Security standards improve: improved encryption standards offer better wireless safeguards - Wireless

Communications News, Jan, 2002 by Joe Savarese

Wireless LANs (WLANs) and wireless WANs (WWANs) use different technologies and meet different needs. Their security challenges are similar, however, and a single security solution can be deployed over both kinds of networks.

The confidentiality of information is vital, since anyone connected to a WLAN or WWAN can eavesdrop. The security methods must also take the user experience into account: A method that is too much trouble will not be used.

Seamless roaming between networks is well served by virtual private network (VPN) technology for wireless mobility, which connects network components and resources through secure protocol tunnels. Mobile devices on disparate networks thus appear to share a common backbone.

VPN technology normally operates at the network layer and above. Vendors of Wi-Fi-compliant devices, by contrast, supply encryption capabilities at the media access layer, based on the wired equivalency protocol (WEP) standard. The intent of the WEP standard is to use cryptography to make wireless LANs as secure as wired ones. Concerns have been raised, however, that the cipher mechanism chosen for WEP is poorly suited to the way it is used in 802.11b environments.
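An added illustration of the concern above (not part of the original article): WEP encrypts each frame with the RC4 stream cipher keyed by a 24-bit per-frame IV concatenated with the shared key, details the article does not spell out. The constructed frames below show that two frames sharing an IV share a keystream, and a helper (`find_iv_reuse`, a hypothetical name) flags such reuse in a capture.

```python
from collections import defaultdict

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 stream cipher: XOR data with the keystream derived from key."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key scheduling
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # keystream generation
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)

def wep_style_encrypt(iv: bytes, shared_key: bytes, payload: bytes) -> bytes:
    """Per-frame key is IV || shared key, as in WEP (CRC-32 ICV omitted)."""
    return rc4(iv + shared_key, payload)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def find_iv_reuse(frames):
    """Return {iv: [frame indexes]} for every IV seen on more than one frame."""
    seen = defaultdict(list)
    for idx, (iv, _ciphertext) in enumerate(frames):
        seen[iv].append(idx)
    return {iv: idxs for iv, idxs in seen.items() if len(idxs) > 1}

# Constructed sample data: a 40-bit shared key and three frames, two sharing an IV.
SHARED_KEY = bytes.fromhex("0102030405")
PAYLOADS = [b"GET /payroll.xls", b"user=alice&pin=1", b"keepalive-000001"]
IVS = [bytes.fromhex("00002a"), bytes.fromhex("00002b"), bytes.fromhex("00002a")]
FRAMES = [(iv, wep_style_encrypt(iv, SHARED_KEY, p)) for iv, p in zip(IVS, PAYLOADS)]

def keystream_cancels(frames, a: int, b: int, payloads) -> bool:
    """True if XOR of two ciphertexts equals XOR of their plaintexts (no key needed)."""
    return xor(frames[a][1], frames[b][1]) == xor(payloads[a], payloads[b])

if __name__ == "__main__":
    print("reused IVs:", find_iv_reuse(FRAMES))
    print("frames 0/2 leak plaintext XOR:", keystream_cancels(FRAMES, 0, 2, PAYLOADS))
    print("frames 0/1 leak plaintext XOR:", keystream_cancels(FRAMES, 0, 1, PAYLOADS))
```

With only 2^24 possible IVs and one shared key for every station, repeats are unavoidable on a busy network, which is why confidentiality is better provided by a VPN layered above the link.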

Industry analysts and the Wireless Ethernet Compatibility Alliance recommend that enterprises deploy VPN technology, which directly addresses the security problem, and also provides advanced features like network and subnet roaming, session persistence for intermittent connections, and battery life management for mobile devices.

Compared to WLANs, WWANs operate at much lower speeds and over greater distances. The security used for the wireless link depends on the access technology and the telecommunications carrier.

For example, in global system for mobile communications and derivative networks, subscriber identity mechanism cards are used to supply key information used during encryption. Although all of these WWAN security systems encrypt the data while it is being transmitted, security becomes the responsibility of the individual user once the data leaves the wireless interconnect and travels over a public network, such as the Internet.

To protect data from end to end, enterprises typically deploy wireless-optimized VPNs, just as they do with Wi-Fi networks. A VPN for WWANs should offer features specific to wireless networks and use standard protocols such as Layer 2 tunneling protocol/IPsec.

The most popular encryption algorithm deployed today is the data encryption standard (DES) as defined by the U.S. government. Improvements in processing power, however, have left the default 56-bit keys used by DES vulnerable to attack. To increase the level of privacy, many vendors have adopted what is commonly known as triple-DES. This involves running the same DES algorithm three times, using three separate keys. Unfortunately, this is processor intensive, making it inappropriate for less powerful wireless devices. In addition, tripling the key length to 168 bits does not improve privacy significantly.

To provide strong encryption with improved performance, the National Institute of Standards and Technology selected Rijndael ("Rhine-doll") as the new advanced encryption standard (AES). Rijndael's low memory requirements and high performance make it suitable for mobile computing. The standard specifies three different key sizes: 128, 192 and 256. When selecting a VPN for wireless networks, choosing one that supports Rijndael yields improved performance and significantly stronger security.

Other attributes found in good WWAN VPNs include compression to increase perceived link speed; link optimizations to reduce protocol chattiness; and session persistence to handle times when the mobile station is in a coverage hole (where coverage is bad or blocked), detached from the network or suspended to conserve battery life. Session persistence is crucial, since it lets the user keep the established session and VPN tunnel connected--even if a coverage hole is entered during an application transaction.

In Wi-Fi networks, poorly selected algorithms make for weak security. Users need to be able to roam to different subnets or networks while maintaining security associations. To make the mobile devices more usable, users have to be able to maintain their application sessions.

In WWANs, the network architecture sets the need for additional security measures. Coverage is spottier and the network is slower. Wireless users need session persistence, link optimizations and compression for the network to be usable.

In both types of networks, analysts recommend the use of VPNs for in-depth defense. The VPN should support standard security encryption algorithms and wireless optimizations suitable for today's smaller wireless devices.


Savarese is CTO of NetMotion, Seattle, WA, www.netmotionwireless.com

COPYRIGHT 2002 Nelson Publishing
COPYRIGHT 2002 Gale Group
