Stopgap solutions precede more permanent fix

"Oops." That's been a common reaction among venders to the recent problems that have emerged from security functions built into the 802.11 wireless local-area network standards.

Ratification of the first version of the standard in 1999 benefited users because it led to delivery of interoperable products with lower prices. But as government agencies began to deploy systems based on the standard, a number of security flaws emerged. The problems centered mainly on the standard's encryption technique, Wired Equivalent Privacy (WEP).

To comply with federal encryption export rules that existed when development of the standard began in 1997, the specification limited public encryption keys to 40 bits, whereas more sophisticated techniques use 128 bits, which is significantly more powerful.

Also, the standard relies on a technique known as static keys — software used to open and close messages in which the code used to encrypt transmissions remains the same for a period of time — an hour or sometimes more — leaving it more vulnerable to intrusions than techniques that change the code more frequently.

Together, the vulnerabilities open up wireless LANs to intruders.

"Hackers can download free programs from the Internet that break WEP security functions," said Scott Turik, security product director at Paladin Technologies Inc., a Schaumburg, Ill., reseller. "Theoretically, they could get into a wireless LAN in about an hour in a best-case scenario and several hours in another instance."

The limitations became known in the summer of 2001 and concern has been mounting ever since.

"Recently, [information technology] departments have been in panic mode because of the 802.11 security flaws," said Chia-Chee Kuan, chief technology officer at AirMagnet Inc., a Sunnyvale, Calif., wireless network security vendor.

Such feelings have been fueled by reports issued by agencies such as the National Institute for Standards and Technology. NIST warns that wireless LANs are insecure and should not be used to transfer confidential information. As a result, vendors reported that government agency IT staffs have been walking down hallways and literally pulling the plug on their wireless LAN deployments.

Suppliers have taken immediate and long-term approaches to solving the problem.

"In the short term, users can add proprietary security products to their wireless LANs, so agencies will have secure links between their sending and the receiving points," said David West, senior system engineering manager for Cisco Systems Inc.'s federal operations.

The Energy Department's Hanford site in Richland, Wash., did this by integrating a new wireless LAN into its existing security infrastructure, which, among other measures, uses an encryption authentication solution from RSA Security Inc.

"Our [wireless] LAN users go through the same security process that we use for our telecommuters and remote workers," said Bob Mahan, computer security specialist at DOE.

In the long term, standards are emerging to help solve the problem. The Institute of Electrical and Electronics Engineers Inc. is developing the 802.11i standard. It features the Extensible Authentication Protocol, which supports 128-bit encryption and a new authentication process. Vendors expect the standard to be completed by the end of the year and compliant products to become available next year.

The security flaws slowed wireless LAN deployments during the past six months, but the technology's long-term prognosis remains rosy.

"Wireless LANs offer government agencies tremendous benefits in terms of mobility and flexibility," said Michael Disabato, an analyst with the Burton Group, a Salt Lake City market research firm. "As vendors put the current security issues to rest, users will feel more comfortable with the technology and sales will go up."