Tip

Wireless network protection: Choosing wireless LAN security

by Mia Shopis, Assistant Editor

At the recent Spring 2004 Information Security Decisions conference, Joel Snyder, senior partner of Opus One, outlined several wireless security strategies. This tip is based on the highlights from his session.

Here's the good news about wireless LANs: They're not as insecure as you have been led to believe, and breaking into a wireless network isn't as fast or easy as it's been portrayed. What's the bad news? You still need to pay close attention to your WLAN security choices, because there are vulnerabilities and weaknesses that can threaten your network security.

However, choosing a wireless LAN security solution really depends on the organization. After all, the term "security" means different things to different people. So, which solution is right for you? Here's the lowdown on WEP, 802.1X and the promise of 802.11i.

Wired Equivalent Privacy (WEP)
The attraction of using the WEP protocol (specified in the 802.11b standard) is that it's easy to install and compatible, which makes it a popular choice. Unfortunately, WEP is plagued by several well-known vulnerabilities such as static keys, weak initialization vectors and RC4 encryption, one of the weakest encryption algorithms and not designed for wireless security.

However, the biggest problem with WEP, stressed Snyder, is management. WEP keys are difficult to change, so they are often not updated and are managed improperly. Since WEP keys are shared by groups of people, Snyder said it's like, "You're giving everyone the same password and they're not allowed to change it."


802.1X
This standard adds a user authentication requirement and can be deployed in a wired or wireless environment. "Before the user is allowed to get onto the LAN, they have to authenticate," said Snyder. And when used with TLS-based authentication, you have per-user/per-session WEP keys, stressed Snyder. 802.1X's short-lived keys mean that admins can change them as often as needed -- making communication more secure (in comparison with WEP's static key model).

The drawbacks of using 802.1X are that it requires a client and a RADIUS server.
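To make the contrast between WEP's static shared key and 802.1X's per-user/per-session keys concrete, here is an added Python example (not from Snyder's session or the original tip). It assumes WEP's standard construction, in which RC4 is seeded with a 24-bit IV prepended to the key; the key, the IV and the use of `os.urandom` as a stand-in for keys negotiated through 802.1X are constructed for illustration.

```python
import os

def rc4(key: bytes, n: int) -> bytes:
    """Return n bytes of RC4 keystream for the given key."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key scheduling
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):                        # keystream generation
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def wep_keystream(iv: bytes, key: bytes, n: int) -> bytes:
    """WEP seeds RC4 with the 24-bit IV prepended to the key."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    return rc4(iv + key, n)

STATIC_KEY = bytes.fromhex("0102030405")      # constructed 40-bit shared key
IV = bytes([0x00, 0x00, 0x2A])                # constructed IV, used by both stations

def static_key_streams(n: int = 16):
    """Two stations on the same static key: an IV collision repeats the keystream."""
    return wep_keystream(IV, STATIC_KEY, n), wep_keystream(IV, STATIC_KEY, n)

def per_session_streams(n: int = 16):
    """Stand-in for 802.1X: each session holds its own key, so the same IV is harmless."""
    key_a, key_b = os.urandom(13), os.urandom(13)   # assumption: random session keys
    return wep_keystream(IV, key_a, n), wep_keystream(IV, key_b, n)

if __name__ == "__main__":
    a, b = static_key_streams()
    print("static key, same IV    -> keystreams equal:", a == b)
    a, b = per_session_streams()
    print("per-session keys, same IV -> keystreams equal:", a == b)
```

With a static key the only per-frame variation is the 24-bit IV, so keystreams repeat across every station that shares the key; short-lived per-session keys bound how much traffic any one keystream family protects.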

802.11i/WPA
The 802.11i standard (part of 802.11 designed specifically for wireless) has not been approved yet, but it is intended to improve security under 802.11. (Wi-Fi Protected Access is an intermediate standard to be replaced by 802.11i when it is finally released.) Improvements in 802.11i include these features: Temporal Key Integrity Protocol (TKIP), which enhances WEP with a per-packet re-keying mechanism and adds a Message Integrity Check field to each packet; replacement of RC4 encryption with Advanced Encryption Standard (AES); and encryption for management frames.

Snyder added that to take full advantage of 802.11i, an organization is going to need to change its hardware, use AES encryption and go for 802.1X authentication. That said, Snyder doesn't recommend running out to buy AES hardware. After all, he continued, if you're happy with RC4 encryption, there's no real need to change to AES.

Deciding on the "right" WLAN solution isn't an easy task. There are pros and cons to each solution, but armed with the right knowledge, organizations can decide which is the best one for them.

About the author
Mia Shopis is assistant editor for SearchSecurity.com. You can e-mail her at mshopis@techtarget.com.

This was first published in May 2004
