IT administrators have pretty much conceded that wireless local area networks are an inevitability for the enterprise.
Companies have installed wireless LANs for office uses such as access to file and print servers and e-mail, while some, such as retailers, have gone wireless to transmit transaction information that may include sensitive data like credit card, Social Security and account numbers.
Not all of those installations are secure. Many network administrators are still negligent about turning on encryption features that would scramble traffic and keep data from harm.
After conducting war drives recently in the business and financial districts of Atlanta, Chicago and San Francisco, wireless security solutions vendor AirDefense Inc. determined that 57% of the 1,136 access points detected were unencrypted. Seventy-seven percent, meanwhile, were broadcasting their service set identifiers (SSIDs) in the clear, and 9% were found to be rogue access points running at 100% default settings.
Gartner Inc. vice president of research John Pescatore said that more enterprises are addressing the inevitability of wireless LANs with planned rollouts that encrypt traffic via protocols like
"They tried to just say no, but they can't keep it out," Pescatore said. "It's just too useful, and just too easy to install on your own."
According to Gartner research, fewer than 20% of large enterprises doing planned wireless LAN rollouts are doing so without encrypting traffic. Others require users to use a virtual private network to tunnel into wireless access points placed outside a firewall. Small offices, Pescatore said, are more likely not to turn on encryption.
"That number [of unsecured implementations] has gone down a little," Pescatore said. "Our research said it was closer to 70% last year. This year, closer to 50% are using WLANs with no encryption on."
The Wired Equivalent Privacy (WEP) algorithm was the de facto wireless encryption standard, but administrators and observers derided it as insecure. WEP's inadequacy stems from its use of static keys. An attacker using a freeware monitor could sniff minimal amounts of traffic to determine a WEP key and gain access to data or a network.
In April, the Wi-Fi Alliance released the Wi-Fi Protected Access (WPA) protocol as an alternative to WEP. WPA uses dynamic keys through the Temporal Key Integrity Protocol (TKIP) and adds a Message Integrity Check (MIC) to prevent forgery. Many vendors have had software upgrades available since April and will include WPA in new hardware going forward.
"On the enterprise side, the vast majority of equipment has WPA built in. Cisco, for example, 70% of its equipment now comes with WPA," Pescatore said.
Current WEP wireless implementations can be upgraded to WPA with a simple software upgrade, Pescatore said.
"If you're already running wireless and not running WPA, chances are, you're not going to buy it just to do [WPA]," Pescatore said. "Enterprises will be doing maintenance upgrades in the next few months, chances are. They can do it then."
FEEDBACK: Has your enterprise upgraded its WLAN to WPA yet?
Send your feedback to the SearchSecurity.com news team.