Avoid Wireless LAN Security Pitfalls
by Dave Juitt - CTO, Bluesocket Inc. - Friday, 17 January 2003.
Wireless Local Area Networks (WLANs) are taking off. Enterprises are turning to WLANs in droves because they offer mobility and huge cost advantages. In fact, studies show that wireless workers are more productive, less pressured and save businesses money. Gartner, Inc., for instance, finds WLANs to be cheaper to install than wired LANs, especially for small organizations. And once they're in, wireless LANs are less expensive to operate and maintain.

But wireless LANs are not everywhere they could be. Enterprises have heard the horror stories of competitors and crackers sitting in a parking lot and accessing the corporate network. Unfortunately most of these stories are true. Gartner predicts that by the end of this year, a third of all enterprises will suffer a serious security exposure due to a wireless LAN.

The reason? The main protector of wireless LANs, the Wired Equivalent Privacy (WEP) standard, remains full of holes. Research from Cahners' In-Stat and META Group suggest the lack of security is the biggest deterrent to widespread adoption of WLANs.

But the more IT professionals learn about WLAN technology, and its newer

security options, the better moving to wireless sounds.

Why isn't every LAN a WLAN?

Wireless will probably never completely replace wired local area connections. Wires have an slight advantage in security and today maintain a dramatic edge in speed.

WLANs, while far slower than their wired counterparts, are multiplying in performance. And more importantly, some very smart and dedicated developers are whittling away at the security problems.

WLAN security is generally breached the same way as any other system - a hacker or two discovers a weakness and devise a mode of attack that is then shared and used by the hacker community at large. Script kiddies, or crackers without a lot of technical background, can implement these attacks too easily and wreak havoc on your network. It's essentially: point, click and break in!

But not all attacks are aimed at compromising corporate security. Some are built to demonstrate and ultimately lead to a fix. While problems with WEP have been known for years, the dam really burst in July of 2001 when noted cryptographers Fluher, Mantin and Shamir unveiled the Rapid Passive Attack. The Rapid Passive Attack demonstrated that it is relatively easy and fast to break WEP encryption.

A month later, a team from AT&T Labs successfully implemented the attack and concluded that WEP is "totally insecure." That same month, the AirSnort program was released, letting anyone penetrate WEP weaknesses in virtually any unwired network. Now there are a host of tools for script kiddies, including WEPCrack, and Dnsniff.

The Web makes these break-ins even easier to perpetrate. A trouble maker can simply hop over to Netstumbler.com, a free site that tracks over 8,000 access points, including MAC addresses, performance variables, and other information making it simpler to crack into wireless networks.

The WLAN industry, knowing the huge benefits this technology provides, has been fighting back. In June 2001, the IEEE standards body responsible for defining WEP released its specification for the 802.1x standard, which defines how various wireless technologies can increase the number of secure key exchanges between devices and servers. The absence of key mangagement was of the principal flaws of WEP. Frequent re-keying makes it more difficult to have unauthorized access to wireless networks.

That new spec is already making in-roads. Microsoft Corp. built 802.1x into its Windows XP operating system, and many major wireless vendors such as Bluesocket, Cisco and Funk are touting 802.1x support.


Critical bug found in Cisco ASA products, attackers are scanning for affected devices

Several Cisco ASA products - appliances, firewalls, switches, routers, and security modules - have been found sporting a flaw that can ultimately lead to remote code execution by attackers.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Fri, Feb 12th