Is "wireless security" an oxymoron? Risk assessment, audits and encryption are important elements of a secure Wi-Fi network - Guest Column

Communications News, July, 2003 by Michael Sutton

Wi-Fi, or 802.11x networking, has achieved tremendous market penetration in the past two years, primarily due to low price and ease of use. Unfortunately, the very nature of its user-friendly design makes Wi-Fi an insecure technology. In spite of warnings, many companies continue to deploy these networks without regard to the risks--making the concept of "wireless security" an oxymoron.

In its default state, a Wi-Fi network is open to everyone. Wireless networks can be secured, but these measures require adequate planning before deployment. So, is the technology itself insecure, or are companies insecurely deploying the technology? With companies failing to implement available security controls, the answer is the latter.

Like all new technologies, Wi-Fi should never be deployed without an appropriate risk assessment. Wi-Fi should ultimately meet a business need, as security risks cannot be justified simply by a "cool" or convenient technology.

Once a Wi-Fi network gains approval, proper policies must be established. Define the appropriate data and activities to correspond with the level of security, and ensure that employees understand not just the policies, but also the risks.

Additionally, wireless policies should cover not only the LAN, but also third-party wireless networks (hotspots) where business may be conducted. Since hotspots are open, shared networks, these sites must be treated as insecure and policies must address whether such networks are acceptable in the first place. If so, users should, at a minimum, employ virtual private network technology to access company resources.

Wi-Fi networks can and should be more secure than wired counterparts. This may seem counterintuitive, given the number of insecure networks already deployed, but wireless networks should always use something wired networks rarely do--encryption.

The encryption scheme built into Wi-Fi is known as wired equivalent privacy (WEP). WEP, though, is not a complete security solution because it was never designed as one. If sensitive data exists on the network, a higher level of encryption is needed, such as the Advanced Encryption Standard (AES). Unfortunately, this generally requires users to stick with one vendor, as implementations offered by Wi-Fi vendors are proprietary, and rarely compatible.

Beyond encryption, authentication protocols further secure Wi-Fi infrastructure. One emerging standard, 802.1x, works in conjunction with extensible authentication protocol (EAP) to transmit traffic to and from authentication servers. An 802.1x/EAP solution can accommodate most authentication schemes from traditional user names and passwords to smart cards.

The challenge in deploying 802.1x today is one of compatibility. In order to authenticate using 802.1x, the client must support the protocol, either at the operating system level or through separately installed client software. Windows XP inherently supports 802.1x, but older versions of Windows require add-on products. This issue will diminish over time, as new versions of operating systems will likely support the protocol.

The IEEE has established a task group (802.11i) to address Wi-Fi security issues. When completed, the 802.11 standards will enable Wi-Fi vendors to develop hardware with compatible security controls. Until then, however, Wi-Fi users may be in the unenviable position of needing to maintain brand loyalty when deploying such advanced security features as strong encryption and network authentication. This must be taken into account when making the initial decision to deploy Wi-Fi. If immediate deployment is unnecessary, waiting for industry standards that should arrive later this year may be wise.

Once a Wi-Fi network has been deployed, do not relax. Security audits must occur regularly. Wi-Fi's low cost and ease of use also present a unique security challenge: with minimal effort, a well-intentioned but misguided employee could deploy a rogue access point. One insecure access point creates a gaping hole in a network's security. Security audits should include scanning for unauthorized wireless networks.
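As an illustration of the audit step described above, the following added example (not part of the original column) compares a wireless scan against an inventory of approved access points. The inventory, the CSV scan format, the encryption labels and the -70 dBm "on premises" threshold are all assumptions constructed for the example.

```python
import csv
import io

# Constructed inventory of approved access points: BSSID -> expected settings.
AUTHORIZED = {
    "00:11:22:33:44:01": {"ssid": "CorpNet", "encryption": "AES"},
    "00:11:22:33:44:02": {"ssid": "CorpNet", "encryption": "AES"},
}

# Constructed scan results, in a hypothetical CSV export from a site survey.
SAMPLE_SCAN = """bssid,ssid,channel,encryption,signal_dbm
00:11:22:33:44:01,CorpNet,1,AES,-48
00:11:22:33:44:02,CorpNet,6,WEP,-55
00:aa:bb:cc:dd:10,CorpNet,11,AES,-40
00:AA:BB:CC:DD:20,linksys,6,NONE,-35
00:AA:BB:CC:DD:30,CoffeeShop,3,NONE,-88
"""


def audit_scan(scan_csv, authorized, onsite_dbm=-70):
    """Return (bssid, finding) tuples for access points that need follow-up."""
    approved = {bssid.upper(): ap for bssid, ap in authorized.items()}
    corp_ssids = {ap["ssid"] for ap in approved.values()}
    findings = []
    for row in csv.DictReader(io.StringIO(scan_csv)):
        bssid = row["bssid"].strip().upper()
        ssid = row["ssid"].strip()
        enc = row["encryption"].strip().upper()
        known = approved.get(bssid)
        if known:
            # Approved hardware that has drifted from policy (e.g. fell back to WEP).
            if ssid != known["ssid"] or enc != known["encryption"].upper():
                findings.append((bssid, "authorized AP misconfigured"))
        elif ssid in corp_ssids:
            # Corporate network name on hardware that is not in the inventory.
            findings.append((bssid, "unknown AP advertising corporate SSID"))
        elif int(row["signal_dbm"]) >= onsite_dbm:
            # Strong signal suggests the device is inside the building.
            findings.append((bssid, "unknown AP with strong signal"))
        # Weak unknown signals are most likely neighbouring networks; not reported.
    return findings


if __name__ == "__main__":
    for bssid, finding in audit_scan(SAMPLE_SCAN, AUTHORIZED):
        print(f"{bssid}  {finding}")
```

Signal strength alone does not prove a device is plugged into the corporate LAN, so each finding is a lead for physical follow-up rather than a verdict.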

Ultimately, Wi-Fi is here to stay. As with most technologies, the weak link in the Wi-Fi security chain is the human factor. A rush to deploy Wi-Fi without an appropriate risk assessment, policy development and security controls can be a disaster waiting to happen.

For more information from iDEFENSE: www.rsleads.com/307cn-261

Sutton is the director of product development for iDEFENSE, a security intelligence company in Reston, Va. Send comments for publication to guest@comnews.com.

COPYRIGHT 2003 Nelson Publishing
COPYRIGHT 2003 Gale Group

 
