Don't lose another moment's sleep over wireless security concerns. The latest public and private wireless networks feature security measures that can make them as secure as, or more secure than, their wired counterparts.
February 1, 2001
With current projections calling for the number of remote users to grow by 40 to 60 per cent annually, the corresponding demand for increased flexibility and mobility in the workplace has prompted rapid adoption of wireless local area networks (LANs). The reason for this increased demand is simple: wireless LANs add flexibility, scalability and security to a network, while cutting overall costs.
Despite these advantages, one issue that is continually raised about wireless networking is security. A common misconception about wireless technology is that it is insecure. However, both public and private wireless LANs feature several security measures that can actually make them more secure than their wired counterparts.
Most people consider wireless LANs vulnerable to attack or infiltration, since information is transmitted through the air. Wireless LANs use radio frequency (RF) technology, transmitting and receiving data over the air, and minimizing the need for wired connections. However, Spread Spectrum technology is the core of most RF LANs, and these systems are designed to be resistant to noise, interference, jamming and unauthorized detection.
UNDERSTANDING SPREAD SPECTRUM
Spread Spectrum technology was developed by the military over 50 years ago as a secure wireless technology to improve message integrity and security. This technology works by modulating a radio signal “pseudo-randomly” so that it is difficult to decode. Two types of Spread Spectrum technology are available — direct sequence, which works by spreading the radio signal over a wider band, and frequency hopping, which works by shifting the signal from frequency to frequency.
Radio signal modulation provides some security. However, because the signal can be sent great distances (for interbuilding applications), you do risk interception. Employing different encryption methods helps to maintain the highest levels of security for your network, and most Spread Spectrum products include encryption.
Encryption is always necessary to keep information secure. Wireless LANs use the IEEE 802.11 standard, which includes a security technique known as Wired Equivalent Privacy (WEP). The WEP standard is designed to make the link integrity of the wireless medium equal to that of a cable.
WEP is based on the use of 64-bit keys and the popular RC4 encryption algorithm. Users who do not know the current key (password) are excluded from network traffic. WEP protects against eavesdropping and guards against unauthorized access of the wireless network. Through strong encryption methods, even if data is intercepted, it cannot be decrypted. Encryption methods vary between public and private wireless LANs, as each one has its own particular authentication requirements.
The main difference between security for public and private wireless LANs is access control. Access control governs a user’s ability to make a connection to a particular network, computer or application, or to a specific kind of data traffic. Access control systems are generally implemented using firewalls, which provide a centralized point from which to permit or deny access.
A private LAN resides within a company, meaning that only members of that company have access to the network. In contrast, a public LAN resides in a public domain (e.g. an airport) and can be accessed by anyone wishing to log in (usually for a price). Diverse access requires different forms of security in order to protect users from network compromise.
Security over a private wireless LAN uses a shared encryption key to provide access to the network. This means all employees use the same security key to access the network. Employees possess a previously distributed key that locks and unlocks the data. However, in a public wireless LAN, “per user per session” encryption is used to access the LAN, meaning individual nodes must be security-enabled before they are allowed to participate in network traffic.
Public LAN security has several advantages over private wireless LAN security. The most important of these is ease of management. In a private wireless LAN environment, the encryption key has to be changed every time an employee leaves the company in order to protect the information stored on the LAN, because if the key becomes known, all of the data can be decrypted. This makes network management difficult and time consuming for the IT manager. With a public LAN infrastructure, users are given individual passwords to the network. This inherently creates a more secure network that provides the additional flexibility of allowing vendors and suppliers to use your network resources without fear of privileged company data being compromised.
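The WEP construction and the shared-key management problem described in the passages above (the 64-bit RC4 key, and the need to change the key when an employee leaves), shown as an added Python example that is not part of the original article. It assumes the standard 802.11 layout in which the 64-bit key is a 24-bit per-frame value (the IV) sent in the clear plus a 40-bit shared secret; the function names, sample keys and payload are constructed for illustration.

```python
import os
import struct
import zlib
from typing import Optional

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4: key scheduling, then XOR the data with the keystream."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i, j, out = 0, 0, bytearray()
    for byte in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)

def icv(payload: bytes) -> bytes:
    """Integrity check value: CRC-32 of the plaintext payload."""
    return struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)

def wep_encapsulate(secret: bytes, payload: bytes, iv: Optional[bytes] = None) -> bytes:
    """IV (sent in clear) || key-id byte || RC4(IV || secret, payload || ICV)."""
    if len(secret) != 5:
        raise ValueError("a 64-bit WEP key is a 24-bit IV plus a 40-bit shared secret")
    iv = os.urandom(3) if iv is None else iv
    return iv + b"\x00" + rc4(iv + secret, payload + icv(payload))

def wep_decapsulate(secret: bytes, frame: bytes) -> Optional[bytes]:
    """Return the payload if the ICV verifies under this secret, else None."""
    if len(frame) < 8:  # 3-byte IV + key-id byte + 4-byte ICV at minimum
        return None
    plain = rc4(frame[:3] + secret, frame[4:])
    payload, check = plain[:-4], plain[-4:]
    return payload if check == icv(payload) else None

def key_rotation_demo() -> dict:
    """Constructed scenario: the shared secret is changed after a departure."""
    old_key, new_key = b"\x10\x20\x30\x40\x50", b"\x0a\x0b\x0c\x0d\x0e"  # sample keys
    before = wep_encapsulate(old_key, b"Q4 forecast", iv=b"\x00\x00\x01")
    after = wep_encapsulate(new_key, b"Q4 forecast", iv=b"\x00\x00\x02")
    return {"old_key_on_old_frame": wep_decapsulate(old_key, before),
            "old_key_on_new_frame": wep_decapsulate(old_key, after),
            "new_key_on_new_frame": wep_decapsulate(new_key, after)}

if __name__ == "__main__":
    print(key_rotation_demo())
```

Every holder of the old secret can read every frame sent under it, so in a shared-key deployment changing the key on all stations is the only way to revoke one person's access.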
THE HUMAN TOUCH
Protection of company information is a high priority. Yet, despite the tightest network security, it is the human element that wreaks the most havoc. In fact, internal breaches are the most common and most damaging forms of network compromise. Disgruntled former employees, hackers, viruses, Internet-based attacks, and industrial espionage are an unfortunate fact of life in any form of networking today. And, it is almost impossible to control this type of intrusion from someone with the right motivation and access to the proper equipment.
Risks to security include both physical and higher level vulnerabilities. Higher level vulnerabilities are those at the programming level. For example (in both wireless and wired LANs), if the data is encrypted but the source and destination addresses are not, an intruder can see the direction and the amount of the data traffic. This higher-level vulnerability has to be protected by the network operator whose job it is to safeguard the network root key. Perhaps future technology holds the key to absolute network security.
As wireless LAN technology evolves, security protocols will have to keep pace to maintain the same level of security that exists today. The future of wireless LANs will include higher data rates, from 11 Mbps to 54 Mbps, that will enable greater processing speed and larger packets of information to be processed. It will also include the adoption of new applications (such as Voice over IP) and interoperability with third-generation cellular networks.
The challenge will be to maintain the base level security required by the organization, as users move between these various infrastructures and devices. This will actually create a complex web of per-user, per-session, per-infrastructure, per-device encryption that counters any advantage a hacker might have.
A LOOK AT WEP
The WEP option to the 802.11 standard is one of the first steps in addressing user security concerns. Manufacturers are only now beginning to support 128-bit key lengths. Longer key lengths will provide a level of security that will continue to stay steps ahead of the computing power required to break codes.
To enhance WEP security, users need to use a RADIUS server, which uses the familiar account name and password to confirm Authorization, grant Access and begin Accounting for the session (AAA security). These rights are given by association (working for that organization, in the right department), by payment (hotel room Internet access), or by membership (airline member lounges, etc.). This function is an effective way of controlling access and the security of network data.
The management capabilities of wireless access points will continue to improve, providing IS management with more information, security and configuration options, and making network breaches more difficult. Some of these improvements have already begun to enter the marketplace. Features such as “per user, per session” encryption provide higher levels of security to each wireless session. Also, features such as automatic encryption, key generation and distribution will help a company save money by eliminating the need for manual intervention by IT managers.
As we move towards an even more mobile workforce, technologies that enable resource and information sharing will be in greater demand. In time, tomorrow’s security infrastructures for wireless networks may borrow from today’s cellular networks, enabling you to unplug your laptop from your office and walk across the street to another building — while retaining your network connection and security capability.
Protecting valuable information is a great responsibility, but guaranteed network security unfortunately does not exist. All LANs are vulnerable to some level of insider curiosity, outsider attack and eavesdropping. A person with enough resources can break into any network, whether it is wired or wireless, public or private.
No one wants to risk having LAN data exposed to the casual observer or open to malicious mischief. That being said, steps can and should always be taken to preserve network security and integrity, using the numerous security features available today. By combining security measures from public and private, wired and wireless networks, businesses can achieve a very high level of network security for their wireless networks.
John C. Williams is the Data Product Specialist at Avaya Canada, Markham, ON, where he works with company sales teams and their partners to promote a wide range of data products. He has a wide range of experience in the Wireless LAN marketplace, and has worked for several years specifying, designing and implementing Wireless LAN solutions throughout Canada.