Controlling the Air Waves

Wireless local-area networks are notoriously insecure. So why do organizations offer wireless access to their networks or Internet even though it’s fraught with risks? Companies want to protect themselves rather than allow individuals to hook up Wi-Fi on their own.

In the absence of strong security standards, companies are cobbling together technologies, living with gaps, and hoping for the best.

Sure, there’s Wired Equivalent Privacy (WEP), the encryption approach that was supposed to make Wi-Fi—or “wireless fidelity”—connections as resistant to hackers as wired networks are. But enterprise-security experts say WEP is wimpy, partly because it relies on unchanging, shared encryption keys that are relatively easy to crack.

“We believe that WEP is useless, so we don’t use it,” says John Halamka, chief information officer at CareGroup Healthcare Systems, which has rolled out Cisco wireless networks in all six of its hospitals in Massachusetts. “Instead, we’re going with strong authentication and Web-based encryption.”

Unfortunately, no widely-supported standard has come along to improve on WEP. That’s a problem for information-technology managers because wireless networks transmit data—sometimes sensitive corporate or personal information—over open airways between desktop computers, laptops and other devices.

Wireless vendors have been haggling for years over a replacement security standard—802.11i—that promises strong encryption and authentication. Products using that standard aren’t expected until late next year at the earliest. In the meantime, vendors such as Microsoft and Cisco Systems have come up with an interim fix—801.1x—that incorporates some of the improvements expected in 801.11i. Because each vendor has implemented 801.1x differently in its products, network managers have difficulty supporting more than a single kind of wireless equipment or brand of access point.

Some networking pros accept known wireless-security holes, at least until vendors address the problem.

“We’re doing the best we can given a very fast-changing situation,” says Eric Barnett, wireless administrator at Arkansas State University. Two years after starting to deploy a wireless network that has grown to 93 Cisco access points, Barnett scrapped plans to use the Wired Equivalent Privacy standard when its flaws were revealed. But he can’t use Cisco’s proprietary version of 801.1x authentication, known as Cisco LEAP, either—as many as 10,000 campus Wi-Fi users can’t all be expected to have laptops equipped with wireless cards capable of working with Cisco.

Instead, Barnett has come up with a compromise: Cisco LEAP for those with compatible cards, and for all others, a much weaker scheme which checks a unique identifier in laptops and other devices before allowing them to access the network.

Despite security challenges, a growing number of organizations are adopting Wi-Fi technology. Infonetics Research predicts total spending on Wi-Fi technologies will increase from $1.68 billion in 2002 to $2.72 billion in 2006. While most of that spending has been by consumers and in such places as colleges and hospitals, enterprises are beginning to get onboard. A Yankee Group survey found that 37% of large enterprises are testing or deploying wireless networks, and another 14% expect to join them in the next 12 months.