Wi-Fi security has come a long way since two 20-somethings sat in the parking lot of a Lowe's store in Southfield, Michigan, hacked their way into Lowe's data centre in Wilkesboro, North Carolina, and downloaded customer credit card numbers. Two years on and many companies are still as vulnerable today as Lowe's was then.

Most experts agree that the weakest link in the enterprise today is the failure to upgrade to the latest encryption and authentication technologies (read our wireless LAN security glossary for details of terms mentioned here, and read our parts list).

Soft encryption, old authentication
"Early on a lot of wireless devices were simplistic at best, with a 40-bit WEP key and no support for authentication," says Richard Rushing, chief security officer for AirDefense.

In addition to WEP, another limited legacy approach to security is LEAP (Lightweight Extensible Authentication Protocol), originally a Cisco protocol for transporting authentication data. Cisco is now phasing out LEAP and other approaches in favor of PEAP (Protected Extensible Authentication Protocol), developed jointly by Cisco, Microsoft, and RSA Security.

In addition, most newer Wi-Fi networks now deploy 802.1X with stronger password-protection functions and AES (Advanced Encryption Standard) encryption.

Can you add features without upgrading?
But for many large companies a Wi-Fi network involves a multiyear rollout, which often precludes going back to square one and upgrading APs and client devices every time a newer technology is introduced.

If a company can't migrate to AES, which requires faster processors in the AP, then the company should consider using a VPN in-house for its Wi-Fi network, says Roger Sands, vice president of enterprise development at Colubris Networks.

"Or at least use TKIP [Temporal Key Integrity Protocol], which is better than a static WEP key," Sands says.

A wireless network is an Ethernet jack outside the door
The truth is that wireless technology in general has an inherent weakness not shared by a wired network: a physical barrier can't protect wireless.

When wireless leaves the building it is the same as putting an Ethernet connection outside the door, Rushing says.

Because almost all of the basic gambits hackers used three years ago, such as the Evil Twin, DoS, and taking down all APs in order to put in a rogue AP when the system reboots, are still possible, the only real defense is to monitor and scan the airwaves for intruders, says Rich Mironov, a vice president at AirMagnet (as you might guess, he makes a scanner - AirMagnet is reviewed here).
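
The following Python example is added here to show what that kind of airwave monitoring checks for; it is not part of the original article and is not the logic of AirMagnet's or AirDefense's products. It assumes a hypothetical inventory of authorised APs and constructed scan records; the field names, the SSID `corp-wlan`, the MAC addresses and the -60 dBm "inside the building" threshold are all assumptions.

```python
# Added illustration. All inventory and sweep data below is constructed.
# Hypothetical inventory of authorised APs: BSSID -> (SSID, channel, cipher)
AUTHORISED = {
    "02:00:00:00:10:01": ("corp-wlan", 1, "AES"),
    "02:00:00:00:10:02": ("corp-wlan", 6, "AES"),
    "02:00:00:00:10:03": ("corp-wlan", 11, "TKIP"),
}
# Ordering used in the article: static WEP is weaker than TKIP, TKIP weaker than AES.
CIPHER_RANK = {"OPEN": 0, "WEP": 1, "TKIP": 2, "AES": 3}
NEARBY_RSSI_DBM = -60  # assumed threshold for "probably on our premises"

def audit_scan(observations, authorised=AUTHORISED):
    """Compare one sweep of beacon observations with the AP inventory.

    Returns a sorted list of (bssid, finding) tuples.
    """
    corp_ssids = {ssid for ssid, _, _ in authorised.values()}
    seen, findings = set(), []
    for obs in observations:
        bssid, cipher = obs["bssid"].lower(), obs["cipher"].upper()
        seen.add(bssid)
        known = authorised.get(bssid)
        if known is None:
            if obs["ssid"] in corp_ssids:
                # Unknown radio advertising our SSID: Evil Twin candidate.
                findings.append((bssid, "evil-twin-candidate"))
            elif obs["rssi"] >= NEARBY_RSSI_DBM:
                # Strong unknown AP: may be a rogue AP on the premises.
                findings.append((bssid, "possible-rogue-ap"))
            continue
        exp_ssid, exp_channel, exp_cipher = known
        if (obs["ssid"], obs["channel"]) != (exp_ssid, exp_channel):
            findings.append((bssid, "config-drift"))
        if CIPHER_RANK.get(cipher, 0) < CIPHER_RANK[exp_cipher]:
            findings.append((bssid, "cipher-downgrade"))
    # An authorised AP that has gone silent matters too: the article notes
    # that APs can be taken down so a rogue AP can be put in their place.
    findings += [(b, "authorised-ap-missing") for b in authorised.keys() - seen]
    return sorted(findings)

SAMPLE_SWEEP = [  # constructed sweep, not captured traffic
    {"bssid": "02:00:00:00:10:01", "ssid": "corp-wlan", "channel": 1, "cipher": "AES", "rssi": -48},
    {"bssid": "02:00:00:00:10:03", "ssid": "corp-wlan", "channel": 11, "cipher": "WEP", "rssi": -55},
    {"bssid": "02:00:00:00:99:01", "ssid": "corp-wlan", "channel": 6, "cipher": "OPEN", "rssi": -40},
    {"bssid": "02:00:00:00:99:02", "ssid": "cafe-guest", "channel": 3, "cipher": "AES", "rssi": -82},
]

if __name__ == "__main__":
    for bssid, finding in audit_scan(SAMPLE_SWEEP):
        print(bssid, finding)
```

A weak neighbouring network such as the constructed `cafe-guest` entry is ignored, which keeps the findings limited to radios that either claim the corporate SSID or sit close enough to be on site.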

Security is common sense
Despite all the high-tech gadgetry used by both good guys and bad, many security rules are common sense, says Jack Gold, a principal at JGold Associates.

"Make sure people log out, don't leave devices hanging around, and make sure people aren't looking over your shoulder," Gold says.

All the experts spoken to for this article agreed that wireless is a magnifying glass, and if there is a security hole in your organization, wireless will magnify it.