The proposed National Strategy to Secure Cyberspace plans to get tough on wireless technology, saying that if secure WLANs don’t exist, federal agencies shouldn’t use them.
The proposal aims to prevent the proliferation of unsecured wireless LANs that run on the 802.11b standard, also known as Wi-Fi, according to a draft of the strategy obtained by eWeek. The Bush administration wants a moratorium on Wi-Fi WLAN networks until security is improved and wants government IT users to avoid wireless products for sensitive applications.
Developed by the President’s Critical Infrastructure Protection Board, the proposal, due Sept. 18, recommends that vendors change the default configurations on WLAN gear to increase security, something critics say would make the equipment difficult to use in both public and private networks.
While the language is strong, security experts who work with government agencies say they generally assume wireless products are inherently insecure.
“Built-in wireless security I consider utterly beside the point and put my trust in SSH [the Secure Shell remote connection protocol] in the hope that the folks who are dedicated to making something rock-solid secure do a better job with security than folks who are dedicated to making and selling radio transceivers,” said Steve Durst, a research engineer at Skaion Corp., a North Chelmsford, Mass., security consultancy whose customers include the Air Force and the Defense Advanced Research Projects Agency. “I tunnel everything through SSH.”
An IEEE task group is developing a standard called 802.11i to improve the security of WLANs, but that technology is not due until the fall of next year. Meanwhile, the vendor group Wireless Ethernet Compatibility Alliance plans to support an improved encryption scheme called SSN (safe secure network). The draft mentions 802.11i and SSN as improvements, but it’s unclear whether either would meet the government’s new criteria.
“WECA has been promoting that wireless LANs need to be secured,” said Dennis Eaton, chairman of WECA, in Mountain View, Calif. “Unfortunately, security and ease of use are the nemeses of each other. Achieving both is a very difficult proposition.”
The recommendation that WLAN equipment either come out of the box secure or be disabled until users make it secure leaves some users worried about future loss of Wi-Fi’s plug-and-play capabilities.
When configuring WEP (Wired Equivalent Privacy), “different vendors’ interfaces don’t seem to match. One has to enter the passwords in very different ways,” said Christopher Bell, chief technology officer of People2People Group, in Boston. Bell said it took him almost 2 hours to set up a secure access point, a notebook computer and a Pocket PC device enabled with 802.11b. “I can’t imagine many people would bother to do what I did to get it all to work when simply turning off WEP made it plug and go.”
In addition to WLANs, the cyber-security strategy addresses the Bluetooth wireless protocol, which is used primarily as a cable replacement between devices. The draft’s authors recommend that Bluetooth developers build a better broadcast keying scheme, a feature to prevent unlimited authentication requests and a more sophisticated encryption procedure.