Wireless security not an oxymoron

Wireless LANs became the industry’s laughingstock when reports surfaced about “parking lot attacks” on corporate networks. Now, WLANs are shaping up as the battleground for enhanced security products that could lead the way for the entire network industry.

WLANs are not inherently insecure. There is an explanation for why unauthorized individuals were able to wirelessly access corporate networks from parking lots: The people who installed WLANs at those firms never bothered to activate their built-in security features. Duh.

That’s not to say WLANs don’t pose unique security risks. Wireless hackers are hard to detect and trace, so WLANs are tantalizing targets. And employees unwittingly might compromise corporate security by attaching wireless access points to the corporate network without informing the IT department.

The parking lot attacks did real damage to the WLAN industry, coming just as WLANs gained widespread acceptance in companies and among hot-spot operators. The WLAN industry is growing, but not as fast as it would have. More importantly, wireless networks increasingly are interconnected with wired networks; it no longer makes sense to think of wireless security as an isolated problem.

So what should a first-class WLAN security product look like? It must address three fundamental concerns: privacy, access fraud and intrusion. Privacy can be assured by using an encryption mechanism that changes codes faster than hackers can crack them.

Hackers are continuously devising new strategies for penetrating networks. What’s needed to thwart access fraud is not merely a robust authentication technique, but a framework protocol letting vendors stay at least one step ahead of the hackers.

Detecting and tracing wireless intruders is arguably the final frontier of WLAN security. Detecting rogue access points is difficult but not impossible. Eavesdropping is a more intractable problem because eavesdroppers are normally passive. The ultimate solution might be to force even listeners to transmit from time to time.

Developing satisfactory WLAN security is a challenge. Security is only as good as its weakest link, so enhanced products must be implemented end to end. That means they must be based on universally accepted standards. Unfortunately, the IEEE 802.11 WLAN standards committee has a history of acting slowly.

The WLAN industry simply cannot afford to wait. When the Wired Equivalent Privacy standard proved vulnerable, the Wi-Fi Alliance quickly created Wi-Fi Protected Access (WPA). Now Cisco is trying to move things further along – and in its direction – through its Cisco Compatible Extensions program.

All networks are susceptible to eavesdroppers and gatecrashers. The key difference between the WLAN industry and the larger Internet community is that wireless vendors understand they can no longer get by with half measures. Everyone concerned about ‘Net security should follow closely, if not participate in, the development of enhanced WLAN security standards.