Securing wireless LANs is a growing challenge with no easy solutions. The need to spend time, money and staff on beefing up security is hobbling the technology, yet customers still spent $US1.68 billion on wireless gear in 2002 and are expected to spend $US2.72 billion by 2006, according to Infonetics Research.
The IEEE is expected to fix wireless LAN security flaws by year-end with a new standard to be called 802.11i. This will purportedly clear up the problems identified with its predecessor, Wired Equivalent Privacy (WEP), namely that its authentication messages are easily forged and its encryption keys are poorly protected.
In the meantime, users who require secure wireless LANs are turning to supplemental security. While IP Security (IPSec) addresses the security problems, it is not perfect and brings along all the shortcomings it has in a wired network.
For example, the technology handles only IP traffic, not IPX or AppleTalk. It requires client software on all the remote machines. IPSec tunnels are point-to-point, so multicast traffic wastes a lot of bandwidth setting up all those tunnels.
“It’s kind of like the question about IPSec in general: it works well for some people, and doesn’t work well for others,” senior partner with Opus One, Joel Snyder, said.
Adding wireless into the mix was not going to change that very much.
IPSec works for Christopher Misra, network analyst for the University of Massachusetts at Amherst, which installed wireless hot spots in five public areas on campus last year for student use.
The hot spots were secured using Cisco Systems VPN gear Misra already had for a wired-network project. Because of WEP’s weaknesses, he decided on IPSec.
In the UMass network, each remote machine has a VPN client that creates a secure session with a VPN server located on the LAN side of the wireless access points. This prevents unauthorised machines from tapping into the network or picking off unsecured communications between authorised machines and the campus network.
Misra said he was satisfied IPSec secured the network, but it was not easy to implement. For security reasons, he wanted the wireless network to be logically separate from the wired network, and that required careful design.
“The complexity for us was in implementing the parallel network over our existing backbone,” he said.
Misra set up a separate virtual LAN (VLAN) for the access points and wireless clients to segregate the traffic and restrict where users can go on the network for security reasons.
“This required us to configure [VLAN] trunks to each building where we wanted to implement a wireless network,” he said.
Other challenges included installing clients on all student-owned machines, creating work for the help desk to assist technology-challenged users, he said.
Macintosh users are out of luck because the IPSec gear doesn't support their platform.
Another potential problem with IPSec is that VPN sessions could break when users move from one access point to another because the IP address changes. The break can freeze other applications, forcing users to reboot.
“It’s not a great way to handle mobility if you’re moving around,” vice-president of network security at VPN vendor WatchGuard Technologies, Mark Stevens, said.
The wireless security companies that offer an alternative to IPSec address some of these problems.
Ecutel has developed a technology that keeps application sessions alive when wireless devices move between access points. The transition becomes unnoticeable to users, the company said.
These security boxes sit on the LAN side of access points and typically include a firewall, authentication support and encryption. Some of these products, such as those from Bluesocket and ReefEdge, also do some management of wireless bandwidth by applying quality-of-service restrictions.
Fortress’ airFortress gear consists of three elements: client software; an appliance that handles encryption and network-layer authentication; and access-control-server software residing on a Windows NT server in the LAN.
The client includes a key it shares with the appliance for machine authentication; the access control server then confirms that the remote device is authorised to use the network, and the user is challenged for a name and password.
All traffic between the wireless machines and the airFortress appliance is encrypted using Data Encryption Standard (DES), Triple-DES or Advanced Encryption Standard (AES). Because the communication is bridged through the access point using only the source and destination media access control (MAC) addresses, each packet, including its Layer 3 headers, is encrypted.
This prevents hackers from gaining information about the wired network to which the wireless gear grants access, Fortress said.
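To make concrete the difference the article draws between an IPSec VPN and a Layer 2 scheme such as Fortress's (an on-air listener can still read the outer IP headers in IPSec tunnel mode, but sees nothing beyond MAC addresses when everything after the Ethernet header is encrypted), here is an added illustration that is not from the article or from Fortress. The addresses, the experimental ethertype and the hash-based `seal` standing in for DES/3DES/AES are constructed assumptions.

```python
import hashlib
import struct

# Constructed sample values: a wireless client talking to a server on the wired side
CLIENT_MAC = bytes.fromhex("020000000a01")
AP_MAC = bytes.fromhex("020000000b02")
CLIENT_IP, VPN_GW_IP, WIRED_SERVER_IP = "10.0.1.25", "10.0.1.1", "192.168.50.7"
ESP_PROTO, TCP_PROTO, ETH_IPV4, ETH_EXPERIMENTAL = 50, 6, 0x0800, 0x88B5


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header; checksum left zero (not needed for the demo)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))


def eth_header(ethertype):
    """Ethernet header: destination MAC, source MAC, ethertype."""
    return AP_MAC + CLIENT_MAC + struct.pack("!H", ethertype)


def seal(data, key):
    """Toy stand-in for the real cipher: XOR with a hash-derived keystream (not secure)."""
    stream = hashlib.sha256(key).digest() * (len(data) // 32 + 1)
    return bytes(a ^ b for a, b in zip(data, stream))


def inner_packet():
    payload = b"GET /payroll HTTP/1.0\r\n"  # constructed application data
    return ipv4_header(CLIENT_IP, WIRED_SERVER_IP, TCP_PROTO, len(payload)) + payload


def ipsec_tunnel_frame(key):
    """IPSec tunnel mode: outer IP header (client -> VPN gateway) in the clear, inner packet in ESP."""
    esp = seal(inner_packet(), key)
    return eth_header(ETH_IPV4) + ipv4_header(CLIENT_IP, VPN_GW_IP, ESP_PROTO, len(esp)) + esp


def mac_layer_frame(key):
    """Layer 2 bridging scheme: everything after the Ethernet header is sealed."""
    return eth_header(ETH_EXPERIMENTAL) + seal(inner_packet(), key)


def eavesdropper_view(frame):
    """What a passive listener on the air can parse without the key."""
    dst, src, ethertype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    view = {"src_mac": src.hex(), "dst_mac": dst.hex(), "src_ip": None, "dst_ip": None, "proto": None}
    if ethertype == ETH_IPV4:  # only the IPSec frame carries a readable IP header
        fields = struct.unpack("!BBHHHBBH4s4s", frame[14:34])
        view.update(proto=fields[6], src_ip=".".join(map(str, fields[8])),
                    dst_ip=".".join(map(str, fields[9])))
    return view
```

With IPSec the listener learns the client address, the VPN gateway address and that ESP is in use; with the Layer 2 scheme only the two MAC addresses are exposed, which is the point Fortress makes about hiding the wired network.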
A single airFortress appliance deals with all the access points in a network, so it can smoothly maintain communications as the mobile machines move between access points.
IT specialist for the Syracuse, New York, police department, Pat Phelps, chose the Fortress option.
He said part of Fortress’ attraction was that it offered security through obscurity. Hackers would not focus on trying to break its technology once a commercial standard was adopted, he said.
“Whatever standard comes out people will put their effort in trying to crack that,” Phelps said. While they are necessary now to secure wireless LANs, these add-ons might become less popular after the IEEE finishes its 802.11i standard.
“When new authentication and encryption standards get put in place later this year, you probably won’t need to use VPNs,” an analyst with The Burton Group, Dave Kosiur, said. “Then wireless security will be sufficiently strong.”
“The entire attraction of wireless is its ease of use,” network engineer for Trimble Navigation, Paul Forbes, said. “If it isn’t essentially transparent to the user, what is the point? Why not jack in on a wired port?”