Is Wireless Security a Lost Cause?

As enterprises continue to invest in wireless devices and networks, IT specialists will be faced with the growing challenge of maintaining and improving the security of those networks.

In many cases, they are getting the financial assistance they need to achieve this goal. Global spending on overall security and business continuity will grow at twice the speed of IT spending, reaching more than US$116 billion by 2007, according to research firm IDC. Corporate spending is IT professionals’ top priority, the firm found, with 40 percent of about 1,000 IT managers rating security as their top concern.

Also, almost 25 percent of businesses now are installing wireless LANs, according to Forrester Research.

“Maybe 10 to 15 percent of the total installed base in the United States are doing mission-critical applications over wireless networks today,” Tim Scannell, president and chief analyst at Shoreline Research, told the E-Commerce Times.

Where the Tech Is

This surge in wireless network adoption has occurred in the past couple of years despite the prevalence, until recently, of a relatively weak standard called WEP for ensuring WLAN security. However, although the number of wireless networks grew, WEP’s use of a static encryption key hampered security and dissuaded many organizations from adopting mobile technology, Kevin Walsh, director of product management at WLAN security firm Funk Software, told the E-Commerce Times.

The emergence of a better standard called WPA — WiFi Protected Access — has encouraged more businesses to invest in this technology, according to Walsh.

“Some people did not feel comfortable with wireless technology until WPA became available,” he said. “It fixes the encryption problems of WEP.”

However, he noted, WPA is not perfect either. “Some people want to wait for 802.1X,” which is the next stage in the evolution of wireless securitystandards.

Small Steps

WPA is a step in the right direction, agreed Brant Cooper, vice president of corporate strategy at network analysis company WildPackets. “I think WPA is pretty secure,” he told the E-Commerce Times. “It’s way better than WEP, but not as secure as most security measures in use commonly today, such as SSL used to encrypt secure Web transactions, or VPN technology used to secure communications office to office, or remote user to home office.”

WPA, which is not recognized by the IEEE, is based on draft three of that organization’s upcoming 802.11i standard, which is expected to be finalized in the next few months, Robert Moskowitz, senior technical director of ICSA Labs at TruSecure, told the E-Commerce Times.

“There’s really no technical flaw seen between draft three and draft seven,” said Moskowitz, who is participating in the review process for 802.11i. “Draft seven is what’s going to the sponsor ballot.”

On the Horizon

Although WPA may not be much different than the eventual 802.11i security standard, that latter standard is likely to become dominant when it is released.

In fact, vendors most likely will start shipping 802.11i products in 2004, even if a final version of the protocol is not released until early 2005, Moskowitz noted.

“I believe we will see more and more companies looking toward 802.1X and other uses of EAP — Extensible Authentication Protocol — as the protocol defines a number of beneficial requirements or must-haves, such as: mutual; self-protecting; immune to dictionary attacks; and produces session keys,” said Ollie Whitehouse, director of security architecture at @stake, in an interview with the E-Commerce Times.

Getting Hit On

Despite its relative newness, there already have been some successful attacks against WPA networks. One reason is that the protocol relies on preshared keys, according to Moskowitz. In addition, it can capture a four-way handshake, reducing the amount of privacy between people working together. “A preshared key is bad,” he said. “Unless you want to develop a random preshared key, it doesn’t work.”

If it recognizes a threat, WPA will shut down an access point for 60 seconds, then restart. However, someone could attack an access point continually, creating a denial-of-service situation, said Shoreline Research’s Scannell.

“WPA is better than WEP, but we still have a way to go before true wireless network security,” he noted. “A lot of cryptologists don’t like WPA because it’s based on older ciphers. It’s borrowing a lot of elements from the wired world.”

In contrast, 802.11i uses Advanced Encryption Standard (AES), Walsh said. “Since it’s using that, it puts a lot of people at ease. AES is something the government put forth as a way to do business. 802.11i is better because of that and a number of different things. AES is going to raise it to a level where the industry deems it is secure.” Still, he noted, “You have to deploy it correctly.”

Safe and Sound?

Amid ongoing evolution, the future looks quite bright for wireless network security — so long as vendors, purchasers and the user community pitch in.

“In Q1 to Q2 2004, expect the larger vendors to drive home and resolve a majority, if not all, of the remaining security issues in the 802.11 protocol family — or attempt to,” @stake’s Whitehouse said. “It is our expectation that by the end of Q3 or early Q4 2004, the best-of-breed vendor solutions will have been formalized, reviewed and ratified by the IEEE and other industry bodies to form the basis of secure 802.1X solutions designed for all sectors of the market. The biggest question remaining will be: How quickly does this reach the shelves of your local PC store for John and Jane Doe, and how easy will it be to deploy, manage and maintain?”

In fact, due in part to all the scrutiny wireless networks generally endure, they eventually may be even more secure than hardwired installations, said David Yach, senior vice president of software at Research In Motion, developer of the BlackBerry handheld device.

“I think, in many respects, wireless may leapfrog wire-line security,” he told the E-Commerce Times.

Buy in Bulk

Although wireless security may remain out of the technical and financial reach of many individuals and small organizations, large companies likely will be able to ensure the same level of security for wireless as for wired networks, Whitehouse agreed.

“Medium to large enterprises … typically have the technical capabilities and resources required to architect, deploy and maintain a secure solution,” he said. “Also, typically in the [large companies] there is a greater financial or regulatory incentive to reap the benefits of wireless technologies without jeopardizing the security of the corporation’s digital assets.”

Indeed, people — not technology — may prove to be the weakest link in wireless security, Moskowitz cautioned.

“Is it perfect? Come on, now. It’s not perfect,” he said. “The human factor’s what gets you in. In a house of 100 windows, it only takes one broken one for a crook to get in. There are things people can do. If you use bad keys, it is attackable. If you use the wrong EAP method, you’re opening yourself up to attack. If you don’t do your verification properly, someone can still get in.”

Amid these warnings, he offered a bit of advice: “Set your policies and rules up right. Don’t make it so a person has to create a password that’s so hard for them to work with that they have to tape it to their system.”