How to secure a wireless Lan

Stuart Okin and Ian Hellen at Microsoft UK give their opinion on how different forms of data encryption can protect wireless Lan users and corporate data from unwelcome snoopers

After more than a decade of unrealised promises, wireless networks are finally here. At home, in the workplace, at public hotspots in hotels, airports, coffee bars and trains, wireless local area networks pervade our world. Although WLans are providing organisations with unprecedented ease of access to network data and services, are they safe to use? Too often the answer is no.

Many WLan deployments in businesses and homes are not secure. To compound matters, the basic security defined in the Institute of Electrical and Electronics Engineers 802.11 WLan standards - known as Wired Equivalent Privacy - is badly flawed in both concept and implementation. WEP was designed for a more innocent age; one where viruses and hackers were a more distant threat than in today's hostile cyberworld. Basic WEP protection of a WLan can now be broken in a matter of hours with readily available tools and relatively little technical knowledge.

Although most of the security community agrees that basic WEP is inadequate, there is no such clear agreement on the best way to secure a WLan.

How to secure small wireless networks

The options available depend on the type of organisation you are trying to protect. In home networks and small offices the cost of a sophisticated network security system is often not financially viable. Until recently, the only option for smaller businesses was to use basic WEP security and hope for the best.

The Wi-Fi Alliance - the industry consortium that governs wireless compatibility standards - has produced a wireless security standard called Wi-Fi Protected Access. WPA includes an option to use a simple shared key, or password, to control access to the network. Unlike WEP with its shared key, WPA is not vulnerable to the same attacks. Because of its simplicity, it is ideal for smaller installations of a few computers.

To use WPA in this mode, called a pre-shared key mode, wireless access points, network interface cards and client operating systems all have to support WPA. Many Wi-Fi suppliers have released firmware upgrades for their access points and network interface cards, which are published on their websites. If you are buying new equipment, look for WPA support before you buy.
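
As an added illustration (not from the original article), the Python example below shows how pre-shared key mode turns a passphrase and network name into the 256-bit key that access points and clients must share, and checks a candidate passphrase before it is deployed. It goes beyond the article's text: the PBKDF2 mapping comes from the WPA/802.11i specification, while the 20-character policy minimum, the function names and the sample values are assumptions made for this example.

```python
import hashlib

MIN_LEN, MAX_LEN = 8, 63      # passphrase limits for WPA pre-shared key mode
POLICY_MIN_LEN = 20           # assumed local policy, not part of the standard


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """Return the 256-bit pre-shared key for a passphrase/SSID pair.

    PSK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes).
    """
    if not MIN_LEN <= len(passphrase) <= MAX_LEN:
        raise ValueError("passphrase must be 8 to 63 characters")
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid_bytes, 4096, 32)


def audit_passphrase(passphrase: str, ssid: str) -> list:
    """Return policy findings for a candidate passphrase (empty = acceptable)."""
    derive_psk(passphrase, ssid)  # raises ValueError if the pair is invalid
    findings = []
    if len(passphrase) < POLICY_MIN_LEN:
        findings.append("shorter than %d characters" % POLICY_MIN_LEN)
    if ssid.lower() in passphrase.lower():
        findings.append("contains the network name")
    # Count character classes in use: lower, upper, digit, other.
    classes = [str.islower, str.isupper, str.isdigit]
    used = sum(any(f(c) for c in passphrase) for f in classes)
    if used + any(not c.isalnum() for c in passphrase) < 2:
        findings.append("uses a single character class")
    return findings


if __name__ == "__main__":
    # Constructed sample values, not taken from the article.
    samples = [("OfficeNet", "officenet1"),
               ("OfficeNet", "correct-Horse-7-battery-staple")]
    for ssid, phrase in samples:
        print(ssid, derive_psk(phrase, ssid).hex(),
              audit_passphrase(phrase, ssid))
```

Because the network name is the salt, the same passphrase yields a different key on every differently named network, and renaming the network changes the derived key.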

How to secure larger networks

Using WPA pre-shared keys becomes difficult to manage in networks with more than a few access points or more than 100 users, but there are several options for larger installations.

Although basic WEP has been discredited as a viable solution for corporate WLans, the WEP encryption capabilities of existing network hardware can be leveraged to produce a robust security solution. Using an IEEE protocol called 802.1x, users of the WLan can be securely authenticated using either public key certificates or per-user passwords. Either of these methods gives a much higher level of security than basic WEP shared passwords.

Authentication by 802.1x requires the use of the Radius (Remote Authentication Dial-In User Service) protocol and an authentication database such as Active Directory. Radius is a radio frequency control standard implemented by a consortium of large suppliers.

Using 802.1x and Radius gives the ability to rapidly and automatically update the encryption keys used to protect network data on the WLan. This removes the vulnerabilities of WEP while using the same network hardware.

WPA provides stronger forms of data encryption and key management than existing WEP hardware and can be used with Radius and 802.1x authentication to provide high-grade WLan security. WPA will require firmware upgrades for network hardware and support for WPA on client computers.

A standard known as Robust Secure Networking is tipped to supersede WPA. RSN, otherwise known as 802.11i, is in the final stages of standardisation by the IEEE. It is essentially a superset of WPA and promises to deliver higher levels of security.

Alternatives to WLan native security

Prior to the arrival of solutions based on 802.1x and WPA, analysts and suppliers proposed solutions using virtual private networks or proprietary security schemes. Although these addressed many of the security problems of early WEP security, they often proved to be expensive and cumbersome to implement. With the advent of WPA and RSN, their future seems limited.

Security at public wireless hotspots

Commercial public wireless sites, known as hotspots, have appeared in airports, hotels, coffee bars and numerous other locations. Although these are convenient, there are no standards and no guarantee of security. Special precautions should be taken:

  • Always use and enable a personal firewall. Even if you have not intentionally connected to a hotspot, your computer is still visible and open to attack across a Wi-Fi network

  • Use secure VPNs to connect to your corporate network. This prevents any other wireless user viewing your network transmissions

  • Use secure web (Secure Sockets Layer) connections when browsing sensitive data

  • Take special care when using any unsecured form of communication. Assume that anyone else on the wireless Lan can read what you are sending, so do not send or download anything you consider sensitive

  • Ensure your system is configured with the latest service packs and patches to close known vulnerabilities.

Stuart Okin is chief security strategist and Ian Hellen is principal consultant for the security solutions team at Microsoft UK. Okin will be speaking at Enterprise Wireless Technology 2003 at London's Olympia 2 on 19-20 November

This was first published in November 2003


