In spite of wireless technology's many benefits, companies are still reluctant to deploy end-to-end wireless solutions. One of the key reasons for this is security, or rather the lack of it. In this article Wolfgang Held, network consultant at 3Com SA, discusses the wireless security issues companies face today and provides some valuable insight and workable solutions to overcome them.
Wireless connectivity is emerging as an increasingly attractive strategy for linking users and devices. It is less costly, easier to deploy, and more flexible than hard-wired solutions. In addition to supporting mobile users, wireless meets day-to-day, mainstream desktop computing requirements as well.
What has slowed its widespread adoption, however, is the perception that wireless lacks the security of wired networks. As digital threats increase in their frequency and severity, many organisations are shying away from wireless solutions until they offer truly robust protection.
This concern is justified. The Wi-Fi (Wireless Fidelity) standard, which ensures proven interoperability among wireless equipment, was developed to provide both consumers and enterprises with easy implementation.
However, Wi-Fi's 40-bit, shared-key WEP (Wired Equivalent Privacy) security, which all Wi-Fi certified products have, delivers only baseline protection, not an end-to-end security solution.
Although this level of security is adequate for most SOHOs [small offices/home offices], it does fall short for enterprise users who want to deter casual eavesdropping on their wireless networks or drive-by hackers looking for an open wireless system.
Wireless, after all, lacks the physical protection of cabling. Someone, for example, could hack into a wireless connection, deploy a rogue access point to access the wired LAN, or even steal a user's device MAC address and username and easily appear as an authorised user.
Even the 128-bit encryption offered by many Wi-Fi solutions today may not deter determined hackers and malicious attacks. Moreover, many users make simple mistakes. They forget to activate WEP, leaving their wireless connections defenceless.
Additionally, enterprises assume that all Wi-Fi products are similar. In reality, while they do conform to basic standards, many offer advanced security functionalities.
Layers of protection
Enterprises can achieve robust security through a systematic, multi-layered approach.
They first need to evaluate the areas of the network most exposed to risk and assess the levels of security required. For example, publicly accessible Web and extranet servers housing sensitive data typically require greater protection than other areas of the network.
Also, the wireless link between the access point and the client needs to be reinforced with multiple security layers. Likewise, in a school, network resources dedicated to administrators and faculty must be more secure than areas of the network accessible to students.
Companies, therefore, need to deploy the wireless security capabilities that address the weaknesses, adding layer upon layer of functionality until the protection is commensurate with the risks.
For basic security requirements and minimum risk exposure levels, 40-bit WEP and 128-bit shared key encryption may be sufficient if organisations have the IT resources to manually change the WEP encryption keys on a regular basis.
Yet WEP is a shared-key environment, which means that if a user's key is compromised, the hacker can potentially access proprietary information and network resources. Additionally, as the network grows, IT or network administrators may be hard-pressed to keep pace with managing the wireless network.
For another layer of wireless security, enterprises can shift to an authentication mechanism that is "user-based" rather than "device MAC address-based". Even if a user's laptop is stolen, the thief still requires the user's username and password to gain access to the network.
For more sophisticated protection, enterprises can turn to wireless access point-administered dynamic key management, which some wireless vendors offer as an additional layer of security.
This multi-tiered strategy ensures that each user has a unique key that is constantly changed. Even if a hacker does break the encryption and gain access to the network, the hacker's key will only work for a short period of time, limiting potential damage.
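As an added illustration of the shared-key versus per-user dynamic-key argument in the paragraphs above (this is constructed example code, not from the article or any 3Com product), the Python model below counts how many frames one captured key unlocks under each keying scheme. It uses a toy HMAC-based authenticated stream cipher in place of WEP's RC4, and the master secret, user names and epoch numbers are all constructed.

```python
import hashlib
import hmac
import os

def derive_key(master, user, epoch):
    """Per-user, per-epoch key: a constructed model of AP-administered dynamic keying."""
    return hmac.new(master, f"{user}|{epoch}".encode(), hashlib.sha256).digest()

def _keystream(key, nonce, length):
    # Toy HMAC-SHA256 counter-mode keystream: illustration only, not WEP's RC4, not for production.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def protect(key, plaintext):
    """Encrypt and authenticate one frame: nonce || ciphertext || 16-byte tag."""
    nonce = os.urandom(12)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag

def unprotect(key, frame):
    """Return the plaintext if the tag verifies under key, else None (wrong key recovers nothing)."""
    nonce, ct, tag = frame[:12], frame[12:-16], frame[-16:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

def exposure(captured_key, frames):
    """Number of frames readable with one captured key: the blast radius of a key compromise."""
    return sum(unprotect(captured_key, f) is not None for f in frames)

def simulate():
    master = b"constructed-master-secret"          # assumption: secret held by the AP / RADIUS
    shared_wep_key = b"constructed-static-shared-key"  # one static key for everyone (WEP model)
    traffic = [(u, e) for u in ("alice", "bob", "carol") for e in range(3)]  # 3 users x 3 epochs
    static_frames = [protect(shared_wep_key, f"{u} epoch {e}".encode()) for u, e in traffic]
    dynamic_frames = [protect(derive_key(master, u, e), f"{u} epoch {e}".encode()) for u, e in traffic]
    # In each model, assume alice's key for epoch 1 has been compromised.
    return {"static": exposure(shared_wep_key, static_frames),
            "dynamic": exposure(derive_key(master, "alice", 1), dynamic_frames)}

if __name__ == "__main__":
    print(simulate())  # static: all 9 frames readable; dynamic: only alice's epoch-1 frame
```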
Extending wired security to wireless links
The next class of security centralises control by leveraging existing wired network infrastructure safeguards. Enterprises today already use RADIUS and VPNs (Virtual Private Networks) capabilities to protect their networks beyond their physical boundaries.
RADIUS centrally authenticates remote users, while VPNs provide a secure, end-to-end tunnel over an "untrusted" network, which, in the case of remote users, is the Internet and, in the case of wireless applications, is the wireless network itself.
Enterprises can apply these capabilities on their wireless networks, thereby leveraging existing mechanisms and elevating wireless security.
Rather than having to manage a separate list of MAC addresses or users within each wireless access point, enterprises can simplify administration by having a single database within RADIUS, which provides a more efficient, scalable, and centralised authentication mechanism.
In addition to the above-mentioned layer 2 security mechanisms, such as WEP and MAC-address filtering, a VPN offers an enhanced layer 3 security capability. Rather than allowing direct access to your internal systems over a wireless LAN, moving the wireless LAN outside the firewall and requiring users to reach the network over an IPSec VPN with RADIUS-enabled authentication is a far more secure alternative.
Enterprises can also take advantage of the IEEE 802.1X security standard. 802.1X, which defines port-based, network access control used to provide authenticated access for Ethernet networks, can also be applied to 802.11 wireless LANs.
The standard promotes enterprise-scale deployments of secure wireless and wired networks by defining ways for user identification, centralised authentication, and dynamic key management to work across products made by different manufacturers.
Additional protection
Recognising the need to provide improvements in security and authentication mechanisms, the IEEE's 802.11 Task Group i is working on new, stronger security for Wi-Fi networks.
Among the enhancements, the upcoming 802.11i wireless security standard will include a new encryption engine based on AES (Advanced Encryption Standard).
WECA (Wireless Ethernet Compatibility Alliance) is also set to incorporate 802.11i into its Wi-Fi certification once it is standardised.
For these reasons, enterprises should consider standards-based wireless solutions to keep pace with the industry's innovations. By taking a multi-layered approach to security, they can confidently turn to wireless networks knowing they will deliver levels of protection sufficient for today's world.