As wireless networking continues to expand across the enterprise, it is important that IT departments evaluate the effects of these technologies on system security and arrive at ways to integrate them into established security frameworks.
Companies now face an assortment of wireless networks, including LANs, powered by the IEEE 802.11 standard; PANs (personal area networks), powered by Bluetooth; and WANs, driven by assorted wireless services such as Palm Inc.'s Palm.Net. Each of these schemes presents its own security risks as well as benefits, but eWeek Labs believes current standards and security for wireless networks incorporating LAN, PAN and WAN technology are sufficient for sites to begin implementing them across corporate campuses.
A LAN link
A WLAN (wireless LAN) provides mobile access among computers by using radio waves instead of cables. In corporate setups, WLANs are usually implemented as the final link between the wired network and a group of client computers, giving users wireless access to the full resources and services of the corporate network across a building or campus setting.
The most popular WLAN equipment on the market is based on the 802.11b standard. Like all IEEE 802 standards, 802.11 covers only the two lowest layers of the OSI model, the physical layer and the data link layer. Any LAN application, NOS or protocol, including TCP/IP and NetWare, will run over an 802.11b-compliant WLAN as easily as it runs over Ethernet.
For data encryption, the 802.11b standard provides WEP (Wired Equivalent Privacy), which uses the RC4 stream cipher from RSA Security Inc. with a shared secret key of 40 bits or 104 bits. For each frame, a 24-bit IV (initialization vector), sent in the clear, is prepended to the secret key to seed RC4, and a CRC-32 ICV (integrity check value) is appended to the payload before encryption; the IV plus key is why the two modes are marketed as 64-bit and 128-bit WEP. All data frames exchanged while a mobile client and an access point are associated can be encrypted under this key.
When shared-key authentication is enabled, an access point sends a clear-text challenge to any client attempting to associate. The client must return that challenge WEP-encrypted under the shared key; the access point decrypts the response with its own copy of the key and grants association only if the decrypted text matches. Note that both the challenge and its encrypted response cross the air, so anyone listening learns the RC4 keystream for that IV; shared-key authentication proves key possession to the access point but should not be the only control on who joins the network.
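The following Python is an added example, not code from the article or from any 802.11 vendor: it models WEP encapsulation (RC4 seeded with IV || key, CRC-32 ICV) and the shared-key authentication exchange described above, with both the client's and the access point's side of the four-frame handshake. It also shows the consequence of that exchange being observable: a captured challenge/response pair yields the keystream for that IV, which can answer a later challenge without the key, because WEP does not require a fresh IV. The key, IV and challenge bytes are constructed for the demo.

```python
import os
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4: key scheduling, then XOR the keystream over data.

    Encryption and decryption are the same operation.
    """
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def icv(plaintext: bytes) -> bytes:
    """WEP integrity check value: CRC-32 over the plaintext, little-endian."""
    return (zlib.crc32(plaintext) & 0xFFFFFFFF).to_bytes(4, "little")


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Return IV || RC4(IV || key, plaintext || ICV).

    key is the 5-byte ("40-bit"/64-bit WEP) or 13-byte ("128-bit" WEP) secret;
    the 3-byte IV is sent in the clear as the first bytes of the frame body.
    """
    if len(iv) != 3 or len(key) not in (5, 13):
        raise ValueError("IV must be 24 bits and key 40 or 104 bits")
    return iv + rc4(iv + key, plaintext + icv(plaintext))


def wep_decrypt(key: bytes, frame: bytes) -> bytes:
    """Strip the IV, decrypt, and verify the ICV; raise ValueError on mismatch."""
    iv, body = frame[:3], frame[3:]
    data = rc4(iv + key, body)
    plaintext, received_icv = data[:-4], data[-4:]
    if icv(plaintext) != received_icv:
        raise ValueError("ICV mismatch: frame corrupted or wrong key")
    return plaintext


def shared_key_auth(ap_key: bytes, client_key: bytes,
                    challenge: bytes = None, iv: bytes = None) -> bool:
    """Simulate the four-frame shared-key exchange; True if the AP accepts."""
    # Frame 1: client asks for shared-key authentication (no payload of interest).
    # Frame 2: AP sends a 128-byte challenge in the clear.
    challenge = challenge or os.urandom(128)
    # Frame 3: client returns the challenge WEP-encrypted under its key and an IV.
    response = wep_encrypt(client_key, iv or os.urandom(3), challenge)
    # Frame 4: AP decrypts with its own key and compares; a wrong key fails the ICV.
    try:
        return wep_decrypt(ap_key, response) == challenge
    except ValueError:
        return False


def forge_auth_response(seen_challenge: bytes, seen_response: bytes,
                        new_challenge: bytes) -> bytes:
    """Answer a new challenge using only a sniffed challenge/response pair.

    plaintext XOR ciphertext recovers the 132-byte keystream for the sniffed IV;
    reusing that IV and keystream produces a valid frame 3 without the key.
    """
    iv, body = seen_response[:3], seen_response[3:]
    seen_plain = seen_challenge + icv(seen_challenge)
    keystream = bytes(p ^ c for p, c in zip(seen_plain, body))
    new_plain = new_challenge + icv(new_challenge)
    return iv + bytes(p ^ k for p, k in zip(new_plain, keystream))


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")          # constructed 40-bit WEP key
    chal = bytes(range(128))                   # constructed challenge
    resp = wep_encrypt(key, b"\x00\x00\x01", chal)
    print("legit client accepted:", shared_key_auth(key, key))
    print("wrong key accepted:   ", shared_key_auth(key, b"\x05\x04\x03\x02\x01"))
    forged = forge_auth_response(chal, resp, bytes(range(127, -1, -1)))
    print("forged response accepted:", wep_decrypt(key, forged) == bytes(range(127, -1, -1)))
```

The ICV check catches corruption and wrong keys, but it is a CRC, not a keyed MAC, and the forgery above needs nothing more than one captured exchange; both are reasons to layer the higher-level controls the article goes on to describe on top of WEP.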
Most vendors of 11M-bps 802.11b equipment provide WEP as an option, and eWeek Labs tests have shown that activating WEP doesn't degrade data throughput very much. We found that, at most, throughput dropped about 1M bps for 40-bit WEP and between 1M bps and 2M bps for 128-bit WEP—a small price to pay for wireless transmission protection.
Controlling access to a WLAN via MAC (media access control) addresses is another feature that's available to network administrators on most 802.11b access points. By admitting only wireless clients with approved MAC addresses, administrators can limit which known clients join the WLAN. The filter is a convenience control rather than authentication: MAC addresses travel in the clear in every frame and can be changed in software on most adapters, so the list should supplement WEP and higher-layer controls, not replace them.
In addition to Layer 2 security, 802.11b WLANs support the same security standards as other 802 LANs for access control (such as NOS log-ins) and encryption (such as IP Security or application-level encryption). These higher-layer technologies can be used to create end-to-end secure networks encompassing both wired-LAN and WLAN components, with the wireless piece of the network gaining unique additional security from the 802.11 WEP feature.
Protecting WLAN communications takes more than encryption. Once the data packets hit the wired portion of the LAN, security measures are only as good as the network administrator makes them.
Color it blue
Bluetooth is a low-power, low-cost, short-distance wireless networking protocol that enables users to assemble disparate computing devices into WPANs (wireless PANs).
Although Bluetooth-powered WPANs promise to boost productivity by extending the benefits of cooperation to a wider range of devices, companies must deploy these systems keeping a close eye on security—particularly because Bluetooth is an emerging technology.
Bluetooth security presents a challenge, in part, because of the various applications for which the technology is intended. Bluetooth WPAN technology will be called on to enable usage scenarios that range from cable replacement in handheld-to-desktop computer synchronization—a process in which the machines to be synchronized must have wide access to each other's data and services—to ad hoc networking and public network access scenarios, in which access to the same data and services must remain strictly controlled.
The security model built into the Bluetooth specification provides for authentication, which verifies device identity; authorization, which determines which services a given device is allowed to access; and encryption, which prevents eavesdropping.
A matter of trust
The Bluetooth specification enables users to control relationships with remote devices through a security manager contained in the Bluetooth software stack of Bluetooth-enabled devices.
The security manager contains a database of previously authenticated devices and lets users assign these devices a “trusted” designation—a trusted device has a fixed relationship with another device and has access to all services of that device. Untrusted devices are those for which there's no permanent relationship or for which there's a permanent yet restricted relationship.
It is also possible to crank up the granularity on these security relationships by refining the trusted/untrusted designations to a per-service or per-service-group setting. In this way, having access to some services on a device needn't mean having access to all services on that device.
The Bluetooth security manager also enables users to set the security levels for device services themselves. Users can set services such as file transfer and dial-up networking to require authorization and authentication; to require authentication only; or to require a low level of security, in which services are open to all devices.
A service programmed to require authorization and authentication offers automatic access only to devices designated as trusted in the security manager's device database. Other devices require manual authorization.
Bluetooth's built-in security authenticates the device, not the user. As a result, Bluetooth applications will rely on higher application-level security such as password or smart-card protection for users to sign in. This is particularly important because Bluetooth-enabled devices will be highly mobile and relatively easily lost or stolen.
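As an added example, not code from the Bluetooth specification or from any vendor's stack, the Python below implements the access decision the preceding paragraphs describe: a device database with a global or per-service "trusted" flag; services set to open, authenticate-only, or authorize-and-authenticate; trusted devices admitted automatically and untrusted ones routed to manual authorization. The HMAC-SHA256 challenge/response stands in for Bluetooth's link-key authentication and is an assumption, as are the device addresses and service names.

```python
import hmac
import os
from dataclasses import dataclass, field
from enum import Enum


class Level(Enum):
    OPEN = "open"                          # any device, no authentication
    AUTHENTICATE = "authenticate"          # device must prove it holds the link key
    AUTHORIZE = "authorize+authenticate"   # as above, plus trusted or manual approval


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    ASK_USER = "ask_user"   # untrusted device on an authorize+authenticate service


@dataclass
class Device:
    addr: str
    link_key: bytes                  # established at pairing (stand-in for the link key)
    trusted: bool = False            # fixed relationship: access to all services
    trusted_services: set = field(default_factory=set)  # per-service trust instead
    authenticated: bool = False      # proved key possession in this session


def compute_response(link_key: bytes, nonce: bytes) -> bytes:
    """Stand-in for Bluetooth's E1 function: HMAC-SHA256 over the nonce (assumption)."""
    return hmac.new(link_key, nonce, "sha256").digest()


class SecurityManager:
    def __init__(self):
        self.devices = {}    # addr -> Device: previously paired devices
        self.services = {}   # service name -> Level

    def register_service(self, name: str, level: Level) -> None:
        self.services[name] = level

    def pair(self, addr: str, link_key: bytes, trusted: bool = False,
             trusted_services=()) -> None:
        self.devices[addr] = Device(addr, link_key, trusted, set(trusted_services))

    def challenge(self, addr: str) -> bytes:
        """Fresh nonce sent to the remote device; it must answer with compute_response."""
        return os.urandom(16)

    def authenticate(self, addr: str, nonce: bytes, response: bytes) -> bool:
        dev = self.devices.get(addr)
        if dev is None:
            return False   # never paired: there is no link key to verify against
        ok = hmac.compare_digest(compute_response(dev.link_key, nonce), response)
        dev.authenticated = ok
        return ok

    def access(self, addr: str, service: str) -> Decision:
        """Apply the service's security level to the requesting device."""
        level = self.services[service]
        if level is Level.OPEN:
            return Decision.ALLOW
        dev = self.devices.get(addr)
        if dev is None or not dev.authenticated:
            return Decision.DENY                       # cannot or did not authenticate
        if level is Level.AUTHENTICATE:
            return Decision.ALLOW
        if dev.trusted or service in dev.trusted_services:
            return Decision.ALLOW                      # automatic access for trusted
        return Decision.ASK_USER                       # otherwise manual authorization


if __name__ == "__main__":
    sm = SecurityManager()
    sm.register_service("obex-ftp", Level.AUTHORIZE)       # file transfer
    sm.register_service("dial-up", Level.AUTHENTICATE)     # dial-up networking
    sm.register_service("sdp", Level.OPEN)                 # service discovery
    sm.pair("00:11:22:33:44:55", b"k" * 16)                # constructed, untrusted
    nonce = sm.challenge("00:11:22:33:44:55")
    sm.authenticate("00:11:22:33:44:55", nonce, compute_response(b"k" * 16, nonce))
    for svc in ("sdp", "dial-up", "obex-ftp"):
        print(svc, sm.access("00:11:22:33:44:55", svc).value)
```

Note that a device can hold per-service trust without global trust, which is the finer-grained setting the article describes, and that nothing here identifies the user: a stolen, already-paired handheld authenticates exactly as its owner's would, which is the point made next.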
The WAN edge
WWANs (wireless WANs), which enable mobile users to run applications that access vital corporate data via wireless handheld devices, carry significant productivity benefits for the companies that deploy them. However, WWAN setups carry their own security vulnerabilities as well.
The great portability of the wireless handheld clients that access these networks makes them more vulnerable to loss or theft than traditional computing clients. In addition, the small size of these devices places limitations on the CPU power and memory resources that can be devoted to security and encryption.
Mobile devices that access corporate data via WAP (Wireless Application Protocol) are exposed to a gap in encryption: data that leaves a company's firewall under SSL must be decrypted at the carrier's WAP gateway before it is re-encrypted with WTLS (Wireless Transport Layer Security) for the air link, so the gateway holds the plaintext and is effectively inside the company's trust boundary. One way around this is for a company to host its own wireless application gateway behind the corporate firewall, where the decryption point, and the sensitive data, stay under its control.
Palm VII devices, operating with the Palm.Net service, make use of ECC (Elliptic Curve Cryptography) technology from Certicom Corp. to encrypt the link between the wireless Palm device and the Internet.
ECC provides high levels of security at relatively small key sizes—its 163-bit keys are equivalent in strength to RSA 1,024-bit keys. This efficient approach means shorter messages and fewer required device resources.
The Palm servers that provide content to Palm VII devices support SSL (Secure Sockets Layer), so a remote host that also supports SSL can secure the Palm wireless connection end to end.
Research in Motion Ltd.'s BlackBerry devices send and receive data—primarily e-mail—between the corporate LAN and the BlackBerry handheld secured by Triple DES (Data Encryption Standard) encryption. The data is encrypted inside a company's firewall and is not decrypted as it passes through the service carrier.