After months of criticism from network specialists, the Wi-Fi community is starting to hit back. Wi-Fi networks, often portrayed as a security risk, are not really that at all. All they do is expose the risks that are in the corporate wired network, say the people selling Wi-Fi networks.
"The main security problem with wireless comes when an employee buys an access point at Dixons and plugs it into an insecure wired network," said Brice Clark, director of worldwide strategic planning for HP ProCurve. "The point that many people miss is that the first stage in creating a secure wireless network is to create a secure wired one."
This may sound like splitting hairs, but it represents a significant change in the marketing of wireless networks.
Security holds back Wi-Fi market
Till now, users who are worried about those networks have hesitated to put them in, seeing them as a security risk. Security is the number one factor putting corporate users off from adopting wireless LANs, according to Richard Webb, European network and WLAN analyst at Infonetics Research. The media perception that wireless LANs are insecure has delayed the market, he believes.
What Clark and others are pointing out is that wireless LANs are inevitable. If IT managers don't put them in, end users will bring access points into the office. If your wired network is not set up to be secure, even when extraneous equipment is plugged in, then you are in trouble, they say.
Wireless network vendors have been working hard to make wireless LANs more secure, particularly in replacing the insecure WEP encryption protocol with WPA. These moves are important, but it is more important to lock down the whole network.
For some time, HP has expressed this in a slogan which says the corporate network will become a public network. For too long, the enterprise has relied on physical security, expecting that every person connected to a corporate network is to be trusted. A public network, such as an ISP, has to work in a much more complex way. It needs to authenticate every user and limit their access to what their contract allows. For instance, the ISP lets anyone read its web pages, but allows subscribers only onto the webmail service, lets them edit their own web pages and prevents them from editing the ISP's own pages.
Wireless networks are not the only thing making the boundary of the network more porous but they are one of the most talked-about. If they provoke users to make their wired networks more secure, then they will actually have been a security boon, not a bane. "Wireless LAN brings out the underlying security problems in the wired LAN," says network analyst Chris Noble of the451.com. "It makes it really obvious that my wired LAN wasn't secure."
Focus on the whole network
So, if we have to shift our attention from securing wireless, to making the whole network secure enough to accept wireless, what do we do? Authentication is the first major thing to apply. "Port-based" 802.1X access control was designed for wired and wireless networks, at the instigation of Microsoft and HP, and is now built into most new enterprise Ethernet switches. Each user is identified as they sign on to the network.
Of course "port-based" authentication is not enough, as users linking to a wireless LAN do not have exclusive use of one port. Several users can connect to one access point, and then may move to another access point, coming into the network through a different port. "It is difficult to move to a new access point, and keep security as they move to other ports," says Mike Banic, director or marketing at Trapeze Networks (whose wireless switch promises a solution to this, of course). "The network must know who the user is, to maintain security."
802.1x refers authentication requests to a RADIUS (or other authentication) server attached to the network, so it fits easily with other security options. Until the user has authenticated, by exchanging a password with the server, he or she cannot perform any other action on the network. Whether or not a company plans to implement wireless LANs, it is a very good idea to implement 802.1x in order to make sure that any unexpected visitors on the LAN, through whatever route, can be rejected or have their access minimised.
There is a benefit here, of course. It is already a mark of a welcoming company to offer visiting executives with wireless laptops the opportunity to browse the web. 802.1x allows the company to offer "visitor net" privileges, of browsing only.
To incorporate 802.1x in wireless LANs, the IEEE has produced a bundle of security extensions to Wi-Fi, called 802.11i. While the IEEE dotted the i's and crossed the t's on 802.11i, a quick version of it was put out by the Wi-Fi community called WPA.
802.11i includes the Advanced Encryption Standard (AES) which replaces the weaker WEP, and the use of the extensible authentication protocol (EAP), although this standard was actually defined by the IETF as RFC2284. Unfortunately, EAP has several variants, including the Lightweight version, LEAP from Cisco, which is widely criticised to the extent that hacker Joshua Wright has created, and threatened to release, a tool called Asleap which can crack it.
Cryptography for safety's sake
Alongside the issue of authentication, there is the issue of encryption. It is a good idea to encrypt all traffic that goes across the wireless LAN.
In the early days WEP, with its static passwords, was deemed not good enough and users were encouraged to use VPNs, just as they would for remote access, even when in the office. WEP was replaced with other encryption algorithms, particularly the Advanced Encryption Standard (AES) used in 802.11i.
However, systems can only use encryption if they can communicate a key safely. "It is no good making encryption stronger, if the key can be taken out of the air," says Graham Melville, director of marketing at Symbol Technology. WPA and the nearly-standard 802.11i ensure that the key cannot be read, by using agreed ways to change it.
For the last few years, it has often been suggested, and usually by makers of processors used in encryption, that all the traffic on a LAN should be encrypted. Expect to hear this suggestion more often when wireless LANs become more widespread.
Everything in security is a trade-off. Make it too secure and legitimate users find it hard to log-on. Wireless shifts the terms of that trade-off, by making it far easier to access a network. This potentially allows more people to drop into a network, and exposes any weaknesses to more people.
If you see that as making the network more insecure, then that is your prerogative. The WI-Fi community would far rather you thanked them for bringing the problem to your attention.