Wireless local-area networks are notoriously insecure. But that's not stopping companies from cobbling together technologies. Learn strategies for managing. (Baseline)
Why do organizations offer wireless access to their networks or Internet even though it's fraught with risks? Companies want to protect themselves rather than allow individuals to hook up Wi-Fi on their own.
In the absence of strong security standards, companies are cobbling together technologies, living with gaps, and hoping for the best.
Sure, there's Wired Equivalent Privacy (WEP), the encryption approach that was supposed to make Wi-Fi—or “wireless fidelity”—connections as resistant to hackers as wired networks are. But enterprise-security experts say WEP is wimpy, partly because it relies on unchanging, shared encryption keys that are relatively easy to crack.
“We believe that WEP is useless, so we don't use it,” says John Halamka, chief information officer at CareGroup Healthcare Systems, which has rolled out Cisco wireless networks in all six of its hospitals in Massachusetts. “Instead, we're going with strong authentication and Web-based encryption.”
Unfortunately, no widely supported standard has come along to improve on WEP. That's a problem for information-technology managers because wireless networks transmit data—sometimes sensitive corporate or personal information—over open airways between desktop computers, laptops and other devices.
Wireless vendors have been haggling for years over a replacement security standard—802.11i—that promises strong encryption and authentication. Products using that standard aren't expected until late next year at the earliest. In the meantime, vendors such as Microsoft and Cisco Systems have come up with an interim fix—802.1x—that incorporates some of the improvements expected in 802.11i. Because each vendor has implemented 802.1x differently in its products, network managers have difficulty supporting more than a single kind of wireless equipment or brand of access point.
Some networking pros accept known wireless-security holes, at least until vendors address the problem.
“We're doing the best we can given a very fast-changing situation,” says Eric Barnett, wireless administrator at Arkansas State University. Two years after starting to deploy a wireless network that has grown to 93 Cisco access points, Barnett scrapped plans to use the Wired Equivalent Privacy standard when its flaws were revealed. But he can't use Cisco's proprietary version of 802.1x authentication, known as Cisco LEAP, either—as many as 10,000 campus Wi-Fi users can't all be expected to have laptops equipped with wireless cards capable of working with Cisco.
Instead, Barnett has come up with a compromise: Cisco LEAP for those with compatible cards, and for all others, a much weaker scheme that checks a unique identifier in laptops and other devices before allowing them to access the network.
Despite security challenges, a growing number of organizations are adopting Wi-Fi technology. Infonetics Research predicts total spending on Wi-Fi technologies will increase from $1.68 billion in 2002 to $2.72 billion in 2006. While most of that spending has been by consumers and in such places as colleges and hospitals, enterprises are beginning to get onboard. A Yankee Group survey found that 37 percent of large enterprises are testing or deploying wireless networks, and another 14 percent expect to join them in the next 12 months.
Wi-Fi Payback?
Many see Wi-Fi—and the new applications it enables—leading to tangible payback. Clerks at stores owned by Orlando, Fla.-based beverage retailer ABC Fine Wines & Spirits, for example, save about five hours per week now that they scan incoming inventory and place resupply orders using Palm handheld devices and a Symbol wireless network instead of paper and fax. Multiply that time savings by 150 stores, and you're talking big bucks, says Guy Ledbetter, ABC's help desk manager.
Business furniture maker Steelcase is testing phones that work over the Wi-Fi network covering public areas on the company's Grand Rapids, Mich., campus, says information-services director Bob Krestakos. Once in use, the Internet Protocol phones will take a big bite out of Steelcase's corporate cell-phone bill, up to 30 percent of which represents calls made within the Steelcase headquarters.
Some organizations use the 802.1x approach for wireless authentication and encryption, even though there are multiple implementations of the young standard. That inconsistency means it's difficult to make wireless access points and wireless devices from different vendors work securely together.
CareGroup's Halamka, for example, uses Cisco's LEAP to secure his wireless network, but only because doctors and other hospital personnel use company-supplied laptops equipped with LEAP-compatible network cards and software.
That won't work for providing wireless Internet access to hospital visitors who bring along their own laptops. For them, Halamka plans a different tack: install a wireless-security gateway that can authenticate visitors with any kind of laptop. The gateways can also be used for some wireless-management functions such as automatically controlling how much Wi-Fi bandwidth is parceled out. Such gateway products are not inexpensive. Enterprise versions of Bluesocket gateways, for example, capable of supporting 100 users, start at $6,000 and go up to $13,000 for a 400-user version.
With mixed results, some organizations are tinkering with wired security technologies for the wireless world. Last March, at the University of Massachusetts at Amherst, network analyst Christopher Misra extended an existing virtual private network to cover a new Cisco wireless network. Because it was already installed, staff knew how to manage it. And the private network offers strong encryption via the Internet security protocol that uses public keys.
But that approach also caused complications—it requires users to have specific software installed. While most Windows laptops come with virtual private network software built in, the same is not true of many handheld devices or Macs. Also, such virtual connections aren't designed for mobile applications, and connections often get dropped as wireless users roam between access points. Misra is now considering augmenting the approach with Bluesocket's Wi-Fi security gateway.
One thing that Misra and other technology managers are not considering, however, is backing away from wireless until security standards become more solid. “People are used to wireless now and expect it,” says Steelcase's Krestakos, who supports more than 1,000 Wi-Fi users today. “It's improved [teamwork] and collaboration. The benefits outweigh the risks.”
Wireless Security Dynamics
Category: Wireless local-area network security
What it is: Hardware and software for authenticating wireless network users, encrypting wireless network traffic and monitoring and managing wireless network access points.
Key Players: AirWave, Avaya, Bluesocket, Cisco, Enterasys, Fortress Technologies, Funk Software, Intel, Meetinghouse, Proxim, ReefEdge, Symbol, Vernier, Wavelink
What's Happening: Absent strong security standards, many enterprises are going ahead with wireless, plugging security holes as best they can.
Expertise Online: www.weca.net/opensection/protected_access.asp