Truths and Fictions
Then, too, there are times when wireless networks are left open by design. The number of public Wi-Fi hot spots is growing at a rapid pace. For better or for worse, hot-spot operators function on the assumption that users who need the security will open VPN tunnels to their corporate networks once they log on. Its not the best policy, but who can blame them? Public hot spots are cropping up everywhere, from fast-food hamburger stands to truck stops, and its just not practical for folks at the lunch counter to be handing out passwords to customers and reconfiguring their WLANs to accept them. Thats not to say that war-driving reports should be ignored. Even if their statistics exaggerate the case, theres a troubling truth behind them: The best security mechanisms cannot protect anyone who doesnt enable them.And by years end, the Institute of Electrical and Electronics Engineers is expected to ratify the 802.11i standard, which brings much stronger security to 802.11 devices. Last week at CeBIT, I caught up with Colin McNabb, CEO of wireless chipmaker Atheros Communications Inc., who bravely predicted that "11i is going to solidify security standards once and for all." The Advanced Encryption Standard (AES) called for in 802.11i has been approved as the Federal Information Processing Standard (FIPS)and has been adopted by the U.S. Department of Commerce and the National Institute of Standards and Technology (NIST). Atheros and other chipmakers have already begun building in AES support. But the vendors who build those chips into their devices typically ship them with security turned off in the default configuration to make them easy to install. Deploying that security is not always tough for users to do but, as Outmesguines friends experience shows, its also not always easy. Click here to read about Intel Corp.s decision to turn off the wireless features by default in its Grantsdale chipset. Also, studies have shown that the preshared key used in WPA will be vulnerable to dictionary attacks if users choose an easily remembered password that can be easily deciphered. (Hint: Instead of a password, use a passphrase that includes numbers and symbols.) It wont be until the industry finds an easy way to ensure that security is implemented in the default configurations of WLAN devices that the war-driving reports will go away. Until then, they serve as a reminder to all of us that we should take the job of wireless security seriously. Good fables usually do contain great truths. Check out eWEEK.coms Mobile & Wireless Center at http://wireless.eweek.com for the latest news, reviews and analysis.
The Wi-Fi Alliances adoption of WPA as a standard for certification last year closed the holes that WEP left open in WLAN security.