When Phil Fournier's 20-person company first deployed wireless LANs, he said he was amazed at how nice it was to not be connected to walls. Employees could bring their computers anywhere in the building without losing their LAN connection, according to Fournier, vice president of Legacy Advisors in McLean, Va. And when the firm moves into larger quarters, "we're not going to pay $3,000-$5,000 for CAT-5 wiring to be built into the wall."
With these kinds of cost and mobility benefits, it's not surprising a Gartner Inc. survey showed 50% of enterprises plan to deploy 802.11b wireless LANs. But there are huge and well-known security holes that allow anyone with an 802.11b client (say, a notebook computer with a wireless card) and some widely available software, to decode the standard 802.11b encryption key and log on to the network.
The good news is that there's a growing number of vendors that claim to have tools that solve one of the key weaknesses in the 802.11b protocol and that are solid enough to make customers comfortable deploying wireless LANs.
The bad news is that some of these fixes can be expensive -- adding a virtual private network (VPN) can cost as much as $1,500 per wireless access point -- and require that you stick with a single vendor's hardware for all mobile access points. There's also strong debate over whether those devices go far enough in protecting the multiple security weaknesses in 802.11b.
The major weakness in 802.11b security lies
with how it implements the Wireless Encryption Protocol (WEP), says Dave Juitt, chief security architect at wireless security vendor Bluesocket Inc. in Burlington, Mass. WEP assigns a single encryption key to both the wireless base station that transmits data and to the receiving device, says Juitt. This avoids having administrators "set the parameters of their security policies... so that the more important the information, the more often the key changes."
Some vendors solve this problem by adding management capabilities to allow managers to change keys more often; others add authentication and encryption technologies such as VPNs atop the current 802.11b encryption. Other approaches including filtering Media Access Control (MAC) addresses so each access point will allow entry by only specific MAC addresses.
NextComm Inc. recently announced "key-hopping" technology that changes the keys periodically -- say, every 30 seconds. The Bellevue, Wash., firm plans to sell the technology through OEMs and include it in its own integrated circuit for 802.11b Media Access Controllers. CEO Jerry Wang says key-hopping is less expensive than other approaches that require adding another access control server to the network. He declined to discuss pricing, except to say it would be low enough to attract customers in the SOHO (small office/home) market.
Another criticism of WEP is that it operates at only the two lowest layers of the OSI Network Model: the physical and data-link layers. Bluesocket implements the IPSec security protocol at layer three (the network layer), which allows Bluesocket's $5,995 WG-1000 Wireless Gateway to distinguish between different types of network traffic, says Juitt. Sitting between the backbone network and wireless access points, he says, the gateway can allow wireless users access only to certain applications and maintain the secure connection as users move between access points. It handles key management through the Internet Key Exchange (IKE), which, among other features, changes encryption keys during user sessions.
Atlanta-based Vernier Networks Inc. also tackles security at the network layer with its $2,500 AM 5004 Access Manager and $15,000 CS 5000 Control Server. The Access Manager examines all wireless traffic between users and the corporate network, the company says, examining packets to enforce access rights and bandwidth management. The Control Server can manage as many as 10 Access Managers and coordinates roaming among wireless access points, as well as managing authentication and user access rights.
ReefEdge Inc. in Fort Lee, N.J., takes a similar architectural approach with its Connect Bridge, which costs $2,500 in a configuration that supports up to 10 access points, and the $3,000 Connect Server, which provides centralized management of wireless access. The company also charges a licensing fee based on the number of access points controlled by the Connect Server.
Some tools also support the Remote Authentication Dial-In User Service (RADIUS) protocol to centralize user authentication at a single server. Mindshift Technologies Inc., a systems integrator and managed service provider in Fairfax, Va., has many small- and medium-sized customers using 802.11b networks. It uses Cisco Systems Inc.'s AiroNet350 wireless access points, which use Cisco's version of the EAP standard to provide server-based RADIUS authentication to remote wireless devices.
Finally, a number of commercial and open-source software tools can help IT managers scan wireless networks for security holes. AiroPeek, a wireless network management tool from WildPackets Inc. of Walnut Creek, Calif., for example, can be set to scan continuously for failed authentication attempts and capture the traffic during those attempts to help identify the hackers. Airsnort and wepcrack are hacker tools administrators can use to scan their own wireless networks for vulnerabilities.
In the longer term, the IEEE is considering a number of enhancements to the 802.11b standard. One would replace the 40-bit encryption built into WEP, which relies on the RC4 encryption algorithm, with 128-bit encryption using the Advanced Encryption Standard to make it less likely the same keys would be repeated during a user session, making it harder for a hacker to crack the key.
In the meantime, the best defense may be to treat wired access like any other remote access. Gartner recommends customers run 802.11b networks on a separate LAN segment, with a firewall isolating them from the corporate LAN and that wireless users access the network through a VPN to encrypt all traffic.
In addition to technical fixes, security administrators must begin looking for wireless "back doors," such as wireless access points installed by users "who want to use their laptops without having to plug in wires every day," says Joe Judge, a financial industry security consultant. In fact, Gartner says 20% of enterprises already have such "ogue"wireless LANs installed without the knowledge of the corporate IT group.
>>Scheier's Security Roundup runs monthly at TechTarget. He can be reached at firstname.lastname@example.org.
This was first published in October 2001