New practices in wireless security: advanced security solutions will help protect both wired and wireless networks.

Unlike external traffic entering a wired network that is policed by firewall and intrusion-prevention technologies, wireless LANs lack the equivalent physical control, exposing information assets to a greater level of risk. Of even more concern is the mobility of the devices connecting to wireless LANs and the increased exposure this introduces to the internal network.
The weak security of Wired Equivalent Privacy (WEP) has been well documented. Network administrators frequently choose not to implement WEP's shared-key technology so as not to give a false sense of security. Others choose to implement WEP simply to increase the work factor required to hack into the network.
Stronger security options for 802.11 WLAN networks (Wi-Fi) are now available, and others will be offered in the near future. The immediate cure to WEP's ailments is Wi-Fi Protected Access (WPA), which offers two configuration options, one targeted at home users and smaller networks, and the second designed for larger networks.
WPA preshared key (WPA-PSK) is best suited for small businesses and home wireless networks. A shared key, or password, is configured in the wireless access point (WAP) and in any wireless laptop or desktop devices. WPA-PSK generates a unique key for each session between a wireless client and the associated WAP. The unique key used in the client-to-access-point communications makes reverse engineering of the preshared key more difficult for would-be attackers.
WPA-PSK uses more advanced security techniques to encrypt and monitor the message stream. While WPA-PSK still uses the RC4 encryption standard used in WEP, it implements Temporal Key Integrity Protocol (TKIP), which provides per-packet key mixing, a message integrity check and a re-keying mechanism. TKIP's algorithms and message-integrity checking techniques prevent the unwanted decryption of and tampering with packets in the wireless message stream.
One pitfall of WPA-PSK is that the preshared key is subject to dictionary attacks (guessing of commonly used passwords). Good password-management techniques, such as long passwords and the mixing of alphanumeric characters and punctuation marks, are required to help reduce the chance of a successful attack.
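The following Python is an added example, not code from the article or from StillSecure. It shows why the passphrase and the SSID both matter: IEEE 802.11i derives the 256-bit preshared key from the passphrase with PBKDF2-HMAC-SHA1, using the SSID as the salt, so a guessable passphrase on a default network name can be checked against precomputed tables, while a long mixed passphrase on a renamed SSID cannot. The minimum length, the common-password list and the sample passphrases are constructed for the example; the 4096-iteration PBKDF2 derivation is the one the standard specifies.

```python
import hashlib
import string

# Policy thresholds below are assumptions made for this example; the article
# only asks for long passwords that mix alphanumeric characters and punctuation.
MIN_PASSPHRASE_LENGTH = 20

# Constructed blocklist of commonly guessed passwords (example data only).
COMMON_PASSWORDS = {"password", "12345678", "letmein1", "qwerty123", "admin123"}


def derive_wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA preshared key from a passphrase and SSID.

    IEEE 802.11i defines PSK = PBKDF2(HMAC-SHA1, passphrase, SSID, 4096, 32 bytes).
    The SSID acts as the salt, so the same passphrase yields a different PSK on
    a network with a different name.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32
    )


def passphrase_findings(passphrase: str) -> list:
    """Return policy violations for a WPA-PSK passphrase (empty list = compliant)."""
    findings = []
    if len(passphrase) < MIN_PASSPHRASE_LENGTH:
        findings.append(f"shorter than {MIN_PASSPHRASE_LENGTH} characters")
    if passphrase.lower() in COMMON_PASSWORDS:
        findings.append("appears in common-password list (dictionary guess)")
    has_letter = any(c.isalpha() for c in passphrase)
    has_digit = any(c.isdigit() for c in passphrase)
    has_punct = any(c in string.punctuation for c in passphrase)
    if not (has_letter and has_digit):
        findings.append("does not mix letters and digits")
    if not has_punct:
        findings.append("contains no punctuation")
    return findings


if __name__ == "__main__":
    weak, strong = "password", "Coffee!Router-42-Lobby#Sun"   # constructed samples
    print("weak passphrase findings:  ", passphrase_findings(weak))
    print("strong passphrase findings:", passphrase_findings(strong))
    # Same passphrase on two SSIDs gives two unrelated PSKs, which is why
    # renaming the default SSID also adds to the attacker's work factor.
    for ssid in ("linksys", "hq-staff-7f3"):
        print(f"PSK for SSID {ssid!r}: {derive_wpa_psk(strong, ssid).hex()[:16]}...")
```

The `derive_wpa_psk` function reproduces the published test vector from the standard (passphrase "password", SSID "IEEE"), which is a convenient way to confirm an implementation before trusting it in an audit script.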
RADIUS FOR LARGER NETWORKS
Larger networks can use WPA 802.1X/EAP, or Radius, for implementing WPA security. While more complicated to set up than WPA-PSK, this method can leverage an existing network and directory infrastructure to require a unique user ID and password for each wireless user connecting to the WLAN.
Rather than relying on a predefined shared key, WPA 802.1X/EAP employs a user ID and password to authenticate each wireless device when it associates with a WAP. The credentials supplied are validated against a Radius server or a directory server (such as Windows Active Directory) supporting the Radius protocol.
Once the device is authenticated, WPA 802.1X produces a unique master key for that wireless device's session. TKIP is then used to distribute this key to the client. The same encryption and message-integrity checking implemented in WPA-PSK is used from this point forward.
Additional wireless security options will be offered through the 802.11i standards efforts. 802.11i will include implementation of TKIP, as well as the Advanced Encryption Standard (AES). The stronger encryption offered by AES will require WAP hardware upgrades due to the CPU-intensive nature of AES.
Microsoft Windows is also doing its part to support WPA in Windows XP. The upgrade is free to Windows XP users and can be installed simply through Windows Update. The Windows WPA patch is also beneficial in that, prior to connection, it identifies to the end-user WAPs that do not use adequate security settings.
Most WAPs now ship with WPA options or can be easily upgraded in a matter of minutes.
A word to the wise, though: most WAPs still ship with no security enabled, so be sure to configure the security settings on all WAPs. Additional WAP security recommendations are:
* Change the administrator password using good password-management techniques.
* Change the default service set identifier (SSID) to a non-descriptive SSID, using the same good password-management techniques.
* Disable broadcasting the SSID.
* Limit the broadcasting range to the coverage area that is actually needed.
* Enable the onboard firewall if you are using a combination router/ WAP in home and small office situations.
* Do not enable remote management of the WAP unless the device has been adequately secured.
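As an added example, not taken from the article or from StillSecure, the Python below turns the recommendations above into an audit function that can be run against an access point's exported settings. The `WapConfig` fields, the vendor-default SSID and password lists, the transmit-power limit and the two sample configurations are all constructed for the example; a real audit would populate them from the vendor's configuration export and the site's own policy.

```python
from dataclasses import dataclass

# Constructed reference data for this example: vendor default SSIDs and
# administrator passwords as an audit policy might list them.
DEFAULT_SSIDS = {"linksys", "default", "netgear", "wireless", "dlink"}
DEFAULT_ADMIN_PASSWORDS = {"admin", "password", "", "1234"}
MAX_TX_POWER_PERCENT = 50   # hypothetical site limit for reducing coverage range


@dataclass
class WapConfig:
    """Subset of an access point's settings relevant to the checklist (assumed fields)."""
    ssid: str
    ssid_broadcast: bool
    admin_password: str
    security_mode: str          # "none", "wep", "wpa-psk" or "wpa-enterprise"
    tx_power_percent: int
    remote_management: bool
    firewall_enabled: bool      # onboard firewall of a combined router/WAP
    combined_router: bool = False
    hardened_for_remote: bool = False   # set only after the device has been secured


def audit_wap(cfg: WapConfig, org_name: str = "") -> list:
    """Return a list of checklist violations; an empty list means the WAP passes."""
    findings = []
    if cfg.security_mode in ("none", "wep"):
        findings.append(f"security mode is {cfg.security_mode!r}; enable WPA")
    if cfg.admin_password.lower() in DEFAULT_ADMIN_PASSWORDS:
        findings.append("administrator password is a vendor default")
    if cfg.ssid.lower() in DEFAULT_SSIDS:
        findings.append("SSID is a vendor default")
    if org_name and org_name.lower() in cfg.ssid.lower():
        findings.append("SSID is descriptive (contains organization name)")
    if cfg.ssid_broadcast:
        findings.append("SSID broadcast is enabled")
    if cfg.tx_power_percent > MAX_TX_POWER_PERCENT:
        findings.append("transmit power exceeds site limit for coverage area")
    if cfg.combined_router and not cfg.firewall_enabled:
        findings.append("onboard firewall disabled on combined router/WAP")
    if cfg.remote_management and not cfg.hardened_for_remote:
        findings.append("remote management enabled on a device not yet secured")
    return findings


# Constructed sample configurations: a unit as it ships, and the same unit hardened.
FACTORY_DEFAULT = WapConfig(
    ssid="linksys", ssid_broadcast=True, admin_password="admin",
    security_mode="none", tx_power_percent=100, remote_management=True,
    firewall_enabled=False, combined_router=True,
)
HARDENED = WapConfig(
    ssid="x7k-guest", ssid_broadcast=False, admin_password="Long!Admin-Pass#2004x",
    security_mode="wpa-psk", tx_power_percent=40, remote_management=False,
    firewall_enabled=True, combined_router=True,
)

if __name__ == "__main__":
    for name, cfg in (("factory default", FACTORY_DEFAULT), ("hardened", HARDENED)):
        print(f"{name}: {len(audit_wap(cfg, org_name='acme'))} finding(s)")
        for finding in audit_wap(cfg, org_name="acme"):
            print("  -", finding)
```

Running the audit over every WAP's configuration export before it goes into service, and again periodically, catches the "ships with no security enabled" case the article warns about, as well as drift after a firmware reset.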
WPA, however, is not the final answer to security. The most recent wave of worms, Trojans and viruses demonstrate how vulnerable even wired network defenses are to attacks against devices behind the firewall. Many of these attacks take advantage of normal activities end-users perform, such as opening zipped attachments, clicking on links or running executables disguised as security patches.
Wireless devices have added risk because they frequently connect to other networks. Wireless devices commonly connect to Wi-Fi networks at the local coffee shop, at the airport terminal, in hotel rooms and lobbies, at customer and vendor locations, as well as at employees' home networks. This increased exposure means increased risk, but there are some existing and emerging technologies that can significantly reduce this exposure.
Personal firewalls only provide limited defenses via explicit firewall policies that restrict access to the device. These defenses can be misconfigured or rendered impotent by the actions of unknowing end-users. Even centrally managed personal firewalls have yet to prove their viability in quickly adapting to new threats when managing a large number of devices.
A new focus on end-point security is now emerging. End-point devices, wireless in particular, are considered untrusted and must be subject to greater scrutiny prior to connecting to the network. Each newly connected wireless device should be quarantined and examined for evidence of being compromised, as well as for compliance with network security policies, before being allowed to access the network.
These policies should include requiring the latest critical security patches and up-to-date antivirus software, restricting file-sharing and peer-to-peer applications, and enforcing operating system, browser and application security settings. Devices should be re-examined regularly during the session to ensure that actions during the session have not opened the device to attack or allowed the device to act as a launching pad for attacks against the rest of the network.
Existing technologies can be used to script some of these security tests. Newly emerging products automate the application of these policies when devices connect to the network.
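The Python below is an added example of the admission logic described in the preceding paragraphs; it is not code from the article or from StillSecure's products. Every newly connected device starts in quarantine, a posture snapshot is evaluated against the policy (critical patches, antivirus signature age, prohibited file-sharing applications, required OS and browser settings, and any evidence of compromise), and an admitted device is re-examined on a schedule so that actions taken during the session can revoke access. The policy values, patch identifiers, process names and timestamps are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Policy:
    required_patches: frozenset        # patch identifiers the device must report
    max_signature_age: timedelta       # how stale antivirus signatures may be
    banned_processes: frozenset        # file-sharing / peer-to-peer clients
    required_settings: dict            # OS, browser and application settings
    recheck_interval: timedelta        # how often an admitted device is re-examined


@dataclass
class Posture:
    device_id: str
    installed_patches: frozenset
    av_signature_date: datetime
    running_processes: frozenset
    settings: dict
    compromise_indicators: tuple = ()  # findings from the host examination, if any


def evaluate(posture: Posture, policy: Policy, now: datetime):
    """Return ("allow" or "quarantine", reasons) for one posture snapshot."""
    reasons = []
    missing = sorted(policy.required_patches - posture.installed_patches)
    if missing:
        reasons.append("missing critical patches: " + ", ".join(missing))
    if now - posture.av_signature_date > policy.max_signature_age:
        reasons.append("antivirus signatures out of date")
    banned = sorted(posture.running_processes & policy.banned_processes)
    if banned:
        reasons.append("prohibited applications running: " + ", ".join(banned))
    for key, expected in policy.required_settings.items():
        actual = posture.settings.get(key)
        if actual != expected:
            reasons.append(f"setting {key} is {actual!r}, expected {expected!r}")
    if posture.compromise_indicators:
        reasons.append("evidence of compromise: " + ", ".join(posture.compromise_indicators))
    return ("quarantine" if reasons else "allow"), reasons


class Session:
    """Admission state for one connected device, re-examined on the policy's schedule."""

    def __init__(self, policy: Policy):
        self.policy = policy
        self.state = "quarantine"      # every new connection starts quarantined
        self.last_check = None
        self.reasons = []

    def check(self, posture: Posture, now: datetime) -> str:
        """Examine the device when first seen and whenever the recheck interval has elapsed."""
        due = self.last_check is None or now - self.last_check >= self.policy.recheck_interval
        if due:
            self.state, self.reasons = evaluate(posture, self.policy, now)
            self.last_check = now
        return self.state


# Constructed policy and posture data for the example.
T0 = datetime(2004, 8, 1, 9, 0, 0)
EXAMPLE_POLICY = Policy(
    required_patches=frozenset({"PATCH-EXAMPLE-001", "PATCH-EXAMPLE-002"}),
    max_signature_age=timedelta(days=3),
    banned_processes=frozenset({"p2pclient.exe", "fileshare.exe"}),
    required_settings={"os.firewall": "on", "browser.activex": "prompt"},
    recheck_interval=timedelta(minutes=10),
)
COMPLIANT = Posture(
    "laptop-01", frozenset({"PATCH-EXAMPLE-001", "PATCH-EXAMPLE-002"}),
    T0 - timedelta(days=1), frozenset({"outlook.exe"}),
    {"os.firewall": "on", "browser.activex": "prompt"},
)
NONCOMPLIANT = Posture(
    "laptop-02", frozenset({"PATCH-EXAMPLE-001"}),
    T0 - timedelta(days=10), frozenset({"p2pclient.exe"}),
    {"os.firewall": "off", "browser.activex": "prompt"},
    compromise_indicators=("unexpected autorun entry",),
)


def demo():
    """Admit a clean device, then catch a file-sharing client started mid-session."""
    session = Session(EXAMPLE_POLICY)
    first = session.check(COMPLIANT, T0)
    drifted = Posture(COMPLIANT.device_id, COMPLIANT.installed_patches,
                      COMPLIANT.av_signature_date,
                      COMPLIANT.running_processes | {"p2pclient.exe"}, COMPLIANT.settings)
    second = session.check(drifted, T0 + timedelta(minutes=5))    # recheck not yet due
    third = session.check(drifted, T0 + timedelta(minutes=15))    # recheck due: revoked
    return first, second, third


if __name__ == "__main__":
    print("laptop-02:", evaluate(NONCOMPLIANT, EXAMPLE_POLICY, T0))
    print("laptop-01 over the session:", demo())
```

The five-minute gap in `demo` shows the trade-off the recheck interval sets: a device that drifts out of policy keeps its access until the next examination, so the interval should be short enough that a compromised device cannot serve as a launching pad for long.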
Consider the implications of solutions that require client software installation or utilize less-desirable ActiveX technologies. Easier-to-manage clientless solutions are available that eliminate installation requirements and minimize the staff-resources needed for ongoing management.
Securing end-point devices limits exposure to the rest of the network, just like securing WAPs with WPA locks down access to the WLAN and ensures authorized access only. Using both of these techniques increases the network defenses of any wireless network implementation.
For more information from StillSecure: www.rsleads.com/408cn-261
Mitchell Ashley is CTO and VP of engineering at StillSecure, Louisville, Colo.