home news blogs forums events research newsletter whitepapers careers


Network Computing Network Computing Network Computing
HOT PICKS

IMMERSE YOURSELF:

SOA

  |

Data Center

  |

802.11n

  |

Data Privacy

  |
APO  |

Virtualization

  |

NAC

  |

Security

  |

Network Mgmt

  |

Enterprise Apps

  |

Storage & Servers


Mobile & Wireless Technology
W O R K S H O P  
Security Still Up in the Air

  February 5, 2001
  By Tom Zeller


The idea of a wireless LAN has always had a certain charm -- suggesting an end to the expense and inconvenience of running cable, and to users' whining about being tethered to their desks. And now, with wireless standards firming up, throughput increasing and prices dropping, more and more IT managers are succumbing to temptation. In fact, Cahners In-Stat Group predicts that the wireless LAN market will grow 25 percent annually over the next few years, from $771 million last year to nearly $2.2 billion in 2004.



At the enterprise level, however, security is a major stumbling block. While the 802.11b wireless Ethernet standard includes several security measures that can lock down small installations, how well these measures scale to environments with tens of access points and hundreds of users is still unclear.

Enterprise-level wireless-LAN security is a two-pronged concern: Network access must be limited to authorized users, and wireless traffic must be shielded from sniffing by would-be packet hijackers.

Access Control

The best way to secure access to a wireless network -- and, hence, a corporate network -- is to instruct access points to pass only those packets originating from a list of known Ethernet addresses. Of course, MAC (Media Access Control) addresses can be spoofed, but an intruder would have to learn the address of an employee's Ethernet card. Unfortunately, this may not be difficult -- unlike internal NICs, many wireless PC cards have the MAC addresses printed in plain sight, right on the card.

Even assuming physical card security can be ensured, the problem of compiling and distributing a list of valid MAC addresses remains. In addition, each brand of access points has some limit on the number of addresses allowed. Lucent Technologies' Orinoco access point, for example, has a limit of 492 MAC addresses, so scalability is a concern. The good news, though, is that once entered, the list of addresses often can be saved and used to populate other access points.

Another setting on the access point that can be used to restrict access to approved users is the network name, also referred to as the SSID (Service Set ID). This feature was designed to let specific groups use particular access points. An access point can be configured either to allow any client to connect to it or to require that a client request use the access point by name. While not meant primarily as a security feature, setting the access point to require the network name can let the name act as a password.

As with any password scheme, however, the more people who know the password, the higher the probability that an unauthorized user will misuse it. Certainly the network name can be changed periodically, but each user must be notified of the new name and make the few clicks required to reconfigure his or her client -- arguably a deal killer as your network grows.

Stopping the Sniffer

The 802.11b standard allows for encrypted communication between clients and access points via WEP (Wired Equivalent Privacy). WEP is an optional RC-4-based, 40-bit encryption mechanism that encrypts the data portion of the packet. Because an initialization string is tacked on, adding in the 24 bits that are used to identify a device to the LAN, WEP is referred to by vendors as 64-bit encryption.

Unfortunately, high-end equipment can break 40-bit encryption in a matter of seconds. In addition, WEP has a loophole wide enough to sail a boatload of pirates through: Under WEP, all users of a given access point share the same encryption key. To achieve mobility within a campus, all access points must be set to use the same key, and all clients the same encryption key as well.

Given these limitations, some vendors do not implement WEP, though most provide models with and without it. In this case, an access point can be configured to never use WEP or to always require the use of WEP. In the latter case, an encrypted challenge is sent to the client. If the client cannot respond correctly, it will not be allowed to use the access point, making the WEP key, in effect, another password. As with using the network name as a password, you could routinely change the WEP key, but you'd have the same client notification and configuration issues involved with changing the network name.

Of course, an attacker possessing the WEP key could sniff packets off the airwaves and decrypt them. Nonetheless, requiring WEP substantially raises the minimum skill set that is needed to intercept and read wireless data.


   Page: 1 | 2 | 3 | Next Page





Ready to take that job and shove it?

Function:

Keyword(s):

State:
SPONSOR
RECENT JOB POSTINGS
CAREER NEWS
Go beyond Google and get vertical. These specialized search sites will help you find the business information you need -- fast.

Ari Balogh was named to the post of chief technology officer as the companys for a "realignment" of employees.










InformationWeek U.S. IT Salary Survey 2008
Salaries for business technology professionals are falling. Here's what you need to know in order to make good hiring decisions and personal career choices. Purchase Today: $299
 
ROLLING RIGHT ALONG
Follow key Network Computing Reviews from conception to completion. This Week: Holistic APM.



Network Computing Reports Emerging Enterprise Podcast Series: Secrets to Success








TechSearch


Microsite of the Week


Powerful Information at Your Fingertips



techweb
Online Communities TechWebInformationWeekLight ReadingIntelligent EnterprisebMightyNetwork ComputingDark ReadingDigital LibraryWall Street & Technology
Byte & SwitchNo JitterInternet EvolutionLight Reading's Cable Digital NewsContentinopleUnStrungBank Systems & TechnologyAdvanced TradingInsurance & Technology
Face-to-Face Events
InteropWeb 2.0 ExpoWeb 2.0 SummitVoiceConBlack HatCSISoftwareEntrprise 2.0 ConferenceGTEC
Mobile Business Expo
InformationWeek 500 ConferenceBuy Side Trading XchangeBuy Side Trading SummitBank Executive SummitInsurance Executive SummitTelcoTVEthernet ExpoOptical Expo
Magazines  
InformationWeekWall Street & TechnologyInsurance & TechnologyBank Systems & TechnologyAdvanced TradingMSDNTechNetSmart EnterpriseThe Architecture JournalDatabase Magazine
 
Research & Analyst Services  
Heavy ReadingInformationWeek ReportsInformationWeek Analytics
 
   
   
App Infrastructure   |   Messaging & Collaboration   |   Network & Systems Mgmt   |   Network Infrastructure   |   Security  |   Storage & Servers   |   Wireless   |   Enterprise Apps
About Us  |  Contact Us  |  Site Map  |  Technology Marketing Solutions  |   Briefing Centers
Copyright © 2008  United Business Media LLC  |  Privacy Statement  |  Terms of Service  |  Your California Privacy Rights