Executive Summary By Gartner's estimates, one in five companies has a wireless LAN that the CIO doesn't know about, and 60 per cent of WLANs don't have their basic security functions turned on. Governed by the 802.11 standard, WLANs transmit data by radio waves, signals that can be picked up by a $70 wireless network card. An audit for WLANs will help locate rogue installations and also determine how far the signal is transmitting. If the signal is stronger than it needs to be, the amplification level often can be turned down. Beyond that, CIOs have five options, depending on the sensitivity of the data and how the wireless devices are used. They can make sure there is full use of built-in security features, wall off the WLAN from the rest of the network, encrypt data end to end, implement proprietary security add-ons or wait on the creation of standards for new levels of encryption.
SOMETHING HAD BEEN bothering Peter Johnson ever since last November, when the announcement of security flaws in the standards used for wireless LANs boomeranged his wireless project for the US Army back to the drawing board. It wasn't that the initiative was delayed several months while Johnson bought encryption technology. It was those ads in the Sunday newspaper fliers for cheap wireless LAN hardware on sale at your local electronics store.
"The average person buys it because they say, 'Hey, I can run my computers off of one network'" and one Internet connection, says Johnson, former CIO of the Army's Program Executive Office of Enterprise Information Systems in Fort Belvoir, Virginia. "The technology is great. It's inexpensive. But this technology that's being sold for a couple hundred dollars doesn't come with a big red sticker that says, 'Warning, this is really insecure.'"
Welcome to the dark side of a technology that's actually cheap and easy to use. Whether or not CIOs like it, wireless local area network (WLAN) devices are being carried two-by-two into home and corporate offices by employees who see ads like those and don't know that the security of the devices is flawed. By Gartner's estimates, one in five companies has a wireless LAN that the CIO doesn't know about, and 60 per cent of WLANs don't have the most basic security functions turned on. Meanwhile, airports and Starbucks coffee shops are pushing wireless access, and a growing number of neighborhood associations and even just neighbors are offering public Internet access — grassroots-style — by installing wireless transmitters. All the user has to do is plug in a cheap network card, log on and start surfing.
"It's just so cool," gushes Gartner's John Pescatore, describing a recent conference where Cisco Systems gave every attendee a wireless network card — and left the security up to individuals. People e-mailed Pescatore questions during a speech rather than raising their hands. Maybe they turned off file-sharing in their operating systems and used a virtual private network to secure their laptops. Maybe they didn't. But they ate up the technology like jelly rolls at break time.
"It's not the IT shops leading the way," says Pescatore, who works from Gartner headquarters in Stamford, Conn. "It's the users." But (and you saw this coming, right?), it's the IT shops that ultimately must lead the way to better security.
Look, Ma! No Privacy!
What are these WLANs that everyone is talking about? Governed by the 802.11 set of standards created by the Institute of Electronic and Electrical Engineers (IEEE) in New York City, WLANs transmit data not by wires but by radio waves, in frequencies that don't require a license (2.4GHz and 5GHz). Setting up a WLAN is a little like plugging a cordless phone base into the telephone jack in a home office, then placing several cordless phones around your house to share that one jack. In WLAN parlance, the base is called an access point (and costs from $200 to $1,000), and the receiver is a wireless network card (which costs as little as $70). The end result is just plain neat. (Look, Ma! No cords!) But the signal can also be picked up by a neighbour using nothing more than a similar $100 wireless network card.
For that reason, security experts have always been leery of WLANs. Anyone with the right hardware can eavesdrop on network traffic or freeload Internet access. More seriously, a hacker could gain network access not just to the Internet connection but also to network resources. (Best Buy, for example, stopped using its 802.11b wireless cash registers this past spring after a hacker claimed to have stolen credit card information from the systems.)
The IEEE tried to solve those problems by building security into the 802.11b standard (also known as Wi-Fi), with an optional encryption capability known as wired equivalent privacy (WEP). The first problem was that the majority of WLAN users didn't bother to even turn on WEP. Then, last February, three researchers from the University of California at Berkeley announced that even when used properly, WEP was insecure because the security algorithm had weaknesses. A hacker who captured as little as 10 to 20 minutes of network traffic could decode the encryption scheme. That done, he could read all the network traffic he had captured and, until the next time the WLAN user changed the WEP key, he could also gain network access.
After the announcement, organisations with high security stakes — the Army, for example — banned WLANs without additional security, and everybody expected WLAN sales to collapse, at least until the IEEE hammered out new security protocols. But sales didn't drop off. In fact, quite the opposite has happened. The Meta Group predicts that by the end of 2002, 75 per cent of Global 2000 companies will have trial WLANs.
The good news is that there's no reason for WLAN security flaws to keep most businesses from enjoying the convenience of WLANs. But first, CIOs must know what they're dealing with.
The Hunt for Rogue WLANs
Joseph Magee used to be a CIO's most irksome problem: an MIS guy who brought WLAN equipment into the office just to play with. "Little does [that person] know that that signal sitting right there on his desk can easily be sniffed," says Magee, referring to the process of monitoring the airwaves for WLAN traffic.
"I was that guy once," admits Magee, a former chief security officer at an online brokerage who is now CSO at Top Layer Networks, a network security company in Westboro, Massachusetts. "I looked at what I plugged into on my screen, and a big financial corporation's name popped up on my laptop, and I looked across the street and saw their building. It freaked me out."
The tools that hackers or curious interlopers use to look for WLAN traffic can help with defense as well. By using tools such as NetStumbler, a Windows utility, or IBM's Wireless Security Auditor, CIOs can find out whether there are any rogue wireless LANs at the office.
They might be surprised, says Meta Group Senior Research Analyst Chris Kozup in Burlingame, Calif. "I've had customers who've done this, and one CIO found 27 rogue access points. That's just one example," he says. And that's just access points, each of which typically has 10 users.
Not only can an audit for WLANs help locate rogue installations, it can determine how far the WLAN signal is transmitting. Into the hallways? Out in the parking lot? Down the street? If the signal is stronger than it needs to be, the amplification level often can be turned down, or the device can at least be placed away from a window (which doesn't block a wireless signal as well as a wall).
Beyond that, CIOs have five main options in deciding what to do about these WLANs, depending on the sensitivity of the data and how the wireless devices are used.
1. Make the best of what's there.
Even though the security built into 802.11b devices is flawed, it's better than nothing. Simply enabling WEP can go a long way to improving security. Companies that are relying on WEP for keeping out snoopers will also need strict policies to make sure the key gets changed daily — at the minimum.
A couple of other built-in features can help with authentication too. One is the media access control (MAC) address. This is a unique address written into the firmware of a network card. An administrator can configure the network so that only certain MAC addresses can log on. (The weak link? A hacker can watch the airwaves for a successful log-on, change his own MAC address on his computer or laptop and then gain network access.) The second is the service set identifier (SSID), an alphanumeric ID hard-coded into a wireless device. If the client doesn't have the same SSID as the server, access is denied. Most users leave the SSID at its default settings, which can be looked up online, so administrators should be sure to change the default.
2. Segment the WLAN from the rest of the network.
If the data passing through the wireless LAN isn't sensitive, it may be enough to separate the traffic from the rest of the network. That can be done with firewalls, treating the wireless access point like any other router.
Another related option is a virtual LAN, which partitions the network and allows certain users to access only certain resources. That's the solution at Paul, Hastings, Janofsky & Walker, an international law firm based in Los Angeles, where in a few new conference rooms visiting clients can use free wireless Internet access. When a visiting user boots up a laptop with a wireless network card, it identifies a WLAN connection and a message appears: "Welcome to Paul Hastings' virtual network. Please click here for Internet access" — a modified version of the message coffee-slurpers get when they access the for-pay WLANs Starbucks has installed at many locations.
Theoretically, anyone nearby could get free Internet access, although CIO Mary Odson says the signal degrades noticeably near the windows, and even inside the building.
3. Encrypt data end-to-end with a VPN.
Within the next two years, Odson anticipates that her attorneys will also use WLANs regularly for accessing the network. In fact, she's so sure of this that as Paul Hastings designs new offices, she's spending less money on cabling. For transmitting sensitive legal documents and e-mail, she'll use a combination of virtual private networks and encryption, treating each attorney as a virtual user even if he is in the office.
For that scenario, even an improvement on WEP wouldn't work. WEP encrypts data between a wireless network card to the access point; a VPN encrypts data end-to-end. That kind of setup is already common in corporate America, especially for mobile employees. It isn't a perfect option, of course. Not only are VPNs expensive and difficult to scale, but they also limit IT's control over the data transmitted over the network, says Meta Group's Kozup. But he adds that this is still the option most organisations are choosing for securing their WLANs.
4. Find a proprietary solution.
There are other proprietary wireless solutions for CIOs who aren't content with these options. Major WLAN hardware vendors, including 3Com, Cisco and Enterasys Networks, are adding extra security capabilities into their products. Among them, Cisco's LEAP (light extensible authentication protocol), which automatically changes the WEP keys in less time than it would take a hacker to decode them, has gotten the most attention. Other companies known as wireless LAN gateway vendors — Bluesocket and Vernier among them — sell centralised servers that perform authentication, encryption, and handle additional management and security details.
The Army went the proprietary route. By the time you read this, it should have begun rolling out 11,000 access points that will connect 85,000 mobile Army users during the next four years. The Army's project is unique, not only because it carries sensitive information about battlefield logistics but also because the access points aren't permanently installed in an office. Instead, the access points are radios that travel along with troops. Each access point talks to a workgroup bridge that has computers cabled to it. The information on the WLAN is also encrypted using AirFortress devices from Fortress Technologies in Tampa, Florida.
Johnson won't give specifics, but he admits that the solution was expensive, which was especially painful because the WLAN project was already underway before he knew he'd need to purchase extra encryption. "Obviously we would have liked to use the native encryption within the radio" as planned, he says. "But since that is not doable we have had to incur the cost to put the device into the system."
5. Wait and see.
The trouble with proprietary solutions is that they are proprietary, and CIOs may find themselves locked into one vendor. Optimists hope that real security can be built back into WLAN devices some day. The IEEE is working on it. Standards currently in draft form would add two more levels of optional encryption: temporal key integrity protocol (or TKIP), a new version of WEP; and advanced encryption system (AES), which committee member Greg Chesson calls a super-scrambler. For WEP to be secure, users need to change the key every 200 packets of data or so, says Chesson, director of protocols at Atheros Communications, a Sunnyvale, Calif.-based company that makes chipsets for wireless LAN devices. In comparison, TKIP would require key changes every 30,000 packets, and with AES, users would need to change the key only every few billion packets.
The standards draft could be ratified by the end of 2002, with products starting to appear several months later, but Chesson is cautious of setting a date. "It's pretty rambunctious. It's a lot like the US Congress," he says of the IEEE meetings, describing heated discussions, a bog of details and votes based on party (vendor) lines. Meanwhile, for development purposes, Atheros has already let WLAN hardware vendors get their hands on updated chipsets that incorporate parts of the new AES security protocols. Analysts recommend that before making a purchase decision, CIOs should make sure that a vendor will be able to migrate to the standards once they are ratified, as Atheros promises.
Even then, though, there's no guarantee that the new security standards won't eventually be proven as flawed as the first. That's why plenty of testing and planning is in order. In Atlanta, the United Parcel Service is rolling out a WLAN project that processes nothing more sensitive than tracking information, and using that project as a test bed for how laptop users might also use WLANs.
"If you read some articles, it sounds like everything is solid and all there," says John Nallin, vice president of information services at UPS. "However, they're not always that solid. If that was the case, we wouldn't be testing it in our facilities, we'd just be plugging it in. When it's performing at the level we think it should be, we're going to utilise it because we do see the advantages."