Though the momentum of wireless local area network (WLAN) adoption at the corporate level is clearly on the side with the technology, pesky security concerns remain.
While no technology is infallible, the knock on WLANs has been they’re an the ideal entry point onto a network for nefarious activity.
“”A lot of people who implement a WLANs don’t do a proper site survey,”” says John Morrissette, director of technical services for Service Informatique Paradis. The consulting and services firm provides IT support to Montréal-based Michel-Lincoln Packaging Inc., a manufacturer of corrugated cardboard products.
“”Some people laugh at us for the amount of security features we have built in, as we manufacture cardboard products,”” he says. “”We’re not the Canadian Mint, but we take it seriously.””
Morrissette says about one-quarter of the company’s Drummondville plant receives WLAN coverage, as does most of its Montréal location.
“”All systems are vulnerable,”” he says. “”Even WiFi Protected Access (the latest 802.11-b WLAN security feature) has been criticized as being circumventable but we took the risk anyway . . . we’ve had no problems whatsoever.””
Have wireless fears subsided entirely? No. But they have relaxed a little.
“”It (security) was an issue when we first initiated our enterprise-wide implementation in September 2001,”” says Norman Housley, manager of network development and implementation of computing and networking services at the University of Toronto’s downtown campus.
The university’s WLAN spans the campus and is available to the institution’s estimated 60,000 student body and its 10,000 faculty. From Day 1, U of T has employed six levels of identification so any individual can log onto its network wirelessly. If even one level doesn’t check out, Housley says, access is denied to that user. Moreover, once a user is registered onto the network and is in session, his or her individual encryption keys change while online to further thwart any would-be hackers.
“”Those concerns have to be considered and it has to be handled, but I don’t think it’s insurmountable,”” he says.
Yet those very concerns remain a constant, invisible threat that is causing some companies to say no to wireless. The trouble with WLAN’s 802.11b-based security is well-known, says Mike Simon, chief technology officer for Conjungi Networks in Seattle. The 802.11b standard’s embedded Wired Equivalent Privacy specification isn’t up to snuff.
“”It has inherent issues with the RC4 encryption algorithm and its initialization vector is static,”” he says. “”In other words, it’s easy to capture enough data packets over a short period of time to decrypt the transmitted data.””
More disconcerting to Simon than weak WLAN deployments using WEP is the proliferation of access points (APs) in corporate offices. He says APs are so cheap and easy to plug-and-play, office dwellers that pick one up and deploy it at work are unknowingly putting their entire corporate network at risk.
Industry pundits agree the negative slant on WLANs has entrenched itself in corporate mindsets.
“”Security remains a very big barrier, especially for large corporate enterprises,”” says Warren Chaisatien, senior telecom analyst for IDC Canada in Toronto. “”However, of the security concerns that exist in the market place today, about 50 per cent of it is myth. How often do you see the media making big headlines out of a successful WLAN implementation?””
According to IDC Canada, 31 per cent of large businesses and 18 per cent of medium-sized firms were using WLANs within the enterprise in the first quarter of 2003. That’s a three per cent increase in WLAN use in both market segments from one year ago. IDC Canada also says security concerns remain the No. 1 stumbling block for more widespread adoption at the corporate level.
“”A lot of these issues with WLAN are caused not so much by the technology, but by human error or an insufficient corporate IT policy dealing with WLAN,”” Chaisatien says. “”WLAN does in fact create a clear value proposition for corporations and many Canadian organizations are moving towards mobilizing their business applications.””
Matthew Gast, author of 802.11 Wireless Networks: A Definitive Guide (published by O’Reilly), says there is a lot of misinformation swirling about over WLANs. He says they’re perfectly safe for the corporate environment provided proper security procedures are in place.
“”WLANs have gone beyond the initial cheap design phase,”” he says. “”Now there’s experienced cryptographers and designers working on these devices.””
Gast says the problem with WLANs in the office generally is human error.
“”I have a friend who claims as he drives to the airport he doesn’t need to dial-up to get online, he simply hooks up to a company’s AP and downloads his e-mail while mobile,”” he says. “”There are software tools available that can detect these rogue deployments from the network.””
PROTECT your ID
There are steps companies can take to ensure a relative amount of security in the event a WLAN is being deployed in-house. Begin by taking a long look in the mirror. U of T’s Housley says smaller enterprises should safeguard against revealing their network identifiers.
“”Mine (network identifier) is public as my universe contains about 70,000 people. But if you were a smaller enterprise, you shouldn’t expose your network identifier,”” he says.
According to IDC Canada, public sector organizations are the leading adopters of WLANs.
For instance, Queen’s University’s Anesthesiology Informatics Laboratory (QUAIL) at the Kingston General Hospital in Kingston, Ont., has provided its anesthesiologists with WiFi-enabled mobile devices for instant access to medical data. Dr. David Goldstein, medical director at QUAIL, says safety, security and privacy is the mandate of the Queen’s lab, and wireless technology makes it possible to administer better care.
He calls security issues surrounding WLANs and wireless computing in general “”a red herring.””
“”Hospitals take security and privacy very seriously and we strive to the best of our abilities to achieve the highest degree of security possible,”” he says. “”We’ve got triple-DES encryption on our handhelds, the same grade as those employed by the RCMP and CSIS.””
Mark Segal, director of IT for FCI Broadband in Richmond Hill, Ont., is more
skeptical. His office recently deployed a WLAN for its executive staff to make use of their wirelessly integrated notebooks.
“”If the device being used is not a portable station such as a laptop or a tablet PC, I don’t suggest using it (WLAN),”” he says. “”We wouldn’t go completely WLAN in our office of about 90 people.””
Steve Rampado, senior manager for Deloitte & Touche’s security services practice in Burlington, Ont., says the big issue with 802.11b-based WLANs is a lack of awareness over the built-in security features that can be deployed.
“”Most companies don’t implement these security features and it’s true, WEP — though not a complete security feature — is in itself is a seriously flawed encryption protocol,”” Rampado says. “”Default passwords and SSIDs (service set identifier) should be enabled . . . disable the DHCP (dynamic host configuration protocol) feature whether you’re running wireless or not. If it’s enabled, you’re broadcasting your IP address.””