Contributing Writer

Six options for securing wireless LANs

Jun 04, 2003 · 3 mins
Network Security, Networking, Security

* Lessons from Network World's Security Technology Tour

People are fond of saying that they aren’t going to roll out wireless LANs because they are insecure. Joel Snyder, a Network World columnist, says that’s bunk. He says you can do it, and the truth is that you will roll out WLANs because they are “too cheap to ignore.”

Snyder, a senior partner with Opus One, delivered this message to IT managers attending Network World’s Security Technology Tour.

He says there are six options for securing WLANs that are relatively easy to implement, and that not implementing them puts your company’s data at risk.

The first method he points to is WEP, or the Wired Equivalency Protocol. Snyder says WEP is incredibly compatible with current wireless networks and is simple to set up. The downside, he says, is that the protocol provides encryption, but no user or per-packet authentication.

Another option is 802.1X, which does provide user authentication. 802.1X can be rolled out in either a wired or wireless environment and includes per-session WEP keys. Snyder says the best thing about 802.1X is that it lets you authenticate the user at the link layer, before they have complete access to your network.

Coming over the horizon is 802.11i, a security standard for wireless networks that is being worked on by the IEEE. The standard will enhance WEP to provide a per-packet re-keying mechanism, Snyder says. It also features a message integrity check to halt packet tampering. The standard is expected to get a seal of approval by 2004.

Go onto any Web site and chances are you’re using Web authentication, another method Snyder says can help you shore up your WLAN. It’s easy to implement and use; however, it’s also easy to hijack and eavesdrop on sessions over the Web. You have to recognize the trade-off when you choose this method.

Finally, Snyder says there are the two options of IPSec and IPSec passthrough. IPSec, he says, is the strongest security model, using the same structure as for Internet remote access. However, you do need client software, which creates deployment and upgrade challenges.

The benefit of IPSec passthrough, he says, is its ease of integration with existing VPNs. One drawback to this approach is its difficulty in dealing with guest users.

Snyder says it’s important to take a long hard look at your network and decide which of these methods makes sense for the types of traffic you are supporting.