Securing the WLAN: Are the Alphabet Standards Finally Soup?
Wireless networking has changed how corporate America connects its computers. With the increasingly mobile employee and his or her laptop, what started as a cheap, easy solution for home networking has now become common in the commercial sector as well. And why not? To the business community the appeal of a quick and cheap deployment — look ma, no wires – and transparent administration, is just too good an opportunity to ignore. There is always a catch, alas: Wireless technology would have been adopted even faster if it had not had some serious built-in security flaws.
Because of its consumer sector origins, the developers of 802.11 (define) and the other wireless protocol standards gave little or no thought to security, scalability or network management. When the average deployment was one access point and three computers, nobody was thinking about neighbors getting free internet access courtesy of sloppy or minimal security. The earliest appearance of wireless in the corporate world was when bright technical people realized that little access point at home would work equally well in the office – with just as little security. Once the network administrators recognized that they needed to control the access points, they obviously demanded a higher level of security and accountability from the vendors.
The last time we seriously looked at wireless networking security, the industry was clearly still in its infancy. The earliest network security standard, WEP (Wired Equivalent Privacy) (define) with its weak 40 or 104 Bit encryption, had only recently become available on access point hardware and client software. Fortunately wireless security standards have come along way since then. With the long-anticipated June 2004 adoption of the IEEE (define) 802.11i security standard, the wireless industry now has a strong set of standards and tools that will allow companies to create wireless networks as secure as traditional wired networks. Let us look at the 802.11i standard, see how it works, and explore how it will shape your ability to build secure wireless networks for your business.
Real Wireless Network Security, Just a Year Behind Schedule
After years of limping along with the seriously insecure WEP, the IEEE 802.11i wireless security standard was finally officially adopted in June 2004 – only a year later than originally planned. Because the new standard was delayed so long, the Wi-Fi Alliance, a wireless vendor trade association, created an interim standard called WPA (Wi-Fi Protected Access) (define) to address the shortcomings of WEP; enough to build equipment that would be acceptable to the huge business market that was demanding better security – now!
WPA was developed based on the then-emerging 802.11i standard. It utilized the Temporal Key Integrity Protocol (TKIP) (define) which specifically addressed a major security flaw with WEP: The widely known encryption keys were hard-coded into the chipset. TKIP allows the system to create dynamic keys, important for strong encryption. TKIP was previously known as WEP2, which just adds to the confusion of the already befuddled consumer. The WPA standard was broadly adopted, and since 2002 every major vendor includes TKIP in their devices.
Ironically, the 802.11i standards committee then incorporated Wi-Fi Alliance's work into the emerging standard. The body decided to change the basic security algorithm to the US government's official cipher, Rijndael (AES) (define) — a far more secure encryption method. To allow for backwards compatibility, the standard now allows for two alternative encryption methods, because the more advanced and secure form requires special hardware that was never deployed in older devices. Vendors will have a choice of TKIP or AES based encryption schemes. Bowing to market demand, vendors have been incorporating the AES compatible hardware in their devices for several years, but since they were guessing somewhat on how the standards would finally develop, many devices may require a software upgrade to be fully compatible with 802.11i. In some cases, just a driver upgrade will be all that is necessary, but in others, a full CMOS flash may be called for.
Some important new features of the standard are that keys can be assigned on a per-user basis and changed whenever necessary, rather than shared by an entire network. A key is used to authenticate the sender of each individual packet, preventing a classic "man in the middle" attack where the session is hijacked after the login session has been established. Wireless networks are particularly vulnerable to these types of attacks. Both features add significant additional security to offset the inherently public and insecure nature of the wireless data networking environment.
What's It All Mean in Practice?
The new standard will mean that wireless equipment vendors will finally be able to produce a new generation of equipment that will meet the increasingly exacting security standards of the modern IT infrastructure. Until recently, many corporations have been reluctant to deploy major installations of wireless networks. Hospitals and educational institutions have been so compelled by the advantages of wireless that they have been willing to work around the security issues by creating their wireless networks as separate "untrusted" networks within their network infrastructure. Some have even gone so far as to incorporate firewalls and VPNs to allow wireless LAN access to the corporate systems. This has made more work for network administrators, and unhappy senior IT management, who see increasing overhead and support costs associated with a technology that is supposed to be dramatically less expensive to deploy.
The good news for customers is that the standards allow for at least some backwards compatibility with older hardware, which means that there will be no need for massive upgrade projects – unless the nature of the company's business requires a higher level of security. If that is the case, the company has probably been shying away from a wireless deployment anyway. For the extremely security conscious, the incorporation of the new standards into vendor equipment may finally mean a comfort level to allow consideration of a wireless deployment.
What a Difference a Year Makes…
Two years ago, wireless networking was strictly for homes, SOHO's (define) and tech-heads. Corporations were justifiably wary because of the weak security, paucity of real management tools, and the lack of equipment geared to the large-scale installations demanded by the business community. With the new 802.11i standard finally in place the security concerns can finally be properly addressed.
To answer the obvious question, has the wireless networking security problem finally been solved yet? The answer is, for the most part, yes. As companies rush to incorporate the new 802.11i security standard into their products in the next year or two, there will be a dramatic improvement in wireless networking security. In the meantime, TKIP or WEP2 maintains interoperability with the older chipsets deployed in the marketplace, and already offers improved security for those who cannot wait.
- IEEE 802.11 General Information website - http://www.ieee.org/portal/index.jsp?pageID=corp_level1&path=about/802std&file=index.xml&xsl=generic.xsl
- The evolution of wireless security in 802.11 networks: WEP, WPA and 802.11 standards - http://www.sans.org/rr/papers/68/1109.pdf
Beth Cohen is president of Luth Computer Specialists, Inc., a consulting practice specializing in IT infrastructure for smaller companies. She has been in the trenches supporting company IT infrastructure for over 20 years in different industries including manufacturing, architecture, construction, engineering, software, telecommunications, and research. She is available for consulting to help your company identify the right IT infrastructure to meet your business objectives.