
Years ago, at a computer show during the dot-com boom, I stopped
by the booth of a now-defunct high-speed wireless network provider and inquired
about the security of the vendor’s wireless networks. Specifically, I
questioned the inherent insecurity of the 802.11a standard, the prevalent
wireless networking specification at the time.

The engineer who was staffing the booth assured me that the
company’s wireless access was indeed secure, yet he failed to explain how or
why. It was more than apparent that he scoffed at the idea that I would even
ask such a question—particularly with potential customers present—and he seemed
to want nothing more than for me to walk away.

Of course, the booth was quite elaborate, complete with
fancy A/V displays and everyone working the booth dressed in sharp suits. But their
appearance belied their inability to understand the security of their own
products.

However, while most of us recognize the fact that looks are
deceiving, appearance still seems to be everything to a whole lot of people.
So I’m happy that the well-dressed agents of the Federal Bureau of
Investigation recently were able to conclusively demonstrate how insecure
the majority of wireless networks really are. In addition, the agency
announced that even 802.11b wireless access with Wired Equivalent Privacy
(WEP) encryption—widely touted as the secure replacement for the 802.11a
standard I was so concerned about years ago—is just as insecure.

I sincerely hope this satisfies those people who insist that
a suit and tie are prerequisites for knowledge of security information. It took
the FBI literally three minutes to demonstrate how to break WEP encryption and
gain access to a secured network.

The FBI’s findings should serve as a warning to
organizations currently using wireless access, and they might prevent some
companies from using wireless networks entirely. Regardless, companies need to
be more aware of the critical role that security plays in wireless networks.

Whatever comes of the FBI demonstration, it’s important that
companies fully understand this concept: Unless you’ve deployed end-to-end data
encryption, communication is never really secure, no matter how well-secured
the wireless network. Despite advances in wireless technology, the security of
a wireless network will never equal that of a wired network.

Unfortunately, most corporations that have already deployed
wireless access chose usability over security, just like most software
companies. In addition, many organizations don’t consider the fact that
wireless access doesn’t really offer any advantages over wired access in many
cases.

In fact, it can actually introduce new problems. I can’t tell
you how many times I’ve witnessed 802.11b wireless network problems caused
entirely by the use of 2.4-GHz wireless phones, often from wireless PBX
systems.

Despite my own personal disdain for wireless network access,
wireless networks are now in the corporate environment, and enterprise
deployments are increasing. However, I strongly advise organizations to use
this strategy when deciding whether to go wireless: Use wireless networking
only in cases where wired access is impossible, not just as a simple or trendy
alternative.

And while security should be a primary factor in this
decision, keep in mind that there are more than just security-related reasons
for staying wired. For example, wired networks can handle significantly higher
bandwidth, as well as offer better security, because they don’t broadcast
packets of information.

But if bandwidth isn’t a concern, and the powers-that-be are
convinced that wireless is the way to go, rest assured that it is possible to
make wireless access much more secure without depending on WEP. Two methods for
accomplishing this include using protocols such as Point-to-Point Tunneling
Protocol (PPTP) or Layer Two Tunneling Protocol (L2TP) and enforcing access controls
with usernames and passwords or some other authentication method. Add IPSec to
the mix, and you’ve got both access control and end-to-end encryption that’s
more secure than wired network access. But keep in mind that this solution is still
prone to interference.

Of course, some people will argue that 802.11i features all
of this security provided by Wi-Fi Protected Access (WPA)—WEP’s expected
replacement—as well as better interference control. While this is great news,
802.11i is no use to anyone until there are plans to replace all existing
wireless networking equipment or upgrade the firmware, if that’s even possible.

In addition, remember that no matter what security technologies
or standards emerge, there will always be someone out there trying to
break them—and that includes WPA. In my
experience, you can deploy Gigabit Ethernet access at a lower cost, and it provides
both superior security and bandwidth irrespective of data encryption.

If wireless access is your only alternative, explore the use
of PPTP/L2TP and IPSec on your existing infrastructure before deciding to replace
or upgrade existing 802.11a and 802.11b equipment. While it’s not
“pretty” from a technological point of view, it’s quite functional,
and it just might prove to be more secure than 802.11i. As for me, I’ll stick
with wired networks.

Jonathan Yarden is the
senior UNIX system administrator, network security manager, and senior software
architect for a regional ISP.