At the recent Spring 2004 Information Security Decisions conference, Joel Snyder, senior partner of Opus One, outlined several wireless security strategies. This tip is based on the highlights from his session.
Here's the good news about wireless LANs: They're not as insecure as you have been led to believe, and breaking into a wireless network isn't as fast or easy as it's been portrayed. What's the bad news? You still need to pay close attention to your WLAN security choices, because there are vulnerabilities and weaknesses that can threaten your network security.
Wired Equivalent Privacy (WEP)
The attraction of using the WEP protocol (specified in the 802.11b standard) is that it's easy to install and compatible, which makes it a popular choice. Unfortunately, WEP is plagued by several well-known vulnerabilities, such as static keys, weak initialization vectors and RC4 encryption, which is one of the weakest encryption algorithms and was not designed for wireless security.
However, the biggest problem with WEP, stressed Snyder, is management. WEP keys are difficult to change, so they are often not updated and managed improperly. Since WEP keys are shared by groups of people, Snyder said it's like, "You're giving everyone the same password and they're not allowed to change it."
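The static key and short initialization vector named above can be seen at work in the following sketch, which is an added example and not material from Snyder's session. The keys, IV and payloads are constructed sample values, and the probability estimate assumes IVs are chosen at random.

```python
import math

def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4: key scheduling, then XOR data with the keystream."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_frame(iv: bytes, shared_key: bytes, payload: bytes) -> bytes:
    """RC4 is seeded with the 3-byte IV + shared key; the IV is sent in clear.
    The CRC-32 integrity value is omitted for brevity."""
    return iv + rc4(iv + shared_key, payload)

def repeated_iv_leak(frame_a: bytes, frame_b: bytes):
    """Same key + same IV = same keystream: ciphertext XOR is plaintext XOR."""
    if frame_a[:3] != frame_b[:3]:
        return None
    return xor(frame_a[3:], frame_b[3:])

def iv_repeat_probability(frames: int, iv_bits: int = 24) -> float:
    """Birthday estimate that some IV repeats, assuming random IV selection."""
    return 1.0 - math.exp(-frames * (frames - 1) / 2 ** (iv_bits + 1))

# Constructed sample data, not taken from the talk or any real network.
STATIC_KEY = bytes.fromhex("0102030405")    # 40-bit shared WEP key
SESSION_KEY = bytes.fromhex("a1b2c3d4e5")   # a different per-session key
IV = bytes.fromhex("00002a")
MSG_A, MSG_B = b"GET /payroll HTTP/1.0", b"GET /index.html HTTP1"

if __name__ == "__main__":
    leak = repeated_iv_leak(wep_frame(IV, STATIC_KEY, MSG_A),
                            wep_frame(IV, STATIC_KEY, MSG_B))
    print("static key, same IV leaks plaintext XOR:", leak == xor(MSG_A, MSG_B))
    other = repeated_iv_leak(wep_frame(IV, STATIC_KEY, MSG_A),
                             wep_frame(IV, SESSION_KEY, MSG_B))
    print("different keys, same IV:", other == xor(MSG_A, MSG_B))
    print("P(repeat) after 5000 frames: %.2f" % iv_repeat_probability(5000))
```

With one shared key the only per-frame variation is the 24-bit IV, so a busy network repeats keystreams quickly; frames protected by different keys do not show the same relationship even when the IV matches.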
802.1X
This standard adds a user authentication requirement and can be deployed in a wired or wireless environment. "Before the user is allowed to get onto the LAN, they have to authenticate," said Snyder. And when used with TLS-based authentication, you have per-user/per-session WEP keys, stressed Snyder. 802.1X's short-lived keys mean that admins can change them as often as needed -- making communication more secure (in comparison with WEP's static key model).
The drawbacks of using 802.1X are that it requires the use of a client and a RADIUS server.
802.11i/WPA
The 802.11i standard (part of the 802.11 family, designed specifically for wireless) has not been approved yet, but it is intended to improve security under 802.11. (Wi-Fi Protected Access is an intermediate standard to be replaced by 802.11i when it is finally released.) Improvements in 802.11i include these features: the Temporal Key Integrity Protocol (TKIP), which enhances WEP with a per-packet re-keying mechanism and adds a Message Integrity Check field to each packet; the replacement of RC4 encryption with the Advanced Encryption Standard (AES); and encryption for management frames.
Snyder added that to take full advantage of 802.11i, an organization is going to need to change its hardware, use AES encryption and go for 802.1X authentication. That said, Snyder doesn't recommend running out to buy AES hardware. After all, he continued, if you're happy with RC4 encryption, there's no real need to change to AES.
Deciding on the "right" WLAN solution isn't an easy task. There are pros and cons to each solution, but armed with the right knowledge organizations can decide what's the best one for them.
About the author
Mia Shopis is assistant editor for SearchSecurity.com. You can e-mail her here at mshopis@techtarget.com
This was first published in May 2004