Gearing up for wireless security
- By Brian Robinson
- Jan 12, 2003
If wireless users can endure one more round of debates about security standards, they may soon be able to buy actual products.
It's no secret that current wireless local-area network products lack built-in security functions, a situation due largely to the inadequacy of Wired Equivalent Privacy (WEP), the first wireless security standard, which was introduced several years ago.
But that could change as new standards take hold and the wireless LAN component market — estimated by the Aberdeen Group, a Boston-based consulting firm, to have exceeded $1 billion in 2002 — continues to attract heavy hitters such as Microsoft Corp., which recently said it would enter the market.
The promise of secure wireless networking is once again being touted with the expected release in the next several months of the Wi-Fi Protected Access (WPA) standard, which is considered more secure than WEP.
WPA is only an interim step toward a standard now dubbed 802.11i, set for release around the end of this year. The 802.11i standard is expected to finally nail wireless LAN security and make the products that use it more palatable to organizations that demand tight security.
"With WPA coming out, we are back to where we should have been [with wireless LANs] two years ago," said Michael Disabato, a senior analyst with the Burton Group. "It hasn't met live-wire tests yet, but everyone is confident it is secure now and will allow for cross-vendor implementations."
Meanwhile, the wireless LAN market is one of the few in the telecom arena that is growing, so vendors need to address security if they want to participate.
Cisco Systems Inc., for example, has a WEP implementation for its Aironet wireless LAN solutions that is probably sufficient for situations in which strong security is not critical. But the company is marketing the Cisco Wireless Security Suite, based on the IEEE 802.1x specification, as a stronger security provider. The specification, a core component of WPA, provides authentication at the user and server levels.
"This is admittedly a prestandard release, but 802.1x is real now, and because it's implemented in software, we feel very comfortable we'll easily be able to move to a post-standard release of this product," said Vince Spina, director of systems engineering for Cisco's federal operations.
Wavelink Corp. last year came out with a workaround for WEP's ills, namely its relatively weak 40-bit encryption, static encryption keys and lack of a key distribution method. The Wavelink solution works across vendors and allows for dynamic key rotation. It monitors wireless devices and access points in the network at regular intervals and supplies them with new keys so that hackers do not have enough time to break the key encryption.
For organizations that can handle the extra demands on processing power and network traffic overhead involved, virtual private networks probably offer the most robust security since the wireless side of the network becomes an integral part of the overall enterprise security infrastructure. Products such as Check Point Software Technologies Ltd.'s Secure VPN include features such as integrated certificate authorities, which provide stronger security than what is currently built into wireless LANs.
However, the cost and complexity involved with installing VPNs put this solution beyond the reach of most small and medium-size organizations. That drove Latis Networks Inc. to develop its Border Guard Wireless solution, which gives network administrators the ability to manage rogue wireless access points and limit device access to the network, or deny access completely.
Latis works on the assumption that a wireless LAN has to be handled as a major part of an overall network security plan, said Mitchell Ashley, Latis' vice president of engineering and chief technology officer. However, the company may be ahead of the market, he admitted, since "we are not yet at the point where everyone even agrees on the need for a firewall equivalent for wireless."
Robinson is a freelance journalist based in Portland, Ore. He can be reached at firstname.lastname@example.org.
A glimpse at some wireless local-area network security products:

Vendor: Cisco Systems Inc.
Product: Cisco Wireless Security Suite.
What it does: Provides user and device authentication for Cisco Aironet wireless LAN solutions.

Vendor: Latis Networks Inc.
Product: Border Guard Wireless.
What it does: Enables network administrators to detect rogue wireless access points and control device access to the network.

Vendor: Wavelink Corp.
Product: Wavelink Mobile Manager and Wavelink Avalanche.
What it does: Monitors wireless devices and access points in the network and supplies users with regularly changing encryption keys to thwart hackers.