Wireless LANs, the new 'secure' network

By Andrew R. Hickey, News Writer 27 Oct 2005 | SearchNetworking.com

News on networking, mobility and voice Digg This!     StumbleUpon     Del.icio.us

Once considered a playground for hackers and malicious attacks, wireless networks are fast becoming more secure than their wired counterparts.

With encryption and authentication technologies like VPNs, Wi-Fi Protected Access (WPA) and WPA2 with 802.1x, the theory that a wireless LAN (WLAN) equals an unsecured LAN is obsolete.

"Your wireless network, in many cases, is more secure than your wired network," said Bill Terrill, senior analyst with Burton Group, a Midvale, Utah-based research firm.

According to Terrill, wireless network security holes are not typically the result of insecure products, but are left by network administrators who don't use the proper tools to their advantage.

"The biggest security threat to a WLAN is the network administrator who doesn't turn on the security and monitor the network," he said. "There's no reason an enterprise shouldn't have wireless security."

Lisa Phifer, vice president of Core Competence Inc. and a SearchNetworking.com expert, said most companies report that their biggest threat is the potential for WLANs to be used as a vector to penetrate a company's wired network.

Evaluating the threats

She said that fear explains the rising popularity of rogue access point detection systems to prevent rogues installed by employees inside the firewall or employees that accidentally connect to neighboring or attacking access points. Rogue access points, she said, circumvent existing network defenses.

"Your wireless network, in many cases, is more secure than your wired network." Bill Tirrell Senior Analyst, Burton Group

"An organization's primary defense against these … is wireless activity monitoring and incident response," Phifer said. "Today, there are many wireless intrusion detection and prevention systems that can help companies see what is happening over the air, in or near their premises."

Some products, Phifer said, also offer automated response capabilities, such as using wireless or wired containment techniques to disrupt a suspected rogue access point or using locator tools to track that access point down.

Phifer said, for the most part, hackers are no longer the concern they once were. Recent improvements to wireless security, like 802.11i, 802.1x and WPA2, have eliminated most wireless data confidentiality threats, and have provided the necessary toe-hold for implementing stronger WLAN access control and user authentication, she said.

"However, these improvements primarily improve the security of legitimate wireless activity," Phifer said. They don't do anything to prevent rogues, misconfigured stations, or denial-of-service attacks against the WLAN itself. Attackers can still exploit all of those weaknesses -- for example, by disrupting a WLAN's normal operation with deauthenticate or 802.1x-logoff packet storms."

Terrill agreed. "Because security of wireless LANs is so good, [hackers] can't get in anymore. Hackers can't get into your network, but they can disrupt it and that has potential to be a problem," he said.

One way hackers disrupt a wireless network is by sending disassociation packets to users on a company network. The packets force users to log off at the same time and log back on all at once, which overloads the server and takes down the network.

Dave Danielson, vice president of marketing for Blusesocket, a Burlington, Mass.-based vendor of intrusion detection systems for wireless networks, said the threat is no longer a black ski mask-clad hacker hunkered down in a business parking lot trying to get onto the network.

"The vast majority of things that happen now are mistakes," he said, adding that authorized users can be just as detrimental to a wireless network if they don't follow the appropriate procedures. "People who don't use the tools available are the biggest threat."

Monitoring the airwaves

Bluesocket this week introduced a new centralized radio frequency sensor that, Danielson said, protects networks by "looking at radio waves, monitoring them and making sure they're safe."

The centralized sensor, Danielson said, can monitor waves in an area the size of a four-story city block, whereas distributed sensors cover about 100 meters. The sensor finds and reports anomalies.

"There are a handful of very basic steps to secure a network," he said. "Radio frequency protection is a necessary and critical solution. Some assume the walls of buildings are fortresses or moats [to protect networks]. Wireless blurs this whole fortress feeling."

Trapeze Networks this week introduced a new security feature that integrates AirDefense sensors into Trapeze wireless access points. Bruce Van Nice, Trapeze's vice president of worldwide marketing, said the integration allows networks to be monitored 24/7 for trouble spots.

In the same vein, Andover, Mass.-based vendor Enterasys also added new wireless security products to its arsenal, including the AP4102 unified access point, the AP1002 thin access point and the 8400 wireless switch.

Pabhu Kavi, director of wireless products at Enterasys, said yesterday that the new products "make sure the traffic that flows is of the right type and between authorized parties."

The new products, Kavi said, block and rate-limit, virus-prone ports on a wireless network and assign security policies to users to dictate what they can and can't access.

For more information Read more about Trapeze's partnership with AirDefense Check out Lisa Phifer's article on network-borne attacks

"In a properly configured wireless network, security is pretty tight," he said. "But there are still a large number of deployments out there that haven't been properly tightened down. The general feeling is, if you have access to a network within the corporation, you're a trusted user. We think security is much more than having the latest encryption and authentication tools."

What makes Enterasys' line unique, Kavi said, is that it detects rogue access points, isolates them and automatically shuts down the port on the network to which it is connected, preventing an attack.

Before such advancements, Kavi said, wireless networks were easy targets.

The keys to successful WLAN security

The three keys to maintaining a secure WLAN, Danielson said, are to observe, monitor and protect. "You not only have to secure the users who get in with good intent," he said. "You also need to ensure the radio waves are secure from hackers and spies. You have to look at radio waves and monitor them to make sure they're safe."

Terrill said several leading vendors like Aruba Networks and Cisco Aironet offer security packages that verify most devices logging into a wireless network are up to date with antivirus protection, firewalls and tools that scan for other vulnerabilities. Other products, including radio frequency sensors, also provide protection, but someone needs to be available to respond any anomalies a sensor finds.

"Basically, the wireless side of security is solid, if you use it and use it right," he said. "It's all about common sense and using the tools available."

Phifer, however, said no network can be totally secure, despite all of the safeguards.

"The goal of any security program is to reduce risk to acceptable levels, based on business needs and costs," she said. "I firmly believe that most companies can make their wireless deployment safe enough, but I also believe that doing so requires diligence and planning."

Tags: WLAN Security,  Troubleshooting Wireless Networks,  Wireless LAN Implementation,  Wireless Network Security,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT WLAN Security Where can I find a wire driver that unblocks recognized passwords? Will using a VPN protect me against fake wireless hotspots? Fluke gets WLAN design, management, security cred with AirMagnet Is WPA2 secure enough for a commercial business wireless network? Health center cut cost securing wireless network edge with Aerohive Wi-Fi RTLS for WLAN management, location-based security, asset tracking Wireless LAN performance management and security standards beefed up How can I hide my WLAN's SSID in an Aruba AP-61? Wireless LAN security: SonicWall joins crowded WLAN market Stolen laptop recovery using remote access and wireless network SSIDs Troubleshooting Wireless Networks University tackles large-scale 802.11n wireless network management Why is my network adapter not working after a Vista Business upgrade? Meru reinvents wireless LAN troubleshooting and management APs drop connection in WLAN configured as a wireless mesh network How to plan for 802.11n wireless LAN upgrades Vendors strive to automate wireless LAN troubleshooting and management Fluke gets WLAN design, management, security cred with AirMagnet Wi-Fi RTLS for WLAN management, location-based security, asset tracking How radio frequency (RF) of microwaves alter wireless signal strength Distributed antenna systems and WLAN: A network management burden Troubleshooting Wireless Networks Research Wireless LAN Implementation University tackles large-scale 802.11n wireless network management Why is my network adapter not working after a Vista Business upgrade? How many wireless base stations can connect to 802.11g access points? 802.11n wireless APs bring IP video to sprawling Illinois high school No data cable? Wireless mesh networking the answer for Wi-Fi backhaul Integrated wireless and wired LAN: Brocade-Motorola deal ups the ante 802.11n WLAN architecture strategies: The 2.4 vs. 5 GHz band debate 802.11n upgrade: College ditches legacy network for new vendor 802.11n ratification will drive down wireless LAN prices How does Wi-Fi ad-hoc mode react when 802.11n and legacy peers are present?

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary 802.11a  (SearchNetworking.com) home agent  (SearchNetworking.com) iDEN  (SearchNetworking.com) radio frequency  (SearchNetworking.com) repeater  (SearchNetworking.com) spectrum analyzer  (SearchNetworking.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary