Keep pace with WLAN security developments

• Tags:
• WLAN,
• 802.11i,
• WEP,
• Wireless

Carl Weinschenk

Published: 25 Mar 2003 09:06 GMT

• 
• 
• 
• 
• 

Deploying first-rate wireless security tools is a worthless endeavor if the enterprise is not diligent in keeping them current. Not updating security in access points and other gear can be worse than having no security at all. Some companies are so skittish about WLAN security that they refuse to deploy it -- even if their enterprises are prime candidates for its benefits -- despite the availability of tools that can make their WLAN as secure as a wired network.

Some executives just don't want to risk deploying a WLAN. Devin Akin, the CTO of Planet3 Wireless, says, "This is perfectly valid if they do not understand the technology. Most people don't. That's one of the problems. It falls back to educating the user, the installer, and the administrator."

To get a better view of the problems with this technology, the ways to combat those problems, and the new security trends, here is a closer look at wireless security from the CIO perspective.

Turn on security and use it
The two biggest problems with WLAN security -- outside of the lack of education among users -- are:

• The security that comes loaded with access points and related gear is not turned on.
• The current security standard -- the Wired Equivalent Privacy (WEP) -- is thought by many to be insecure. There are, however, workarounds to the most obvious faults of WEP.

An enterprise using WEP should be careful of how it is deployed and administered. To show how many enterprises were not taking adequate precautions with WEP, Brice Clark, worldwide director of strategy and business planning for Hewlett-Packard Company's HP ProCurve Networking Business, referred to research that was done by International Data Corporation (IDC) on WLAN security. IDC commissioned wireless detection flights over San Francisco and San Diego that revealed that a majority of access points run in a default mode that broadcasts service set identifiers (SSIDs). A great majority of organisations were found not to use WEP, and those that did were found to operate it in an inadequate manner.

Setting and enforcing a solid wireless security policy, of course, can largely diminish this improper use of WLAN.

Set a clear policy
Setting a policy means making security priorities clear to employees. For instance, they must be told in no uncertain terms that it is not okay to stop by Radio Shack or Best Buy and pick up a wireless access point to plug into the Ethernet port at the office. Doing so creates rogue access points that are outside the realm of the enterprise's security infrastructure and can lead to lost data. The bookend to a clear security policy is enforcement. This means having the right tools on hand to test for the presence of rouge access points.

"Another important step is strong policy control on the network side," says Sandeep Singhal, CTO of wireless security vendor ReefEdge. Different levels of access must be established for different people using the WLAN. For instance, the CTO should have more wireless access than an account executive. Singhal also recommends security validation testing. This ensures that configurations are set up correctly and are doing their jobs. "As with any network that faces the public, ongoing intrusion detection is important as well," Singhal says. Joel Snyder, a senior partner for Opus One, says that it's important to do something as simple as switching the WEP key periodically. "The least you can do is change it," he says. "That will help."

Hope is on the horizon
A new approach to WLAN security is emerging. There are hopes that the wide-scale acceptance of WLANs and the resulting publicity around security issues is making people more aware of the issues and, therefore, less careless. The standard itself is changing as well. In the short term, a new standard -- WiFi Protected Access (WPA) -- will replace WEP. Over the long haul, the standard from which WPA is derived, called 802.11i, will also take over.

Clearly, the industry is struggling to gets its ducks in a row even as wireless usage increases radically. For the time being, says Clark, "companies can be relatively safe by using WEP Weak Key Avoidance." This approach, as the name implies, bypasses the compromised elements of WEP. Also, "A key to implementing WLAN security is that it has a clear migration path," says Singhal. This can be in the form of potential software-based upgrades or the inclusion of a middleware level that handles the complexities of standards transitions independently of the security software itself.

WPA has encryption and authentication layers. On the encryption layer, a concept called the temporal key integrity protocol (TKIP) is currently working its way through the IEEE's 802.11i standards committee. "TKIP will initially use RC4 encryption, but later it will implement the more secure advanced encryption standard (AES)," says Snyder. WPA authentication is being developed under a framework referred to as 802.1x. Under this framework, many possible authentication protocols or methods -- from legacy approaches to two-factor approaches to certificates -- will be available to vendors and end users.

---

• 
• 
• 
• 

• Share this article:
• Digg
• Slashdot
• Del.ici.ous
• Stumble
• Reddit

• Most Recent
• Most Popular
• Most Discussed