By George Ou

The freedom of wireless networking is enticing, but the accompanying risks are daunting. If you’re running a wireless LAN on the 802.11 standards, you may think your organization is secure. Think again. Joe User can drive to the local computer store, buy a wireless access point for less than $100, and be free from Ethernet cables and any legitimate security within 15 minutes. And hunting down one of these rogue access points is not an easy task.

The problem with WEP
During the inception of the 802.11 standards for wireless networking, the IEEE had to resolve a fundamental issue of wireless security: a wireless network is vulnerable because it sends radio signals through open air space, as opposed to electrical signals through closed wires. The Wired Equivalent Privacy (WEP) standard was created to address this liability. It was supposed to make wireless networks as private as wired networks by using 40-bit and 128-bit encryption. Maybe it’s due to a lack of peer review or some other misstep, but whatever the reason, that “equivalent privacy” is not so private after all.

To be precise, WEP can be broken very quickly after gathering 100 MB to 1,000 MB of data with freeware sniffers commonly distributed on the Web. Anybody with a $60 wireless PC card and a laptop can collect that data in three to 30 hours on a typical wireless network. From that point on, freeware utilities can easily break the WEP code.

Making things worse, range is not your friend—you’re vulnerable to this type of intrusion from points way beyond your parking lot. Ten dollars’ worth of stuff from Radio Shack and a Pringles potato chip can will boost an 802.11 card’s 100-foot range to about 10 miles line of sight. And we won’t even discuss what an industrial-grade directional antenna can do to you.

Because the 802.11 standard has no facility to centrally manage or distribute keys, WEP is fatally crippled by the fact that its keys are the same for all users and all sessions, and the keys never change. Attempting to manually change the WEP keys is highly impractical.

Many IT pros think they’ve found an answer with the use of VPNs, but VPNs for wireless LANs are not very practical or convenient, nor are they totally secure. First of all, VPNs require users to take the extra step of making a VPN connection after securing a wireless LAN connection. In addition, any interruptions in service (which are common for wireless LANs) will terminate the VPN connection and force users to reconnect to the VPN server.

On the issue of security, only the traffic to the VPN server is encrypted, so the wireless LAN interface itself is left wide open, forcing the need to run a personal firewall on the WLAN interface. Many vendors have come up with solutions to address some of these security and convenience issues. But licensing is costly, and these products don’t address the fundamental issue of wireless security. What is really needed is a WEP that works.

Introducing 802.1x and EAP
After the IEEE recognized the shortcomings of WEP and 802.11, it quickly came up with the 802.1x and EAP solution. A standard for Port Based Access Control for both wired and wireless networking, 802.1x in itself does not make wireless networking secure. However, combine 802.1x with the Extensible Authentication Protocol (EAP) standard, and the gold standard in wireless network security is born; it’s now possible to resolve WEP’s biggest liability: static user and session keys.

User authentication is now mutually assured, and WEP keys can be centrally managed with policies and distributed securely. WEP keys can now be unique for individual users and individual sessions. In addition, keys can be set to automatically expire every 10 minutes to force constant rekeying, which makes it impossible to collect the 100 to 1,000 MB of data that hackers need to break WEP.

The illustration below shows how this combination works.

The client makes a connection to the access point. At this point, the client is in an unauthorized state and not given an IP address or permitted access to the network in any way. The only thing the client can do is send 802.1x messages. The client sends user credentials to the access point with EAP, and the access point forwards the request to the Remote Authentication Dial-In User Service (RADIUS) server for approval. If the credentials are valid, the client will request credentials from the Authenticator via 802.1x and EAP. Once that process is complete, the RADIUS server issues a new temporary WEP key, and the access point allows the WEP session to proceed for that client. Every 10 minutes, the key expires and the EAP authentication process is run again to buy another 10 minutes of time.
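
The port gating and key expiry described above can be modeled in a few lines. This is an added example, not code from the article or from any vendor: the class names, the user table, and the "to-radius"/"forward"/"drop" labels are hypothetical, the RADIUS server is a constructed stub, and the mutual-authentication step and the real EAP and RADIUS packet formats are left out.

```python
import hmac
import os

EAPOL, IPV4 = 0x888E, 0x0800   # EtherTypes: 802.1X/EAP frames vs. ordinary IP traffic
REKEY_SECONDS = 600            # the article's 10-minute key lifetime

class RadiusStub:
    """Constructed stand-in for the RADIUS server; not a real RADIUS client."""
    def __init__(self, users):
        self.users = users     # hypothetical username -> password table

    def authenticate(self, user, password):
        stored = self.users.get(user, "")
        if not stored or not hmac.compare_digest(stored.encode(), password.encode()):
            return None
        return os.urandom(13)  # fresh 104-bit key for this user and this session

class AccessPointPort:
    """One client's logical port on the access point (the 802.1X authenticator)."""
    def __init__(self, radius):
        self.radius, self.key, self.expires = radius, None, 0.0

    def eap_login(self, user, password, now):
        self.key = self.radius.authenticate(user, password)
        self.expires = now + REKEY_SECONDS
        return self.key is not None

    def receive(self, ethertype, now):
        if ethertype == EAPOL:
            return "to-radius"  # authentication traffic is always accepted
        if self.key is not None and now < self.expires:
            return "forward"    # authorized: the session key is still valid
        return "drop"           # unauthorized, or the key has expired

def demo():
    port = AccessPointPort(RadiusStub({"alice": "correct horse"}))
    trace = [port.receive(IPV4, now=0)]                     # before login
    port.eap_login("alice", "correct horse", now=0)
    first_key = port.key
    trace.append(port.receive(IPV4, now=599))               # key still valid
    trace.append(port.receive(IPV4, now=600))               # key expired
    port.eap_login("alice", "correct horse", now=600)       # re-authenticate
    trace.append(port.receive(IPV4, now=601))
    return trace, first_key != port.key

if __name__ == "__main__":
    print(demo())
```

Time is passed in explicitly as seconds so the expiry boundary can be checked without waiting; a failed login also clears any key the port held, returning it to the unauthorized state.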

Security is worth the investment
For any business network where wireless encryption needs to hold beyond one day, the time for real wireless LAN security has arrived. It may cost a few times more than a consumer access point and require a more complex implementation, but your company’s security should be worth a lot more than a $100 SOHO wireless access point. Your $100,000 firewall is useless if someone puts up a rogue access point, and standard WEP can do little to stop such attacks.