Something had been bothering Peter Johnson ever since last November,when the announcement of security flaws in the standards used forwireless LANs boomeranged his wireless project for the U.S. Army backto the drawing board. It wasn't that the initiative was delayedseveral months while Johnson bought encryption technology. It wasthose ads in the Sunday newspaper fliers for cheap wireless LANhardware on sale at your local electronics store.
"The average person buys it because they say, 'Hey, I can run mycomputers off of one network" and one Internet connection, saysJohnson, former CIO of the Army's Program Executive Office ofEnterprise Information Systems in Fort Belvoir, Va. "The technology isgreat. It's inexpensive. But this technology that's being sold for acouple hundred dollars doesn't come with a big red sticker that says,'Warning, this is really insecure."
Welcome to the dark side of a technology that's actually cheap andeasy to use. Whether or not CIOs like it, wireless local area network(WLAN) devices are being carried two-by-two into home and corporateoffices by employees who see ads like those and don't know that thesecurity of the devices is flawed. By Gartner's estimates, one in fivecompanies has a wireless LAN that the CIO doesn't know about, and 60percent of WLANs don't have the most basic security functions turnedon. Meanwhile, airports and Starbucks coffee shops are pushingwireless access, and a growing number of neighborhood associations andeven just neighbors are offering public Internetaccess - grassroots-style - by installing wireless transmitters. All theuser has to do is plug in a cheap network card, log on and startsurfing.
"It's just so cool," gushes Gartner's John Pescatore, describing arecent conference where Cisco Systems gave every attendee a wirelessnetwork card - and left the security up to individuals. People e-mailedPescatore questions during a speech rather than raising their hands.Maybe they turned off file-sharing in their operating systems and useda virtual private network to secure their laptops. Maybe they didn't.But they ate up the technology like jelly rolls at breaktime.
"It's not the IT shops leading the way," says Pescatore, who worksfrom Gartner headquarters in Stamford, Conn. "It's the users." But(and you saw this coming, right?), it's the IT shops that ultimatelymust lead the way to better security.
Look, Ma! No Privacy!
What are these WLANs that everyone is talking about? Governed by the802.11 set of standards created by the Institute of Electronic andElectrical Engineers (IEEE) in New York City, WLANs transmit data notby wires but by radio waves, in frequencies that don't require alicense (2.4GHz and 5GHz). Setting up a WLAN is a little like plugginga cordless phone base into the telephone jack in a home office, thenplacing several cordless phones around your house to share that onejack. In WLAN parlance, the base is called an access point (and costsfrom $200 to $1,000), and the receiver is a wireless network card(which costs as little as $70). The end result is just plain neat.(Look, Ma! No cords!) But the signal can also be picked up by aneighbor using nothing more than a similar $100 wirelessnetwork card.
For that reason, security experts have always been leery of WLANs.Anyone with the right hardware can eavesdrop on network traffic orfreeload Internet access. More seriously, a hacker could gain networkaccess not just to the Internet connection but also to networkresources. (Best Buy, for example, stopped using its 802.11b wirelesscash registers this past spring after a hacker claimed to have stolencredit card information from the systems.)
The IEEE tried to solve those problems by building security into the802.11b standard (also known as Wi-Fi), with an optional encryptioncapability known as wired equivalent privacy (WEP). The first problemwas that the majority of WLAN users didn't bother to even turn on WEP.Then, last February, three researchers from the University ofCalifornia at Berkeley announced that even when used properly, WEP wasinsecure because the security algorithm had weaknesses. A hacker whocaptured as little as 10 to 20 minutes of network traffic could decodethe encryption scheme. That done, he could read all the networktraffic he had captured and, until the next time the WLAN user changedthe WEP key, he could also gain network access.
After the announcement, organizations with high security stakes - theArmy, for example - banned WLANs without additional security, andeverybody expected WLAN sales to collapse, at least until the IEEEhammered out new security protocols. But sales didn't drop off. Infact, quite the opposite has happened. The Meta Group predicts that bythe end of 2002, 75 percent of Global 2000 companies will have trialWLANs.
The good news is that there's no reason for WLAN security flaws tokeep most businesses from enjoying the convenience of WLANs. Butfirst, CIOs must know what they're dealing with.
The Hunt for Rogue WLANs
Joseph Magee used to be a CIO's most irksome problem: an MIS guy whobrought WLAN equipment into the office just to play with. "Little does[that person] know that that signal sitting right there on his deskcan easily be sniffed," says Magee, referring to the process ofmonitoring the airwaves for WLAN traffic.
"I was that guy once," admits Magee, a former chief security officerat an online brokerage who is now CSO at Top Layer Networks, a networksecurity company in Westboro, Mass. "I looked at what I plugged intoon my screen, and a big financial corporation's name popped up on mylaptop, and I looked across the street and saw their building. Itfreaked me out."
The tools that hackers or curious interlopers use to look for WLANtraffic can help with defense as well. By using tools such asNetStumbler, a Windows utility, or IBM's Wireless Security Auditor,CIOs can find out whether there are any rogue wireless LANs at theoffice.
They might be surprised, says Meta Group Senior Research Analyst ChrisKozup in Burlingame, Calif. "I've had customers who've done this, andone CIO found 27 rogue access points. That's just one example," hesays. And that's just access points, each of which typically has 10users.
Not only can an audit for WLANs help locate rogue installations, itcan determine how far the WLAN signal is transmitting. Into thehallways? Out in the parking lot? Down the street? If the signal isstronger than it needs to be, the amplification level often can beturned down, or the device can at least be placed away from a window(which doesn't block a wireless signal as well as a wall).
Beyond that, CIOs have five main options in deciding what to do aboutthese WLANs, depending on the sensitivity of the data and how thewireless devices are used.
1 Make the best of what'sthere.
Even though the security built into 802.11b devices is flawed, it'sbetter than nothing. Simply enabling WEP can go a long way toimproving security. Companies that are relying on WEP for keeping outsnoopers will also need strict policies to make sure the key getschanged daily - at the minimum.
A couple of other built-in features can help with authentication too.One is the media access control (MAC) address. This is a uniqueaddress written into the firmware of a network card. An administratorcan configure the network so that only certain MAC addresses can logon. (The weak link? A hacker can watch the airwaves for a successfullog-on, change his own MAC address on his computer or laptop and thengain network access.) The second is the service set identifier (SSID),an alphanumeric ID hard-coded into a wireless device. If the clientdoesn't have the same SSID as the server, access is denied. Most usersleave the SSID at its default settings, which can be looked up online,so administrators should be sure to change the default.
2 Segment the WLAN from therest of the network.
If the data passing through the wireless LAN isn't sensitive, it maybe enough to separate the traffic from the rest of the network. Thatcan be done with firewalls, treating the wireless access point likeany other router.
Another related option is a virtual LAN, which partitions the networkand allows certain users to access only certain resources. That's thesolution at Paul, Hastings, Janofsky & Walker, an international lawfirm based in Los Angeles, where in a few new conference roomsvisiting clients can use free wireless Internet access. When avisiting user boots up a laptop with a wireless network card, itidentifies a WLAN connection and a message appears: "Welcome to PaulHastings' virtual network. Please click here for Internet access" - amodified version of the message coffee-slurpers get when they accessthe for-pay WLANs Starbucks has installed at many locations.
Theoretically, anyone nearby could get free Internet access, althoughCIO Mary Odson says the signal degrades noticeably near the windows,and even inside the building.
3 Encrypt data end-to-end witha VPN.
Within the next two years, Odson anticipates that her attorneys willalso use WLANs regularly for accessing the network. In fact, she's sosure of this that as Paul Hastings designs new offices, she's spendingless money on cabling. For transmitting sensitive legal documents ande-mail, she'll use a combination of virtual private networks andencryption, treating each attorney as a virtual user even if he is inthe office.
For that scenario, even an improvement on WEP wouldn't work. WEPencrypts data between a wireless network card to the access point; aVPN encrypts data end-to-end. That kind of setup is already common incorporate America, especially for mobile employees. It isn't a perfectoption, of course. Not only are VPNs expensive and difficult to scale,but they also limit IT's control over the data transmitted over thenetwork, says Meta Group's Kozup. But he adds that this is still theoption most organizations are choosing for securing their WLANs.
4 Find a proprietary solution.
There are other proprietary wireless solutions for CIOs who aren'tcontent with these options. Major WLAN hardware vendors, including3Com, Cisco and Enterasys Networks, are adding extra securitycapabilities into their products. Among them, Cisco's LEAP (lightextensible authentication protocol), which automatically changes theWEP keys in less time than it would take a hacker to decode them, hasgotten the most attention. Other companies known as wireless LANgateway vendors - Bluesocket and Vernier among them - sell centralizedservers that perform authentication, encryption, and handle additionalmanagement and security details.
The Army went the proprietary route. By the time you read this, itshould have begun rolling out 11,000 access points that will connect85,000 mobile Army users during the next four years. The Army'sproject is unique, not only because it carries sensitive informationabout battlefield logistics but also because the access points aren'tpermanently installed in an office. Instead, the access points areradios that travel along with troops. Each access point talks to aworkgroup bridge that has computers cabled to it. The information onthe WLAN is also encrypted using AirFortress devices from FortressTechnologies in Tampa, Fla.
Johnson won't give specifics, but he admits that the solution wasexpensive, which was especially painful because the WLAN project wasalready underway before he knew he'd need to purchase extraencryption. "Obviously we would have liked to use the nativeencryption within the radio" as planned, he says. "But since that isnot doable we have had to incur the cost to put the device into thesystem."
5 Wait and see.
The trouble with proprietary solutions is that they are proprietary,and CIOs may find themselves locked into one vendor. Optimists hopethat real security can be built back into WLAN devices some day. TheIEEE is working on it. Standards currently in draft form would add twomore levels of optional encryption: temporal key integrity protocol(or TKIP), a new version of WEP; and advanced encryption system (AES),which committee member Greg Chesson calls a super-scrambler. For WEPto be secure, users need to change the key every 200 packets of dataor so, says Chesson, director of protocols at Atheros Communications,a Sunnyvale, Calif.-based company that makes chipsets for wireless LANdevices. In comparison, TKIP would require key changes every 30,000packets, and with AES, users would need to change the key only everyfew billion packets.
The standards draft could be ratified by the end of 2002, withproducts starting to appear several months later, but Chesson iscautious of setting a date. "It's pretty rambunctious. It's a lot likethe U.S. Congress," he says of the IEEE meetings, describing heateddiscussions, a bog of details and votes based on party (vendor) lines.Meanwhile, for development purposes, Atheros has already let WLANhardware vendors get their hands on updated chipsets that incorporateparts of the new AES security protocols. Analysts recommend thatbefore making a purchase decision, CIOs should make sure that a vendorwill be able to migrate to the standards once they are ratified, asAtheros promises.
Even then, though, there's no guarantee that the new securitystandards won't eventually be proven as flawed as the first. That'swhy plenty of testing and planning is in order. In Atlanta, the UnitedParcel Service is rolling out a WLAN project that processes nothingmore sensitive than tracking information, and using that project as atest bed for how laptop users might also use WLANs.
"If you read some articles, it sounds like everything is solid and allthere," says John Nallin, vice president of information services atUPS. "However, they're not always that solid. If that was the case, wewouldn't be testing it in our facilities, we'd just be plugging it in.When it's performing at the level we think it should be, we're goingto utilize it because we do see the advantages."