Friday, September 13, 2024

How to Improve on Wireless Security


Elmer Fudd has been trying to keep that "wascally wabbit" Bugs Bunny out of his carrot patch since before Remington Rand built the first UNIVAC. But, when you start talking about how to keep those wascally hackers out of your wi-fi network, you'll soon find yourself sounding like Mr. Fudd himself.

First, there was WAP, then WEP, then WPA and now WPA2. But despite how you sound, if you are looking to secure an enterprise WLAN, many industry experts say WPA2 is your best bet.

"WPA2 provides an enterprise-class security solution for user authentication and encryption," says Michael Disabato, senior analyst at the Burton Group.

Understanding wireless security requires a bit of a trip down memory lane to see how the protocols have evolved over the years.

Wireless Application Protocol (WAP) was the first such protocol. Introduced in 1997, it was designed, among other things, to secure emails and text-based Web pages over cellular networks.

Wired Equivalent Privacy (WEP) is another protocol. With the rise of wi-fi networks came the need for a new security standard. Described in the IEEE's 802.11b spec, WEP uses a 40-bit encryption key and was expected to provide the same level of security as hard-wired LANs. It didn't.

Wi-fi Protected Access (WPA) was the next attempt at improving security. It includes a more advanced encryption method — Temporal Key Integrity Protocol (TKIP) — and requires strong user authentication, including the 802.1x standard.

WPA2, also called 802.11i, is a security standard approved by the IEEE in June of 2004. It incorporates WPA, but also uses the Advanced Encryption Standard (AES), which has, so far, proven to be unbreakable and meets federal security requirements (FIPS 140-2). It also includes key caching, making it faster for a user to reestablish a dropped connection.
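As an added example that is not part of the article: a small Python audit that reads hostapd-style access point configs and grades them on the WEP, WPA/TKIP, WPA2/CCMP-AES ladder described above, flagging the settings the article's advice says to change (WEP to replace at once, TKIP where FIPS 140-2 AES is required, pre-shared keys where 802.1x authentication is wanted). The hostapd option names are real hostapd.conf keys; the three sample configs and the passphrase placeholder are constructed.

```python
# Added example, not from the article: grade hostapd-style AP configs on the
# WEP < WPA/TKIP < WPA2/CCMP+802.1X ladder and report what to fix.
# wpa, wpa_pairwise, rsn_pairwise, wpa_key_mgmt, wep_key0, wep_default_key and
# ieee8021x are real hostapd.conf keys; the sample configs below are constructed.

def parse_hostapd(text: str) -> dict:
    """Parse key=value lines, skipping blanks and comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def audit(conf: dict) -> tuple[str, list[str]]:
    """Return (label, findings); no findings means WPA2/CCMP with 802.1X (EAP)."""
    findings = []
    wpa = int(conf.get("wpa", "0"))  # hostapd bitmask: 1 = WPA, 2 = WPA2 (RSN)
    ciphers = set(conf.get("wpa_pairwise", "").split()) | set(conf.get("rsn_pairwise", "").split())
    key_mgmt = set(conf.get("wpa_key_mgmt", "").split())
    if "wep_key0" in conf or "wep_default_key" in conf:
        return "WEP", ["WEP in use: known-broken 40-bit scheme, move to WPA2 immediately"]
    if wpa == 0:
        return "OPEN", ["no link-layer encryption configured"]
    if wpa & 2 == 0:
        findings.append("WPA only (no 802.11i/RSN): plan the move to WPA2")
    elif wpa & 1:
        findings.append("mixed WPA/WPA2: legacy clients can still negotiate TKIP")
    if "TKIP" in ciphers:
        findings.append("TKIP pairwise cipher: not AES, so not FIPS 140-2; use CCMP")
    if "WPA-EAP" not in key_mgmt:
        findings.append("pre-shared key only: no 802.1X per-user authentication")
    label = "WPA2" if wpa & 2 else "WPA"
    if "WPA-EAP" in key_mgmt:
        label += "-Enterprise"
    return label, findings

# Constructed sample configs (not real deployments).
LEGACY_WEP = "interface=wlan0\nssid=carrot-patch\nwep_default_key=0\nwep_key0=123456789A\n"
WPA_TKIP = "ssid=carrot-patch\nwpa=1\nwpa_key_mgmt=WPA-PSK\nwpa_pairwise=TKIP\nwpa_passphrase=CHANGE-ME-PLACEHOLDER\n"
WPA2_ENT = "ssid=carrot-patch\nwpa=2\nwpa_key_mgmt=WPA-EAP\nrsn_pairwise=CCMP\nieee8021x=1\n"

if __name__ == "__main__":
    for name, text in (("WEP", LEGACY_WEP), ("WPA", WPA_TKIP), ("WPA2", WPA2_ENT)):
        label, findings = audit(parse_hostapd(text))
        print(name, "->", label, findings or "OK")
```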

"WEP is insufficient to protect WLANs today from determined attackers," says Disabato. "WPA/WPA2 is a dramatic improvement in wi-fi security that resolves all of WEP's known weaknesses."

Firms that are using WEP currently should make the switch over to WPA or WPA2 in a hurry, according to analysts. However, moving from WPA to WPA2 is a harder sell unless the company needs to meet the federal requirement for AES. Disabato says several of his company's clients have cited the complexity of deploying 802.1x as a show-stopper.

For example, John Halamka, CIO for the CareGroup HealthCare System in Massachusetts, oversees a wireless network (802.11b/g) with 250 access points covering more than 1 million square feet. He is currently running WPA, and isn't planning on upgrading.

"The major difference in what we run as a strict implementation of 802.11i is that we still use TKIP as the data confidentiality protocol," he explains.

While the CCMP (Counter-Mode/CBC-MAC Protocol) used with 802.11i is a better cipher, it also requires support for AES, which many or most of his client devices don't have.

"AES requires processing power on the AP and client that may not be present to have a satisfactory experience in terms of output," says Halamka. "The 802.11i will likely be in our future, but for now our efforts are concentrating on converting from legacy Cisco to Cisco Lightweight Access Point Protocol-based APs and extending coverage to areas of the medical center that do not have them."

Slow-Moving Vendors

Vendors, including Cisco, 3Com and NetGear, have equipment which supports the new security standard. But for the next few months, at least, WPA will continue to dominate. It seems the vendor community has been slow on the uptake. Today, there are more than 600 products on the market with WPA security features, compared to only a few dozen using WPA2. Thus it can be difficult to roll out a complete WPA2 architecture at a reasonable price.

Fortunately, one of the nice features of WPA2 is that it is backwards compatible with WPA products.

What about upgrading existing WEP-based gear?

End users are advised to check with access point and network card vendors to verify that the drivers or firmware are compatible with 802.11i or WPA. Generally speaking, products more than two years old may not be compatible.

In addition to the hardware, the operating systems must support WPA or WPA2. WPA is supported in Windows XP Pro Service Pack 2, but support for WPA2 is only provided in an update that must be installed separately.

Apple's support for 802.11i can be found in Version 4.2 of its firmware for the Airport access point and in Version 10.3 or higher of OS X.

The decision to move completely to WPA2, then, may not be entirely in IT's hands. The lack of available or affordable equipment may make it necessary to transition to WPA.

The good news is that not all companies may require the full array of 802.11i protection. Companies should take a close look at exactly what data they need to protect and to what degree, to determine whether it is necessary to adopt the latest technology. WPA remains a viable option that can provide adequate levels of security for less sensitive data.

Disabato says if a company is already using WPA, in most cases, it makes sense to wait a while for the 802.11i market to mature.

"If you do not have WPA installed, go straight to WPA2, and any company that needs FIPS 140-2 certified security needs WPA2," he says. "All others should plan on going to WPA2 within two to three years."

It’s No Silver Bullet

One final caution: 802.11i is no all-out solution to wireless security. It isn't a case of install WPA or WPA2 and all security woes are over. The fact is that 802.11i needs help. The University of Southern California (USC), for example, has a wireless network covering the entire campus that serves more than 6,000 users. The school has about 300 R2 access points from Enterasys Networks, Inc., which is based in Andover, Mass., to keep unauthorized users from gaining access to the main LAN. These units are on a separate wired network which runs back to the datacenter for authorization before establishing a connection to any other nodes.

"Treat your 802.11 networks just like your wired networks and apply similar security," says James Wiedel, USC's director of networking. "If you treat them the same, then the only difference is how the information is sent to the user, either over copper or over the air. It simplifies things when you think of them in that fashion."
