When we last looked at wireless LAN security, we painted a fairly bleak picture. At that time, virtual private networks (VPNs) were the best way to work around the well-known vulnerabilities in Wired Equivalent Privacy (WEP), the encryption scheme that guards most wireless LANs. But VPNs cost as much as $1,500 per wireless access point (AP) and often forced you to lock yourself into one vendor's gear.
Since then, we've seen progress on both the product and standards fronts. It now costs as little as $200 to link an AP to an existing VPN using wireless security "appliances" from the likes of Bluesocket Inc., ReefEdge Inc. and SMC Networks Inc. Leading vendors such as Cisco Systems Inc. and Microsoft are already supporting beefed-up encryption and authentication standards that close some of the holes in WEP.
The appliance approach
The well-known vulnerabilities in 802.11b WLANs include the ease with which passive sniffing tools can recover the WEP key from captured traffic: WEP's short 24-bit initialization vectors repeat quickly on a busy network, and weaknesses in the way it keys the RC4 cipher let an eavesdropper who collects enough frames recover the shared key outright. One way around those flaws is a VPN, which uses encapsulation and encryption to provide a private "tunnel" for data through an untrusted network, so that a broken WEP key no longer exposes the payload.
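The following is an added example, not code from the article or from any vendor named in it. It models the WEP frame format faithfully (RC4 keyed with IV || shared key, CRC-32 integrity check value) and demonstrates the simplest of the flaws described above: two frames that reuse a 24-bit IV share a key stream, so an eavesdropper gets the XOR of their plaintexts for free and, with one known plaintext, decrypts the other frame without ever learning the key. The 40-bit key, the IV and the two payloads are constructed sample data; the statistical key-recovery attacks implemented by tools such as the ones the article mentions are not reproduced here.

```python
"""Toy WEP model showing why a 24-bit IV forces key-stream reuse (added example)."""
import math
import struct
import zlib

IV_BITS = 24  # WEP prepends a 24-bit IV to the shared key for every frame


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key scheduling (KSA) followed by `length` bytes of PRGA output."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncating to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def icv(payload: bytes) -> bytes:
    """WEP integrity check value: plain CRC-32, little-endian, appended before encryption."""
    return struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)


def wep_encrypt(shared_key: bytes, iv: bytes, payload: bytes) -> bytes:
    """Build a WEP-protected body: IV (in the clear) || RC4_{IV||key}(payload || ICV)."""
    if len(iv) != IV_BITS // 8:
        raise ValueError("WEP IVs are exactly 3 bytes")
    body = payload + icv(payload)
    return iv + xor_bytes(body, rc4_keystream(iv + shared_key, len(body)))


def xor_of_plaintexts(frame_a: bytes, frame_b: bytes) -> bytes:
    """Two frames under the same IV share a key stream, so C_a ^ C_b == P_a ^ P_b.
    Returns the XOR of the two (payload || ICV) bodies; raises if the IVs differ."""
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("different IVs: key streams are independent, nothing cancels")
    return xor_bytes(frame_a[3:], frame_b[3:])


def decrypt_with_known_plaintext(known_frame: bytes, known_payload: bytes, target_frame: bytes) -> bytes:
    """Known-plaintext attack: recover the key stream from one frame whose payload is known,
    then strip it from any other frame that reused the same IV. Checks the ICV of the result."""
    if known_frame[:3] != target_frame[:3]:
        raise ValueError("different IVs")
    keystream = xor_bytes(known_frame[3:], known_payload + icv(known_payload))
    body = xor_bytes(target_frame[3:], keystream)
    if len(body) < len(target_frame) - 3:
        raise ValueError("known frame too short to cover the target frame")
    payload, tag = body[:-4], body[-4:]
    if icv(payload) != tag:
        raise ValueError("ICV mismatch: recovered key stream did not fit")
    return payload


def frames_until_iv_collision(probability: float, iv_bits: int = IV_BITS) -> int:
    """Birthday bound: frames needed before a randomly chosen IV repeats with the given probability."""
    space = 2 ** iv_bits
    return math.ceil(math.sqrt(2 * space * math.log(1 / (1 - probability))))


# Constructed sample data: a 40-bit shared key and two frames that happen to reuse IV 0x000001.
SHARED_KEY = bytes.fromhex("0102030405")
IV = bytes.fromhex("000001")
PAYLOAD_A = b"GET /index.html HTTP/1.0\r\nHost: intranet\r\n\r\n"  # guessable request
PAYLOAD_B = b"user=alice&pass=Winter2002!"                        # the frame we want

FRAME_A = wep_encrypt(SHARED_KEY, IV, PAYLOAD_A)
FRAME_B = wep_encrypt(SHARED_KEY, IV, PAYLOAD_B)

if __name__ == "__main__":
    leaked = xor_of_plaintexts(FRAME_A, FRAME_B)[:len(PAYLOAD_B)]
    print("P_A ^ P_B recovered without the key:", leaked == xor_bytes(PAYLOAD_A, PAYLOAD_B))
    print("Frame B decrypted via known frame A:", decrypt_with_known_plaintext(FRAME_A, PAYLOAD_A, FRAME_B))
    print("Frames for a 50% chance of an IV repeat:", frames_until_iv_collision(0.5))
```

The birthday figure is the practical point: with a 24-bit IV, an attacker who captures on the order of five thousand frames already has an even chance of holding two frames encrypted under the same key stream, and a busy AP produces that many in minutes. Per-session keys (as with the 802.1X schemes discussed below) and tunnelling the traffic inside a VPN both remove what this attacker relies on: a long-lived key shared by every frame on the air.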
Bluesocket, Vernier Networks Inc. and ReefEdge all take advantage of the IPsec (Internet Protocol Security) support built into Windows 2000 and Windows XP to provide VPN capabilities for wireless LANs, says Chris Kozup, senior research analyst at Meta Group Inc. Their products, as well as those from Proxim Inc., create a distributed architecture for securing and managing wireless LANs from a central point rather than from each client or each access point.
Bluesocket's wireless gateways sit between an organization's wireless access points and the corporate network, while Vernier's Control Server provides centralized security configuration and management to distributed Access Managers, which do the actual enforcement of network security and resource usage policies.
Of the appliance vendors, "ReefEdge has done probably the best job of scaling down and scaling up their products" for customers ranging from single sites to large enterprises, says Kozup. ReefEdge's CS50 combines the functions of a control server (authentication and enforcement of network access policies) and of a gateway (wireless LAN traffic management and IPsec encryption), at prices as low as $6,000 for a configuration supporting six to eight access points.
Alexandria, Va.-based Ecutel Inc. "has focused on offering mobility across different mediums" such as wired and wireless LANs, says Kozup. Ecutel's recently announced Viatores 4.0 supports both the IPsec security protocol and the Mobile IP protocol for routing messages among different types of mobile devices, and boasts a redesigned graphical user interface to ease setup and administration.
Security managers may still face challenges, though, in integrating wireless security tools with network management frameworks or with existing authentication and policy engines. ReefEdge, for example, offers a plug-in connecting it to Computer Associates International Inc.'s Unicenter management framework but is still working on such links to Hewlett-Packard Co.'s OpenView and to IBM's Tivoli. Trading user permissions and similar information with other policy databases requires writing to the ReefEdge application programming interface.
Help is already available from products based on the 802.1X standard for port-based network access control. 802.1X works with the Extensible Authentication Protocol (EAP) to let wireless clients using various authentication methods authenticate against the Remote Authentication Dial-In User Service (RADIUS) servers many companies already use for wired remote users. EAP is already supported (with some proprietary twists) by vendors such as Microsoft (in Windows XP), Cisco Systems Inc., Funk Software Inc. and LeapPoint Technologies Inc. With the combination of EAP and 802.1X, the client and server perform a mutual authentication and derive a unique WEP key for each client session rather than relying on one static key shared by everyone, so an attacker has far less traffic under any one key from which to recover it.
The 802.11i spec will eventually support encryption based on the Advanced Encryption Standard (AES), a far stronger cipher than the RC4 used by WEP. But AES is at least 18 months away from deployment, says ReefEdge Chief Technology Officer Sandeep Singhal, especially since customers will have to replace their 802.11b client adapters with new cards carrying dedicated encryption chips to avoid heavy performance hits when they move to AES.
Chasing the rogues
Wireless "sniffer" products such as WildPackets Inc.'s AiroPeek NX, Network Associates Inc.'s Sniffer Wireless 4.7 and the free NetStumbler can help you find rogue (or unauthorized) APs installed by users, which create hidden security holes in your network. IBM is working on a Distributed Wireless Security Auditor, which uses authorized wireless clients to detect rogue APs. By the end of this year, Kozup expects WLAN vendors such as 3Com Corp., Cisco, Enterasys Networks Inc. and Symbol Technologies to ship network management tools that can find unauthorized APs.
Kozup also recommends scanning for rogue APs from the wired side: monitor the Media Access Control (MAC) address tables on your switches and use SNMP queries to list the devices attached to each port, then compare the results against an inventory of authorized hardware. Such regular checks should be combined with common-sense steps such as making sure WEP is enabled and keeping wireless traffic on a separate subnet rather than on the internal LAN.
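As an added example of the wired-side sweep recommended above (not code from the article, Meta Group or any vendor named here), the script below parses a switch MAC address table, flags MAC addresses whose vendor prefix (OUI) belongs to an access-point maker but is missing from the AP inventory, and flags access ports that have learned more MAC addresses than a single station should produce, which is how an unmanaged AP or hub plugged into a desk port usually shows up. The table dump, the AP inventory, the uplink list and the OUI-to-vendor map are all constructed sample data; a real sweep would load the full IEEE OUI registry and pull the table over SNMP (BRIDGE-MIB) or from the switch CLI.

```python
"""Rogue-AP sweep over a switch MAC address table (added example, constructed data)."""
import re
from collections import defaultdict

# ASSUMPTION: illustrative OUI -> vendor map standing in for the IEEE OUI registry.
AP_VENDOR_OUIS = {
    "00:40:96": "Cisco Aironet (assumed)",
    "00:02:2d": "Agere/Orinoco (assumed)",
}

# Constructed inventory: MAC of each sanctioned AP and the switch port it belongs on.
AUTHORIZED_APS = {"00:40:96:a1:b2:c3": "Fa0/1"}
UPLINK_PORTS = {"Gi0/24"}           # trunks and uplinks legitimately carry many MACs
MAX_MACS_PER_ACCESS_PORT = 1        # one station per access port in this sample office

# Constructed dump in a simple "switch port mac" layout (e.g. reformatted from
# 'show mac address-table' or from a BRIDGE-MIB dot1dTpFdbPort walk).
MAC_TABLE = """\
switch1 Fa0/1  00:40:96:a1:b2:c3
switch1 Fa0/2  00:0c:29:11:22:33
switch1 Fa0/7  0002.2d55.6677
switch1 Fa0/7  00:0c:29:44:55:66
switch1 Fa0/7  00-50-56-77-88-99
switch1 Gi0/24 00:0c:29:aa:bb:cc
switch1 Gi0/24 00:0c:29:dd:ee:ff
switch1 Gi0/24 00:40:96:00:00:01
"""


def normalize_mac(raw: str) -> str:
    """Accept 00:40:96:A1:B2:C3, 00-40-96-a1-b2-c3 or Cisco 0040.96a1.b2c3; return lower-case colon form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_table(dump: str):
    """Turn 'switch port mac' lines into (switch, port, normalized_mac) tuples; skip malformed lines."""
    rows = []
    for line in dump.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        switch, port, mac = parts
        rows.append((switch, port, normalize_mac(mac)))
    return rows


def find_rogue_aps(rows, authorized=AUTHORIZED_APS, uplinks=UPLINK_PORTS, ap_ouis=AP_VENDOR_OUIS):
    """Return a list of findings; an empty list means every AP-vendor MAC is in the inventory
    and no access port is bridging more stations than allowed."""
    findings = []
    macs_per_port = defaultdict(set)
    for switch, port, mac in rows:
        macs_per_port[(switch, port)].add(mac)
        oui = mac[:8]
        if oui not in ap_ouis:
            continue
        if mac not in authorized:
            where = (f"learned via uplink {port}; locate it on the downstream switch"
                     if port in uplinks else f"plugged into access port {port}")
            findings.append({"type": "unknown_ap_vendor_mac", "switch": switch, "port": port,
                             "mac": mac, "vendor": ap_ouis[oui], "note": where})
        elif authorized[mac] != port:
            findings.append({"type": "authorized_ap_moved", "switch": switch, "port": port,
                             "mac": mac, "note": f"inventory says {authorized[mac]}"})
    # A desk port that suddenly shows several MACs usually has a bridging device behind it.
    for (switch, port), macs in sorted(macs_per_port.items()):
        if port not in uplinks and len(macs) > MAX_MACS_PER_ACCESS_PORT:
            findings.append({"type": "many_macs_on_access_port", "switch": switch, "port": port,
                             "mac": None, "note": f"{len(macs)} MACs: {', '.join(sorted(macs))}"})
    return findings


if __name__ == "__main__":
    for finding in find_rogue_aps(parse_mac_table(MAC_TABLE)):
        print(f"{finding['type']:28} {finding['switch']} {finding['port']:7} {finding['mac'] or '-':17} {finding['note']}")
```

Run against the sample table this reports three things: an Orinoco-prefixed MAC on Fa0/7 that is not in the inventory, an Aironet-prefixed MAC seen through the Gi0/24 uplink that also is not, and Fa0/7 itself carrying three MACs where one station is expected. The authorized AP on Fa0/1 produces no finding. The OUI check alone misses an AP whose vendor prefix you have not catalogued, and the per-port count alone misses an AP with a single client behind it, which is why the sweep does both and why the article pairs it with over-the-air scanning.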
"Our advice isn't to batten down the hatches and try to keep (wireless LANs) away, because you can't," says Kozup. "Take a proactive approach. There are means out there to protect these networks." But they're only good if you use them.
About the author
Robert L. Scheier, a former technology editor at Computerworld, often writes about security issues from Boylston, Mass. He can be reached at email@example.com.