Locking down your wireless network
Published: 25 Apr 2005 18:30 BST
Unfortunately, most corporations that have already deployed wireless access chose usability over security, just like most software companies. In addition, many organisations don't consider the fact that wireless access doesn't really offer any advantages over wired access in many cases.
In fact, it can actually introduce new problems. I can't tell you how many times I've witnessed 802.11b wireless network problems caused entirely by the use of 2.4-GHz wireless phones, often from wireless PBX systems.
Despite my own personal disdain for wireless network access, wireless networks are now in the corporate environment, and enterprise deployments are increasing. However, I strongly advise organisations to use this strategy when deciding whether to go wireless: Use wireless networking only in cases where wired access is impossible, not just as a simple or trendy alternative.
And while security should be a primary factor in this decision, keep in mind that there are more than just security-related reasons for staying wired. For example, wired networks can handle significantly higher bandwidth, as well as offer better security, because they don't broadcast packets of information.
But if bandwidth isn't a concern, and the powers-that-be are convinced that wireless is the way to go, rest assured that it is possible to make wireless access much more secure without depending on WEP. Two methods for accomplishing this include using protocols such as PPTP or L2TP and enforcing access controls with usernames and passwords or some other authentication method. Add IPSec to the mix, and you've got both access control and end-to-end encryption that's more secure than wired network access. But keep in mind that this solution is still prone to interference.
Of course, some people will argue that 802.11i features all of this security provided by WPA — WEP's expected replacement — as well as better interference control. While this is great news, 802.11i is no use to anyone until there are plans to replace all existing wireless networking equipment or upgrade the firmware, if that's even possible.
In addition, remember that no matter what security technologies or standards emerge, there will always be someone out there trying to break them — and that includes WPA. In my experience, you can deploy Gigabit Ethernet access at a lower cost, and it provides both superior security and bandwidth irrespective of data encryption.
If wireless access is your only alternative, explore the use of PPTP/L2TP and IPSec on your existing infrastructure before deciding to replace or upgrade existing 802.11a and 802.11b equipment. While it's not "pretty" from a technological point of view, it's quite functional, and it just might prove to be more secure than 802.11i. As for me, I'll stick with wired networks.
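The design the column recommends, treating the wireless segment as untrusted and letting it reach the wired LAN only through an authenticated PPTP/L2TP or IPSec tunnel, comes down to a gateway filter policy. The script below is an added example written for this page, not the author's configuration: it assumes a Linux gateway with iptables, a wireless segment 10.20.0.0/24 on interface eth1, the VPN endpoint at 10.20.0.1 on that same gateway, and PPP tunnel interfaces named ppp0, ppp1, ... (all hypothetical values). By default it prints the rules instead of applying them; set IPTABLES=iptables to apply.

```shell
#!/bin/sh
# Gateway policy for an untrusted wireless segment: clients may only reach the
# VPN endpoint, and only on VPN ports; everything else from the wireless side is
# logged and dropped. Added example, not from the original column.
# Hypothetical values below; override via the environment.
WIFI_NET="${WIFI_NET:-10.20.0.0/24}"   # wireless client subnet
WIFI_IF="${WIFI_IF:-eth1}"             # interface facing the access points
VPN_GW="${VPN_GW:-10.20.0.1}"          # VPN concentrator address (this gateway)
IPTABLES="${IPTABLES:-echo iptables}"  # dry-run by default; set to iptables to apply

wireless_vpn_only_policy() {
    # Replies to connections the gateway already accepted.
    $IPTABLES -A INPUT -i "$WIFI_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # IPSec: IKE (UDP 500), NAT-T (UDP 4500) and ESP, to the VPN endpoint only.
    $IPTABLES -A INPUT -i "$WIFI_IF" -s "$WIFI_NET" -d "$VPN_GW" -p udp --dport 500 -j ACCEPT
    $IPTABLES -A INPUT -i "$WIFI_IF" -s "$WIFI_NET" -d "$VPN_GW" -p udp --dport 4500 -j ACCEPT
    $IPTABLES -A INPUT -i "$WIFI_IF" -s "$WIFI_NET" -d "$VPN_GW" -p esp -j ACCEPT

    # L2TP (UDP 1701) is accepted only when it arrives inside an IPSec SA,
    # so the tunnel setup itself is authenticated and encrypted.
    $IPTABLES -A INPUT -i "$WIFI_IF" -s "$WIFI_NET" -d "$VPN_GW" -p udp --dport 1701 \
        -m policy --dir in --pol ipsec -j ACCEPT

    # PPTP: control channel (TCP 1723) plus GRE for the data channel.
    $IPTABLES -A INPUT -i "$WIFI_IF" -s "$WIFI_NET" -d "$VPN_GW" -p tcp --dport 1723 -j ACCEPT
    $IPTABLES -A INPUT -i "$WIFI_IF" -s "$WIFI_NET" -d "$VPN_GW" -p gre -j ACCEPT

    # Anything else from the wireless side: log for detection, then drop.
    # Direct forwarding from the wireless segment to the wired LAN is never allowed.
    $IPTABLES -A INPUT -i "$WIFI_IF" -j LOG --log-prefix "wifi-drop: "
    $IPTABLES -A INPUT -i "$WIFI_IF" -j DROP
    $IPTABLES -A FORWARD -i "$WIFI_IF" -j DROP

    # Only traffic that has been decapsulated on a VPN tunnel interface (ppp0, ppp1, ...)
    # may be forwarded on to the wired network.
    $IPTABLES -A FORWARD -i ppp+ -j ACCEPT
}

# Print (or, with IPTABLES=iptables, apply) the policy.
wireless_vpn_only_policy
```

The order matters: the tunnel-port accepts come before the catch-all log/drop for the wireless interface, and the FORWARD accept is tied to the tunnel interfaces rather than to the wireless interface, so an unauthenticated client on the air can see nothing but the VPN endpoint's IKE, ESP, L2TP and PPTP ports. The "wifi-drop:" log prefix gives the operations side a simple string to alert on.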
Jonathan Yarden is the senior UNIX system administrator, network security manager, and senior software architect for an American regional ISP.