Wireless LAN Lockdown

Wireless gear will make it onto your network one way or another; stay secure by taking the right steps now.

The drastic drop in the cost of WLAN (wireless LAN) gear, along with the great extent to which 802.11b networking is now being built into notebook and handheld computers, virtually guarantees that wireless networking will secure a spot on your agenda—whether youve placed it there or not. IT administrators would do well, then, to head off a wireless groundswell by taking the lead in deploying these networks and doing so with the sort of attention to security that end users often cant afford to pay.

In the past year, theres been some encouraging movement toward more secure wireless networking standards. However, as security standards for these networks mature, so, too, will the tactics of those who would crack them.

Inherently Less Secure

Wireless networks are fundamentally less secure than wired ones. Nearly every business, however, is already plugged in to perhaps the least secure network of all—the Internet. By regarding WLANs with the same suspicion they do the Internet, companies can unwire themselves with relatively high confidence.

First, survey your WLAN coverage to make sure that access does not extend beyond your campus.

Then, start with the security built in to Wi-Fi products. Although WEP (Wired Equivalent Privacy), the primary security mechanism that ships with 802.11b gear, has been proved flawed, it provides better protection than nothing.

In addition, be sure to apply patches as vendors ready security updates for their WLAN hardware and software offerings (such as those this spring that will bring Wi-Fi Protected Access to existing equipment). If there were any doubts about the importance of patching, the Slammer worm outbreak last month should have put them to rest.

Companies can protect themselves against casual attacks by enabling WEP, changing access point administration passwords and SSIDs (Service Set Identifiers) from their factory defaults, and separating the wireless network from the wired network into an Internet-access-only zone. Atop such a framework, companies can provide secure access to the network resources theyve sequestered in the same way that they provide these services across the Internet—with a VPN (virtual private network).

This can be particularly attractive to companies that have already developed a VPN infrastructure to secure traffic across the Internet. And, because of the popularity of VPNs for securing Internet traffic, VPN clients ship with or are available for most operating systems and computing devices.

VPN clients do impose additional processing power overhead that can be especially noticeable on handheld devices, but weve experienced good performance with the mobile VPN clients weve tested.

Moving forward, client-side encryption capabilities should improve as chip makers build hardware acceleration engines for encryption algorithms into their processors. Transmeta Corp., for example, has announced it will do so in future Crusoe chips.

Some WLAN equipment vendors have bolstered and otherwise extended WEP in their products—replacing, for example, WEPs static key mechanisms with dynamic ones.

eWeek Labs recommends that companies eye such proprietary solutions with caution, however, because they generally require vendor homogeneity from access point to NIC.

Wireless networking is all about flexibility and openness, two virtues that proprietary security technologies can work to suppress. And WLAN functionality is being built into a wide range of computing devices, many of which may not interoperate with a given proprietary security technology.

For companies searching for a single, end-to-end solution—and willing to pay for it—vendors such as ReefEdge Inc. offer appliance and software-based solutions that provide for user authentication, traffic encryption and access point management in fairly turnkey packages. Such systems tend to be hardware-agnostic and offer benefits such as quality-of-service assurance and smooth roaming among access points.

Companies with small or particularly well-managed networks can further boost security by disabling Dynamic Host Configuration Protocol within their WLANs, to keep closer control of users accessing the network, and by enabling media access control address filtering on access points, to limit network access to an authorized set of wireless NICs.

Senior Analyst Jason Brooks can be reached at jason_brooks@ziffdavis.com.