The weaknesses of the IEEE 802.11 wireless LAN standards for security involve two basic issues:
* The length of the encryption key specified in the standard's Wired Equivalent Protocol (just 40 bits, currently).
* The fact that the standards don't specify how keys used to decrypt data should be distributed.
On this second point, many vendors tend to use static keys that are not changed often and are shared by all users - and can thus be easily compromised as networks grow. Experts say static key systems work pretty well for small businesses that have few users and are nimble enough to change keys frequently. But as the user population grows, shared keys become more vulnerable, and it becomes more of an administrative challenge to change them often.
The Wireless Ethernet Compatibility Alliance - the group that certifies vendor equipment for 802.11 standards compliance - has long suggested that vendors build extra security into their products. Some vendors have taken the advice to heart. Cisco and 3Com wireless LANs, for example, use dynamic, not static, keys that change with every network session and are tied to a user's logon/password. These companies, along with Proxim, also support 128-bit encryption so transmissions are harder to decode.
But, as mentioned in the last newsletter, the interoperability issue rears its head with vendor-by-vendor security solutions. Perhaps these 802.11 security leaders could form a " Wireless LAN Security Interoperability Alliance " or something-or-other, whereby they could collaborate on tighter security schemes that would be interoperable among multiple vendor platforms. In fairness, the IEEE Task Group I is investigating a similar interoperable authentication and key management system, but industry guesstimates are that it will likely not be part of the 802.11 standard until sometime next year.
So in the meantime, if you are concerned about an outsider walking by with an 802.11-enabled device and sniffing your packets through your wall, you can:
1) Stick with a single vendor, preferably one with value-added security.
2) Deploy your own security scheme using VPN or other security technology (for a price).
3) Hold off on wireless LAN deployment till the security/interoperability issue gets resolved (and forfeit the potential productivity benefits in the meantime).
4) Be sure, at a minimum, to enable Wired Equivalent Protocol on your system (it ships disabled by default) and cross your fingers.
RELATED LINKS
Network World Fusion, 08/06/01
Your 802.11 Wireless Network has No Clothes, University of Maryland
WEP security discussion, University of California at Berkeley
Cisco response to Berkeley research on WEP security flaws
Bluetooth 1.1 addresses earlier flaws
Network World, 08/13/01
Joanie Wexler is an independent networking technology writer/editor in Campbell, Calif., who has spent most of her career analyzing trends and news in the computer networking industry. She welcomes your comments on the articles published in this newsletter, as well as your ideas for future article topics. Reach her at joanie@jwexler.com.
Network World Wireless archive
Past newsletters.
