VPNs said to offer safety from WEP flaws
ENTERPRISES SHOULD LOOK toward VPNs for protection against recently uncovered security flaws that threaten popular corporate wireless computer networks, according to industry observers.
The flaws could allow signal disruption or eavesdropping by nearby hackers. New wireless networking algorithms to fix this problem are expected to become available in approximately six months to a year, according to industry analysts and vendors.
The wireless vulnerability, detected by researchers this week from the University of California, Berkeley, and security company Zero-Knowledge Systems, affects the 802.11 wireless network standard by knocking out the WEP (Wired Equivalent Privacy) security algorithm.
Although new algorithms are key to finding a solution, users who have laptops with 802.11 wireless interfaces should install VPN client software to encrypt communications sent via the wireless interface and should use VPN servers in conjunction with the wireless gateway, said John Pescatore, an analyst for Internet security at Stamford, Conn.-based Gartner.
In addition, the mobile computing 802.11 wireless LAN extension implies a risk level dependent on physical exposure, and enterprises might want to consider investing in the extra VPN protection, depending on business geography parameters, Pescatore said.
"A lot of companies install wireless LANs so employees can work on the patio and outside, especially in Silicon Valley," Pescatore said. These latest vulnerability discoveries will spur users to better determine how much information is being exposed via wireless networking, he said.
However, this week's revelations are not causing ripples of alarm by the makers of the wireless technology. Phil Belanger, a Wireless Ethernet Compatibility Alliance representative based in San Jose, Calif., said the wireless LAN industry was already aware of the glaring security holes in WEP. "[The reported flaw] was not surprising to the industry insiders. We knew there were security issues, and they are already being addressed," Belanger said.
Belanger said that an update to the WEP standard is expected within six months. This update will include enhancements to the media-access protocol that will address security flaws.
Although researchers this week reported that nearby outside parties could bypass wireless network encryption and authorization features by modifying 802.11 devices, Cisco and 3Com called the issue "old news" and said their enterprise-level products already have security features that address the security holes in WEP.
Cisco last month announced the Aironet 350 Series wireless LAN product line. The family of access points, bridges, and adapters offer features for specific security enhancements, such as the addition of user-based authentication and dynamic WEP keys that can be configured by a network administrator to refresh at any number of intervals.
John Drewry, a senior director at 3Com, in Santa Clara, Calif., added that these potential security breaches would likely be thwarted by the complex encryption key protections of VPN tunnels.