Wireless/Mobile /

Overcoming WLAN security threats

By Joanie Wexler
Network World Wireless in the Enterprise Newsletter, 03/27/02

Enterprises like the flexibility and productivity afforded by wireless LANs, but many still do not feel overly confident that the security risks are worth it. What's the answer? How do you balance the productivity benefits of local mobility with the risk of potential data security breaches? Or should you?

" The threat is large, " acknowledges Jason Smolek, an analyst for enterprise networks at IDC. He indicates that security concerns could be one reason that last year there were just 8 million WLAN shipments (including network interface cards, access points, and bridges), while the installed base of wired network cards alone is 500 million.

As noted in the last newsletter, one issue is that unauthorized access points (AP) installed by users can become launch pads for denial-of-service attacks. Mutual authentication schemes, in which the AP is authenticated as well as the user, help reduce this risk. These schemes are among the enhancements that some WLAN system vendors have made to the Wired Equivalent Privacy (WEP) protocol specified in the IEEE 802.11 WLAN standard.

Some WLAN system vendors offer additional Layer 2 WEP reinforcements, such as dynamic session-based encryption keys. Dynamic keys - keys that are changed by a central resource randomly - are more difficult for intruders to crack than static keys, which are specified in the basic WEP standard. Some WLAN vendors also offer Layer 3 virtual private network technology that uses IPSec's 3DES encryption. However, the Advanced Encryption Standard (AES), sanctioned by the U.S. government, is belatedly on the roadmap for 802.1x. " AES takes 125 trillion years to break, " according to Smolek, who says the algorithm should show up in 802.11 products in software next year, but that hardware implementations might take two to three years.

In addition, there are some third-party companies that have built their businesses on the WLAN security threat. Some make relatively inexpensive wireless gateway appliances that you install between the WLAN network and the wired network. These companies include the likes of BlueSocket, SMC, and Vernier Networks.

Some third parties, such as Cranite Systems, Columbitech, NetMotion and ReefEdge, offer similar capabilities in server software. These systems identify and verify users attempting to access corporate resources, either by acting as authentication servers themselves or by serving as a proxy server that passes authentication information to back-end RADIUS servers and back to clients through the access points. Some operate at Layer 2 and others at Layer 3.

Future newsletters will look under the covers at the various approaches to securing your WLAN environment.