Security
WORKSHOP
WLAN Security on the Rise

  February 4, 2002
  By Dave Molta



Ask a room full of IT managers to identify the biggest impediment to wireless LAN deployment and it's a safe bet more than half of them will put security at the top of their lists. That's a big problem, not only for users who are itching to gain wireless access to enterprise information resources but also for vendors that are trying to sell wireless infrastructure and applications.



A cynic might say the talk of security vulnerabilities associated with WLANs is overblown, yet another example of a rambunctious media seizing the low-hanging fruit of attention-getting headlines. There's some merit to this argument. As we've said repeatedly over the years in these pages, security policy involves a delicate balance among risk assessment, cost and convenience.

For some organizations with sensitive systems secured behind internal firewalls, it might not be a big problem when you give users inside your organization unauthenticated access to the network for Web and e-mail usage just by popping $89 wireless NICs into their notebook computers. But providing wireless access to secure systems--that's a different need altogether, and one that's not particularly easy to meet without deploying proprietary and/or expensive solutions.

The Goals of Wireless Security

If you are a network manager evaluating WLAN security, you should be concerned about three separate issues: authentication, privacy and authorization. Focusing too much on one of these capabilities without adequately addressing the others is like installing the world's greatest deadbolt system on the doors of your home while leaving the ground-floor windows open.

Network infrastructure designers haven't traditionally worried much about authentication on their wired LANs, probably because most wired LAN ports are installed in relatively secure offices. With wireless LAN radio waves propagating throughout--and often beyond--the enterprise, WLANs present a different problem: anyone within radio range can attempt to associate. Things may change in the coming years if the emerging IEEE 802.1X standard (port-based network access control, which carries an EAP authentication exchange between the client and an authentication server before the port passes traffic) catches on in the market, but today's standards-based WLANs provide very little in the way of integrated authentication. The inclusion of 802.1X support in Microsoft Windows XP, combined with support in a new generation of access points, is a start, but gaining support for legacy systems will take time.

WLAN privacy is normally enforced through some type of data-stream encryption, usually WEP (Wired Equivalent Privacy). WEP encrypts each frame with the RC4 stream cipher under a shared key of 40 or 104 bits, combined with a 24-bit per-frame initialization vector (IV) that is transmitted in the clear; vendors market the two key sizes as "64-bit" and "128-bit" WEP. The cipher is typically implemented in the NIC's hardware to minimize performance degradation.

Unfortunately, WEP provides a weak foundation for security. Recent headlines have focused on a published weakness in RC4's key scheduling that lets an eavesdropper recover the shared WEP key passively from captured frames, and tools that automate the attack are widely available. But even if WEP's encryption weren't breakable, its static-key architecture, which allows for the definition of up to four keys shared between access points and all of their clients, has never been a viable solution for networks with more than 100 or so nodes. There's simply no easy way to protect the keys or to update them on a regular basis, and every departing employee or lost notebook means rekeying every device on the WLAN.
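The following Python model is added here as an illustration and is not code from the article. It implements RC4 and WEP's per-frame encapsulation (IV || RC4 keystream XOR payload || CRC-32 ICV) with a constructed 40-bit key and constructed frames, and shows a structural weakness that exists independently of the RC4 key-scheduling attack in the headlines: because the key is static and the IV is only 24 bits, keystreams repeat, and one frame with predictable content under a given IV hands an eavesdropper the keystream for every other frame sent under that IV, without the key.

```python
"""WEP keystream reuse, modelled on a constructed key and constructed frames.

Added example, not from the original article or any vendor's code.
"""
import binascii
import struct

IV_LEN = 3          # WEP's 24-bit initialization vector, sent in the clear before the ciphertext
ICV_LEN = 4         # CRC-32 "integrity check value" appended to the payload before encryption
IV_SPACE = 1 << 24  # with a static key, the per-IV keystream repeats once the IV counter wraps


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Standard RC4: key-scheduling (KSA) followed by the output generator (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(payload: bytes) -> bytes:
    """WEP's integrity check: CRC-32 of the payload, little-endian, encrypted along with it."""
    return struct.pack("<I", binascii.crc32(payload) & 0xFFFFFFFF)


def wep_encrypt(shared_key: bytes, iv: bytes, payload: bytes) -> bytes:
    """Frame body = IV || RC4(IV || shared_key) XOR (payload || ICV). Key is 5 or 13 bytes."""
    assert len(iv) == IV_LEN and len(shared_key) in (5, 13)
    plaintext = payload + icv(payload)
    return iv + xor_bytes(plaintext, rc4_keystream(iv + shared_key, len(plaintext)))


def wep_decrypt(shared_key: bytes, frame: bytes):
    """What a legitimate station does: returns (payload, icv_ok)."""
    iv, body = frame[:IV_LEN], frame[IV_LEN:]
    plaintext = xor_bytes(body, rc4_keystream(iv + shared_key, len(body)))
    payload, tag = plaintext[:-ICV_LEN], plaintext[-ICV_LEN:]
    return payload, tag == icv(payload)


def recover_keystream(frame: bytes, known_payload: bytes) -> bytes:
    """Eavesdropper: a frame whose plaintext is known yields the keystream for its IV, no key needed."""
    return xor_bytes(frame[IV_LEN:], known_payload + icv(known_payload))


def decrypt_with_keystream(frame: bytes, keystream: bytes) -> bytes:
    """Eavesdropper: decrypt any other frame sent under the same IV; returns payload without ICV."""
    body = frame[IV_LEN:]
    if len(keystream) < len(body):
        raise ValueError("recovered keystream is shorter than this frame; only a prefix is readable")
    return xor_bytes(body, keystream[:len(body)])[:-ICV_LEN]


def demo() -> bytes:
    """Two frames under one IV: the predictable one unlocks the secret one."""
    shared_key = bytes.fromhex("0123456789")        # constructed 40-bit key, identical on every node
    iv = b"\x00\x00\x01"                            # constructed; a 24-bit counter must repeat within IV_SPACE frames
    known = b"GET /index.html HTTP/1.0\r\n"          # traffic the eavesdropper can predict or induce
    secret = b"password=hunter2\r\n"                 # a victim's frame that happens to use the same IV
    frame_known = wep_encrypt(shared_key, iv, known)
    frame_secret = wep_encrypt(shared_key, iv, secret)
    keystream = recover_keystream(frame_known, known)   # the key is never touched from here on
    return decrypt_with_keystream(frame_secret, keystream)


if __name__ == "__main__":
    print(demo())
```

The eavesdropper side never calls `wep_decrypt` and never learns the shared key; it only needs one plaintext/ciphertext pair per IV. Since the IV is sent unencrypted in every frame, collecting such pairs and indexing them by IV is a bookkeeping exercise, and a busy access point exhausts the 2^24 IV space in hours, which is why rotating the static key would matter even if RC4's key scheduling were sound.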

Then there's the problem of authorization. Even if you could restrict access by implementing some form of authentication, resource access is usually an all-or-nothing proposition: everyone who gets onto the LAN has access to the same resources. For many organizations contemplating the deployment of WLANs, a more granular, per-device or per-subnet access-control system, in which resource access is restricted or granted based on who you are, would be desirable.

Finally, even if you can address each of these issues, you're probably still not out of the woods. Thanks in part to standards and competition, virtually any user within your organization can now set up a wireless LAN in his or her office for less than $150. And guess what? It's happening all the time in an office near you.

Preventing people from doing this is nearly impossible, just as it was once impossible to stop people from installing dial-up modems on their PCs and using Symantec pcAnywhere to access their machines from home. The only viable solution to this problem involves definition of appropriate security policies and a program of periodic monitoring and enforcement.

The Solution Landscape

In light of all the concerns about WLAN security, it's not surprising that vendors have stepped in to provide solutions. Most of the major WLAN infrastructure vendors have their own security solutions, and there's also an emerging market of software and hardware security overlays.

Unfortunately, none of these solutions are optimal. Most are relatively immature. Some sacrifice interoperability. Others carry high price tags. Still others require the installation and maintenance of software on every client device. The IEEE 802.11 committee, painfully aware of the awkward state of affairs, has Task Group I busy working on solutions. However, progress toward a unified standards-based security framework has been slow.

If you choose to operate within the confines of the security capabilities provided by all WiFi (Wireless Fidelity)-certified WLAN products, you can do so, but the administrative costs may be high, and you still may have some security exposures. Many new WLAN managers naively view the 802.11 SSID (service set identifier) as an element of their security implementations. Each 802.11 WLAN access point must be assigned an SSID, and WLAN clients use the SSID when they associate with the access point. This system doesn't ordinarily provide much security, however, because most access points broadcast their SSIDs in their beacon frames.

Thus, any WLAN client that can be configured to scan for SSIDs will recognize the availability of access points and often present the available systems to you in a pick list. Some access points can be configured to suppress the SSID in their beacons. On systems configured this way, only clients that already know the SSID will associate with that access point, but this is obscurity rather than security: the SSID still travels in the clear in the probe and association frames exchanged whenever a legitimate client connects, so anyone passively capturing 802.11 traffic learns it the next time a user joins the network.

Some network managers take advantage of access-control lists based on MAC (Media Access Control) addresses, a feature supported in most access points. This is an effective solution for small networks, but it has several problems. First, hackers can spoof MAC addresses, thereby overcoming the access-control restrictions. Second, the number of MAC address entries any given access point can support usually has limits, a potential problem in environments with thousands of wireless nodes. Finally, in multiple access-point environments, you need to have a system in place to automatically distribute all MAC address entries to all access points.
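The monitoring program called for above (periodically sweeping for access points users have installed on their own) and the MAC ACL housekeeping just described are both audit jobs that can be scripted. The Python below is an added example, not code from the article or from any access-point vendor; it runs over constructed scan results and constructed per-AP ACL dumps (the formats a real scanner or AP would export are an assumption) and reports rogue APs, unlisted APs impersonating the corporate SSID, authorized APs running without WEP, and ACLs that have drifted from the master list or that exceed an AP's entry limit. It does not try to detect a spoofed MAC address: an ACL accepts a cloned address by construction, which is exactly why the list is something to audit rather than to trust.

```python
"""Periodic WLAN audit over constructed data: rogue APs and MAC ACL drift.

Added example, not the article's or any vendor's code. Scan rows and ACL
dumps are constructed inline; a real deployment would feed them from the
scanner and the access points' management interfaces.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ScannedAP:
    """One row of a site survey, as a client's pick list would show it."""
    bssid: str          # the access point's radio MAC address
    ssid: str
    channel: int
    wep_enabled: bool


def norm_mac(mac: str) -> str:
    """Canonical lower-case colon form so 00-11-22-33-44-55 and 00:11:22:33:44:55 compare equal."""
    hexdigits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def audit_scan(scan, authorized):
    """Compare a scan against the inventory (BSSID -> SSID that AP should advertise)."""
    authorized = {norm_mac(b): s for b, s in authorized.items()}
    corporate_ssids = set(authorized.values())
    findings = []                                   # (kind, bssid, detail), in scan order
    for ap in scan:
        bssid = norm_mac(ap.bssid)
        if bssid in authorized:
            if ap.ssid != authorized[bssid]:
                findings.append(("misconfigured", bssid, f"expected SSID {authorized[bssid]!r}, saw {ap.ssid!r}"))
            if not ap.wep_enabled:
                findings.append(("open", bssid, "authorized AP is running without WEP"))
        elif ap.ssid in corporate_ssids:
            findings.append(("impersonation", bssid, f"unlisted AP advertising corporate SSID {ap.ssid!r}"))
        else:
            findings.append(("rogue", bssid, f"unlisted AP {ap.ssid!r} on channel {ap.channel}"))
    return findings


def audit_acl_drift(master_acl, per_ap_acl, ap_capacity):
    """Check every AP's MAC ACL against the master list and the AP's entry limit."""
    master = {norm_mac(m) for m in master_acl}
    report = {}
    for ap_name, acl in per_ap_acl.items():
        entries = {norm_mac(m) for m in acl}
        missing = sorted(master - entries)          # authorized clients this AP will reject
        extra = sorted(entries - master)            # addresses admitted here that nobody approved
        over = len(master) > ap_capacity            # the full master list cannot fit on this AP
        if missing or extra or over:
            report[ap_name] = {"missing": missing, "extra": extra, "exceeds_capacity": over}
    return report


# Constructed inventory and scan (locally administered addresses; no real vendor implied).
AUTHORIZED_APS = {"02:00:00:00:00:01": "corp", "02:00:00:00:00:02": "corp"}
SAMPLE_SCAN = [
    ScannedAP("02:00:00:00:00:01", "corp", 1, True),
    ScannedAP("02-00-00-00-00-02", "corp", 6, False),     # authorized, but WEP switched off
    ScannedAP("02:00:00:00:00:99", "corp", 11, True),     # unknown radio using the corporate SSID
    ScannedAP("02:00:00:00:00:42", "default", 6, False),  # an $89 AP someone plugged in
]
# Constructed master ACL and per-AP dumps; ap_capacity=2 models a small AP's entry limit.
MASTER_ACL = ["00:11:22:33:44:55", "00-11-22-33-44-66", "00:11:22:33:44:77"]
PER_AP_ACL = {
    "ap-floor1": ["00:11:22:33:44:55", "00:11:22:33:44:66", "00:11:22:33:44:77"],
    "ap-floor2": ["00:11:22:33:44:55", "00:11:22:33:44:66", "00:11:22:33:44:88"],
}


def run_audit():
    return audit_scan(SAMPLE_SCAN, AUTHORIZED_APS), audit_acl_drift(MASTER_ACL, PER_AP_ACL, ap_capacity=2)


if __name__ == "__main__":
    scan_findings, acl_report = run_audit()
    for kind, bssid, detail in scan_findings:
        print(f"{kind:14} {bssid}  {detail}")
    for ap_name, drift in acl_report.items():
        print(ap_name, drift)
```

Run from a scheduled job, the scan half is the "periodic monitoring" the policy needs, and the ACL half replaces the by-hand comparison that breaks down once there are more than a handful of access points. Note that `audit_acl_drift` flags capacity against the size of the master list, not the dump: an AP that silently truncated the list at its limit would otherwise look merely "missing" a few entries.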

For privacy, there is WEP, which provides a base level of data encryption. Although WEP's encryption system has been shown to be vulnerable, some vendors are now shipping enhanced versions that inhibit the use of "easily guessable" WEP keys. Even if you are comfortable depending on WEP for privacy, key distribution can be a real headache. If your network includes more than 100 clients, maintaining WEP keys on access points and clients will likely be a significant administrative burden.
