enterprise) security to the top of every network manager's to-do list. WEP, to its defense, was never designed to be a complete wireless security solution. Indeed, at the time of the release of the initial 802.11 standard in 1997, it was illegal to export effective encryption technology from the U.S. High-performance encryption was classified as a potential weapon! It's pointless to debate the politics however, other than to mention that very sophisticated encryption technology was available at the time for free download on the Internet (isn't everything, these days?). Most WLAN vendors quickly realized that more sophisticated encryption was required, and quickly developed new approaches. To give you some context, WEP by default uses a security key of 40 bits. Today, most WLAN vendors offer at least 128 bits, which is a good deal more secure.

There were two immediate pieces of fallout from this state of affairs. First, many network managers assumed that WEP just wasn't secure and simply never enabled it - despite the fact that some security is always better than none, and the hackability of WEP was at least a little overblown. As a result, many WLANs were left essentially open for public access on the wrong side of the firewall.

Second, the industry responded quickly with the Wi-Fi Alliance, an industry trade association, announcing Wireless Protected Access (WPA), and the 802.11 committee developed more sophisticated security in the form of 802.11i, due later this year. WPA includes essentially everything in .11i except support for the Advanced Encryption Standard (AES). AES is powerful enough (read: computationally-intensive enough) to require new WLAN hardware in many cases; WPA should run fine on most current products and will in fact be required shortly in order to get Wi-Fi certification.

Still, we've always advised that users must take responsibility for the security of their own networks, implying that the tools and techniques of security must be under enterprise control and not solely in the wireless network. In fact, wireless LAN security isn't really that different from wired LAN security. And we already have a good solution here - the virtual private network (VPN). One can secure the entire value chain from client to server using VPN technology, so it really doesn't matter what form of airlink security is used. After all, why secure just part of your network when the entire thing needs securing? We're even seeing some WLAN vendors today offering end-to-end security solutions.

By the way, wide-area wireless networks (WWANs), whose airlinks are significantly more secure than 802.11's, require a similar approach - end-to-end security under control of the enterprise. A VPN-based implementation can serve your entire mobile workforce. While it's not always easy to set up, and constant vigilance for new threats is required, VPNs are a solution that work, and usually at a very reasonable price.

A final note - we've found most security leaks occur not in the middle of the network, but rather at the endpoints. A casual hacker with a Pringles' can antenna (Yes, there is such a thing, and it works quite well. See http://www.seattlewireless.net/index.cgi/PringlesCantenna) might probe your network for weakness and try to capture data off the air, but professionals know this is a waste of time. They can't sit around all day hoping you'll send revisions to the top secret strategic plan to a server over a wireless connection. Rather, they'll try to hack your server over whatever connection (wired or wireless) suits them best, or steal your notebook or PDA in an airport or hotel. It's quicker and easier. And who encrypts data on their mobile device? Well, you should. Wireless security, as we've seen here, is just one piece of the security puzzle.

ITWorld DealPost: The best in tech deals and discounts.
Shop Tech Products at Amazon