Wireless network security holes and initial plugs
Security concerns have already become a key issue for wired networks. In the annual Computer Security Institute/FBI Computer Crime and Security Survey this year, most U.S. corporations reported attacks on networks in the past 12 months. Less than half knew the actual dollar value, but 273 companies reported cumulative losses of $265.6 million.
Wireless LANs (WLANs) encounter many of the same security problems that affect a wired LAN, plus a few more. In a wireless environment, the potential for a transitive trust attack and infrastructure denial of service attacks appears to be higher.
Mike Vergara, director of product marketing at RSA Security, Inc., the largest security company in the United States by revenue, said that authentication is the key to WLAN security.
“In my opinion, the most important element to encourage is authentication. People are just not doing it with consistency in wireless networks,” Vergara said. “I’m not speaking of confirming that a particular computer is on the wireless LAN. I’m talking about confirming who is on the computer on the LAN.”
The Federal Trade Commission, like many users, is looking to hear a “state-of-the-union” message on wireless networks and technologies. High on the list will be the issue of personal data security and the chances of widespread identity theft as more wireless devices converge into single products. WLANs operate in the same portion of the 2.4-GHz band, creating a need for caution.
“Most users are lazy, and they are the weakest link in the security chain for wireless networks,” Vergara said. “People worry about data privacy—someone stealing their credit card number in transit—but the technology exists to solve that problem now. It just has to be used.”
Existing security measures
The basic Institute of Electrical and Electronics Engineers 802.11 wireless standard provides for two methods of security: authentication and encryption, both of which are receiving industry-wide attention.
Authentication refers to the way in which one station is verified to have authorization to communicate with a second station in a given coverage area. Generally, in the infrastructure mode, authentication is based between an access point and each station with either an open system or a shared key. In an open system, any station may request authentication and the station receiving the request grants authentication based on a user-defined list. In a shared key environment, optional encryption plays a hand.
Encryption in a WLAN allows for a level of security comparable to that of a wired LAN. In the IEEE 802.11 standard, the Wired Equivalent Privacy (WEP) feature uses the RC4 Pseudo-Random Number Generator (PRNG) algorithm from RSA Security, Inc. The IEEE accepted this algorithm because it is self-synchronizing, computationally efficient, exportable, robust, and optional.
In October, RSA Security announced its support of the new Advanced Encryption Standard (AES) and previewed plans to incorporate this symmetric key algorithm into its security software. The National Institute of Standards and Technology (NIST) announced that the Rinjdael algorithm was chosen to become the new AES. This replaced the current Data Encryption Standard (DES) algorithm.
The minimum encryption built into 802.11b WLANs should be sufficient for many applications. A user can implement network layer encryption, such as Internet Protocol Security (IPSec) across both wired and wireless portions of the network, eliminating the need for 802.11 security. The customer can have critical applications encrypt their own data, including network data such as Internet Protocol (IP) and Media Access Control (MAC) addresses.
The primary culprit in compromised security is human error in not turning on security features, according to security analysts involved in the wireless field. The built-in WEP encryption protocol must be turned on after installation. Gartner analyst John Pescatore, who formerly worked in national security, estimated earlier this year for Computerworld that only about 20 percent of users actually turn on the WEP feature. (TechRepublic is a subsidiary of Gartner.)
Other access control methods are possible, such as the identification value called an Extended Service Set ID (ESSID), which is programmed into each access point to identify which subnet is on. This can be used to check authentication.
In November, the Datamonitor group issued a white paper based on research that focused on 25 major companies worldwide. The paper tabulated research from more than 12,000 consumers, and the results suggested that more than $15 billion worth of damage worldwide is caused by e-security breaches. Yet business investment on network security is only half that figure. Datamonitor reported that more than 50 percent of businesses worldwide spend just 5 percent or less of their IT budget on securing their networks. Education and user knowledge of what steps can be taken were cited as paramount in the report.
New tools for users
A number of companies at Comdex 2000 announced devices and products that assist in securing wireless devices and networks. Among the new offerings was Ensure Technologies’ XyLoc 3G, the third-generation of its wireless PC security solution. Xyloc 3G automatically secures notebooks and personal computers when the user steps away and unlocks the PC upon the user’s return, sometimes requiring additional authentication. New features include XyCrypt, which automatically encrypts files to prevent unauthorized access, and the Personalization Wizard, which allows custom settings. Ensure also added the advanced wireless protocols of Bluetooth to this release.
VeriSign has seen a market opportunity to offer a wireless developer program that will eventually help make buying items from the Web using a mobile device as secure as doing so from a desktop. It also has plans to collaborate with the WAP Forum to beef up the security of the wireless protocol. VeriSign approaches security issues by creating a certificate infrastructure on the server and client side. Motorola, in agreements with VeriSign, Entrust Technologies, and Baltimore Technologies, embeds certificate and PKI code in its WAP gateways already.
VeriSign, which is a spinoff of RSA Security, could see additional business from users of wireless networks, since the digital certificate provides a form of authentication. “It could serve a purpose for VPNs and wireless VPNs,” Vergara said.
New tools for wireless networks
At the server level, Lucent Technologies has released its new ORiNOCO AS-2000 access server for WLANS, featuring per-user, per-session encryption that provides high levels of security to each wireless session. It also adds a built-in RADIUS Client that enables user authentication, authorization, and accounting to control access to the entire wireless network. This is a leap from the traditional shared-key wireless LAN systems, eliminating the need for manual intervention.
And earlier this year, Cisco presented a proof-of-concept demonstration of its next-generation security capabilities for WLANs, involving the next IEEE draft proposal 802.1x and the Extensible Authentication Protocol (EAP). The system provides robust security administration and management in Windows 2000 clients for user-based authentication and wireless security management.
Have you trained your users on how to work securely? Has your wireless network ever been invaded? Send us your tips on how to keep your wireless network secure.
Dawn Marie Yankeelov is president of ASPectx, a Web consulting and marketing practice that supports technology companies and provides competitive intelligence to its clients. Visit her Web site at dawnmarie.com.