Gearing up for wireless security

[InfoSec News <isn () c4i org>]

http://www.fcw.com/fcw/articles/2003/0113/cov-plug4-01-13-03.asp

By Brian Robinson 
January 13, 2003

If wireless users can endure one more round of debates about security
standards, they may soon be able to buy actual products.

It's no secret that built-in security functions lack current wireless
local-area network products, a situation due largely to the inadequacy
of Wired Equivalent Privacy (WEP), the first wireless security
standard, which was introduced several years ago.

But that could change as new standards take hold and the wireless LAN
component market - estimated by the Aberdeen Group, a Boston-based
consulting firm, to have exceeded $1 billion in 2002 - continues to
attract heavy hitters such as Microsoft Corp., which recently said it
would enter the market.

The promise of secure wireless networking is once again being touted
with the expected release in the next several months of the Wi-Fi
Protected Access (WPA) standard, which is considered more secure than
WEP.

WPA is only an interim step toward a standard now dubbed 802.11i, set
for release around the end of this year. The 802.11i standard is
expected to finally nail wireless LAN security and make the products
that use it more palatable to organizations that demand tight
security.

"With WPA coming out, we are back to where we should have been [with
wireless LANs] two years ago," said Michael Disabato, a senior analyst
with the Burton Group. "It hasn't met live-wire tests yet, but
everyone is confident it is secure now and will allow for cross-vendor
implementations."

Meanwhile, the wireless LAN market is one of the few in the telecom
arena that is growing, so vendors need to address security if they
want to participate.

Cisco Systems Inc., for example, has a WEP implementation for its
Aironet wireless LAN solutions that is probably sufficient for
situations in which strong security is not critical. But the company
is marketing the Cisco Wireless Security Suite, based on the IEEE
802.1x specification, as a stronger security provider. The
specification, a core component of WPA, provides authentication at the
user and server levels.

"This is admittedly a prestandard release, but 802.1x is real now, and
because it's implemented in software, we feel very comfortable we'll
easily be able to move to a post-standard release of this product,"  
said Vince Spina, director of systems engineering for Cisco's federal
operations.

Wavelink Corp. last year came out with a workaround for WEP's ills,
namely its relatively weak 40-bit encryption, static encryption keys
and lack of a key distribution method. The Wavelink solution is a
cross-vendor solution that allows for dynamic key rotation. It
monitors wireless devices and access points in the network at regular
intervals and supplies them with new keys so that hackers do not have
enough time to break the key encryption.

For organizations that can handle the extra demands on processing
power and network traffic overhead involved, virtual private networks
probably offer the most robust security since the wireless side of the
network becomes an integral part of the overall enterprise security
infrastructure. Products such as Check Point Software Technologies
Ltd.'s Secure VPN include features such as integrated certificate
authorities, which provide stronger security than what is currently
built into wireless LANs.

However, the cost and complexity involved with installing VPNs puts
this solution beyond most small and medium-size organizations' reach.  
That drove Latis Networks Inc. to develop its Border Guard Wireless
solution, which gives network administrators the ability to manage
rogue wireless access points and limit device access to the network,
or deny access completely.

Latis works on the assumption that a wireless LAN has to be handled as
a major part of an overall network security plan, said Mitchell
Ashley, Latis' vice president of engineering and chief technology
officer. However, the company may be ahead of the market, he admitted,
since "we are not yet at the point where everyone even agrees on the
need for a firewall equivalent for wireless."

Robinson is a freelance journalist based in Portland, Ore. He can be
reached at hullite () mindspring com.

***

Secure solutions

A glimpse at some wireless local-area network security products:


Vendor: Cisco Systems Inc.

Product: Cisco Wireless Security Suite.

What it does: Provides user and device authentication for Cisco
Aironet wireless LAN solutions.


Vendor: Latis Networks Inc.

Product: Border Guard Wireless.

What it does: Enables network administrators to detect rogue wireless
access points and control device access to the network.


Vendor: Wavelink Corp.

Product: Wavelink Mobile Manager and Wavelink Avalanche.

What it does: Monitors wireless devices and access points in the
network and supplies users with regularly changing encryption keys to
thwart hackers.
 
 

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.