Part 1: Strategies for securing your wireless LAN


by Mia Shopis, Assistant Editor
05.11.2004


At the recent Spring 2004 Information Security Decisions conference, Joel Snyder, senior partner of Opus One, outlined several wireless security strategies. This tip is based on the highlights from his session.

Here's the good news about wireless LANs: They're not as insecure as you have been led to believe, and breaking into a wireless network isn't as fast or easy as it's been portrayed. What's the bad news? You still need to pay close attention to your WLAN security choices, because there are vulnerabilities and weaknesses that can threaten your network security.

However, deciding on a solution really depends on the organization. After all, the term "security" means different things to different people. So, which solution is right for you? Here's the lowdown on WEP, 802.1X and the promise of 802.11i.

Wired Equivalent Privacy (WEP)
The attraction of using the WEP protocol (specified in the 802.11b standard) is that it's easy to install and compatible, which makes it a popular choice. Unfortunately, WEP is plagued by several well-known vulnerabilities, such as static keys, weak initialization vectors and RC4 encryption, which is one of the weakest encryption algorithms and was not designed for wireless security.

However, the biggest problem with WEP, stressed Snyder, is management. WEP keys are difficult to change, so they are often not updated and are managed improperly. Since WEP keys are shared by groups of people, Snyder said it's like, "You're giving everyone the same password and they're not allowed to change it."



802.1X
This standard adds a user authentication requirement and can be deployed in a wired or wireless environment. "Before the user is allowed to get onto the LAN, they have to authenticate," said Snyder. And when used with TLS-based authentication, you have per-user/per-session WEP keys, stressed Snyder. 802.1X's short-lived keys mean that admins can change them as often as needed, making communication more secure than with WEP's static key model.

The drawbacks of using 802.1X are that it requires the use of a client and a RADIUS server.
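To make the contrast between WEP's static shared key and 802.1X's per-session keys concrete, this added example (not from Snyder's session or the original tip) seeds RC4 the way WEP does, with the 24-bit IV prepended to the key. The keys, IV and payloads are constructed, and the repeat estimate assumes IVs are picked at random.

```python
import math

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4: key scheduling, then n bytes of keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def wep_keystream(iv: bytes, key: bytes, n: int) -> bytes:
    """WEP's per-frame RC4 seed is the 3-byte IV followed by the key."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    return rc4_keystream(iv + key, n)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def frames_until_iv_repeat(probability: float, iv_bits: int = 24) -> int:
    """Birthday bound: frames sent before an IV repeat is this likely."""
    space = 2 ** iv_bits
    return math.ceil(math.sqrt(2 * space * math.log(1 / (1 - probability))))

def compare_key_models():
    static_key = bytes.fromhex("0102030405")  # constructed 40-bit shared key
    session_a = bytes.fromhex("a1a2a3a4a5")   # constructed per-session keys,
    session_b = bytes.fromhex("b1b2b3b4b5")   # as 802.1X would hand out
    iv = bytes.fromhex("00002a")              # constructed IV, used twice
    p1, p2 = b"frame one payload", b"frame two payload"
    # Static key: a repeated IV repeats the keystream, so the XOR of the
    # two ciphertexts equals the XOR of the two plaintexts.
    c1 = xor(p1, wep_keystream(iv, static_key, len(p1)))
    c2 = xor(p2, wep_keystream(iv, static_key, len(p2)))
    static_reuses = xor(c1, c2) == xor(p1, p2)
    # Per-session keys: the same IV no longer implies the same keystream.
    sessions_differ = (wep_keystream(iv, session_a, 16)
                       != wep_keystream(iv, session_b, 16))
    return static_reuses, sessions_differ, frames_until_iv_repeat(0.5)

if __name__ == "__main__":
    print(compare_key_models())
```

The third value returned is the number of frames after which a repeated IV is more likely than not, which is why the lifetime of the key, and not only the cipher, decides how much traffic shares a keystream.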

802.11i/WPA
The 802.11i standard (part of the 802.11 designed specifically for wireless) has not been approved yet, but it is intended to improve security under 802.11. (Wi-Fi Protected Access is an intermediate standard to be replaced by 802.11i when it is finally released.) Improvements in 802.11i include these features: the Temporal Key Integrity Protocol (TKIP), which enhances WEP with a per-packet re-keying mechanism and adds a Message Integrity Check field to each packet; the replacement of RC4 encryption with the Advanced Encryption Standard (AES); and encryption for management frames.

Snyder added that to take full advantage of 802.11i, an organization is going to need to change its hardware, use AES encryption and go for 802.1X authentication. That said, Snyder doesn't recommend running out to buy AES hardware. After all, he continued, if you're happy with RC4 encryption, there's no real need to change to AES.

Deciding on the "right" WLAN solution isn't an easy task. There are pros and cons to each solution, but armed with the right knowledge organizations can decide what's the best one for them.

About the author
Mia Shopis is assistant editor for SearchSecurity.com. You can e-mail her here at mshopis@techtarget.com
