Controlling the Air Waves
Wireless local-area networks are notoriously insecure. So why do organizations offer wireless access to their networks or Internet even though it's fraught with risks? Companies want to protect themselves rather than allow individuals to hook up Wi-Fi on their own.
In the absence of strong security standards, companies are cobbling together technologies, living with gaps, and hoping for the best.
Sure, there's Wired Equivalent Privacy (WEP), the encryption approach that was supposed to make Wi-Fi—or "wireless fidelity"—connections as resistant to hackers as wired networks are. But enterprise-security experts say WEP is wimpy, partly because it relies on unchanging, shared encryption keys that are relatively easy to crack.
"We believe that WEP is useless, so we don't use it," says John Halamka, chief information officer at CareGroup Healthcare Systems, which has rolled out Cisco wireless networks in all six of its hospitals in Massachusetts. "Instead, we're going with strong authentication and Web-based encryption."
Unfortunately, no widely-supported standard has come along to improve on WEP. That's a problem for information-technology managers because wireless networks transmit data—sometimes sensitive corporate or personal information—over open airways between desktop computers, laptops and other devices.
Wireless vendors have been haggling for years over a replacement security standard—802.11i—that promises strong encryption and authentication. Products using that standard aren't expected until late next year at the earliest. In the meantime, vendors such as Microsoft and Cisco Systems have come up with an interim fix—801.1x—that incorporates some of the improvements expected in 801.11i. Because each vendor has implemented 801.1x differently in its products, network managers have difficulty supporting more than a single kind of wireless equipment or brand of access point.
Some networking pros accept known wireless-security holes, at least until vendors address the problem.
"We're doing the best we can given a very fast-changing situation," says Eric Barnett, wireless administrator at Arkansas State University. Two years after starting to deploy a wireless network that has grown to 93 Cisco access points, Barnett scrapped plans to use the Wired Equivalent Privacy standard when its flaws were revealed. But he can't use Cisco's proprietary version of 801.1x authentication, known as Cisco LEAP, either—as many as 10,000 campus Wi-Fi users can't all be expected to have laptops equipped with wireless cards capable of working with Cisco.
Instead, Barnett has come up with a compromise: Cisco LEAP for those with compatible cards, and for all others, a much weaker scheme which checks a unique identifier in laptops and other devices before allowing them to access the network.
Despite security challenges, a growing number of organizations are adopting Wi-Fi technology. Infonetics Research predicts total spending on Wi-Fi technologies will increase from $1.68 billion in 2002 to $2.72 billion in 2006. While most of that spending has been by consumers and in such places as colleges and hospitals, enterprises are beginning to get onboard. A Yankee Group survey found that 37% of large enterprises are testing or deploying wireless networks, and another 14% expect to join them in the next 12 months.
Many see Wi-Fi—and the new applications it enables—leading to tangible payback. Clerks at stores owned by Orlando, Fla.-based beverage retailer ABC Fine Wines & Spirits, for example, save about five hours per week now that they scan incoming inventory and place resupply orders using Palm handheld devices and a Symbol wireless network instead of paper and fax. Multiply that time savings by 150 stores, and you're talking big bucks, says Guy Ledbetter, ABC's help desk manager.
Business furniture maker Steelcase is testing phones that work over the Wi-Fi network covering public areas on the company's Grand Rapids, Mich., campus, says information-services director Bob Krestakos. Once in use, the Internet Protocol phones will take a big bite out of Steelcase's corporate cell-phone bill, up to 30% of which represents calls made within the Steelcase headquarters.
Some organizations use the 801.1x approach for wireless authentication and encryption, even though there are multiple implementations of the young standard. That inconsistency means it's difficult to make wireless access points and wireless devices from different vendors work securely together.
CareGroup's Halamka, for example, uses Cisco's LEAP to secure his wireless network, but only because doctors and other hospital personnel use company-supplied laptops equipped with LEAP-compatible network cards and software.
That won't work for providing wireless Internet access to hospital visitors who bring along their own laptops. For them, Halamka plans a different tack: install a wireless-security gateway that can authenticate visitors with any kind of laptop. The gateways can also be used for some wireless-management functions such as automatically controlling how much Wi-Fi bandwidth is parceled out. Such gateway products are not inexpensive. Enterprise versions of Bluesocket gateways, for example, capable of supporting 100 users, start at $6,000 and go up to $13,000 for a 400-user version.
With mixed results, some organizations are tinkering with wired security technologies for the wireless world. Last March, at the University of Massachusetts at Amherst, network analyst Christopher Misra extended an existing virtual private network to cover a new Cisco wireless network. Because it was already installed, staff knew how to manage it. And the private network offers strong encryption via the Internet security protocol that uses public keys.
But that approach also caused complications—it requires users to have specific software installed. While most Windows laptops come with virtual private network software built in, the same is not true of many handheld devices or Macs. Also, such virtual connections aren't designed for mobile applications, and connections often get dropped as wireless users roam between access points. Misra is now considering augmenting the approach with Bluesocket's Wi-Fi security gateway.
One thing that Misra and other technology managers are not considering, however, is backing away from wireless until security standards become more solid. "People are used to wireless now and expect it," says Steelcase's Krestakos, who supports more than 1,000 Wi-Fi users today. "It's improved [teamwork] and collaboration. The benefits outweigh the risks."
reless Security Dynamics">
Wireless Security Dynamics
Category: Wireless local-area network security
What it is: Hardware and software for authenticating wireless network users, encrypting wireless network traffic and monitoring and managing wireless network access points.
Key Players: AirWave, Avaya, Bluesocket, Cisco, Enterasys, Fortress Technologies, Funk Software, Intel, Meetinghouse, Proxim, ReefEdge, Symbol, Vernier, Wavelink
What's Happening: Absent strong security standards, many enterprises are going ahead with wireless, plugging security holes as best they can.
Expertise Online: www.weca.net/opensection/ protected_access.asp
-Fi for Gen Y">
Wi-Fi for Gen Y
St. John's University
Executive Director for Information Technology
New York, N.Y.
Manager's Profile: Tufano oversees information-technology planning and operations on the five-campus private university with 18,000 students. His team supports 2,900 on-campus computers as well as Web-based applications, some of which give students wireless access to pay fees and look up grades online.
Why Wi-Fi: University leaders decided all students should be provided with laptops and Internet access "for educational reasons," Tufano says. Because students spend much of their time in common areas such as the library, "it made no sense to try to provide Internet access without wireless."
The Project: This past spring, Tufano's team began rolling out a wireless network that will eventually cover "all areas of the university except two parking garages and outdoor athletic fields. And we're looking at those."
The Cost: $7 million covers the wireless network on campus plus IBM Thinkpad notebook computers given to 3,000 freshmen. In part to pay for the program, St. John's increased tuition by 10% this year.
The Original Security Plan: Tufano hoped to protect Wi-Fi traffic with a version of the interim 801.1x protocol called the Protected Extensible Authentication Protocol (PEAP). He says St. John's picked that protocol over Cisco's version of the standard-in-the-making—called LEAP—because "PEAP has much broader industry support, while LEAP is more proprietary to Cisco."
What Had to Change: Because he couldn't be sure that all student laptops would initially be able to work with PEAP, Tufano came up with a revised security plan: Protect faculty and administrator laptops with PEAP; use less-secure static 128-bit encryption keys that rely on the Wireless Equivalent Privacy standard; and authenticate the Internet addresses of student machines before allowing access to the network.