Once considered a playground for hackers and malicious attacks, wireless networks are fast becoming more secure
than their wired counterparts.
With encryption and authentication technologies like VPNs, Wi-Fi Protected Access (WPA) and WPA2 with 802.1x, the theory that a wireless LAN (WLAN) equals an unsecured LAN is obsolete.
"Your wireless network, in many cases, is more secure than your wired network," said Bill Terrill, senior analyst with Burton Group, a Midvale, Utah-based research firm.
According to Terrill, wireless network security holes are not typically the result of insecure products, but are left by network administrators who don't use the proper tools to their advantage.
"The biggest security threat to a WLAN is the network administrator who doesn't turn on the security and monitor the network," he said. "There's no reason an enterprise shouldn't have wireless security."
Lisa Phifer, vice president of Core Competence Inc. and a SearchNetworking.com expert, said most companies report that their biggest threat is the potential for WLANs to be used as a vector to penetrate a company's wired network.
Evaluating the threats
She said that fear explains the rising popularity of rogue access point detection systems to prevent rogues installed by employees inside the firewall or employees that accidentally connect to neighboring or attacking access points. Rogue access points, she said, circumvent existing network defenses.
Some products, Phifer said, also offer automated response capabilities, such as using wireless or wired containment techniques to disrupt a suspected rogue access point or using locator tools to track that access point down.
Phifer said, for the most part, hackers are no longer the concern they once were. Recent improvements to wireless security, like 802.11i, 802.1x and WPA2, have eliminated most wireless data confidentiality threats, and have provided the necessary toe-hold for implementing stronger WLAN access control and user authentication, she said.
"However, these improvements primarily improve the security of legitimate wireless activity," Phifer said. They don't do anything to prevent rogues, misconfigured stations, or denial-of-service attacks against the WLAN itself. Attackers can still exploit all of those weaknesses -- for example, by disrupting a WLAN's normal operation with deauthenticate or 802.1x-logoff packet storms."
Terrill agreed. "Because security of wireless LANs is so good, [hackers] can't get in anymore. Hackers can't get into your network, but they can disrupt it and that has potential to be a problem," he said.
One way hackers disrupt a wireless network is by sending disassociation packets to users on a company network. The packets force users to log off at the same time and log back on all at once, which overloads the server and takes down the network.
Dave Danielson, vice president of marketing for Blusesocket, a Burlington, Mass.-based vendor of intrusion detection systems for wireless networks, said the threat is no longer a black ski mask-clad hacker hunkered down in a business parking lot trying to get onto the network.
"The vast majority of things that happen now are mistakes," he said, adding that authorized users can be just as detrimental to a wireless network if they don't follow the appropriate procedures. "People who don't use the tools available are the biggest threat."
Monitoring the airwaves
Bluesocket this week introduced a new centralized radio frequency sensor that, Danielson said, protects networks by "looking at radio waves, monitoring them and making sure they're safe."
The centralized sensor, Danielson said, can monitor waves in an area the size of a four-story city block, whereas distributed sensors cover about 100 meters. The sensor finds and reports anomalies.
"There are a handful of very basic steps to secure a network," he said. "Radio frequency protection is a necessary and critical solution. Some assume the walls of buildings are fortresses or moats [to protect networks]. Wireless blurs this whole fortress feeling."
Trapeze Networks this week introduced a new security feature that integrates AirDefense sensors into Trapeze wireless access points. Bruce Van Nice, Trapeze's vice president of worldwide marketing, said the integration allows networks to be monitored 24/7 for trouble spots.
In the same vein, Andover, Mass.-based vendor Enterasys also added new wireless security products to its arsenal, including the AP4102 unified access point, the AP1002 thin access point and the 8400 wireless switch.
Pabhu Kavi, director of wireless products at Enterasys, said yesterday that the new products "make sure the traffic that flows is of the right type and between authorized parties."
The new products, Kavi said, block and rate-limit, virus-prone ports on a wireless network and assign security policies to users to dictate what they can and can't access.
What makes Enterasys' line unique, Kavi said, is that it detects rogue access points, isolates them and automatically shuts down the port on the network to which it is connected, preventing an attack.
Before such advancements, Kavi said, wireless networks were easy targets.
The keys to successful WLAN security
The three keys to maintaining a secure WLAN, Danielson said, are to observe, monitor and protect. "You not only have to secure the users who get in with good intent," he said. "You also need to ensure the radio waves are secure from hackers and spies. You have to look at radio waves and monitor them to make sure they're safe."
Terrill said several leading vendors like Aruba Networks and Cisco Aironet offer security packages that verify most devices logging into a wireless network are up to date with antivirus protection, firewalls and tools that scan for other vulnerabilities. Other products, including radio frequency sensors, also provide protection, but someone needs to be available to respond any anomalies a sensor finds.
"Basically, the wireless side of security is solid, if you use it and use it right," he said. "It's all about common sense and using the tools available."
Phifer, however, said no network can be totally secure, despite all of the safeguards.
"The goal of any security program is to reduce risk to acceptable levels, based on business needs and costs," she said. "I firmly believe that most companies can make their wireless deployment safe enough, but I also believe that doing so requires diligence and planning."