The 802.11i protocol has been praised as a Wi-Fi suit of armor. But two people who had a hand in its development warn that wireless networking is still vulnerable to attack and that extra precautions are necessary.
"Security is constantly changing and there are new risks all the time," said Robert Moskowitz, senior technical director of ICSA Labs, a division of Herndon, Va.-based TruSecure Corp. "We constantly have to run with it."
Moskowitz spoke of these risks Tuesday at The Conference and Expo on Mobile and Wireless Security in Boston along with Jesse Walker, security technologist with Santa Clara, Calif.-based Intel Corp. Moskowitz is a voting member of the Institute of Electrical and Electronics Engineers (IEEE) 802.1 group and contributed to the development of 802.11i. Walker has been credited as the one who first identified vulnerabilities in the 802.11b protocol (WEP) and served as editor for the 802.11i standard.
Approved by the IEEE in June, 802.11i is designed to better encrypt data sent along a Wi-Fi-established WLAN and ensure it can't be cracked if intercepted. While Moskowitz and Walker touted those improvements, they warned that wireless technology remains vulnerable to break-ins, forgeries, data exposure and other threats, and they offered users advice on how to make their networks more ironclad.
Walker used a bridge analogy in his presentation. "A bridge with none of its spans is not a bridge. A bridge with only some of its spans is still not a bridge. A bridge is only a bridge with all of its spans in place," he said in his slide presentation. "Today's mobile platforms venture beyond the enterprise firewall, so [users] must protect themselves. Personal firewalls are a must because wireless systems are vulnerable to direct port scans by their neighbors. Virus and intrusion detection is a must because viruses, worms and Trojan horses happen wherever you go."
Walker also warned that technology doesn't work if security goals aren't clearly understood. "You can't just talk about pie-in-the-sky security," he said. "You need specific goals. If your biggest concern is forgery, your goals must revolve around stopping forgery." He added that enterprises should have their security plans reviewed by outside parties.
Using 802.11i-compliant devices and taking these extra steps will help build a strong bridge, he concluded.
Moskowitz described himself as a "belt and suspenders guy," saying, "I believe you have to do it all; that different layers address different threats." He said in his slide presentation that the security focus has changed over time, and will continue to do so. He noted that in 1995 espionage was seen as the big threat, followed by "commerce theft" in 1999 and malicious intent in 2002.
"Wireless is a subversive technology," he said. "It comes in under the radar. No one pays attention. Then, before long, it changes the way business is done." At this point, he believes security lags behind reality. "Wireless networks are trivial to discover," he said in his presentation. "WEP is crackable and done regularly… All you can do is throw up a 'no trespassing' sign. Man-in-the-middle attacks are easy to launch with standard tools."
Among other things, his advice to IT practitioners is to "monitor, audit and educate" and understand that "layer-2 security does not prevent layer-2.5 attacks."