The Lowdown On WLAN Security

Many IT managers have heard the news that there are people out there who live to spam corporate networks, send malicious viruses, and take over enterprise Web sites. We don't have to live in fear and avoid initiatives such as rolling out wireless LANs (WLANs). However, we need to educate ourselves about what kinds of wireless standards are available and what kinds of security can be used to protect our corporate data.

Security 101: Don't Broadcast Your WLAN Location
To begin, it's important to understand a few basic facts related to WLAN security. First, an alarming number of enterprises don't use any security features at all. According to Diana Ying, public relations specialist for WLAN vendor Linksys (Irvine, CA), "More than 50% of wireless networks are totally open. Anyone with a laptop and NIC [network interface card] could log on and have full access to the enterprise's data. When enterprises purchase WLANs they come with the data encryption and other security features turned off. In their haste to get employees set up with the new solution, many IT administrators either forget or ignore the option of turning on the encryption, thus leaving the system wide open."

The second major security faux pas occurs at the AP (access point). APs broadcast an SSID (service set identifier), which is a form of password for a user's NIC. Most APs broadcast the SSID many times per second. To make matters worse, most SSIDs are set to a standard default name. For instance, Cisco APs have a default name "tsunami," and Symbol access points default to "101." If the default SSID is used and it is broadcast, hackers can easily intercept the message and sneak onto the network. "By changing the default SSID name and turning the SSID broadcasting off, the burden is placed on the user to find the network rather than having the network broadcasting its location," says Ying. By understanding these security basics, enterprises can make themselves less vulnerable to WLAN intruders. But, what other precautions should IT managers know about?

WEP Gets KO'd By TKIP
If you've already heard umpteen reports on the ineffectiveness of WEP (wired equivalent privacy), forgive me because I have to get my licks in too. WEP is the security that is built into all 802.11-compliant APs and NICs. WEP uses a security encryption called RC4, the same as its wired counterpart - TLS (transport layer security) - which creates secure sessions when connecting to the Internet. So, why has this "wired equivalent" not lived up to its near cousin's standard? "WEP uses the same encryption key for every user on a network and offers no easy way to rotate the keys," says Eric Hermelee, VP of marketing for WLAN management software provider Wavelink (Kirkland, WA). "Because of the weakness in WEP's encryption key management, hackers have to test far fewer combinations before breaking the encryption code." After receiving pressure from WECA (Wireless Ethernet Compatibility Alliance) in 2001 to beef up WEP's security, the IEEE (Institute of Electrical and Electronics Engineers) began working on a new wireless security standard know as TKIP (temporal key integrity protocol). TKIP more than triples the encryption level of WEP, and it has a built-in procedure for changing encryption keys every 10,000 packets. But, while this is a step in the right direction, many experts argue that this solution doesn't rotate the keys often enough. It still would take only three hours to hack a TKIP-protected system. (Note: the same upgrade from 40-bit to 128-bit encryption in TLS reduces the chances of cracking the code exponentially because the algorithm is not weakened by a static or near- static encryption key.)

802.1x: Beyond WEP, TKIP
Even though the fight against eavesdroppers and hackers is far from over, don't despair. In early 2002 the IEEE released what it called an RSN (robust security network), known more commonly as the 802.1x security standard. "The 802.1x standard uses EAP [extensible access protocol], which is an extension of the PPP [point-to-point protocol] often used for Internet dial-up authentication, to transmit data from the 'supplicant' [user] to the 'authenticator' [AP]," says Chuck Bolvin, VP of technology for value-added distributor WAV, Inc. (West Chicago, IL). "With this new protocol, there is an authentication server that sits between the user and the back end application known as a RADIUS [remote authentication dial-in user service] server. When the RADIUS server receives a request for access to the back end application or database it sends back a challenge to the authenticator. The authenticator unpacks the message from IP [Internet protocol], repackages it into an EAP over LAN protocol, and sends the message to the supplicant." If the supplicant responds successfully to the message, the authenticator responds with a success message. Not only is authentication established, but the authenticator can also be set up to impose different attributes or business rules on each supplicant, providing various levels of restricted access to supplicants.

Is 802.1x All You Need?
So, can WLAN security stop every hacker? No. Not yet anyway. Even with the latest RSN in place there are some inherent problems. The one-way authentication of the supplicant to the AP can expose the supplicant to MIM (man-in-the-middle) attacks with a hacker posing as an AP to the supplicant and as a supplicant to the AP.

One proposed fix for this built-in flaw is to add a VPN (virtual private network) to the RSN. "VPNs use tunneling protocols such as IPsec [Internet protocol security] that give added security over leased lines and create the same effect as using a private/dedicated line," says Fred Geiger, product line manager for wireless clients at WLAN vendor 3Com (Santa Clara, CA). "For the highest level of WLAN security, IT administrators should treat WLAN users just like they would treat outsiders trying to get access to their corporate data. Have them go through a VPN before getting access to corporate data." To achieve the highest level of protection, however, enterprises must invest in a second firewall - one on each side of the VPN server. One firewall would be dedicated for users accessing the Internet. The other firewall would be placed between the WLAN APs and the VPN server. This surrounding of the corporate server with firewalls establishes what is called a DMZ (demilitarized zone). Some vendors also offer single multiport firewalls that can give the user the same result. The disadvantages of creating a DMZ is that it costs more and it is more difficult to scale your network.

Keep WLAN Security In Perspective
When it comes to securing your data, especially in a wireless scenario, there are a few things to keep in mind to help bring a little balance to the table. First, wireless security shouldn't be viewed as an all-or-nothing scenario. Depending on the confidentiality level of your data, TKIP or 802.1x may sufficiently protect you. If you determine that it does not, you can purchase further add-ons such as VPNs and firewalls to make sure your WLAN is secure. As WLAN security gets better over the next several months and more enterprises pay attention to using wireless security to protect their corporate data, the WLAN horror stories are bound to diminish. And, to fill this void we will hear more stories about how WLANs make workers more than 22% more efficient at doing their jobs.