Years ago, at a computer show during the dot-com boom, I stopped by the booth of a now-defunct high-speed wireless network provider and inquired about the security of the vendor's wireless networks. Specifically, I questioned the inherent insecurity of the 802.11a standard, the prevalent wireless networking specification at the time.
The engineer who was staffing the booth assured me that the company's wireless access was indeed secure, yet he failed to explain how or why. It was more than apparent that he scoffed at the idea that I would even ask such a question—particularly with potential customers present—and he seemed to want nothing more than for me to walk away.
Of course, the booth was quite elaborate, complete with fancy A/V displays and everyone working the booth dressed in sharp suits. But their appearance belied their inability to understand the security of their own products.
However, while most of us recognize the fact that looks are deceiving, appearance still appears to be everything to a whole lot of people. So I'm happy that the well-dressed agents of the Federal Bureau of Investigation recently were able to conclusively demonstrate how insecure the majority of wireless networks really are. In addition, the agency announced that even 802.11b wireless access with Wired Equivalent Privacy (WEP) encryption—widely touted as the secure replacement for the 802.11a standard I was so concerned about years ago—is just as insecure.
I sincerely hope this satisfies those people who insist that a suit and tie are prerequisites for knowledge of security information. It took the FBI literally three minutes to demonstrate how to break WEP encryption and gain access to a secured network.
The FBI's findings should serve as a warning to organizations currently using wireless access, and it might prevent some companies from using wireless networks entirely. Regardless, companies need to be more aware of the critical role that security plays in wireless networks.
Whatever comes of the FBI demonstration, it's important that companies fully understand this concept: Unless you've deployed end-to-end data encryption, communication is never really secure, no matter how well-secured the wireless network. Despite advances in wireless technology, the security of a wireless network will never equal that of a wired network.
Unfortunately, most corporations that have already deployed wireless access chose usability over security, just like most software companies. In addition, many organizations don't consider the fact that wireless access doesn't really offer any advantages over wired access in many cases.
In fact, it can actually introduce new problems. I can't tell you how many times I've witnessed 802.11b wireless network problems caused entirely by the use of 2.4-GHz wireless phones, often from wireless PBX systems.
Despite my own personal disdain for wireless network access, wireless networks are now in the corporate environment, and enterprise deployments are increasing. However, I strongly advise organizations to use this strategy when deciding whether to go wireless: Use wireless networking only in cases where wired access is impossible, not just as a simple or trendy alternative.
And while security should be a primary factor in this decision, keep in mind that there are more than just security-related reasons for staying wired. For example, wired networks can handle significantly higher bandwidth, as well as offer better security, because they don't broadcast packets of information.
But if bandwidth isn't a concern, and the powers-that-be are convinced that wireless is the way to go, rest assured that it is possible to make wireless access much more secure without depending on WEP. Two ways to accomplish this are to tunnel traffic with a protocol such as Point-to-Point Tunneling Protocol (PPTP) or Layer Two Tunneling Protocol (L2TP) and to enforce access controls with usernames and passwords or some other authentication method. Add IPSec to the mix, and you've got both access control and end-to-end encryption that's more secure than wired network access. But keep in mind that this solution is still prone to interference.
Of course, some people will argue that 802.11i features all of this security provided by Wi-Fi Protected Access (WPA)—WEP's expected replacement—as well as better interference control. While this is great news, 802.11i is no use to anyone until there are plans to replace all existing wireless networking equipment or upgrade the firmware, if that's even possible.
In addition, remember that no matter what security technologies or standards emerge, there will always be someone out there trying to break them—and that includes WPA. In my experience, you can deploy Gigabit Ethernet access at a lower cost, and it provides both superior security and bandwidth irrespective of data encryption.
If wireless access is your only alternative, explore the use of PPTP/L2TP and IPSec on your existing infrastructure before deciding to replace or upgrade existing 802.11a and 802.11b equipment. While it's not "pretty" from a technological point of view, it's quite functional, and it just might prove to be more secure than 802.11i. As for me, I'll stick with wired networks.
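The PPTP/L2TP-plus-IPSec approach recommended above only protects traffic that actually stays inside the tunnel. As an added example (not part of the original column), this Python check classifies flow records seen on the wireless segment against a tunnel-only policy; the subnet, gateway address and flow records are constructed assumptions.

```python
# Added example: audit flows from the wireless segment against a
# "tunnel-only" policy. Addresses and flow records are constructed.
from ipaddress import ip_address, ip_network

WLAN_NET = ip_network("192.0.2.0/24")       # assumed wireless client subnet
VPN_GATEWAY = ip_address("198.51.100.10")   # assumed VPN concentrator

# (IP protocol number, destination port or None) -> tunnel component
IPSEC = {(17, 500): "IKE", (17, 4500): "IPsec NAT-T", (50, None): "ESP"}
PPTP = {(6, 1723): "PPTP control", (47, None): "PPTP GRE"}
L2TP_CLEAR = {(17, 1701): "L2TP"}

def classify(flow):
    """Return (verdict, detail) for one flow dict: src, dst, proto, dport."""
    src, dst = ip_address(flow["src"]), ip_address(flow["dst"])
    if src not in WLAN_NET:
        return ("ignore", "not from wireless segment")
    proto = flow["proto"]
    # GRE (47) and ESP (50) carry no ports
    key = (proto, None if proto in (47, 50) else flow.get("dport"))
    if dst != VPN_GATEWAY:
        return ("violation", "traffic bypasses the VPN gateway")
    if key in IPSEC:
        return ("ok", IPSEC[key])
    if key in PPTP:
        return ("weak", PPTP[key] + ": tunnelled, but no IPsec")
    if key in L2TP_CLEAR:
        return ("weak", "L2TP outside IPsec: UDP 1701 visible on the air")
    return ("violation", "non-tunnel protocol sent to gateway")

def audit(flows):
    """Group flows by verdict so violations can be reported or alerted on."""
    report = {"ok": [], "weak": [], "violation": [], "ignore": []}
    for f in flows:
        verdict, detail = classify(f)
        report[verdict].append((f["src"], f["dst"], detail))
    return report

SAMPLE_FLOWS = [  # constructed records, e.g. parsed from firewall logs
    {"src": "192.0.2.21", "dst": "198.51.100.10", "proto": 17, "dport": 500},
    {"src": "192.0.2.21", "dst": "198.51.100.10", "proto": 50},
    {"src": "192.0.2.22", "dst": "198.51.100.10", "proto": 6, "dport": 1723},
    {"src": "192.0.2.23", "dst": "198.51.100.10", "proto": 17, "dport": 1701},
    {"src": "192.0.2.24", "dst": "203.0.113.80", "proto": 6, "dport": 80},
    {"src": "10.0.0.5", "dst": "203.0.113.80", "proto": 6, "dport": 443},
]
```

When L2TP runs inside IPSec, only IKE and ESP appear on the wireless side, so a visible UDP 1701 flow means the tunnel is running without the encryption layer.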
Jonathan Yarden is the senior UNIX system administrator, network security manager, and senior software architect for a regional ISP.