Many companies have deferred wireless LAN rollout due to fears about wireless intrusion and wardrivers. In this column, I'll put wardriving threats into context and explain how existing security measures can be used to avoid intrusion and deploy safer WLANs today.
To be sure, results from the second Worldwide Wardrive are disconcerting. Volunteers roamed the streets in November, charting unprotected WLANs. Of the nearly 25,000 access points (APs) identified worldwide, less than 7,000 used Wired Equivalent Privacy (WEP). Over 7,800 of those without WEP were also using default network names, known as Service Set Identifiers (SSIDs).
Wardriving for public good
Fortunately, these volunteers were not trying to penetrate WLANs. Rather, drive organizers wanted to heighten awareness, encouraging vulnerable WLAN owners to secure them.
For example, owners fail to change SSIDs, because they do not realize that using the default invites intruders. Changing this network name is simple and strongly recommended for all WLANs.
WEP is admittedly more confusing. Newbies may not know what keys are, and each product requires a slightly different incantation. If you don't know how to configure WEP, start with the FAQs posted on the Wardrive Web site. Companies often upgrade to stronger privacy measures, but WEP is a useful first step for most privately-operated WLANs.
Why stats are misleading
It is important to put wardriving results like these into perspective.
Raw numbers may include WLANs that are intentionally open for public Internet access. For example, during a recent limo ride to the San Francisco airport, I spotted 45 APs, 62% without WEP. However, 17 were clearly identified as public hotspots (WayPort, etc). Discounting these, my no-WEP ratio drops to 39%.
Some WLANs use encryption, authentication and access control at a higher layer. If we assume that half of these open APs were using VPN tunneling, my unprotected AP ratio falls under 20%. This leaves room for improvement, but it is far less alarming.
Although not statistically significant, this example illustrates a broader principle: Only a subset of the networks discovered by wardrivers can be readily penetrated by intruders.
Don't be paralyzed by FUD
Stories about wardriving and WEP cracking have helped to create an atmosphere of fear, uncertainty and doubt (FUD). But don't let FUD stop you from taking advantage of wireless LANs to reduce cabling costs, speed network expansion and increase productivity. Instead, use cautionary tales to understand risks and take proactive steps to secure your WLAN.
Network operators disable WEP for many reasons. Some believe that WEP isn't worth using since it can be cracked. Others find configuring shared WEP keys inconvenient -- for example, in public hotspots. Some find updating keys in a large, distributed network too difficult. Others require privacy for individual users -- something WEP was never designed to provide.
Fortunately, upgrades are becoming available to address these concerns.
- Most enterprise APs have been patched to avoid weak key vulnerabilities exploited by attack tools like WEPcrack and AirSnort. However, these flaws are still present in unpatched devices and several entry-level products. As you begin your WLAN implementation, select products that have been patched, and keep deployed firmware up-to-date.
- Many enterprise APs support 802.1X port access control to keep out unauthorized users. To use 802.1X, you'll need at least one common Extensible Authentication Protocol (EAP) method on your authentication server, APs and stations. Today, no single method is broadly supported. Convergence on EAP methods will make 802.1X easier. In the meantime, you may want to experiment with 802.1X to understand its benefits and implications.
- 802.1X also provides WEP key distribution, eliminating pre-configured keys, thereby reducing administrative overhead and making cracking less likely. But 802.1X stations must still be configured with credentials. EAP methods like Protected EAP (PEAP) simplify 802.1X station setup by reusing logins and passwords already deployed elsewhere in your network.
- In late November, the Wi-Fi Alliance announced Wi-Fi Protected Access (WPA). This upgrade neutralizes the most significant weaknesses in WEP. WPA ensures that no two frames are encrypted with the same keystream and can detect forged data. Firmware upgrades are already available from some vendors, but WPA certification will promote multi-vendor interoperability.
- Enterprises that already have RADIUS authentication in place can use WPA with 802.1X. Small business and home WLANs can use WPA without 802.1X. Instead of configuring every station with the same WEP keys, systems with WPA will be configured with secret passphrases. Passphrases are mixed with MAC addresses so that each station encrypts data with a different key. While not as secure as 802.1X, this is still a significant improvement.
802.1X and EAP methods will continue to evolve. Man-in-the-middle vulnerabilities in PEAP must still be resolved, and new EAP methods have been proposed -- for example, to let dual-mode smart phones authenticate themselves to wireless LANs. Since change is expected, companies launching new WLANs may want to start small and expand over time. Operate in mixed mode for a while, using 802.1X authentication only where you really need it, reducing your cost to deploy upgrades.
Final standards for Enhanced WLAN Security (known as 802.11i) will include a new privacy protocol, based on the Advanced Encryption Standard, to be implemented by next-generation hardware. This is no reason to delay installation of WPA firmware upgrades as soon as they become available. You don't have to enable WPA features immediately -- you can phase them in over time.
Link-layer security is only one piece of the WLAN security puzzle. Innovations are also happening elsewhere, for example: hotspot APs that block inter-station traffic, gateways that facilitate secure roaming by floating VPN endpoints, directional antennas that reduce signal leakage and intrusion-detection systems that automatically react to wireless attacks.
The bottom line
You don't need to know about all of these to begin secure WLAN deployment, but anyone planning a large WLAN should invest in training to learn about available measures and how to design security into your network from the start. If you adopt available WLAN security measures, wardrivers will probably still be able to discover your APs. But there is plenty you can do today to prevent the vast majority of would-be intruders from actually penetrating your WLAN.