LAS VEGAS -- Will Wi-Fi systems ever be safe enough for companies to implement without overspending on security?
Despite recent advances in wireless LAN (WLAN) security touted by a group of Interop 2005 panelists this week, experts agreed that there are still many confusing security issues likely to prevent companies from implementing corporate wireless networks.
Panel moderator David Piscitello, president of Chester Springs, Pa.-based consulting firm Core Competence Inc., said many companies ask him whether the Wired Equivalent Privacy (WEP) wireless security standard is sufficient to secure corporate data, even though WEP has a number of shortcomings that make it vulnerable to attack.
WEP's numerous problems were confirmed by Dan Harkin, chief security architect for Trapeze Networks Inc., a Pleasanton, Calif.-based Wi-Fi hardware vendor. He said that, aside from having no cryptographic message integrity check (its CRC-32 checksum does not stop forgery) and forcing users to re-key frequently, WEP repeats an initialization vector about every 5,000 packets (the IV is only 24 bits, so a repeat is more likely than not after a few thousand frames), meaning that a skilled attacker with a packet-sniffing application could breach a company's security in 12 minutes or less on a busy network.
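The three weaknesses listed above can be shown concretely. The following is an added example, not code from the article or from any vendor on the panel: a toy model of WEP (RC4 keyed with IV || shared key, a CRC-32 "ICV", simplified framing without the key-index byte and 802.11 headers) that (1) computes how soon a 24-bit IV repeats, (2) recovers one frame's payload from a second frame sent under the same IV, and (3) forges a frame that passes the CRC-32 check without the key. The key, IVs and payloads are constructed for the demo; the "12 minutes" figure depends on how fast the network emits frames, which the code does not model.

```python
"""Added example: a toy WEP model showing IV reuse, keystream reuse and
CRC-32 forgery. Key, IVs and payloads are constructed; framing is simplified."""
import math
import random
import struct
import zlib

IV_BITS = 24
IV_SPACE = 1 << IV_BITS          # WEP IV is 24 bits: only ~16.7M values


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key scheduling plus PRGA. WEP keys RC4 with IV || shared key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key: bytes, iv: bytes, payload: bytes) -> bytes:
    """Frame = IV || RC4(IV||key) XOR (payload || CRC-32(payload))."""
    icv = struct.pack("<I", zlib.crc32(payload))
    body = payload + icv
    return iv + xor(body, rc4_keystream(iv + shared_key, len(body)))


def wep_decrypt(shared_key: bytes, frame: bytes):
    """Return (payload, icv_ok). icv_ok is all a WEP receiver checks."""
    iv, ct = frame[:3], frame[3:]
    body = xor(ct, rc4_keystream(iv + shared_key, len(ct)))
    payload, icv = body[:-4], body[-4:]
    return payload, struct.unpack("<I", icv)[0] == zlib.crc32(payload)


# (1) IV exhaustion: the birthday bound, not 2^24, governs the first repeat.
def iv_collision_probability(n: int) -> float:
    """P(some IV repeats among n random 24-bit IVs), birthday approximation."""
    return 1.0 - math.exp(-n * (n - 1) / (2.0 * IV_SPACE))


def packets_for_collision(p: float = 0.5) -> int:
    """Smallest n whose repeat probability reaches p (about 4,800 for 50%)."""
    return math.ceil(0.5 + math.sqrt(0.25 - 2.0 * IV_SPACE * math.log(1.0 - p)))


def packets_until_repeat(seed: int = 1) -> int:
    """Monte Carlo: draw random IVs until one repeats, return the draw count."""
    rng = random.Random(seed)
    seen = set()
    while True:
        iv = rng.getrandbits(IV_BITS)
        if iv in seen:
            return len(seen) + 1
        seen.add(iv)


# (2) Keystream reuse: two frames under one IV give C_a ^ C_b = P_a ^ P_b.
def recover_with_reused_iv(frame_a: bytes, frame_b: bytes,
                           known_payload_a: bytes) -> bytes:
    """Knowing payload A (e.g. a predictable ARP frame) reveals the bytes of
    payload B that the two frames cover in common."""
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("different IVs: keystreams differ, nothing leaks")
    n = min(len(frame_a), len(frame_b)) - 3 - 4   # payload bytes both carry
    pa_xor_pb = xor(frame_a[3:3 + n], frame_b[3:3 + n])
    return xor(pa_xor_pb, known_payload_a[:n])


# (3) No real integrity check: CRC-32 is linear, so a bit flip in the
# ciphertext can be paired with a matching ICV fix-up without the key.
def forge_without_key(frame: bytes, delta: bytes) -> bytes:
    """Return a frame that decrypts to payload XOR delta with a valid ICV."""
    iv, ct = frame[:3], frame[3:]
    n = len(ct) - 4
    if len(delta) != n:
        raise ValueError("delta must cover the whole payload (pad with zeros)")
    # crc(P ^ delta) == crc(P) ^ crc(delta) ^ crc(zeros of the same length)
    icv_fix = struct.pack("<I", zlib.crc32(delta) ^ zlib.crc32(bytes(n)))
    return iv + xor(ct[:n], delta) + xor(ct[n:], icv_fix)


def demo() -> dict:
    """Run all three weaknesses on constructed frames."""
    key = b"\x01\x02\x03\x04\x05"                 # constructed 40-bit WEP key
    iv = b"\x00\x00\x2a"                          # constructed IV, reused by the AP
    p_a = b"ARP who-has 10.0.0.1 tell 10.0.0.7"   # frame the attacker can predict
    p_b = b"POST /login user=bob pass=hunter2"    # frame the attacker wants
    frame_a = wep_encrypt(key, iv, p_a)
    frame_b = wep_encrypt(key, iv, p_b)
    forged_payload = p_b.replace(b"bob", b"eve")
    forged = forge_without_key(frame_b, xor(p_b, forged_payload))
    return {
        "packets_for_50pct_iv_repeat": packets_for_collision(0.5),
        "leaked_payload_b": recover_with_reused_iv(frame_a, frame_b, p_a),
        "forged_frame_decrypts_to": wep_decrypt(key, forged),
    }


if __name__ == "__main__":
    print(demo())
```

Note what the attacker never needed: the shared key. The IV repeat rate comes purely from the 24-bit IV size, the payload leak from RC4 keystream reuse, and the forgery from CRC-32 being linear, which is why 802.11i replaced the ICV with a keyed MIC and added per-frame keying.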
Complicating matters further, panelist Kevin Walsh, director of product technology at Funk Software in Cambridge, Mass., said a large amount of legacy Wi-Fi equipment, including mission-critical network devices such as bar code scanners, is hardwired to use only WEP.
Even 802.11i, the Wi-Fi security standard the IEEE ratified last summer (marketed by the Wi-Fi Alliance as WPA2), has its issues.
Michael Maggio, president and CEO of Wi-Fi management vendor Newbury Networks Inc., said 802.11i is an improvement over WEP, largely because it replaces WEP's encryption with new protocols: the Temporal Key Integrity Protocol (TKIP), designed to run on older hardware, and CCMP, which is built on the Advanced Encryption Standard.
However, Maggio said limited interoperability with older systems and a lack of 802.11i products whose cryptography has been validated against the U.S. government's Federal Information Processing Standards (FIPS) can make implementing 802.11i equipment more difficult than it often seems.
"The sooner vendors get 802.11i embedded into their products, the better," Maggio said, "but that's not all that's needed."
Taking it a step further, Walsh added that network administrators lack a clear set of guidelines for choosing among the authentication methods and credential types 802.11i allows, making it difficult to manage Wi-Fi security across a distributed user base.
Panelist Pat Calhoun, co-founder and chief technology officer for Airespace, a Wi-Fi vendor recently acquired by Cisco Systems Inc., said 802.11i doesn't address the growing need for wireless intrusion detection, and few hot spots have implemented 802.11i yet.
The advent of 802.1X, a port-based access-control framework in which the access point relays the client's EAP authentication to a central server (typically RADIUS), has given companies another option for securing the air, Maggio said, by packaging together a number of good application layer security techniques.
However, Piscitello said that following Microsoft's guidelines for implementing 802.1X, instructions commonly used by smaller businesses looking for a starting point, was "like putting a spoon in my eye," because of the complexity involved and the number of additional security systems that must be put in place to support certificate-based authentication.
None of the information was surprising to attendee Richard Frank, a network architect with manufacturer Material Sciences Corp., in Elk Grove Village, Ill.
Even though Frank's company, which maintains a Wi-Fi network for more than 500 users, has already spent some money on advanced wireless security gear, it has yet to be implemented because the management complexity involved is too burdensome for his six-person IT staff, and justifying the need for additional personnel is always tough.
"We're always driven by the need to keep things secure," Frank said, "but the task of retraining users to use a new authentication scheme is a challenge. We've found that what we think may be the best authentication solution may not be feasible from a manpower perspective."