Insecure about Wi-Fi security? Don’t be...

Sensible precautions will see you right

Security is often cited as the main barrier to widespread use of Wi-Fi wireless networks, whether at work, at public 'hot spots' or within homes. But as Simon Marshall makes clear, for every problem there is a practical solution... Despite the well flagged security issues with enterprise and public wireless LANs, some companies still seem quite blasé about their wireless activities. Fortunately, many enterprises appear to be holding back on fully embracing WLAN technology largely because of rudimentary awareness of security problems, according to Frost & Sullivan. Yet WLAN continues to be one of the sweet spots in a depressed technology industry. Research from Gartner Dataquest published earlier this year shows that worldwide spending on kit grew by 38 per cent to reach $2.3bn in 2002. This comprised 15 million adapters and 4.4 million access points and gateways. The analyst house predicts prices will fall a further 25 per cent this year. "Overall our survey shows that there is strong momentum behind the adoption of wireless technologies and services across European enterprises," comments Michael Wall, an analyst at Frost & Sullivan. But companies continue to be worried about the security risks posed by WLAN, even though the technology for using them securely is ironically already available. Apparently, many hassles with WLAN security come from carefree users who do not turn security on, or who use the default configuration. This is not helped by vendors that, with seemingly equally gay abandon, sell their kit with security settings as an opt-in, rather than an opt-out. Further weaknesses appear in the vulnerability of the WEP standard, which has already been exposed by programs such as WEPCrack and AirSnort. Apparently, it's so flawed that the Wi-Fi Alliance industry body has said it will drop WEP in favour of a new standard called Wi-Fi Protected Access (WPA). The new standard is expected to appear in Wi-Fi Certified products any time now but enterprises are still waiting. "The bar for security is always rising and the development of robust security solutions takes time," comments Stuart Kerry, chairman of the IEEE 802.11 Standards Working Group for WLANs. The Wi-Fi Alliance has been working alongside the IEEE to develop WPA, which is also working towards the longer-term goal of the 802.11i security standard. "WPA will meet the needs of both manufacturers and customers for the foreseeable future and the IEEE will also continue its work on the full 802.11i amendment, which is expected to be completed by mid-2003." Companies who use a VPN along with the new WPA standard in their WLANs will have nothing to fear about poor security, says Gartner. "It's easy to fall into the trap of looking only at the hype when it comes to risk," says Nigel Deighton, VP at Gartner. "But companies also have to be realistic about security and take some very basic steps." These can often be something as simple as securing wireless devices with PIN codes. Despite the industry's best efforts to beef-up the security of Wi-Fi, many breaches are still perpetrated by clandestine 'rogue' users. War-chalking marks on the pavement are testament to a thriving cottage industry. However, they may need to keep their heads low as vendors try to sniff them out. Nortel Networks, for example, has launched a new centralised security architecture for Wi-Fi that will enable companies to detect and disconnect unauthorised access points attached to a network. Wi-Fi is not, of course, limited to the enterprise WLAN. Although public hotspots (P-WLANs) operated by independent service provides are proliferating, they are by their nature outside of the realm of the enterprise security manager. It is vital for enterprises to consider this when designing a security policy for WLAN use outside the office. Device-level authentication and secure VPNs will be central to stopping unauthorised access, rather than a blanket ban on P-WLAN use. In any case, it appears that many employees are still ignoring this type of restriction. An RSA Security survey published earlier this year recorded 328 wireless access points in just seven areas in the City of London alone and only a third of these were running WLAN security software. Last month KMPG carried out a WLAN 'honey pot' experiment in the City of London to get some indication of the extent of the problem. It set up three wireless points in different areas for a week each and recorded activity, detecting over three separate probes per working day, with 16 per cent of all the activity resulting in unauthorised network access. Interestingly, these attacks peaked during the morning and evening rush hours. According to Mark Osbourne, director of Security Services at KPMG, many companies are not actually that worried about security. "People do not believe that there are hackers out there," he points out. He warns that although many of the attacks look fairly benign, many hackers are still neophytes and that the problem will only get worse as their skills improve. Alastair Broom of systems integrator Omnetica says that companies have discovered that threats are no inducement to observe a ban policy, and that education and training are the best motivators. While security is the major issue in holding back WLAN adoption, companies also need to consider appropriate migration paths through the variety of standards. This task has been made slightly easier as IEEE 802.11 earlier this year finally fought off the alternative HomeRF standard which a number of large companies - including Motorola and Nokia - were backing right up to its demise. However, HomeRF was never more than a minor distraction for enterprises. The number of IEEE 802.11 flavours is more the issue for them now. Essentially The IEEE 802.11 standard operates in two different frequency bands, 5GHz and 2.4GHz. The main problem with the 2.4GHz band is that it is already swamped by devices as diverse as Bluetooth headsets, microwaves and cordless phones. The most widespread standard, called IEEE 802.11b, uses this frequency band with speeds of up to 11Mbps. IEEE 802.11a uses the 5GHz frequency band and offers a data rate up to five times faster at 54Mbps over a shorter distance. The IEEE is also developing a third flavour called 802.11g, which aims to boost the speed of the 2.4GHz-based products to 54Mbps. However, most companies are happy to deploy the 802.11b products. Frost & Sullivan's enterprise survey found little current evidence of a demand for movement to the higher-speed 802.11a standard. It does, however, believe that companies will start to migrate to the higher-speed standards over the next four years. This will be supported by vendors increasingly bringing multimode Wi-Fi devices to the market, tempting enterprises in particular to make a move to mobility. However, Gartner warns that becoming a wireless enterprise is no simple matter. "Don't worry about the technology, we have plenty of it and it works pretty well by now," says Gartner's Deighton. "Worry about how you are going to integrate mobility into your working culture. It makes little difference to strategy if technology is unstable and continues to change over the next five years." Anthony Plewes contributed to this report. silicon.com will be publishing more about what lies 'beyond Wi-Fi' over the next two weeks. Silicon.com Wi-Fi special report can be found at www.silicon.com/Wi-Fi.