Rachel Metz opened her Apple Computer Inc. iBook in June to take some notes at a middle school she was visiting in Palo Alto, the heart of Silicon Valley.
Upon bootup, the laptop's wireless LAN adapter picked up a strong WLAN signal, which it displayed onscreen, along with a guest logon invitation. Metz found she had access to the Internet, via the school's open wireless network.
But Metz wasn't just any visitor. She is the education reporter for the Palo Alto Daily News, and her story about the ease with which she accessed the Palo Alto Unified School District's network became front-page news. On several occasions, Metz logged on as a guest and accessed file servers. In one instance she accessed a server that temporarily stores a variety of information, including students' grades, addresses and phone numbers - even some psychological profiles.
The WLANs that Metz encountered are typical of those found in smaller organizations, and in branch or home offices of remote corporate workers. One of the chief causes of security weaknesses in small WLANs is the lack of a security infrastructure that is typical in big companies: RADIUS servers, VPNs, elaborate security policies and so on. In the past, smaller firms, telecommuters and the like "were forced to settle for security that is flimsy at best," Burton Group's Michael Disibato wrote in a January 2003 report "Securing Wireless LANs." The alternative, he writes, is investing in costly infrastructure improvements.
Unlike vendors of enterprise WLAN products, small office/home office (SOHO) WLAN vendors treat security as an option: access points and adapter cards ship with security features such as Wired Equivalent Privacy (WEP) turned off, and these features must be activated deliberately during setup. Repeatedly, surveys find users don't bother to turn on WEP, leaving corporate data on laptops and servers exposed to even the most casual, accidental wireless access of the Palo Alto schools.
To combat the problem, network executives need to enforce the basics of wireless and computer security, and keep abreast of emerging security standards and products. Best practices should include a layered approach that make it as tough as possible for outsiders to access the WLAN by activating WEP, blocking Service Set Identifier (SSID) broadcasts and the like.
It's widely known that WEP is vulnerable to a skilled attacker for two reasons. WEP starts to repeat fairly quickly the data elements used in the scrambling process, elements hackers can use to decrypt the traffic. And WEP doesn't automatically change the shared key, or encoder, used by a group of clients and an access point, giving trackers more chances to crack the code.
Even so, WEP still slows down attackers and prevents passersby from viewing wireless traffic. "Things like using WEP and blocking the SSID are still important things to do," says E.J. von Schaumberg, executive vice president for WPCS International, a WLAN integrator in Exton, Pa.
Standards and products also are emerging that promise to boost WEP's security.
WLAN vendors are introducing products that run code for the Wi-Fi Protected Access (WPA) specification, with a variation called Pre-Shared Key, which is designed for SOHO users. WPA is an early version of the WEP repair work being done by the IEEE 802.11i Working Group.
WPA improves data encryption with Temporal Key Integrity Protocol, which makes it much harder to unscramble data encrypted between the client and the access point. WPA also adds stronger user authentication by using the 802.1x authentication standard and Extensible Authentication Protocol. Essentially, the client and access point check in with an authentication server, such as RADIUS.
But for SOHO networks, where RADIUS servers and complex authentication infrastructures are rare, WPA uses a pre-shared key. This key is a password, the longer the better, which a user types in for the access point, and each wireless client. The key authenticates these devices to each other, after which the improved WPA encryption and other safeguards kick in.
Because Microsoft Corp. now is using WPA in Windows XP, users can run through a series of screens to implement WPA between an adapter and access point. Wireless vendors such as Linksys and Buffalo Technology already are shipping new access points and adapter cards with WPA, and all vendors are waiting for Wi-Fi Alliance WPA certification testing.
WLAN products typically can be upgraded to WPA. Users download from vendor Web sites new firmware code for the access point and a new driver for the adapter card, and follow installation instructions.
New products such as Code Red's AirBlock software and Funk Software Inc.'s Odyssey Server also are aimed at beefing up WLAN security of smaller networks. You install AirBlock software on each client PC, type in a password that becomes the pre-shared key, and AirBlock automatically configures both the adapter card and the access point, if they have WPA code. If not, AirBlock will enhance WEP by rotating the encryption keys every 10 minutes. The software also can manage devices using a mix of WEP and WPA. AirBlock costs US$40 per user, with volume discounts available.
Funk's new Odyssey Server 2.0 creates a security infrastructure based on the IEEE 802.1x standard. Odyssey is client and server software that uses the access point to establish an authenticated connection.
Funk has 802.1x software that runs on Windows versions, and Odyssey supports several authentication protocols. You also can buy the application installed on a pre-configured server from Funk partner Network Engines. Funk Odyssey 2.0 costs $2,500 for a server, with 25 clients.