Recently, while watching a television profile of former President Reagan, our memory was sparked by this line, addressed to audience during a debate with then-President Jimmy Carter: "Are you better off today than you were four years ago?" This phrase effectively guaranteed Reagan's ascension to Pennsylvania Ave. and the capture of the presidency.
We would like to borrow this phrase for a moment, and ask if enterprise users think they are better off today in terms of wireless than they were even a year or two ago? The answer, of course, is yes and no. That is, we are and yet we are not better off than we were in terms of wireless technology in general and specifically in terms of security.
Sure, wireless LANs are hot and getting hotter. Worldwide Wi-Fi revenues are expected to grow from $7 billion in 2003 to over $44 billion by 2008, averaging a 44 percent growth rate. U.S. sales of Wi-Fi expected to increase 19% next year, and right now more than half the companies in the U.S. employ some kind of wireless technology (depending on which research firm's figures you trust!). Many analysts (including us, with some reservations) believe that there will be a sizeable upturn in enterprise wireless adoptions next year due to the arrival of systems that support the Wi-Fi Protected Access (WPA) specification and the anticipated release of products (sometime mid-to-late 2004) that incorporate the IEEE's proposed wireless equivalent protocol standard.
The truth, however, is that right now the wireless security measures at most companies are pretty much at the same level it was one or two years ago, which means they are at risk for disruptions, unauthorized access and rogue attacks. In a survey of enterprise users conducted earlier this year, we found that most companies do not have strictly-enforced policies against misusing a wireless system or inserting wireless into a wired network. Most of these firms threaten dismissal, but really have no proactive way of identifying and isolating these attacks. In fact, most of these systems involve little more than monthly audits.
The situation is even direr at smaller companies, where IT budgets are about as slim as road kill on busy highway. Recently, we talked with one company that was looking for a security solution, but couldn't even afford the $2,500 for a handheld signal sniffer. As a result, they will most likely fall back on the solution most small companies adopt, which involves self-policing and a great deal of implied trust among employees and ex-employees.
Whenever we want an honest view of Wi-Fi security, we inevitably turn to our good friend and expert in this area, Mr. Al Potter. Al manages the Network Security Labs at ICSA Labs in Mechanicsburg, PA, and is a frequent speaker on wireless security topics. He is also involved in the IEEE's efforts to revise and put some armor plating on the current 802.11 wireless standard that goes beyond a lot of the third-party layered-on solutions that are now popular.
His opinion: If a user now has wireless and wants to secure it, then the best solution is to go beyond what an access point vendor supplies, and install third-party safeguards. Most of these safeguards employ WPA specifications, which are good and not so good.
Although WPA is the best we have right now in terms of wireless protection, and is available in dozens of products, it is essentially a collection of reference implementations. The idea in developing WPA was to fix the WEP (wired equivalent protocol) flaw, and to get it up and running as quickly as possible. The problem, however, is that in rushing to get WPA products into the market it was impossible to address and solve all of the problems the IEEE and others know are there, says Potter.
Also, since WPA does address some security problems in 802.11, it will most likely be incorporated into the coming IEEE standard (802.11i, which, by the way, may require users to purchase new products since these more secure products will not be entirely compatible with current and older standards). As a result of WPA's success and acceptance, developers of next-generation products are basically stuck with the same RC4 ciphers and memory footprint of existing devices -- a fact that does not tickle the fancy of most cryptographers.
So, not only does this mean that Wi-Fi hardware and software vendors will be building newer wireless architectures on an older chassis, but it also means that future systems will still be susceptible to denial of service (DOS) attacks. In fact, WPA is designed to rely on DOS as a solution against brute force attacks into a wireless system. Once an unauthorized entry or attack is realized, the system is designed to shut down the related wireless access point for about 60 seconds. This protects the data, but knocks that access pointy and supported service out in the process.
As a result, someone could use WPA's inherent protection scheme and weakness to simply knock a wireless network off-line for an extended period of time (by employing multiple and constant attacks to trigger the WPA protective shutdown). The really scary part is that anybody can use this DOS approach to knock out a system by drilling a few holes in a standard microwave oven and letting it rip through a company's wireless network -- since they operate within the same 2.4 GHz spectrum.
Most companies are willing to accept this DOS vulnerability and the trade-off in favor of increased data security and integrity. However, it is important to realize that we are still working with a wireless structure that is currently insecure, and will get a little better but not entirely secure before this time next year.
Our suggestion for enterprise users who plan to initiate or expand wireless projects next year with WPA products, and then perhaps move to a more secure IEEE standards-based environment: Proceed with caution. We agree with Al Potter's recommendation not to scrap prior systems in favor of newer ones until you are absolutely sure you have made a positive move.
We might add that users be very careful when it comes to highly proprietary solutions from a single vendor. Evolving standards will equate to more standardization and less technical tolerance for systems that don't necessarily play well with others. The idea is to adopt new wireless techniques and initiatives, but don't give up your flexibility to make changes and incorporate newer solutions.
Tim Scannell is the president and chief analyst with Shoreline Research, a Quincy, Mass.-based consulting company specializing in mobile and wireless technology and initiatives. Shoreline works with end users, looking to implement mobile solutions, and vendors, developing new products and seeking business and customer opportunities. The company also specializes in training and strategic planning projects. For more information on Shoreline Research and the company's strategic services please go to http://www.shorelineresearch.com.