Security tools play catch-up to wireless

NIST says take these four steps

  • Set a wireless security policy

  • Standardize device configurations to reflect the policy

  • Control and manage the configurations

  • Train users in security awareness

    All the vulnerabilities of wired networks apply to wireless ones, and then some, the National Institute of Standards and Technology has warned agencies.

    Reasonable security for a wireless LAN takes at least as much attention as a wired network, NIST said in a draft of Special Publication 800-48 that was released recently for public comment. 'Agencies should understand that maintaining a secure wireless network is an ongoing process,' NIST said.

    Powerful attraction

    Users see the obvious attraction of mobility with IEEE 802.11 wireless LANs. Even better, their data rates can range up to 11 Mbps for 802.11b equipment and 54 Mbps for 802.11a, over distances of 50 to 300 feet or farther.

    But 'when you add bandwidth, you give up range and coverage,' said Tom Dowd, principal product manager for wireless access point maker Intermec Technologies Corp. of Everett, Wash.

    As with most emerging technologies, security for wireless was only an afterthought.

    The original security component of the IEEE 802.11 standard was the Wired Equivalent Privacy (WEP) protocol, which has been criticized for weak encryption and poor key management: every station shares one static key, and the short 24-bit initialization vector that is prepended to it for each packet repeats often enough that keystreams get reused. A subsequent enhancement, 802.1x, is a port-based access control framework that authenticates each wireless client at the access point before granting network access and lets the access point hand the client a fresh per-session key instead of relying on the shared static one. But it has weaknesses, too.
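    An added illustration of the key-management criticism, written for this page and not taken from the article, NIST's draft or any vendor product: WEP builds each packet's RC4 key as the 24-bit IV (sent in the clear) followed by the static shared key, so any two frames that reuse an IV share a keystream, and XORing their ciphertexts cancels that keystream entirely. The key, IV and frame contents below are constructed, and the 32-bit integrity check value is left out for brevity.

```python
# Added example, not from the article or NIST SP 800-48: a WEP-style RC4
# demonstration of why a static shared key plus a 24-bit initialization
# vector (IV) is "poor key management". Key, IV and frame contents below
# are constructed for illustration.
import math


def rc4(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `key` (KSA followed by PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                    # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(secret: bytes, iv: bytes, frame: bytes) -> bytes:
    """WEP encryption of a frame body: the per-packet key is IV || secret.
    The IV travels in the clear; the 32-bit ICV is omitted for brevity."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    return xor_bytes(frame, rc4(iv + secret, len(frame)))


def recover_with_known_plaintext(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """Two frames under the same IV and key share a keystream, so
    c1 XOR c2 == p1 XOR p2. Knowing a prefix of p1 exposes the same prefix of p2."""
    n = len(known_p1)
    return xor_bytes(xor_bytes(c1[:n], c2[:n]), known_p1)


def iv_collision_probability(frames: int, iv_bits: int = 24) -> float:
    """Birthday-bound probability that at least one IV repeats among `frames`
    frames with independently random IVs (sequential IVs simply wrap after 2**24)."""
    n = 2 ** iv_bits
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * n))


def frames_for_collision_probability(p: float, iv_bits: int = 24) -> int:
    """Smallest frame count at which the birthday bound reaches probability p."""
    n = 2 ** iv_bits
    return math.ceil(math.sqrt(2.0 * n * math.log(1.0 / (1.0 - p))))


# Constructed demo data: a 104-bit shared key, one IV used twice, and two
# frames that both begin with the predictable LLC/SNAP header of an IP packet.
SECRET = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3")
IV = b"\x00\x00\x2a"
LLC_SNAP_IP = bytes.fromhex("aaaa030000000800")
FRAME1 = LLC_SNAP_IP + b"payload of a frame we happen to know"
FRAME2 = LLC_SNAP_IP + b"secret contents of some other frame"


def demo() -> bytes:
    """Encrypt both frames under the reused IV and recover FRAME2's header
    from the ciphertexts and the known header of FRAME1."""
    c1 = wep_encrypt(SECRET, IV, FRAME1)
    c2 = wep_encrypt(SECRET, IV, FRAME2)
    return recover_with_known_plaintext(c1, c2, FRAME1[: len(LLC_SNAP_IP)])


if __name__ == "__main__":
    print("recovered header:", demo().hex())
    print("frames for 50% chance of an IV repeat:", frames_for_collision_probability(0.5))
```

    The birthday estimate is the practitioner's rule of thumb here: with random IVs a repeat becomes more likely than not after a few thousand frames, which a busy access point sends in seconds, and the recovery needs nothing but a predictable header such as the LLC/SNAP prefix every IP frame carries. Rotating the shared key does not change the IV space; only per-session keys, which the 802.1x approach discussed later in the article provides, shrink the window.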

    NIST suggests patience. Vendors and standards bodies are 'aggressively working towards more robust, open and secure solutions,' the draft said. 'It may be prudent for some agencies to simply wait for these more mature solutions.'

    Meanwhile, vendors are working to layer on more protection for their existing wireless products.

    'The biggest problem with security is that people don't use it,' said Mark Shapiro of access point maker Proxim Inc. of Sunnyvale, Calif. Shapiro said the flawed WEP can be adequate with a little help from virtual private networking.

    A VPN encrypts traffic between the client and a VPN gateway sitting behind the wireless network, so the data stays protected even if the radio link's own encryption is broken, and anyone who associates with the access point gets no farther than the gateway without VPN credentials. That cuts the risks of eavesdropping and unauthorized access.

    'Many administrators feel confident about that because they are familiar with VPNs,' said Lynn Lucas, Proxim's marketing director.

    Joint efforts

    Some VPN and wireless vendors are joining forces. Bluesocket Inc. of Burlington, Mass., last month announced its wireless gateway will interoperate with the SSH Sentinel VPN client from SSH Communications Security Corp. of Palo Alto, Calif. The disadvantage is that mobile VPN users must reauthenticate at each new access point.

    'In general, 802.1x is going to scale better' than a VPN, Lucas said. It uses dynamic key distribution and rekeying to improve encryption.

    Essential to 802.1x security is strong user authentication. Intermec has partnered with Funk Software Inc. of Cambridge, Mass., to provide strong authentication for its enterprise-level 802.1x access points.

    The 802.1x standard does not mandate a particular authentication method. In practice the access point forwards the client's credentials to a back-end server, most often over the Remote Authentication Dial-In User Service (RADIUS) protocol, and admits the client only when that server says yes. Funk Software developed its Odyssey RADIUS server exclusively for wireless LANs. The server authenticates access requests from users according to a set policy.

    'The market has chosen user name and password' as the most common authentication requirements, Funk vice president Joseph Ryan said. Odyssey supports other types such as tokens, software certificates and biometric identifiers.
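    What the access point and the server actually exchange, as an added example written for this page rather than code from Funk, Intermec or the article: a minimal RADIUS Access-Request and Access-Accept per RFC 2865, using the PAP-style User-Password hiding that fits the user name and password credential quoted above. The user table, passwords, shared secret and packet identifier are constructed for the demo; production 802.1x deployments carry EAP-Message attributes rather than a hidden password, and the two sides' shared secret is the only thing binding the reply to the request.

```python
# Added example, not from the article or any vendor product: a minimal
# RADIUS Access-Request / Access-Accept exchange between an access point
# (the 802.1x authenticator) and an authentication server, per RFC 2865.
# User-Password hiding is the PAP form; real 802.1x carries EAP-Message
# attributes instead. User names, passwords, the shared secret and the
# packet identifier below are constructed for the demo.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks, then
    c_i = p_i XOR MD5(secret || c_{i-1}), with the Request Authenticator as c_0."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of hide_password; the server strips the zero padding."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out, prev = out + _xor(block, hashlib.md5(secret + prev).digest()), block
    return out.rstrip(b"\x00")


def encode_attrs(pairs) -> bytes:
    """Type-Length-Value attributes; length counts the two header bytes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in pairs)


def decode_attrs(body: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(body):
        t, ln = struct.unpack("!BB", body[i:i + 2])
        attrs[t] = body[i + 2:i + ln]
        i += ln
    return attrs


def ap_build_request(user: bytes, password: bytes, secret: bytes, ident: int, req_auth=None) -> bytes:
    """Authenticator side: a fresh random Request Authenticator keys the password hiding."""
    req_auth = req_auth or os.urandom(16)
    attrs = encode_attrs([(USER_NAME, user),
                          (USER_PASSWORD, hide_password(password, secret, req_auth))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def server_handle(pkt: bytes, secret: bytes, users: dict) -> bytes:
    """Server side: recover the password, apply policy (a user table here) and sign
    the reply: Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attrs|Secret)."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    req_auth, attrs = pkt[4:20], decode_attrs(pkt[20:length])
    supplied = reveal_password(attrs.get(USER_PASSWORD, b""), secret, req_auth)
    ok = code == ACCESS_REQUEST and users.get(attrs.get(USER_NAME)) == supplied
    reply_attrs = b""
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20 + len(reply_attrs))
    resp_auth = hashlib.md5(header + req_auth + reply_attrs + secret).digest()
    return header + resp_auth + reply_attrs


def ap_verify_response(resp: bytes, req_auth: bytes, secret: bytes) -> bool:
    """Authenticator side: trust the reply only if its Response Authenticator matches;
    a party without the shared secret cannot forge an Access-Accept."""
    header, resp_auth, attrs = resp[:4], resp[4:20], resp[20:]
    expected = hashlib.md5(header + req_auth + attrs + secret).digest()
    return hmac.compare_digest(resp_auth, expected)


def run_exchange(user: bytes, password: bytes, secret_ap: bytes, secret_server: bytes, users: dict) -> tuple:
    """Run one request/reply and return (reply code, reply verified by the AP).
    Passing different secrets for the two sides models a misconfigured shared secret."""
    req = ap_build_request(user, password, secret_ap, ident=7)
    resp = server_handle(req, secret_server, users)
    return resp[0], ap_verify_response(resp, req[4:20], secret_ap)


if __name__ == "__main__":
    users = {b"alice": b"correct horse"}          # constructed user table
    print(run_exchange(b"alice", b"correct horse", b"s3cret", b"s3cret", users))
    print(run_exchange(b"alice", b"wrong", b"s3cret", b"s3cret", users))
    print(run_exchange(b"alice", b"correct horse", b"s3cret", b"other", users))
```

    Two points the code makes that the prose does not: the password is hidden, not encrypted with a proper cipher, and its protection rests entirely on the MD5 of a shared secret and a per-request random value, which is why the secret must be long and random and why the access point must check the Response Authenticator before opening the port. The third call in the demo shows the failure mode of a mismatched secret: the server rejects the (now garbled) password and the access point refuses to trust the reply either way.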

    In another approach, Symbol Technologies Inc. of Holtsville, N.Y., replaces the conventional wireless access point with access ports connected to its Mobius Axon wireless switch. The switch works through the Ethernet connections to the ports to examine packets coming from them. Symbol's MobiusGuard software handles authentication, key management and encryption.

    Another new wrinkle in wireless security is location-enabled networking from Newbury Networks Inc. of Boston. Newbury's LocaleServer identifies the source of an access request based on a signal-strength signature unique to each wireless network card in a given environment.

    It can locate a signal to within 10 or 15 feet, 'so a little buffer area is necessary,' said Chuck Conley, Newbury VP of marketing.

    The security policy must define where access is permitted to keep freeloaders or hackers from piggybacking.

    None of these products or standards is adequate alone. Adequate wireless security requires proper configuration of access points and servers; strong authentication, encryption and key management on the wireless side; and firewalls, intrusion detection and physical security on the LAN side.

    Two variables determine the level of security that will be needed on any wireless LAN: the sensitivity of the data sent over the wireless segment, and the resources available to wireless users.

    About the Author

    William Jackson is freelance writer and the author of the CyberEye blog.
