The Palo Alto Research Center recently found itself in a position shared by many other enterprises.
Wireless technologies have quickly become a commodity-priced item for
home use. Consumers who wanted the same mobility and flexibility they
had at home began installing wireless LAN products at work. The
trend mirrors the way the first PC LANs were adopted -- often without
the consent or approval of information technology directors.
Palo Alto Research Center, or PARC, was no different. Although the
company didn't have a full-fledged wireless LAN, a growing number of
its employees began implementing ad hoc network access points at
their workstations. As these devices proliferated, PARC executives
decided to take action.
PARC, in Palo Alto, Calif., is a subsidiary of Xerox Corp. The
organization commercializes technology developed by Xerox engineers.
Since PARC researchers frequently collaborate across workspaces,
personal wireless access points dotted the enterprise like stars on a
clear night sky. To get a better handle on how many access points
were installed and who was using them, the company decided to deploy
a wireless LAN based on the 802.1x security standard. 802.1x is an
interim standard designed to enhance the security of wireless LANs
that follow the 802.11 standard, which was developed by the Institute
of Electrical and Electronics Engineers (IEEE).
"People were starting their own access points, but they were careful
about it because they knew about the wireless security issues. From a
management point of view, it became hard to keep track of who was
putting up access points and, as a company, we wanted to have some
policy pertaining to wireless networks," says Dirk Balfanz, a
security expert with PARC who helped implement the wireless LAN.
Within the next 12 to 18 months, the IEEE is expected to release
standards that ratchet up security even higher than what's called for
in 802.1x, while simultaneously addressing the interoperability of
different vendors' wireless products. The developing standard, known
as 802.11i, is part of a series of specifications that address all
aspects of wireless LAN technologies.
Although a final version of 802.11i isn't expected for at least
another year, a snapshot of the security standard, known as Wi-Fi
Protected Access, or WPA, was released in April by the Wi-Fi
Alliance, which certifies wireless products. As a result, many
vendors began shipping firmware upgrades based on WPA this summer.
Companies took the Wi-Fi Alliance's approval as a signal that
wireless LAN security was about to take a giant stride forward, says
Lisa A. Phifer, vice president of Core Competence Inc., a network and
computer consulting firm in Philadelphia. "People realized they
didn't have to wait until 802.11i is finalized next year
[before] buying products and rolling out a wireless LAN
deployment," she says.
Statistics bear this out. According to the Boston-based Yankee Group,
wireless LAN implementations have doubled in the last few years, with
more than 1 million access points now in use by more than 700,000
U.S. enterprises.
According to Infonetics Research Inc., in London, worldwide revenue
for wireless LAN hardware is expected to surpass $2 billion by the
end of the year.
WPA addresses the security flaws of its predecessor, known as Wired
Equivalent Privacy, or WEP. By observing packets in WEP, for example,
someone could potentially discover the cryptographic keys for
encrypting network traffic and gain full access to the network.
"The cryptography of WEP didn't do its job. It was indeed possible
for people who didn't possess the password to read your data,"
Balfanz said.
Specifically, WPA provides stronger authentication protocols and
enhanced confidentiality algorithms. For encryption, WPA uses the
Temporal Key Integrity Protocol, which includes a per-packet mixing
function, a message integrity check, an extended initialization
vector, and a rekeying mechanism. It relies on a central
authentication server to verify and authenticate users trying to
access the system using remote servers or dial-in numbers.
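
Why the extended initialization vector and rekeying matter can be shown with WEP's own keying scheme. The following is an added example, not code from the article or from PARC: it models WEP's RC4 keying (a 24-bit IV prepended to a static shared key) with constructed keys and payloads, and compares how fast a 24-bit and a 48-bit IV counter wrap at an assumed 5,000 frames per second. TKIP's mixing function itself is not implemented.

```python
# Added illustration, not from the article. Keys, IVs and payloads are constructed.

def rc4(key: bytes, n: int) -> bytes:
    """Return n bytes of RC4 keystream for the given key."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):                         # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(iv: bytes, shared_key: bytes, payload: bytes) -> bytes:
    """WEP keying: RC4 key = 3-byte IV (sent in clear) || static shared key.
    The CRC-32 integrity value is omitted to keep the sketch short."""
    return xor(payload, rc4(iv + shared_key, len(payload)))

def read_second_frame(c1: bytes, known_p1: bytes, c2: bytes) -> bytes:
    """Same IV and key give the same keystream, so one known payload
    exposes another frame without the shared key ever being used."""
    return xor(c2, xor(c1, known_p1))

def hours_until_iv_reuse(iv_bits: int, frames_per_second: int) -> float:
    """Time for a counter IV of iv_bits to wrap at a steady frame rate."""
    return (2 ** iv_bits) / frames_per_second / 3600

SHARED_KEY = bytes.fromhex("0102030405")       # constructed 40-bit key
IV_A, IV_B = bytes.fromhex("a1b2c3"), bytes.fromhex("a1b2c4")
P1 = b"GET /index.html HTTP/1.0"               # constructed payloads
P2 = b"user=alice&pin=00004711"

if __name__ == "__main__":
    c1, c2 = wep_encrypt(IV_A, SHARED_KEY, P1), wep_encrypt(IV_A, SHARED_KEY, P2)
    print("repeated IV leaks:", read_second_frame(c1, P1, c2))
    c3 = wep_encrypt(IV_B, SHARED_KEY, P2)
    print("fresh IV leaks:   ", read_second_frame(c1, P1, c3) == P2)
    print("24-bit IV wraps in %.2f h at 5000 frames/s" % hours_until_iv_reuse(24, 5000))
    print("48-bit IV wraps in %.0f h" % hours_until_iv_reuse(48, 5000))
```

With a 24-bit IV and a static key the keystream repeats within an hour on a busy link; a 48-bit IV combined with per-packet mixing and rekeying keeps a keystream from being reused over the life of a key.
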
"It is an interim fix that, used properly, eliminates all the known
vulnerabilities of the Web," says Leo Plustwick, a program manager at
ICSA Labs, in Mechanicsburg, Pa. "The caveat is that users have to
turn the machine on, configure it properly, understand how it works,
and make sure all the countermeasures are being used."
In other words, WPA security is neither transparent nor user
friendly, at least in its formative stage. WPA curtails spoofing,
eavesdropping, forgeries, and tampering with the data -- the types of
activities involved in gaining unauthorized access to a network. It
does little, however, to prevent denial-of-service attacks, although
most experts agree these are more annoyances than deep security
threats.
The IEEE is also trying to solve interoperability and compatibility
issues, which are inextricably linked to wireless LAN security. The
latest compatibility standard, 802.11g, gives vendors a
backward-compatible standard for devices and equipment that enables
enterprises to run mixed-mode radio networks that transmit data at
higher speeds (of up to 54 Mbps). Laptops and other wireless devices
with G-compliant radio cards are being shipped now.
In parallel with the development of new wireless gear, a spate of
competing startups has emerged offering switches for supervising and
managing wireless LANs, especially for large environments. They
include Trapeze Networks Inc., in Pleasanton, Calif.; AirFlow
Networks Inc., in Sunnyvale, Calif.; Aruba Wireless Networks Inc., in
San Jose, Calif.; and Airespace Inc., in Palo Alto, Calif. All four
companies have received venture funding, a signal that investors
recognize the growing role played by corporate wireless LANs.