There has been an explosion in wireless LAN product use in the last two years. Albert D’aoust of Evans Research Corp. predicts WiFi product sales for 2004 will be about $115 million in Canada – 30 per cent growth over last year, in an overall IT market that’s sagging by 10 per cent.
Add applications and services to the equation, and the number doubles, D’aoust says.
There’s good reason WiFi is taking off. It’s ideal for a mobile work force. It’s a quick, cheap way to add new machines to the network without pulling wires out of the walls.
But you can’t restrain radio signals. There’s a boundary issue with wireless LANs. Your wired network terminates at the end of a Cat 5 cable, but wireless leaks into the parking lot, out onto the street. With technology as simple as a Pringles can, outsiders can pick up your network’s signals from hundreds of metres away.
The 802.11b specification for wireless networking features a built-in encryption standard called wired equivalent privacy (WEP). That’s the good news. The bad news is that users often don’t enable WEP. According to Chris Kozup, program director of technology research services for Meta Group, some “war drives” – a term for cruising a business district looking for wireless networks – have shown 60 to 70 per cent of access points are unsecured. That number is skewed by public hotspots and consumer networks, and Kozup says less than 15 per cent of corporate networks aren’t battened down – the number has dropped significantly over the last three years thanks to media exposure and product improvements, but that’s still a lot of business data left wide open to interception.
More bad news: WEP isn’t bulletproof.
“WEP is an old protocol now and the weaknesses are increasingly well understood,” says Kozup. The biggest problems are its static, shared keys and the limited size of the initialization vector (IV). The IV and secret key are used together to create a random keystream to encode data for each plain text stream. But because the IV is only 24 bits, it’s only a matter of hours before IVs repeat, and they are sent in clear text. A hacker only has to capture about one million packets to reverse-engineer the key.
WEP has no mechanism for authentication, only encryption. One alternative to WEP is WPA (WiFi protected access), which includes both. Intended to be part of the 802.11i specification – which should be ratified this June – the first version of WPA is available now.
Temporal Key Integrity Protocol (TKIP) is essentially Version 2 of WEP, but the name TKIP avoids recalling WEP’s insecure reputation, says Kozup. TKIP has a message integrity check function – called MIC or Michael – that significantly reduces the likelihood of man-in-the-middle attacks, says Kozup.
It also better manages IV generation, and the IV size has been doubled to 48 bits, virtually eliminating collisions. Unlike WEP, it changes keys during a session, making it much harder to crack, says Steve Rampado of Deloitte.
In addition to TKIP’s encryption, WPA also has an authentication scheme called 802.1x, which blocks traffic at the port level until it’s passed by a back-end authentication server.
The 802.11i standard will incorporate advanced encryption standard (AES), generally regarded as “significantly more robust” than TKIP, says Kozup.
Many organizations are going the route of virtual private networks using IPSec to secure their networks.
“This approach is viable, but should be seen mostly as a tactical step,” says Kozup. “VPNs don’t work well in a mobile environment, are costly, and are not supported on a wide variety of client devices.”
So the technology is available to secure wireless access to your network – at least, at the access points you’re aware of. But that might not be all of them.
“Rogue access points come into being quite easily,” says Rampado. “It’s as easy as an internal employee purchasing a $200 access point from a store like Future Shop and plugging it into a boardroom or office.” All too often, users want a quick network setup for a new machine without having to wait for the IT department, or just want the convenience of working on their laptops without having to fuss about with Ethernet cables.
It’s a practice that has to be stopped.
“The first step is to establish a policy banning the deployment of rogue APs,” says Kozup. Detecting them is another matter.
Access point mapping software is freely available over the Internet, says Rampado, and frequency scanners can help locate rogue access points. An AP scan should be part of every regular IT audit, he says.
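One way to turn an AP scan into audit findings, as an added example that is not part of the original article. The inventory, SSID, signal threshold and scan rows are all hypothetical values constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Beacon:
    bssid: str       # access point MAC address
    ssid: str
    channel: int
    security: str    # "open", "wep" or "wpa"
    rssi_dbm: int    # received signal strength

# Hypothetical inventory of approved access points: BSSID -> expected SSID.
AUTHORIZED = {"00:11:22:aa:bb:01": "CORP-WLAN", "00:11:22:aa:bb:02": "CORP-WLAN"}
ON_PREMISES_RSSI = -60   # assumed threshold: stronger than this is likely in the building

# Constructed scan results, not real survey data.
SCAN = [
    Beacon("00:11:22:AA:BB:01", "CORP-WLAN", 1, "wpa", -48),
    Beacon("00:11:22:aa:bb:02", "CORP-WLAN", 6, "wep", -55),
    Beacon("00:de:ad:00:00:10", "linksys", 11, "open", -42),
    Beacon("00:de:ad:00:00:11", "CORP-WLAN", 6, "wpa", -70),
    Beacon("00:de:ad:00:00:12", "CoffeeShop", 3, "open", -85),
]

def audit(scan, authorized=AUTHORIZED, threshold=ON_PREMISES_RSSI):
    """Return (bssid, finding) pairs for an IT audit report."""
    corp_ssids = set(authorized.values())
    findings = []
    for b in scan:
        bssid = b.bssid.lower()                 # normalise MAC case
        if bssid in authorized:
            if b.ssid != authorized[bssid]:
                findings.append((bssid, "ssid-mismatch"))
            if b.security in ("open", "wep"):   # approved AP, weak protection
                findings.append((bssid, "weak-encryption"))
        elif b.ssid in corp_ssids:              # unknown AP using the company SSID
            findings.append((bssid, "unauthorized-ap-corporate-ssid"))
        elif b.rssi_dbm >= threshold:           # unknown AP that looks on-site
            findings.append((bssid, "unauthorized-ap-strong-signal"))
    return findings                             # weak, unknown neighbours are ignored

if __name__ == "__main__":
    for bssid, finding in audit(SCAN):
        print(bssid, finding)
```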
The essence of security policies doesn’t change from a wired to a wireless environment, Rampado says – wireless is simply another information carrier that has to be secured.
But the borderless nature of radio makes security more critical, says Kozup.
“Security policies need to be more clearly communicated and enforced than was probably previously the case in the wired domain,” he says. But as the wireless network becomes more tightly integrated with the wired network, “the level of security and the types of security policies and processes will converge and become just as critical across wired and wireless networks,” he says.