Wi-Fi simplicity edging out Wi-Fi security

By Eric B. Parizo, Site Editor 09 Aug 2007 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

For years, enterprises were reluctant to adopt wireless LAN (Wi-Fi) technology because, they clamed, immature products and weak standards would expose their networks to any number of potential threats.

Today, Wi-Fi security standards and products have evolved to the point where businesses can ensure rock-solid security over the air and on wireless endpoints, but despite that accomplishment, industry analysts say the technology is being overlooked in favor of simplicity.

Michael Disabato, service director with Midvale, Utah-based research firm Burton Group, said he's found enterprises are adopting the simpler strategy of placing access points beyond the network perimeter and requiring all wireless users to gain network access via VPNs, instead of grappling with the advanced Wi-Fi security standards.

Wi-Fi security: WEP crack demonstrates need for WPA2: A new paper highlighting the weakness of Wired Equivalent Privacy (WEP) is a call to all users to switch to the more secure Wi-Fi Protected Access 2 (WPA2). Commentary: WPA answers wireless security woes: Enterprises considering going wireless are often hesitant about security and investments in previous legacy hardware. IEEE panel adopts new Wi-Fi standard: In 2004, the Institute of Electrical and Electronic Engineers (IEEE) standards board formally accepted the 802.11i protocol as an industry specification.

"People have been using IPsec and SSL VPNs forever and nobody has hacked them," Disabato said. "It's just that you've got to make sure all those access points are outside the firewall."

In the early days of Wi-Fi technology, products relied on the security scheme called Wired Equivalent Privacy, or WEP, but it was soon obvious that hackers were able to bypass WEP as easily as punching through paper. In 2003, the Wi-Fi Protected Access (WPA) standard was developed to replace WEP, but adoption was slowed by the need for user authentication systems and legacy software and hardware that didn't automatically support the new standard.

The following year, another iteration called WPA2, or 802.11i, was introduced and included a next-generation encryption method called Advanced Encryption Standard (AES), but deeper interoperability problems became apparent when organizations learned access points would need hardware upgrades to function properly, while other existing equipment couldn't be upgraded at all.

While it may be tempting to assign blame, Disabato suggested the problem resulted from a disconnect between the engineers who developed the 802.11i standard and practitioners tasked with enforcing it.

"I don't think [the engineers] realized the pushback they were going to get," he said. "I don't think they thought about what the implementation ramifications were going to be when people saw all of the pieces that go into it."

As it stands now, Disabato said 802.11i's many "moving pieces" have frustrated a number of network and security managers to the point where they've found Wi-Fi security easier to manage by treating all wireless devices like external, untrusted clients.

"It's a very complex protocol to get working," Disabato said, because it requires Extensible Authentication Protocol, a public key infrastructure, operating system support or supplicant software and wired LAN support for communication with a RADIUS server for authentication.

However, the easier approach isn't necessarily the recommended one. Jean Kaplan, research analyst with Framingham, Mass.-based research firm IDC, said that he doesn't believe that many organizations are using VPNs instead of 802.11i. He said it's not an approach companies should be undertaking as a matter of course.

Kaplan said while it's no surprise that organizations are falling back on the security methods they know and trust, the complexities of Wi-Fi security and radio-frequency (RF) management are such that IDC recommends utilizing the underlying strengths of today's Wi-Fi security protocols instead of VPNs.

Yet for that to happen, Disabato said the 802.1x authentication protocol -- utilized by 802.11i -- must be simplified, and that's unlikely.

Experts agree that any Wi-Fi security method is better than none at all, but inevitably it will be the market that decides which method works best. But even if some enterprises decide the answer may be VPNs, Disabato said the method does have its advantages. "At least if you're a user," he said, "you're going to get into the network the same way, no matter where you are."

Tags: Wireless Network Protocols and Standards,  Wireless LAN Design and Setup,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Wireless Network Protocols and Standards Wireless network guidelines for PCI DSS compliance Best Wireless Security Products MMS messaging spoof hack could have global ramifications PCI group releases wireless security guide 802.1X Port Access Control: Which version is best for you? Wireless Security Lunchtime Learning An introduction to wireless security Lesson 1: How to counter wireless threats and vulnerabilities Risky Business: Understanding WiFi threats Lesson 1 quiz: Risky business Wireless LAN Design and Setup Wireless network guidelines for PCI DSS compliance Best Wireless Security Products How to prevent wireless DoS attacks Lesson 4 quiz: How to use wireless IPS Wireless intrusion prevention systems: Overlay vs. embedded sensors Rogue AP containment methods How to monitor WLAN performance with WIPS The role of VPN in an enterprise wireless network Wireless AP placement basics Lesson 3 quiz: Who goes there? Wireless LAN Design and Setup Research

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary Wired Equivalent Privacy  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary