Wireless local area networks are still too easy to hack, especially if you don't take basic security precautions. But with some effort and the help of security technologies that are already shipping, you can say goodbye to wires for even some core applications.
One common wireless security method is the use of relatively low-cost appliances that link wireless access points to existing virtual private networks (VPNs) to encrypt sensitive data. (See "Appliances, standards boost WLAN security.")
Most Wi-Fi hardware now ships with Wi-Fi Protected Access (WPA), which replaces the easy-to-crack Wired Equivalent Privacy (WEP) with the stronger Temporal Key Integrity Protocol (TKIP). WPA also includes a message integrity check that examines packets for possible forgery, and user authentication via 802.1X and the Extensible Authentication Protocol (EAP). WPA support is also available as a software upgrade for some older Wi-Fi gear.
WPA itself is a stepping stone to the 802.11i security standard, which is scheduled to be published early next year and will include all the features of WPA along with even stronger encryption in the form of the Advanced Encryption Standard (AES). (One downside: Taking full advantage of 802.11i will require new equipment, although some vendors say their WPA-compliant equipment now shipping will also support 802.11i.)
To further ease security fears, some vendors are looking to centralize WLAN security. ReefEdge this spring rolled out its Wireless Services Fabric, which lets its wireless VPN appliances and network monitors share information and provide a central, single point from which to monitor and manage the entire wireless network. This lets IT managers create "virtual firewalls" that control which protocols, ports and networks WLAN clients can send traffic to, which subnets their traffic can be routed to, and which network subnets the wireless device can access, says Sandeep Singhal, chief technology officer of wireless security provider ReefEdge Inc.
John Arechavala, network and systems manager at Carroll College in Waukesha, Wisconsin, is using ReefEdge's Connect Server 100 appliances to centrally manage the 20 access points that offer wireless local area network (WLAN) access to the 3,000 students on his campus. He says he likes the fact that he can manage access points and client wireless cards from any vendor, and easily handle additional users and access points as they join the network.
Security and management policies generated by the Connect Server are enforced by EC 100 and EC 25 Edge Controllers sitting between the access points and the wired LAN. When the college hosts a conference, for example, he can easily allow attendees using wireless systems to use the college's network to access the Internet but not any other systems or applications.
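The "virtual firewall" idea above (per-role rules over protocol, destination port and destination network, with a conference-guest role that reaches the Internet but nothing on campus) can be made concrete as a small policy evaluator. This is an added illustration, not ReefEdge's or Carroll College's own code; the campus subnets, resolver address and role names are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed campus addressing for the example: everything in RFC 1918 space is "internal".
CAMPUS_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass(frozen=True)
class Flow:
    role: str          # which wireless client group sent the packet
    proto: str         # "tcp", "udp" or "icmp"
    dst_ip: str
    dst_port: int = 0  # 0 for protocols without ports

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CAMPUS_NETS)

# Each rule: (protocol or "any", allowed destination ports or None for any,
# destination scope: "any", "internal", "external" or a CIDR string).
# Rules only permit; a flow matching no rule for its role is denied.
POLICY = {
    # Conference guests: DNS to the campus resolver (constructed address) and web traffic off campus.
    "guest": [("udp", {53}, "10.1.0.53/32"), ("tcp", {80, 443}, "external")],
    # Students: anything off campus, plus web access to on-campus services.
    "student": [("any", None, "external"), ("tcp", {80, 443}, "internal")],
    # IT staff: unrestricted.
    "staff": [("any", None, "any")],
}

def in_scope(ip: str, scope: str) -> bool:
    if scope == "any":
        return True
    if scope == "internal":
        return is_internal(ip)
    if scope == "external":
        return not is_internal(ip)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(scope)

def permitted(flow: Flow) -> bool:
    """Return True if some rule for the client's role allows this flow; unknown roles get no rules."""
    for proto, ports, scope in POLICY.get(flow.role, []):
        if proto != "any" and proto != flow.proto:
            continue
        if ports is not None and flow.dst_port not in ports:
            continue
        if not in_scope(flow.dst_ip, scope):
            continue
        return True
    return False
```

The default-deny shape matters: a guest flow to an internal web server fails every rule and is dropped, while the same flow to an Internet address passes.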
Centralized WLAN security is attractive because many users can't or won't manage security themselves, says Leo Pluswick, wireless technology program manager with TruSecure Corp.'s ICSA Labs. Other vendors offering such tools are Intermec Technologies Corp. with its MobileLAN; Fortress Technologies with its AirFortress Gateways, client software and access control server; and Bluesocket Inc. with its wireless gateways. Newbury Networks Inc. offers centralized management capabilities along with its WiFi Watchdog, server-based software that identifies the rogue access points that can create security loopholes in many corporate networks.
However, many of these tools rely on proprietary technologies, says Pluswick, so customers who want to use the same security management tools across the enterprise must buy all the management software (and in some cases, the Wi-Fi hardware as well) from a single vendor.
Technology aside, making security easy to implement for users and IT managers is crucial to protecting Wi-Fi networks. The 802.1X security standard will be "a tremendous leap" in security, but it will still be too complicated for some users, says Roy Pereira, director of product management at Certicom Corp., which makes software and software development kits for notebook and PDA wireless security.
For example, he says, corporations adopting EAP will often have a RADIUS server to which wireless client devices can authenticate, "but a lot of home users don't have a RADIUS server sitting around." This makes it much less likely that home users will implement EAP, and that could pose a threat if hackers try to access corporate networks through a telecommuter's poorly protected home WLAN.
Only if vendors such as Microsoft make authentication methods such as EAP easy enough to use will those technologies actually boost security, says Al Potter, the manager of ICSA's Network Security Lab. And technology aside, any authentication or encryption mechanism that relies on keys and digital certificates will only work and scale if it is "carefully mapped out and thought out," he says, complete with policies outlining which users are allowed access to what resources.
In other words, Wi-Fi security technology is getting better all the time, but the key is still using it correctly.

About the author
Robert L. Scheier is a former technology editor at Computerworld who writes frequently about security from Boylston, Mass. He can be reached at firstname.lastname@example.org.
For more information on this topic, visit these resources:
- Executive Security Briefing: Policy-driven WLAN security
- Security Policies Tip: Wireless networking security policy
- News & Analysis: Experts: Plan for wireless before rogue access points appear