Although 802.1x solves a major part of the wireless security puzzle for enterprise users, small office/home office (SOHO) users like me are unlikely to set up a RADIUS server in our homes. To solve this problem, the Wi-Fi Alliance introduced Wi-Fi Protected Access. WPA incorporates the 802.1x Extensible Authentication Protocol (EAP) and Dynamic Key Distribution models with a Message Integrity Check feature. For SOHO users, WPA includes a preshared key option (i.e., matching passwords), which eliminates the need for a RADIUS server to authenticate against. In contrast to WEP's static, manually entered keys, WPA automatically distributes cryptographically strong keys on a per-user, per-session, or per-packet basis. Because WPA is a superset of 802.1x, it retains server-based authentication for enterprise use. Unfortunately, to deploy WPA you must have compatible APs and clients. The Wi-Fi Alliance announced the first certified WPA-compatible products on April 29, including APs (and AP reference designs) from Atheros Communications, Broadcom, Cisco Systems, and Intersil and adapters from Intel and Symbol Technologies. Linksys, which offers one of the most common low-end AP and client solutions, recently released for its 802.11g products a firmware update that supports the official 802.11g specification and WPA. You might be able to upgrade your existing AP and adapter firmware to support WPA, so check with your hardware vendor.
In the Meantime ...
While we wait for vendors to supply WPA-compatible hardware, we can take several steps to secure our APs. Most of today's APs provide at least WEP-based security, many let you filter specific media access control (MAC) addresses, and some let you disable public advertisements of the SSID. None of these steps will provide perfect security—WEP is vulnerable to brute-force attacks and MAC addresses can be spoofed—but they'll slow down casual hackers. In addition, you can use a firewall with an AP and monitor the firewall's logs for hack attempts. But before you can take any of these steps, the administrator or AP owner must know that a problem exists.
The most important solution to the problems I've been discussing is education—and that's where readers of this column can help. If you own a notebook PC or handheld mobile device with a wireless card, I urge you to perform a site survey in your office and a war drive around your home. Software to perform these surveys such as NetStumbler is available for free. If you find a rogue AP in your office, you'll want to have a long talk with whomever installed it and make sure that it's properly secured. If one of your neighbors is running a wide-open AP, you might want to have a chat with him or her as well or perhaps leave a copy of this article where that person can find it.
Of course, conducting site surveys of every installation isn't practical for most enterprise IT managers. Instead, they need a software solution that inspects data from the APs, routers, and possibly the wireless mobile devices themselves and automatically alerts the IT staff when the software detects an unauthorized AP. Several software products address this requirement. AirDefense RogueWatch detects wireless APs automatically, in conjunction with the company's proprietary wireless Intrusion Detection System (IDS). AirWave offers optional wireless and wireline rogue AP detection modules as part of its AirWave Management Platform (the wireless module works only with select APs). Wavelink provides rogue AP detection as part of its Wavelink Mobile Manager product—the software generates a report of all APs within range of each mobile device and compares this information against a list of authorized APs. And Cisco Systems has announced that it will provide rogue AP detection in fourth quarter 2003, including a firmware upgrade to Cisco Aironet 1100 and Aironet 1200 series routers, as part of its Structured Wireless-Aware Network initiative.
By taking appropriate steps to secure our own APs and educating the general public about the dangers of leaving residential and SOHO APs wide open, we can bridge the gap until advanced technologies such as WPA and 802.11i become widely available. I think taking these steps is in everyone's interest.
Note: In my August 2003 Mobile & Wireless column, I discussed wireless Voice over IP (VoIP) as a potential mobile killer app. It turns out I'm not alone. Since that column went to press, I've learned that Toshiba will include VoIP software with its Tablet PCs, Pocket PCs, and conventional notebooks, so stay tuned.
End of Article
Prev. page
1
[2]
next page -->
