Making enterprise WLANs safe for prime-time
By Lisa Phifer
Just as 802.11-based WLAN infrastructure products have grown up, WLAN security has had to mature as well.
"Enterprises have finally calmed down and are beginning to realize that WPA/WPA2 does give them the basic authentication and encryption they need," said Joel M. Snyder, Senior Partner, Opus One. In late 2002, Wi-Fi Protected Access (WPA) enabled legacy device upgrades by simply patching around WEP's cracking flaws. Two years later, version 2 (WPA2) let new devices employ a stronger, more efficient cipher, AES.
But many are starting to panic about new security concerns. "How do we take this reliable, authenticated channel and properly integrate it into our network," asks Snyder. "Issues like Denial of Service, reliability, throughput, and management are notching the security discussion up to look at the bigger – and honestly, much more difficult – picture."
Putting the basics to bed
In her 2007 WLAN State of the Market study, researcher Joanie Wexler found that security remains the top barrier to enterprise WLAN expansion. "Fifty-two percent of respondents chose security as one of their two biggest challenges," said Wexler. At 24 percent, the next biggest challenge was WLAN reliability/stability due to unlicensed spectrum.
According to Wexler, WPA2 use spiked from 22 percent in 2005 to 38 percent in 2006, but held steady last year. "Perhaps the reason for stagnation is that 36 percent still use VPNs over wireless [connections]," explained Wexler. "And many retailers and manufacturers using legacy handhelds can't upgrade to WPA2 because of memory and processing constraints."
Burton Group Senior Analyst Paul DeBeasi predicts that enterprises will continue to use outdated security. "I frequently hear from enterprises that use WEP. They know that WEP is not secure, but inertia, upgrade cost, and complexity create roadblocks that they can't seem to navigate," said DeBeasi. "Enterprises need to be reminded that [WEP] significantly increases vulnerability."
Going farther, faster
Farpoint Group Principal Craig Mathias believes that "WPA2 is all that is going to matter as .11n adapters come on line." Interim measures like WPA were created to grandfather less capable WEP devices. 802.11n reach and speed may offer sufficient motivation to finally retire old gear. In fact, 802.11n products cannot pass Wi-Fi certification without WPA2.
DeBeasi thinks that 802.11n will shine a spotlight on networks with weak security. "802.11n will drive pervasive mobility in the enterprise," he said. "As wireless spreads, networks with weak security (e.g., using WEP, no WIPS) will become increasingly vulnerable. When enterprises deploy 802.11n, they should use that opportunity to strengthen their security."
Wireless IPS is a widely accepted best practice for managing the business risk introduced by wireless. WIPS provides full-time, distributed monitoring of all Wi-Fi traffic, responding automatically to detected intrusions and policy violations. Gartner projected that this market would double last year, following in the footsteps of enterprise WLAN deployment.
But experts noted a shift in WIPS architecture this year. "The top security trend that I see is the merging of WLAN infrastructure, management systems, and WIPS into a tightly-integrated system, either within or between vendors," said Devin Akin, Chief Technology Officer of The CWNP Program, the popular certification test series for wireless professionals.
Indeed, partnerships have grown between enterprise WLAN and WIPS vendors. For example, AirTight SpectraGuard has been paired with gear from 3Com, Cisco, Colubris Networks, Extreme Networks, Siemens, Extricom, LVL7, NextHop, and Ruckus Wireless. Similar relationships exist between other WLAN and WIPS vendors: AirDefense partners with Motorola, Nortel, Trapeze, and Enterasys, while AirMagnet partners with Aruba and Divitas.
But DeBeasi predicts that overlay WIPS will be marginalized by WLAN vendors that offer embedded WIPS. "Aruba's purchase of Network Chemistry will accelerate this trend," predicted DeBeasi. "Aruba and Cisco will integrate sensors into their APs and enhance their WIPS software. AirDefense and AirTight are between a rock and a hard place as [WLAN] vendors provide [embedded WIPS capabilities as] more cost effective substitutes."
Whether overlay or embedded, availability and reliability concerns will also drive expansion of enterprise WIPS products. "The second most prevalent trend that I see is the addition of physical layer monitoring to link layer WIPS," said Akin.
Enterprise WIPS can currently draw attention to security violations and performance problems. However, sensors and APs are 802.11 devices – they can only hear 802.11 traffic. Unfortunately, many DoS "attacks" reported by WIPS turn out to be caused by non-malicious competition for the overcrowded 2.4 and 5 GHz bands.
Spectrum analyzers look beyond 802.11, however, assessing the source and impact of all transmissions at the frequencies used by enterprise WLANs. Because interference can be sporadic, integrating spectrum analysis into both WLAN planning and ongoing monitoring systems makes sense. For example, Cognio's Spectrum Expert has been integrated into AirMagnet Enterprise WIPS, while MetaGeek Wi-Spy pairs with planning systems from Ekahau and VisiWave.
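The two preceding points (a WIPS that watches 802.11 traffic and raises alerts on bursts of disruptive frames, and a spectrum analyzer that can explain some of those bursts as non-802.11 interference) can be combined in a small triage step. The script below is an added example written for this article; it is not code from any WIPS or spectrum-analyzer product named above. It assumes two simplified, constructed log formats: WIPS sensor lines of the form `<iso-timestamp> ch<N> <kind> bssid=<mac>` (with `kind` being `deauth` or `crc_err`), and spectrum-analyzer lines of the form `<iso-timestamp> ch<N> duty=<percent> source=<label>`, where `duty` is the percentage of air time occupied by non-802.11 energy. The sample data is constructed: a CRC-error storm on channel 6 while a microwave oven is running, a deauthentication burst on channel 11 with a clean spectrum, and a trickle of deauth frames on channel 1 that never crosses the alert threshold.

```python
"""Correlate link-layer WIPS bursts with spectrum-analyzer readings.

Added example, not from the article or any vendor product. Log formats and
thresholds are assumptions chosen for illustration.
"""
from collections import Counter
from datetime import datetime, timedelta

EPOCH = datetime(2000, 1, 1)      # fixed origin for window bucketing
WINDOW = timedelta(seconds=10)    # burst window
BURST_THRESHOLD = 30              # events per window that raise an alert
DUTY_THRESHOLD = 50               # % non-802.11 duty cycle treated as interference


def _burst(start, count, step_s, channel, kind, bssid):
    """Build constructed WIPS log lines: `count` events `step_s` seconds apart."""
    return [
        f"{(start + timedelta(seconds=i * step_s)).isoformat()} ch{channel} {kind} bssid={bssid}"
        for i in range(count)
    ]


T0 = datetime(2008, 3, 4, 10, 0, 0)
# Constructed sample data (see lead-in); BSSIDs are placeholders.
WIPS_LOG = (
    _burst(T0 + timedelta(seconds=1), 60, 0.1, 6, "crc_err", "00:11:22:33:44:55")
    + _burst(T0 + timedelta(minutes=5), 45, 0.2, 11, "deauth", "00:11:22:33:44:66")
    + _burst(T0 + timedelta(minutes=10), 5, 1.0, 1, "deauth", "00:11:22:33:44:77")
)
SPECTRUM_LOG = """\
2008-03-04T10:00:00 ch6 duty=81 source=microwave_oven
2008-03-04T10:00:10 ch6 duty=79 source=microwave_oven
2008-03-04T10:00:20 ch6 duty=4 source=none
2008-03-04T10:05:00 ch11 duty=3 source=none
2008-03-04T10:05:10 ch11 duty=2 source=none
"""


def parse_wips(lines):
    """Parse the assumed WIPS sensor format into event dicts."""
    events = []
    for line in lines:
        ts, ch, kind, bssid = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "channel": int(ch[2:]),
                       "kind": kind, "bssid": bssid.split("=", 1)[1]})
    return events


def parse_spectrum(text):
    """Parse the assumed spectrum-analyzer format into reading dicts."""
    readings = []
    for line in text.splitlines():
        ts, ch, duty, source = line.split()
        readings.append({"ts": datetime.fromisoformat(ts), "channel": int(ch[2:]),
                         "duty": int(duty.split("=", 1)[1]),
                         "source": source.split("=", 1)[1]})
    return readings


def detect_bursts(events, window=WINDOW, threshold=BURST_THRESHOLD):
    """Count events per (channel, kind, window) and return windows over threshold."""
    buckets = Counter()
    for e in events:
        idx = (e["ts"] - EPOCH) // window       # integer window index
        buckets[(e["channel"], e["kind"], idx)] += 1
    alerts = []
    for (channel, kind, idx), count in buckets.items():
        if count >= threshold:
            start = EPOCH + idx * window
            alerts.append({"channel": channel, "kind": kind, "count": count,
                           "start": start, "end": start + window})
    return sorted(alerts, key=lambda a: a["start"])


def classify(alerts, readings, duty_threshold=DUTY_THRESHOLD, slack=timedelta(seconds=10)):
    """Attach a verdict to each alert using spectrum readings on the same channel.

    A high non-802.11 duty cycle overlapping the alert window downgrades the
    alert to RF interference; a deauth burst with a clean spectrum is kept as a
    deauthentication flood that deserves investigation.
    """
    out = []
    for a in alerts:
        interferers = [r for r in readings
                       if r["channel"] == a["channel"]
                       and a["start"] - slack <= r["ts"] <= a["end"] + slack
                       and r["duty"] >= duty_threshold]
        if interferers:
            verdict, source = "rf_interference", interferers[0]["source"]
        elif a["kind"] == "deauth":
            verdict, source = "deauth_flood", None
        else:
            verdict, source = "unexplained_disruption", None
        out.append({**a, "verdict": verdict, "source": source})
    return out


def triage(wips_lines, spectrum_text):
    """Full pipeline: parse both logs, find bursts, classify them."""
    return classify(detect_bursts(parse_wips(wips_lines)), parse_spectrum(spectrum_text))


if __name__ == "__main__":
    for r in triage(WIPS_LOG, SPECTRUM_LOG):
        extra = f" ({r['source']})" if r["source"] else ""
        print(f"ch{r['channel']:>2} {r['start'].time()} {r['kind']:8} x{r['count']:<3} -> {r['verdict']}{extra}")
```

Running the script reports the channel 6 storm as `rf_interference (microwave_oven)` and the channel 11 burst as `deauth_flood`, while the channel 1 trickle produces no alert at all. The design choice worth noting is that the spectrum data is used only to downgrade alerts, never to suppress them: the downgraded alert still carries its count and window so an operator can confirm the interference source rather than silently losing a genuine attack that happened to coincide with a noisy neighbour.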
Finally, Mathias emphasizes that WLAN security by itself isn't sufficient. "We've made excellent progress with WPA2, [but it] only secures a tiny piece of the overall value chain," he said. "I recommend strong authentication with any mobile device and sensitive data stored on it, with similar authentication and encryption at the [destination server]."
Mathias predicts that mobility-enabled VPNs (like those now offered by Columbitech, IBM, and NetMotion) will be used to secure both WLANs and WWANs. "Even though all of the major [WWAN] technologies support encryption and authentication, the enterprise should have control of information security, not the carrier," said Mathias. "This is going to become very important with converged solutions, which are the next big direction for wireless."