Interview

The secret to secure wireless LANs

Kurt Ringleben, News Writer
What is the first thing a network manager should consider when planning to construct a secure WLAN?
The first consideration should be just how secure the wired local area network (LAN) is. Clearly the degree of security for the wireless LAN should reflect the corporate policy toward the wired LAN. In other words if a company doesn't encrypt their wired LAN they may not feel a need to encrypt their wireless LAN. It depends on how secure their network communications need to be.

What other wireless security issues should you consider?
There are a couple basic things to do with wireless security. You need to turn it on. Forty percent of networks never turn on their wired equivalency privacy (WEP) security. It's very minimal, but you need to turn it on. There is a common misconception: people don't realize that the default is off and not on.
Also develop policies that centralize control of all wireless, so that if managers want to buy wireless LANs with departmental funds then it is all controlled centrally, so you can deal with issues like (radio) interference and unauthorized access.

What wireless authentication schemes provide the best security?
User based is better. The problem with device-based schemes is that the device can be stolen or spoofed. In other words if you're doing a Media Access Address (MAC) authentication, if somebody steals a machine and you don't update your records soon enough they can just log right in and the machine will be accepted. Also there are ways of imitating a MAC address so the access point thinks it's talking to a certain node when it's really talking to a hacker.

Can you explain the three WLAN protocols A, B and G? How do they differ in terms of security?
They don't. The three different network topologies have to do with the way data is transmitted. They all fall under 802.11, so they all have the same basic security issues. No one is more secure than the other, although there is a slight advantage to 802.11a in terms of interference, because there is less traffic in that spectrum.

What is a rogue access point and what danger do unauthorized access points pose to a WLAN?
A rogue access point is simply an access point that is not accounted for. It's not officially part of the network. It transmits and eventually becomes accepted as part of the network. The major danger is that on most networks, once you are part of the network there is no further protection scheme in place to limit access to network resources. So once you're in, you're in, and you have access to all the data that's on the network. In some cases companies have mistakenly put their WLANs inside the firewall, so in effect once you're in the WLAN you're in the corporate wired LAN and have access to everything including routers.

What security measures can a network manager take that go above and beyond Wired Equivalency Privacy (WEP) keys?
Basically you can create a tiered security approach focusing on authentication, encryption and authorization. Essentially what you want to do is to authenticate at layer three, which means that you want to have a user ID and password that is authenticated. Generally that is done via Remote Authentication Dial-In User Service servers (RADIUS). Most of the vendors have proprietary support for what they call 802.1X authentication. You want to have that kind of authentication that goes well beyond the layer two authentication that you have with WEP. As far as the encryption, ideally you want to have 128-bit dynamic key encryption so that the key is changing all the time, so you don't have to do it manually. The problem with the WEP key is that it is static and the only standard WEP encryption is the 40-bit encryption key.

How can virtual private networks (VPNs) provide security for a WLAN?
VPNs are one of the best ways to add authorization, which means that you're able to limit the resources that somebody is authorized to use. So even if they do make it into the network, past the WEP security to access key parts of the corporate network inside the firewall, they still have to wind up going through a VPN. So in effect, what you are doing is treating the WLAN as if it has the same level of insecurity as Internet access does. The alternative to a VPN is to use a virtual local area network (VLAN), but those can be a nightmare to administer, keeping track of who belongs to what segments and so forth.

Are there other problems?
A lot of times what happens is that people are buying WLANs with departmental money and not telling corporate. So you have all kinds of ad-hoc wireless in place. Since some people haven't disabled the broadcast functions in their access points essentially what happens is the access point accepts any signal that is broadcast to it and lets it join the network.

What are some methods for detecting rogue access points?
There are all kinds of tools out there. The latest one is called AirMagnet; there are lots of others. Essentially what you wind up doing is a sweep looking for signals, figuring out where the signals are coming from and who they belong to.

What does the future hold for WLAN security, are there any emerging trends?
One is that 802.1X is moving towards fruition. There are some holes even in 802.1X but those will probably get ironed out for the next version. 802.11i is being developed, which is going to be a much more sophisticated type of encryption, which should be a big help. Those are the two major optimistic things to look for in terms of security. We're also starting to see more devices out there to monitor your WLAN.