Understanding Basic WLAN Security Issues
January 11, 2002
A good primer on the risks incurred by the implementation of a wireless LAN and some ideas on how to begin to address them.
A wireless LAN is the perfect way to improve data connectivity in an existing building without the expense of installing a structured cabling scheme to every desk. Besides the freedom that wireless computing affords users, ease of connection is a further benefit. Problems with the physical aspects of wired LAN connections (locating live data outlets, loose patch cords, broken connectors, etc.) generate a significant volume of helpdesk calls. With a wireless network, the incidence of these problems is reduced.
There are however, a number of issues that anyone deploying a wireless LAN needs to be aware of. First and foremost is the issue of security. In most wired LANs the cables are contained inside the building, so a would-be hacker must defeat physical security measures (e.g. security personnel, identity cards and door locks). However, the radio waves used in wireless networking typically penetrate outside the building, creating a real risk that the network can be hacked from the parking lot or the street.
The designers of the IEEE 802.11b or Wi-Fi tried to overcome the security issue by devising a user authentication and data encryption system known as Wired Equivalent Privacy, or WEP.
Unfortunately, some compromises that were made in developing WEP have resulted in it being much less secure than intended: in fact a free program is now available on the Internet that allows a hacker with minimal technical knowledge to break into a WEP-enabled wireless network, without being detected, in no more than a few hours.
The IEEE standards group is working on an improved security system that is expected to overcome all of WEP's known shortcomings but it is unlikely that products incorporating the new technology will be widely available before late 2002 or early 2003.
In the meantime, security experts agree that all sensitive applications should be protected with additional security systems such as Internet Protocol Security (IPsec). However, if excessive security measures are forced on users of non-sensitive applications, the wireless network becomes cumbersome to use and system throughput is reduced.
A good wireless networking system should therefore provide a range of different user authentication and data encryption options so that each user can be given the appropriate level of security for their particular applications.
Another point to bear in mind is that each access point in a Wi-Fi network shares a fixed amount of bandwidth among all the users who are currently connected to it on a first-come, first-served basis. It is therefore important to make sure that sufficient access points are installed for the expected volume of users and traffic. Even then there is a tendency in a first-come, first-served kind of network for a small number of wireless devices (typically those who are physically closest to the access point) to grab most of the available bandwidth, resulting in poor performance for the remaining users. The best way to resolve this issue is to choose a system which has quality of service (QoS) features built into it.Since one of the major benefits of wireless networking is user mobility, another important issue to consider is whether users can move seamlessly between access points without having to log in again and restart their applications. Seamless roaming is only possible if the access points have a way of exchanging information as a user connection is handed off from one to another.
Furthermore, most large corporate data networks are divided into a number of smaller pieces called subnets for traffic management and security reasons. In many instances wireless LAN vendors provide seamless roaming within a single subnet, but not when a user moves from one subnet to another.
There are a number of ways of dealing with the issues described above. Several of the best-known networking equipment vendors have developed their own product ranges to include special access points and wireless LAN interface cards, central firewall and security components, and routers with built-in QoS capabilities.
When all these elements are used together, the result is a secure, high-performance wireless network. However, such solutions are expensive and integrating the various components requires a considerable amount of patient networking expertise.
Another approach that is often advocated is the use of virtual private network (VPN) hardware. VPN hardware is designed to enable remote users to establish a secure connection to a corporate data network via an insecure medium, namely the Internet. On the face of it this is a very similar problem to connecting via a wireless link.
However there are drawbacks to using existing VPN products in a wireless LAN environment. For starters, a VPN solution on its own does not address the requirement for QoS and seamless roaming between subnets.
Also, a VPN solution imposes the same high level of security on all users whether or not their applications warrant it. In order to achieve this they require special VPN software to be installed on each user's computer. In a wireless network with large numbers of users, this translates to a major headache.
What network managers are asking for is an architecture that offers different levels of security to meet varying user needs, ranging from simple user name access with no encryption through to a full IPsec implementation for sensitive applications. Ideally, the solution should deliver up to 100 Mbps of throughput. Other features should include QoS features to allocate bandwidth fairly among users, and seamless roaming both within and between subnets.
The objective is to deploy and maintain secure, high performance wireless LANs with a minimum amount of time, effort and expense.
Eric Janszen is CEO of Bluesocket, a developer of products that provide security and management to 802.11 WLANs.