Securing WLANs still a hit or miss proposition

Securing wireless LANs is a growing challenge with no easy solutions. The time, money and staff needed to beef up security are hobbling the technology; even so, customers spent US$1.68 billion on wireless gear in 2002 and are expected to spend US$2.72 billion by 2006, according to Infonetics Research Inc.

The IEEE is expected to fix wireless LAN security flaws by year-end with a new standard to be called 802.11i. That will purportedly clear up the problems identified with its predecessor, Wired Equivalent Privacy (WEP), namely that its authentication messages are easily forged and its encryption keys are poorly protected.

In the meantime, users who require secure wireless LANs are turning to supplemental security, which falls into two camps: IP Security (IPSec) remote-access VPN gear and equipment made by a pack of mainly young companies specializing in wireless LAN security, among them Bluesocket Inc., Cranite Systems Inc., Fortress Technologies Inc., ReefEdge Inc. and Vernier Networks Inc.

While IPSec addresses the security problems, it is not perfect and brings along all the shortcomings it has in a wired network.

For example, the technology handles only IP traffic, not IPX or AppleTalk. It requires client software on all the remote machines. And because IPSec tunnels are point-to-point, multicast traffic wastes a lot of bandwidth setting up all those tunnels.

"It's kind of like the question about IPSec in general: it works well for some people, and doesn't work well for others. Adding wireless into the mix is not going to change that very much," says Joel Snyder, senior partner with Opus One.

IPSec works for Christopher Misra, network analyst for the University of Massachusetts at Amherst, which installed wireless hot spots in five public areas on campus last year for student use.

The hot spots are secured using Cisco Systems Inc. VPN gear Misra already had for a wired-network project. Because of WEP's weaknesses, he decided on IPSec.

In the UMass network, each remote machine has a VPN client that creates a secure session with a VPN server located on the LAN side of the wireless access points. This prevents unauthorized machines from tapping into the network or picking off unsecured communications between authorized machines and the campus network.

Misra says he is satisfied IPSec secures the network, but it was not easy to implement. For security reasons, he wanted the wireless network to be logically separate from the wired network, and that required careful design.

"The complexity for us was in implementing the parallel network over our existing backbone," he says. He set up a separate virtual LAN (VLAN) for the access points and wireless clients to segregate the traffic and restrict where users can go on the network for security reasons. "This required us to configure [VLAN] trunks to each building where we wanted to implement a wireless network," Misra says.

Other challenges included installing clients on all student-owned machines, which created work for the help desk in assisting technology-challenged users, Misra says. Macintosh users are out of luck because the IPSec gear won't support the platform.

Another potential problem with IPSec is that VPN sessions could break when users move from one access point to another because the IP address changes. The break can freeze other applications, forcing users to reboot. "It's not a great way to handle mobility if you're moving around," says Mark Stevens, vice president of network security at VPN vendor WatchGuard Technologies.

The wireless security companies that offer an alternative to IPSec address some of these problems. Ecutel has developed a technology that keeps application sessions alive when wireless devices move between access points. The transition becomes unnoticeable to users, the company says.

These security boxes sit on the LAN side of access points and typically include a firewall, authentication support and encryption. Some of these products, such as those from Bluesocket and ReefEdge, also do some management of wireless bandwidth by applying quality-of-service restrictions.

Fortress' airFortress gear consists of three elements: client software; an appliance that handles encryption and network-layer authentication; and access-control-server software residing on a Windows NT server in the LAN.

The client includes a key it shares with the appliance for machine authentication, then the access control server confirms that the remote device is authorized to use the network, and the user is challenged for name and password.

All traffic between the wireless machines and the airFortress appliance is encrypted using Data Encryption Standard (DES), Triple-DES or Advanced Encryption Standard (AES). Because the communication is bridged through the access point using only the source and destination media access control (MAC) addresses, each packet, including its Layer 3 headers, is encrypted. This prevents hackers from gaining information about the wired network to which the wireless gear grants access, Fortress says.
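As an added illustration of the header-exposure point above (not Fortress' or any other vendor's code): the script builds a constructed client-to-server packet and shows what a passive listener on the wireless segment can read when the packet is carried in IPSec ESP tunnel mode versus inside a Layer-2 encrypted frame. The cipher is a constructed HMAC-based stand-in so the example runs with the standard library alone, and the MAC and IP addresses and the 0x88B5 encapsulation EtherType are assumptions, not values from the article.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"   # stand-in for the key the client shares with the appliance
ETHERTYPE_IP = 0x0800
ETHERTYPE_L2_ENCRYPTED = 0x88B5  # IEEE local-experimental EtherType, assumed here for the encapsulation


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (HMAC-SHA256 counter-mode keystream); XOR makes it its own inverse.
    A stand-in for the DES/3DES/AES the article names: which fields stay in the clear is the point."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(key, nonce + struct.pack(">I", off // 32), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


def ipv4_header(src: str, dst: str) -> bytes:
    """Minimal 20-byte IPv4 header: version/IHL plus the two addresses, everything else zero."""
    addr = lambda s: bytes(int(o) for o in s.split("."))
    return b"\x45" + b"\x00" * 11 + addr(src) + addr(dst)


def eth_header(src_mac: str, dst_mac: str, ethertype: int) -> bytes:
    return bytes.fromhex(dst_mac) + bytes.fromhex(src_mac) + struct.pack(">H", ethertype)


# Constructed sample: wireless client 10.10.5.23 talking to an internal file server at 172.16.40.8
CLIENT_MAC, AP_MAC = "001122334455", "66778899aabb"
INNER_PACKET = ipv4_header("10.10.5.23", "172.16.40.8") + b"file-server request"


def ipsec_tunnel_frame(vpn_server: str = "10.10.0.1") -> bytes:
    """ESP tunnel mode: a new outer IP header addressed to the VPN server travels in the clear;
    the original packet, its own headers included, is encrypted behind it."""
    outer = ipv4_header("10.10.5.23", vpn_server)
    return eth_header(CLIENT_MAC, AP_MAC, ETHERTYPE_IP) + outer + keystream_xor(KEY, b"esp", INNER_PACKET)


def layer2_encrypted_frame() -> bytes:
    """Bridged Layer-2 encryption: only the Ethernet header is sent in the clear, so the
    wired network's Layer 3 addressing is inside the ciphertext."""
    return eth_header(CLIENT_MAC, AP_MAC, ETHERTYPE_L2_ENCRYPTED) + keystream_xor(KEY, b"l2", INNER_PACKET)


def listener_view(frame: bytes) -> dict:
    """What a passive listener on the wireless segment can read without the key."""
    view = {"dst_mac": frame[0:6].hex(), "src_mac": frame[6:12].hex(),
            "ethertype": struct.unpack(">H", frame[12:14])[0], "ip_src": None, "ip_dst": None}
    if view["ethertype"] == ETHERTYPE_IP:          # cleartext IP header follows; read its addresses
        ip = frame[14:34]
        view["ip_src"] = ".".join(map(str, ip[12:16]))
        view["ip_dst"] = ".".join(map(str, ip[16:20]))
    return view
```

Under IPSec the listener still learns the client's IP and the VPN server's address from the outer header; under the Layer-2 scheme only the two MAC addresses and the EtherType are readable.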

A single airFortress appliance deals with all the access points in a network, so it can smoothly maintain communications as the mobile machines move between access points.

The Syracuse, N.Y., police department chose Fortress gear because it had to secure sensitive data as it used wireless to expand into new office space. It also wanted to use wireless gear in interrogation rooms so it could be removed easily, says Pat Phelps, IT specialist for the department.

He says part of Fortress' attraction is that it offers security through obscurity. Hackers won't focus on trying to break its technology once a commercial standard is adopted, he says. "Whatever standard comes out people will put their effort in trying to crack that," Phelps says.

While they are necessary now to secure wireless LANs, these add-ons might become less popular after the IEEE finishes its 802.11i standard.

"When new authentication and encryption standards get put in place later this year, you probably won't need to use VPNs," says Dave Kosiur, an analyst with The Burton Group Corp. "Then wireless security will be sufficiently strong."

Some users have even put off using wireless until these problems are fixed and security becomes streamlined. "The entire attraction of wireless is its ease of use," says Paul Forbes, network engineer for Trimble Navigation in Sunnyvale, Calif. "If it isn't essentially transparent to the user, what is the point? Why not jack in on a wired port?"

(John Cox contributed to this article.)
