Information Security News mailing list archives

WLANs May Be Banned at Agencies


From: InfoSec News <isn () c4i org>
Date: Tue, 27 Aug 2002 08:01:30 -0500 (CDT)

http://www.eweek.com/article2/0,3959,482338,00.asp

August 26, 2002 
By Carmen Nobel 

The proposed National Strategy to Secure Cyberspace plans to get tough
on wireless technology, saying that if secure WLANs don't exist,
federal agencies shouldn't use them.

The proposal aims to prevent the proliferation of unsecured wireless
LANs that run on the 802.11b standard, also known as Wi-Fi, according
to a draft of the strategy obtained by eWeek. The Bush administration
wants a moratorium on Wi-Fi WLAN networks until security is improved
and wants government IT users to avoid wireless products for sensitive
applications.

Developed by the President's Critical Infrastructure Protection Board,
the proposal, due Sept. 18, recommends that vendors change the default
configurations on WLAN gear to increase security, something critics
say would make the equipment difficult to use in both public and
private networks.

While the language is strong, security experts who work with
government agencies say they generally assume wireless products are
inherently insecure.

"Built-in wireless security I consider utterly beside the point and
put my trust in SSH [the Secure Shell remote connection protocol] in
the hope that the folks who are dedicated to making something
rock-solid secure do a better job with security than folks who are
dedicated to making and selling radio transceivers," said Steve Durst,
a research engineer at Skaion Corp., a North Chelmsford, Mass.,
security consultancy whose customers include the Air Force and the
Defense Advanced Research Projects Agency. "I tunnel everything
through SSH."

An IEEE task group is developing a standard called 802.11i to improve
the security of WLANs, but that technology is not due until the fall
of next year. Meanwhile, the vendor group Wireless Ethernet
Compatibility Alliance plans to support an improved encryption scheme
called SSN (safe secure network). The draft mentions 802.11i and SSN
as improvements, but it's unclear whether either would meet the
government's new criteria.

"WECA has been promoting that wireless LANs need to be secured," said
Dennis Eaton, chairman of WECA, in Mountain View, Calif.  
"Unfortunately, security and ease of use are the nemeses of each
other. Achieving both is a very difficult proposition."

The recommendation that WLAN equipment either come out of the box
secure or be disabled until users make it secure leaves some users
worried about future loss of Wi-Fi's plug-and-play capabilities.

When configuring WEP (Wired Equivalent Privacy), "different vendors'
interfaces don't seem to match. One has to enter the passwords in very
different ways," said Christopher Bell, chief technology officer of
People2People Group, in Boston. Bell said it took him almost 2 hours
to set up a secure access point, a notebook computer and a Pocket PC
device enabled with 802.11b. "I can't imagine many people would bother
to do what I did to get it all to work when simply turning off WEP
made it plug and go."

In addition to WLANs, the cyber-security strategy addresses the
Bluetooth wireless protocol, which is used primarily as a cable
replacement between devices. The draft's authors recommend that
Bluetooth developers build a better broadcast keying scheme, a feature
to prevent unlimited authentication requests and a more sophisticated
encryption procedure.


