War Driving Misses Part of WLAN Security Picture

By Carol Ellison  |  Posted 2004-06-01 Print this article Print

The practice doesn't truly measure the level of security—but it does show us that even the best security mechanisms cannot protect anyone who doesn't enable them.

On a slow news day, you can always go "war driving." Thats what Mike Outmesguine did in an 800-mile drive down the California coastline in an Associated Press story this week. About 40 percent of the networks he detected from the laptop on the passenger seat of his Toyota 4Runner were not secured.
The news here, folks, is that this is not news. That 40 percent has hardly budged since PC Magazine did its first war-driving investigation into wireless LAN (WLAN) security more than two years ago.
Does that mean were as insecure now as we were then? Are we wireless warriors computing blindly in the wild? Are our transmissions really just out there for everyone to see? Dont ring the alarm just yet. My apologies to Benjamin Disraeli, who said there are three kinds of lies: lies, damned lies and statistics. And what we have here are statistics. Time and the law dont allow joyriding war drivers to truly access all of those networks to see whether they really are insecure. What you get from a war-driving report is rarely more than a surface glance. It tells how many networks are not running the native, over-the-air security mechanisms built into 802.11 devices. But this does not necessarily mean that theyre not running security at all. Detecting "open" WLANs by using a laptop, sniffing software such as NetStumbler and an antenna mounted atop a vehicle can identify networks that have not implemented Wired Equivalent Privacy (WEP) or the much stronger and much more secure Wireless Protected Access (WPA) that you get in newer devices. But can WEP even be called security? If anyone out there has not heard about WEPs many vulnerabilities, please raise your hand. Most enterprise networks gave up on WEP long ago, and the tools they do use to secure wireless network segments cant be detected by casual war drivers. Unless a war driver actually associates with a WLAN and gets an IP address, he cant really draw valid conclusions about the networks security. Any one of a number of other things might be going on. At the simplest level, a network manager can restrict Media Access Control (MAC) addresses to allow only known wireless devices onto the network. The technique is not practical in large enterprises with lots of devices to track, but it is realistic for the small or home office, and lots of integrators who sell and manage small WLANs do it. Enterprises can—and usually do—deploy 802.1X user authentication to require users to enter user names and passwords before theyre given network access. And if they have legacy WEP devices that cannot be upgraded to WPA, they can secure data transmissions on the wireless segments of their networks with Virtual Private Networks (VPNs). Next page: Truths and fictions about wireless-network security.

Carol Ellison is editor of eWEEK.com's Mobile & Wireless Topic Center. She has authored whitepapers on wireless computing (two on network security–,Securing Wi-Fi Wireless Networks with Today's Technologies, Wi-Fi Protected Access: Strong, Standards-based Interoperable Security for Today's Wi-Fi Networks, and Wi-Fi Public Access: Enabling the future with public wireless networks.

Ms. Ellison served in senior and executive editorial positions for Ziff Davis Media and CMP Media. As an executive editor at Ziff Davis Media, she launched the networking track of The IT Insider Series, a newsletter/conference/Web site offering targeted to chief information officers and corporate directors of information technology. As senior editor at CMP Media's VARBusiness, she launched the Web site, VARBusiness University, an online professional resource center for value-added resellers of information technology.

Ms. Ellison has chaired numerous industry panels and has been quoted as a networking and educational technology expert in The New York Times, Newsday, The Los Angeles Times and The Wall Street Journal, National Public Radio's All Things Considered, CNN Headline News, WNBC and CNN/FN, as well as local and regional Comcast and Cablevision reports. Her articles have appeared in most major hi-tech publications and numerous newspapers and magazines, including The Washington Post and The Christian Science Monitor.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel