| meijin 2003-05-09, 9:42 am |
| Here is an article with a link to the full report that some of you may find interesting.
===========
Report: New Battle for WLAN Security
By Jay Wrolstad
Wireless NewsFactor
May 08, 2003
The IEEE standards-setting organization is hard at work on a more comprehensive solution. That appears to be 802.11i, a more robust security technology standard that will be required in all Wi-Fi certified products by this fall.
The attacks have been well documented; hackers armed with laptops, wireless LAN cards and beam antennas are cruising the streets, effortlessly accessing private wireless local area networks with impunity.
As a result, there has been much hand-wringing among businesses regarding Wi-Fi technology, with many firms expressing legitimate concerns about the security of such wireless broadband systems, or a reluctance to deploy them at all.
After a few bumps in the road, strides have been made in Wi-Fi (802.11b) security technologies designed to thwart "war drivers" and others accessing the networks without authorization. For the most part, these efforts have been intended to ease the fears of enterprises transmitting sensitive information over the airwaves.
The Internetworking Connection
A report from Datacomm Research suggests the problem is not that wireless networks are inherently insecure, but that wireless hackers are generally untraceable, using an invisible link to infiltrate the system. This, combined with the fact that networks are increasingly combining wired and wireless connections, has made improved security a top priority for the wireless LAN industry.
According to Datacomm president Ira Brodsky, a key consideration for WLAN security is internetworking. "The Internet today is a collection of wired and wireless networks, with businesses communicating internally and externally," he told NewsFactor. "People are always working in open systems."
Now that wired and wireless networks are being combined, often by adding an access point to a wireline network, the focus should be on integration of these two network types, and on making the security features strong enough to track and identify all users of a network, Brodsky said. Two basic solutions have emerged: privacy through encryption, and authentication of network users.
"By necessity, the wireless LAN industry is in the forefront of networking security, solving the same problems that face the e-commerce industry and others that allow outside access to a corporate network," he said.
Help Is on the Way
The Wi-Fi Alliance, an industry trade group, took it on the chin when its initial Wired Equivalent Privacy (WEP) encryption key was hacked, and has since developed the Wi-Fi protected access (WPA) as a stop-gap encryption and authentication measure. Meanwhile, the IEEE standards-setting organization is hard at work on a more comprehensive solution.
That appears to be 802.11i, a more robust security technology standard that will be required in all Wi-Fi certified products by this fall. It is based on an authentication protocol (802.1X) for both wired and wireless local area networks.
And it cannot arrive too soon, according to IDC analyst Abner Germanow. "Wi-Fi is the first technology that was rejected en masse because of security issues," he told NewsFactor, describing WEP as "a piece of junk." WPA is an improvement, because -- unlike WEP -- it underwent testing and peer review, said Germanow.
WLANs at first were deployed in remote, closed environments, where the security problem was less noticeable, but in the past year or two have spread as businesses and consumers sought the benefits of wireless broadband, Germanow said. "You don't need physical access to the network, you only need proximity to it, which creates unique challenges," he added.
Management Issues
Perception is still a problem, noted Yankee Group analyst Sarah Kim, who said a survey done by her research organization shows that users are not satisfied with Wi-Fi security measures. She told NewsFactor that tying together network management and security is a critical step for enterprises launching private WLANs.
"It's all about securing the airspace inside and outside the building and monitoring who is using the network," Kim said. "There is no single solution. With larger deployments, each part of the organization has to address its own security requirements-in warehouses or remote offices."
Brodsky concurred, suggesting that a framework for wired and wireless security that leaves room for growth and the evolution of network technologies should be an industry goal.
And, he said, security is an even more serious issue for public WLANs than for private networks, since service providers cannot afford widespread fraud through unauthorized access to the thousands of hotspots being deployed in airports, hotels and shops.
Standards Support Is Critical
According to some industry observers, standing in the way of a broad-based security platform are proprietary offerings that may distract industry participants from developing a more comprehensive solution. For example, Datacomm cited Cisco's CCX (Cisco Compatible Extensions Program), a proprietary solution that is gaining traction in the industry.
"Most companies now realize that their innovations can become part of an industry standard, and that opportunity rests in offering improvements to their product," Brodsky said. "But Wi-Fi companies need to keep their eyes open and use a solution that addresses common problems, not one that works only on a single system."
For the Wi-Fi industry, the hope is that equipment manufacturers will get behind security standards, Aberdeen Group analyst Isaac Ro told NewsFactor. "Products featuring new Wi-Fi standards such as 802.11a and 802.11g are being introduced without adequate security features, creating confusion among buyers -- especially enterprise users," he said.
Still, said Ro, security issues are being addressed slowly but surely, and a comfort zone should be achieved that will assuage businesses adding Wi-Fi technology. Says Germanow, "Unfortunately, the industry had to react to problems after they occurred, but now they are getting it mostly right."
Hopes for bulletproof security in wired or wireless networks are unrealistic, said Brodsky. "The WLAN industry has to be ahead of the Internet industry. Everyone in the Internet industry should be looking at the developments coming out for Wi-Fi." This includes wireless carriers rolling out their data networks, which Brodsky said should consider working with the Wi-Fi industry in creating security solutions.
Datacomm Research's new Wi-Fi security report, Wireless LANs & Cisco's CCX: the Battle for Network Security, is available online at http://www.datacommresearch.com/com...ary/wlanccx.asp |