At the recent Spring 2004 Information Security Decisions conference Joel Snyder, senior partner of Opus One, outlined several wireless security strategies. This tip is based on the highlights from his session.
Here's the good news about wireless LANs: They're not as insecure as you have been lead to believe and breaking into a wireless network isn't as fast or easy as it's been portrayed. What's the bad news? You still need to pay close attention to your WLAN security choices, because there are vulnerabilities and weaknesses that can threaten your network security.
Wired Equivalent Privacy (WEP)
The attraction of using the WEP protocol (specified in the 802.11b standard) is that it's easy to install and compatible, which makes it a popular choice. Unfortunately, WEP is plagued by several well-known vulnerabilities such as static keys, weak initialization vectors and RC4 encryption, one of the weakest encryption algorithms and not designed for wireless security.
However, the biggest problem with WEP, stressed Snyder, is management. WEP keys are difficult to change, so they are often not updated and managed improperly. Since WEP keys are shared by groups of people, Snyder said it's like, "You're giving everyone the same password and they're not allowed to change it."
MORE INFORMATION ON SECURING A WIRELESS LAN:
- Learn about Web authentication and IPsec in part two of Strategies for securing your wireless LAN.
- Join us on June 8 at noon EDT for a live Webcast with guest speaker and Information Security contributor Jon Edney on new developments in wireless LAN access control.
- Learn how to secure wireless access against malware invasion in this tip by malware guru Ed Skoudis.
This standard adds a user authentication requirement and can be deployed in a wired or wireless environment. "Before the user is allowed to get onto the LAN, they have to authenticate," said Snyder. And when used with TLS-based authentication, you have per-user/per-session WEP keys, stressed Snyder. 802.1X's short-lived keys means that admins can change them as often as needed -- making communication more secure (in comparison with WEP's static key model).
Some drawbacks of using 802.1X require the use of a client and a RADIUS server.
The 802.11i standard (part of the 802.11 designed specifically for wireless) has not been approved yet, but it is intended to improve security under 802.11. (Wi-Fi Protected Access is an intermediate standard to be replaced by 802.11i when it is finally released.) Improvements to 802.11i include these features: Temporal Key Integrity Protocol (TKIP), which enhances WEP with per-packet re-keying mechanism and adds a Message Integrity Check field to each packet; replaces RC4 encryption with Advanced Encryption Standard (AES); and adds encryption for management frames.
Snyder added that to take full advantage of 802.11i, an organization is going to need to change its hardware and use AES encryption and go for 802.1X authentication. That said, Snyder doesn't recommend running out to buy AES hardware. After all, he continues, if you're happy with RC4 encryption, there's no real need to change to AES.
Deciding on the "right" WLAN solution isn't an easy task. There are pros and cons to each solution, but armed with the right knowledge organizations can decide what's the best one for them.
About the author
Mia Shopis is assistant editor for SearchSecurity.com. You can e-mail her here at firstname.lastname@example.org
This was first published in May 2004