Searching for Wi-Fi Security Solutions

By Beth Cohen

July 14, 2003

Security has long been the Achilles heel of the wireless industry. Set aside the security issues, though, and the case for wireless networking is overwhelmingly compelling — it's cheap, easy, and portable. Now that the industry is addressing the problem head-on with new solutions for manageable and acceptable network security, Wi-Fi may well be a choice that enterprises should be considering (or reconsidering).

At the recent Boston 802.11 Planet Conference and Expo, the aisles and booths were bustling with activity, giving ample proof that Wi-Fi (Wireless Fidelity, or more properly, wireless networking) has finally come of age. The hardware gear venders – switch, carriers, integrators, chip manufacturers, and antenna – were all there in force, of course. However, the big news was that the show was dominated by vendors addressing network security, with new solutions from the network, software, and hardware perspectives.

Security has long been the Achilles heel of the wireless industry. Set aside the security issues, though, and the case for wireless networking is overwhelmingly compelling — it's cheap, easy, and portable. Now that the industry is addressing the problem head-on with new solutions for manageable and acceptable network security, Wi-Fi may well be a choice that enterprises should be considering (or reconsidering).

The Problem

According to an article in the April 26 issue of Barrons, a one-hour cruise in lower Manhattan last March revealed 622 Wi-Fi networks, with two-thirds of them wide open to unauthorized use. And don't think just because you are located in a suburban office park you can escape — this problem is not limited to dense urban areas. Wi-Fi networks in multi-tenant office parks and employees’ residences can easily spill over into adjacent areas inside the same building, or into or across public thoroughfares.

Even more than with traditional hardwired LANs, network security is an essential complement to IEEE 802.11 network connectivity. After all, you are broadcasting your traffic over the air and have no direct control over who is listening or transmitting. Do you really want anyone with some inexpensive equipment and a criminal intent to be hacking your network? You cannot just assume that the PCs on the network are really the ones they claim to be, or that they are acting the way they are supposed to.

There are two major components to the security problem for Wi-Fi. One is assuring the privacy of the data transmitted over the network against eavesdroppers. The other is protecting the network itself against intrusion. Unauthorized PCs may attempt to piggyback on your network, stealing bandwidth that you are paying for. Even worse, unauthorized Access Points can be used to mount a variety of other nastier attacks, including listening to, diverting, or interrupting network traffic.

Because mobility is an essential aspect of Wi-Fi networks, old techniques that rely on stable, hardwired connections between switch ports and hosts (and other systems) are no longer sufficient to assure proper access control. Wi-Fi networks are orders of magnitude more vulnerable to MAC (Media Access Control) address spoofing than wired LANs.

The rising use of Wi-Fi for home networks may raise security concerns for organizations. With the increase in telecommuting and consulting, IT managers need to be alert to the possibility that employees are transmitting sensitive data over unsecured networks. As a result, the employee’s home needs to be at least as secure as his or her office environment. Wireless Networking Security Solutions

Most industries are dominated by a few innovative players and a large number of copycats who hope to capitalize on technological breakthroughs. Wi-Fi security is no exception; many venders are selling variations on a few basic themes and approaches. One is the need for intrusion detection systems, while another is network management and integration with some type of back-end access control technology, most often RADIUS (Remote Authentication Dial-In User Service).

While the bad news about Wi-Fi is that intruders have greater opportunity to break into the network, the good news is that compared with wireline Ethernet, it is easier and less expensive to observe and collect information about nefarious Wi-Fi network traffic. Instead of having to monitor individual switches and their ports, one need only listen promiscuously to packets as they cross the air.

Real-time monitoring displays for Wi-Fi traffic dotted the show floor at the 802.11 Expo. Packets were analyzed and Wi-Fi hosts and access points were tracked on maps while windows and panes scrolled. As eye-catching or cluttered as the demonstrations might have been, these products addressed the separate problems of real-time detection of intruders and post-incident analysis of traffic.

There was comparatively less discussion of integrating real-time Wi-Fi monitoring with most companies’ installed bases of existing network management systems. Having a monitoring system that is integrated into your existing infrastructure would be infinitely more useful than yet another display for troubleshooting an incident after the fact.

Because the wireless network’s composition and topology is flexible and inconstant, the monitoring equipment’s footprint must adequately cover all of a Wi-Fi network’s potential airspace. Several vendors offered hand-held meters to detect and measure Wi-Fi availability. Typically, these meters would be employed inside a company or used by a systems integrator to troubleshoot or check for adequate network coverage.

However, they can also be put to another more insidious use — drive-by detection of other people’s networks. Most people who are doing it view it as a nerdy idea of a fun sport, but there are those who are practicing intrusion with more criminal motives. According to Special Agent Nenette Day of the FBI Boston Cybercrime Unit, it is not even clear that intrusion over an unprotected wireless network is officially a crime yet.

Page 2: The Ideal, Integrated Security Solution

Pages: 1 2


Comment and Contribute
(Maximum characters: 1200). You have
characters left.