The latest on Wi-Fi dangers and standards

The latest in the WLAN protocol wars

Although wireless networking holds great promise for extending and mobilizing the 24/7 connected world we've all become accustomed to, it obviously comes with a wide variety of manageability and security headaches for IT departments. Two of the biggest problems IT administrators currently face are protecting mobile users who are now connecting to public wireless hotspots and keeping well informed about the latest standards and techniques for securing wireless LANs.

The public wireless problem
More and more wireless networks now beckon the unwary road warrior. So it's become vital for administrators to take responsibility for the mobile workers carrying company data out into the connected world of airports, high-dollar coffee shops, hotels, restaurants, and taverns—many of which now allow users to connect their laptops and/or PDAs to the Web using public wireless networks.

If you've never given this a thought before, consider how little your laptop-equipped users are aware of the dangers of logging on to any random network they encounter in their travels. At a bare minimum, you need to educate them about the threat these open networks pose. You may also need to scrub their systems of any critical unencrypted corporate data they are carrying around.

Just as companies are coming to realize how dangerous unfiltered access to the Internet is in the office, IT professionals as well as users must start viewing public wireless networks as a wilderness where many systems could become easy prey for attackers. After all, why should a hacker go to all the trouble of breaking into a corporate network when an open wireless network provides easy access to a corporate system? From there, an attacker can, for example, plant a Trojan or raid corporate data stored locally on the system.

A well-configured firewall is essential for any laptop that has wireless capabilities—regardless of whether the person carrying it has any confidential information—because, at a minimum, they may pick up a Trojan, a virus, or other malicious software and later transfer it to the company network.

Keep up with WLAN security
Securing your own wireless network can be a much bigger challenge than guarding your mobile users, due both to weak security offerings and to a confusing array of standards in the wireless field. In fact, most wireless vendors ship their offerings with encryption turned off and/or with very weak security settings as part of the default configuration.

Even with encryption turned on, a Wi-Fi network is inherently insecure because the encryption used is weak. Forcing your users to use encryption locally will at least prevent the average script kiddie—who just got a laptop as a birthday present—from penetrating your system by doing little more than walking past your office building. The effort to encrypt your WLAN may also provide a good legal, if not technical, defense against serious hackers taking over your network for illegal purposes.

Although configuring an open wireless LAN has become so simple that virtually anyone can do it, securing one is a major challenge worthy of the time and talents of a top security expert.

In the beginning, 802.11b relied primarily on MAC address filtering for access control. If you had an allowed MAC address, you could connect to the wireless access point. The only problem was spoofing. Your wireless device continually broadcast its address, and any attacker could intercept it and spoof the MAC address to match the allowed address.

Data was secured using Wired Equivalent Privacy (WEP). But WEP generally uses a 40-bit encryption key (sometimes 64-bit) and only a 24-bit initialization vector (IV), which makes it extremely vulnerable. The 128-bit WEP2 is available on some systems. A major problem with WEP is the 24-bit IV, which is so small that many networks will reuse the same IV multiple times in a single day. In fact, it is so insecure that there are free hacker tools available on the Internet to crack a busy WEP network in a few hours.
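To put numbers on the IV problem described above, here is an added example (not code from the original article) that works out how quickly a 24-bit IV space is exhausted or repeated, and then counts IV reuse per BSSID over a handful of constructed WEP frame headers, the check a wireless monitor would run. The frame layout assumed is a 24-byte 802.11 MAC header followed by the 4-byte WEP header (3-byte IV plus key id); the BSSIDs and frames are constructed, not captured traffic.

```python
"""Why a 24-bit WEP IV is too small: birthday-bound arithmetic plus an
IV-reuse counter over WEP frame headers.

Added example for illustration; not code from the original article.
"""
import math
from collections import Counter

IV_BITS = 24
IV_SPACE = 1 << IV_BITS          # 16,777,216 distinct IVs per key


def frames_until_collision(p: float = 0.5, space: int = IV_SPACE) -> int:
    """Birthday bound: frames needed before the chance of at least one
    repeated IV reaches probability p, assuming IVs are picked at random."""
    return math.ceil(math.sqrt(2 * space * math.log(1.0 / (1.0 - p))))


def hours_to_exhaust(frames_per_second: float, space: int = IV_SPACE) -> float:
    """Sequential IV counter: hours until every IV has been used once and
    the counter wraps, after which every IV (and keystream) is reused."""
    return space / frames_per_second / 3600.0


def wep_iv(frame: bytes, header_len: int = 24) -> int:
    """Extract the 3-byte WEP IV that follows the 802.11 MAC header.
    The 4th WEP header byte (pad + key id) is ignored. header_len=24 is a
    plain data frame without QoS or Addr4 fields (assumption)."""
    iv_bytes = frame[header_len:header_len + 3]
    return int.from_bytes(iv_bytes, "big")


def find_iv_reuse(frames):
    """frames: iterable of (bssid, raw_frame). Returns {(bssid, iv): count}
    for every IV seen more than once under the same BSSID, i.e. every
    keystream reuse a monitor should flag."""
    counts = Counter((bssid, wep_iv(raw)) for bssid, raw in frames)
    return {k: v for k, v in counts.items() if v > 1}


def _fake_frame(iv: int, payload: bytes = b"\x00" * 8) -> bytes:
    """Constructed sample frame: frame-control bytes for a protected data
    frame, zero-filled rest of the MAC header, then the WEP header."""
    header = b"\x08\x41" + b"\x00" * 22          # constructed, not real traffic
    wep_hdr = iv.to_bytes(3, "big") + b"\x00"     # key id 0
    return header + wep_hdr + payload


SAMPLE_FRAMES = [                                  # constructed sample capture
    ("00:11:22:33:44:55", _fake_frame(0x000001)),
    ("00:11:22:33:44:55", _fake_frame(0x000002)),
    ("00:11:22:33:44:55", _fake_frame(0x000001)),  # IV 1 reused -> flag
    ("00:11:22:33:44:55", _fake_frame(0xABCDEF)),
    ("66:77:88:99:AA:BB", _fake_frame(0x000001)),  # same IV, other BSSID: fine
]

if __name__ == "__main__":
    print("frames until 50% chance of a repeated IV:", frames_until_collision())
    print("hours to cycle the IV space at 500 frames/s:",
          round(hours_to_exhaust(500), 1))
    print("IV reuse in sample capture:", find_iv_reuse(SAMPLE_FRAMES))
```

Two things to take from the output: with random IVs a 50% chance of a repeat is reached after only a few thousand frames, and a sequential counter on a moderately busy access point wraps within a working day, which is why the article's "reuse the same IV multiple times in a single day" is the normal case rather than the exception.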

Adding IPsec can be a major improvement for security, but most wireless networks are already plagued with quality of service (QoS) issues, so using sophisticated encryption schemes across the network is usually not an acceptable solution unless you upgrade the hardware on the entire network.

Several wireless vendors have quickly moved to secure their market share by improving the authentication side to offer better security for their products. Cisco and Microsoft have pushed RSA's Protected Extensible Authentication Protocol (PEAP) to authenticate users through a secure tunnel. Cisco also has another security protocol, termed Lightweight EAP (LEAP), which is simple to implement (on Cisco equipment), although the passwords may be vulnerable to dictionary attacks. Both of these are based on the IEEE 802.1X framework and are improvements over WEP, allowing authentication without having a certificate on the client.

But PEAP isn't as useful as it could be because Cisco's version isn't the same as Microsoft's and—surprise—the two aren't compatible. The EAP-TLS protocol used in Windows XP's 802.1X client is strong but requires both server and client certificates.

Another EAP-based protocol, Tunneled Transport Layer Security (TTLS), developed by Funk Software, is nearly identical to PEAP—but the key word is "nearly." EAP-TTLS offers strong security and easy configuration, requiring only server-side certificates.

The new Wi-Fi Protected Access (WPA) is also being pushed by Microsoft, Cisco, and members of the Wi-Fi Alliance. You can download a WPA upgrade for Windows XP from Microsoft.

None of these EAP-based authentication systems fully addresses the data security problem posed by the continued reliance on WEP, which is why many organizations have turned to using VPNs to encrypt all communications sent over a wireless link. The drawback is that a VPN adds another layer of latency and complexity to the WLAN. In short, it simply shouldn't have to be that difficult to make a secure WLAN connection.
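The EAP discussion above (PEAP, LEAP, and TTLS needing only a server certificate) and this paragraph's point that EAP authentication leaves the data on WEP both come down to settings a client is configured with. The following added example, which is not code from the article or from any vendor, parses wpa_supplicant-style network={...} blocks (the sample configuration is constructed) and flags the configurations the article warns about: open networks, WEP, 802.1X authenticating over WEP data encryption, LEAP, and PEAP or TTLS without a ca_cert, since a server-certificate-only method is only as good as the client's check of that certificate. The key names used (key_mgmt, eap, ca_cert, wep_key0, phase2) are real wpa_supplicant options; the SSIDs, identities, and password are placeholders.

```python
"""Audit wpa_supplicant-style network blocks for the weaknesses the
article describes. Added example, not code from the article; the
configuration text below is constructed for illustration."""
import re

SAMPLE_CONF = """
network={
    ssid="guest-cafe"
    key_mgmt=NONE
}
network={
    ssid="legacy-wep"
    key_mgmt=NONE
    wep_key0=0123456789
    wep_tx_keyidx=0
}
network={
    ssid="corp-8021x"
    key_mgmt=IEEE8021X
    eap=PEAP
    identity="alice"
    password="placeholder-password"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="corp-wpa"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="alice"
    password="placeholder-password"
    ca_cert="/etc/ssl/certs/corp-ca.pem"
    phase2="auth=MSCHAPV2"
}
"""

_BLOCK = re.compile(r"network=\{(.*?)\}", re.S)


def parse_networks(text):
    """Return one dict per network={...} block, with quoted values unquoted."""
    nets = []
    for body in _BLOCK.findall(text):
        net = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = line.split("=", 1)       # phase2="auth=..." keeps its '='
            net[key.strip()] = value.strip().strip('"')
        nets.append(net)
    return nets


def audit(net):
    """Findings for one network block; an empty list means nothing flagged."""
    findings = []
    # wpa_supplicant's default key_mgmt is "WPA-PSK WPA-EAP" when unset
    kms = set(net.get("key_mgmt", "WPA-PSK WPA-EAP").split())
    eap = net.get("eap", "").upper()
    if "NONE" in kms:
        if any(k.startswith("wep_key") for k in net):
            findings.append("WEP: 24-bit IV and keystream reuse; replace with WPA")
        else:
            findings.append("open network: no authentication, no encryption")
    if "IEEE8021X" in kms:
        findings.append("802.1X over WEP: authentication improved, data still WEP-encrypted")
    if eap in ("PEAP", "TTLS") and not net.get("ca_cert"):
        findings.append(f"{eap} without ca_cert: client will accept any server certificate")
    if eap == "LEAP":
        findings.append("LEAP: password-based, exposed to dictionary attacks")
    return findings


def audit_config(text):
    """Map each block's SSID to its findings."""
    return {net.get("ssid", "?"): audit(net) for net in parse_networks(text)}


if __name__ == "__main__":
    for ssid, findings in audit_config(SAMPLE_CONF).items():
        print(ssid, "->", findings or ["ok"])
```

Only the last block comes back clean: it uses WPA-EAP for the data channel, TTLS with a server-side certificate, and a ca_cert line so the supplicant actually verifies that certificate. The corp-8021x block shows the situation the paragraph above describes, strong authentication in front of WEP-encrypted data.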

Final word
This only skims the surface of the protocol wars raging in the wireless world at this time. In the near term, if you're adding (or moving entirely to) a wireless network, you'll be well advised to stick with a single vendor throughout if you hope to secure your wireless networks. Otherwise, you need to choose technologies compatible with some third-party vendor and rely on that company to keep your system working. Even if you get everything working properly, you should still take a long, hard look at what information you place on that network.

A testament to the wireless problem
I decided to write this article after I spoke at the Summercon hacker convention in Pittsburgh recently. There were probably 30 open networks within a single square mile around the conference site, and other cities have similar WLAN-rich areas around universities and high-tech businesses. I saw people logging onto three and four wireless networks from PDAs right in the hotel lobby, and only one of the networks was owned by the hotel.

Everyone from the overt FBI agent to a former NSA staff member to the average hacker was logging onto wireless networks, and I bet even in that elite group, no more than half realized that merely by connecting to an open network they were potentially opening up their computers to anyone else on the same wireless network.

Even worse, only a few of those networks were intended for general public use. Most were private networks with so little security that anyone could log on, almost by accident.
