Searching for Wi-Fi Monitoring Security Solutions
By Beth Cohen and Debbie Deutsch
At the recent Boston 802.11 Planet Conference and Expo, the aisles and booths were bustling with activity, giving ample proof that Wi-Fi (Wireless Fidelity, or more properly, wireless networking) has finally come of age. The hardware gear vendors (switch, carriers, integrators, chip manufacturers, and antenna) were all there in force, of course. However, the big news was that the show was dominated by vendors addressing network security, with new solutions from the network, software, and hardware perspectives.
Security has long been the Achilles heel of the wireless industry. Set aside the security issues, though, and the case for wireless networking is overwhelmingly compelling: it's cheap, easy, and portable. Now that the industry is addressing the problem head-on with new solutions for manageable and acceptable network security, Wi-Fi may well be a choice that enterprises should be considering (or reconsidering).
According to an article in the April 26 issue of Barron's, a one-hour cruise in lower Manhattan last March revealed 622 Wi-Fi networks, with two-thirds of them wide open to unauthorized use. And don't think just because you are located in a suburban office park you can escape; this problem is not limited to dense urban areas. Wi-Fi networks in multi-tenant office parks and employees' residences can easily spill over into adjacent areas inside the same building, or into or across public thoroughfares.
Even more than with traditional hardwired LANs, network security is an essential complement to IEEE 802.11 network connectivity. After all, you are broadcasting your traffic over the air and have no direct control over who is listening or transmitting. Do you really want anyone with some inexpensive equipment and a criminal intent to be hacking your network? You cannot just assume that the PCs on the network are really the ones they claim to be, or that they are acting the way they are supposed to.
There are two major components to the security problem for Wi-Fi. One is assuring the privacy of the data transmitted over the network against eavesdroppers. The other is protecting the network itself against intrusion. Unauthorized PCs may attempt to piggyback on your network, stealing bandwidth that you are paying for. Even worse, unauthorized Access Points can be used to mount a variety of other nastier attacks, including listening to, diverting, or interrupting network traffic.
Because mobility is an essential aspect of Wi-Fi networks, old techniques that rely on stable, hardwired connections between switch ports and hosts (and other systems) are no longer sufficient to assure proper access control. Wi-Fi networks are orders of magnitude more vulnerable to MAC (Media Access Control) address spoofing than wired LANs.
The rising use of Wi-Fi for home networks may raise security concerns for organizations. With the increase in telecommuting and consulting, IT managers need to be alert to the possibility that employees are transmitting sensitive data over unsecured networks. As a result, the employee's home needs to be at least as secure as his or her office environment.
Wireless Networking Security Solutions
Most industries are dominated by a few innovative players and a large number of copycats who hope to capitalize on technological breakthroughs. Wi-Fi security is no exception; many vendors are selling variations on a few basic themes and approaches. One is the need for intrusion detection systems, while another is network management and integration with some type of back-end access control technology, most often RADIUS (Remote Authentication Dial-In User Service).
While the bad news about Wi-Fi is that intruders have greater opportunity to break into the network, the good news is that compared with wireline Ethernet, it is easier and less expensive to observe and collect information about nefarious Wi-Fi network traffic. Instead of having to monitor individual switches and their ports, one need only listen promiscuously to packets as they cross the air.
Real-time monitoring displays for Wi-Fi traffic dotted the show floor at the 802.11 Expo. Packets were analyzed and Wi-Fi hosts and access points were tracked on maps while windows and panes scrolled. As eye-catching or cluttered as the demonstrations might have been, these products addressed the separate problems of real-time detection of intruders and post-incident analysis of traffic.
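The passive monitoring described above can be illustrated with an added Python example (not from the original article or any vendor's product) that parses 802.11 beacon frames heard over the air and flags unauthorized access points, impersonated network names, and unencrypted networks. The `AUTHORIZED` inventory, the finding labels, and the `build_beacon` helper that constructs sample frames are assumptions; frames are assumed to carry no radiotap header or trailing FCS.

```python
import struct

# Assumed inventory of sanctioned access points: BSSID -> (SSID, channel).
AUTHORIZED = {"00:11:22:33:44:55": ("corp-wlan", 6)}
SSIDS = {ssid for ssid, _ in AUTHORIZED.values()}

def build_beacon(bssid, ssid, channel, privacy):
    """Construct a sample beacon frame (constructed input, not captured traffic)."""
    mac = bytes.fromhex(bssid.replace(":", ""))
    header = b"\x80\x00\x00\x00" + b"\xff" * 6 + mac + mac + b"\x00\x00"
    fixed = struct.pack("<QHH", 0, 100, 0x0001 | (0x0010 if privacy else 0))
    tags = bytes([0, len(ssid)]) + ssid.encode() + bytes([3, 1, channel])
    return header + fixed + tags

def parse_beacon(frame):
    """Return (bssid, ssid, channel, privacy), or None if not a well-formed beacon."""
    if len(frame) < 36 or frame[0] != 0x80:   # 24-byte header + 12 fixed bytes
        return None
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])   # address 3 is the BSSID
    (capability,) = struct.unpack_from("<H", frame, 34)
    ssid, channel, pos = "", None, 36
    while pos + 2 <= len(frame):              # walk the tagged parameters
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) < length:
            return None                       # truncated element
        if tag == 0:                          # SSID element
            ssid = value.decode("utf-8", "replace")
        elif tag == 3 and length == 1:        # DS Parameter Set: current channel
            channel = value[0]
        pos += 2 + length
    return bssid, ssid, channel, bool(capability & 0x0010)   # Privacy bit

def assess(frame):
    """Compare one observed beacon against the inventory; return finding labels."""
    parsed = parse_beacon(frame)
    if parsed is None:
        return ["malformed"]
    bssid, ssid, channel, privacy = parsed
    findings, known = [], AUTHORIZED.get(bssid)
    if known is None:                         # BSSID not in the inventory
        findings.append("ssid-impersonation" if ssid in SSIDS else "unknown-ap")
    elif known != (ssid, channel):            # right MAC, wrong SSID or channel
        findings.append("bssid-mismatch")     # consistent with MAC spoofing
    if not privacy:
        findings.append("no-encryption")
    return findings
```
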
There was comparatively less discussion of integrating real-time Wi-Fi monitoring with most companies' installed bases of existing network management systems. Having a monitoring system that is integrated into your existing infrastructure would be infinitely more useful than yet another display for troubleshooting an incident after the fact.
Because the wireless network's composition and topology is flexible and inconstant, the monitoring equipment's footprint must adequately cover all of a Wi-Fi network's potential airspace. Several vendors offered hand-held meters to detect and measure Wi-Fi availability. Typically, these meters would be employed inside a company or used by a systems integrator to troubleshoot or check for adequate network coverage.
However, they can also be put to another more insidious use: drive-by detection of other people's networks. Most people who are doing it view it as a nerdy idea of a fun sport, but there are those who are practicing intrusion with more criminal motives. According to Special Agent Nenette Day of the FBI Boston Cybercrime Unit, it is not even clear that intrusion over an unprotected wireless network is officially a crime yet.
The Ideal, Integrated Security Solution
For Wi-Fi to be successful, access control must be easy to implement with minimal operations impact, capital outlay, and labor expenses. Vendors who highlighted access control often stressed the need for integrated enterprise network management of Wi-Fi and wired technologies. RADIUS is the most popular back-end technology in these vendors' architectures, although not the only one.
Many vendors also address the need for scalability. Because Wi-Fi hosts are mobile, the access control systems perform more transactions per Wi-Fi host than an equivalent wired host. In addition, mobility highlights issues that are not usually factors in wired networks, such as controlling access based on physical location and network loading rather than just identity.
Unfortunately, the standards for wireless LAN security are in a state of flux. The original 802.11 standard includes a mechanism called "Wireless Equivalent Privacy" (WEP) as an option. It addresses the use of encryption and distribution of keys. Various criticisms have been leveled at the WEP architecture design. As a result, the IEEE has gone back to the drawing board.
The IEEE 802.11i task group has been working on a new standard for MAC Enhancements for Enhanced Security. Draft 4.0 was circulated for votes in June. They have also specified the use of the 802.11x authentication framework. In the meantime, some vendors have extended or altered the implementation of WEP in their products. To add to the confusion, Cisco has introduced its own proprietary standard (LEAP), and the Wi-Fi Alliance has promoted the use of Wi-Fi Protected Access (WPA) for pre-802.11i equipment.
Should you invest in wireless technology or wait for the industry to mature a bit more? The wireless industry is still young; with so many start-ups, industry consolidation is inevitable. Some vendors will be acquired, while others simply will not survive. Since there is no way to be certain what will happen to your equipment's vendor, buying standards-based products is a form of life insurance for your capital investment in Wi-Fi.
It's good to see that the industry is finally putting security front and center. With the IEEE task force working on additional security enhancements, the quality of wireless product security will only improve. Still, unless you have very strong security requirements, today's wireless security will be "good enough" to meet your needs. Just make sure you purchase products that comply with the latest 802.11 standards, and for goodness sake, do not forget to properly configure and enable the security features!