As WLANs Grow, So Do Security Concerns

That's good news for corporations and home users that want to work untethered, but it also brings up security issues that solution providers must help their customers face.

"There's a great need for dispersed communication beyond the wire," said Norbert Sluzewski, president of DataVox Technologies, a New York-based solution provider. "But in every consideration of a wireless network, the first thing that must be addressed is security. It's our responsibility to make our customers aware of the need for security and the perils of not dealing with it."

The WorldWide WarDrive, a group that works to generate awareness of WLAN security issues, recently found that 70 percent of WLANs worldwide are completely unprotected,that is, they don't incorporate even the most basic security standards or protocols.

Some sources think that percentage might be even higher. Caston Thomas of Interworks Technologies, a solution provider based in Auburn Hills, Mich., recently drove through some of Michigan's business districts using a laptop and wireless gear and found that 80 percent of the WLANs were unprotected.

"This is a great marketing tool for me," Thomas said, adding that he frequently calls companies with unprotected WLANs to inquire about the security of their wire-free networks. "Lots of people are in denial, but once I explain to them the severity of the security issues, the typical reaction is, 'How soon can you come in?' "

The small number of companies that do protect their WLANs typically do so by using the Wired Equivalent Privacy, or WEP, standard. But even those companies have cause to be concerned: WEP, the encryption security protocol used by most 802.11b clients, was shown to be insecure in 2001, and the techniques for breaking into it were widely published.

To further complicate matters, even companies with secure WLANs can suffer security breaches if they permit their employees to log in from unprotected WLANs at home or from remote locations such as airports, said Thomas and Sluzewski.

Problems with WLAN security, in fact, often begin with equipment brought in from outside a company, said Eric Hemmendinger, research director for security and privacy at Aberdeen Group. "Lots of people try out wireless equipment at home, find out what they can do with it and then bring it to work without telling the IT department," Hemmendinger said. "A company can spend as much time, trouble and money as it wants putting security in place on a network, and one wireless access point can negate everything."

A handful of smaller vendors, including AirDefense, Bluesocket, Cranite Systems, Fortress Technologies and Vernier Networks, have developed products that segregate a company's unprotected WLANs from its protected wired network and monitor data sent between them.

"The larger security suppliers are delivering VPN security but haven't focused on VPNs in wireless environments," Hemmendinger said. "They're waiting to see how the market develops. If there's money to be made, they'll jump in."

Also, the IEEE is developing a new standard called 802.11g. Planned for release sometime next year, 802.11g will most likely include 802.11i, an enhanced security protocol. In the meantime, the Wi-Fi Alliance recently unveiled Wireless Protected Access, or WPA, a security protocol that is based on features of 802.11i and should be available early next year.