Tech Update
Secure your WLAN now
By Chris Kozup
December 28, 2001
Provided by META Group

Since the ratification of the Institute of Electrical and Electronic Engineers (IEEE) 802.11b standard in September 1999, Wired Equivalent Privacy (WEP) has been the primary mechanism by which organizations encrypt wireless local-area network (WLAN) traffic. Many organizations chose not to enable WEP because of cumbersome management and configuration of the WEP keys. Although META Group recognized the weaknesses associated with WEP, recent publicized attacks prove the protocol is even more prone to compromise than previously thought. Users should evaluate the need for additional security layers (beyond WEP) based on application confidentiality requirements. Organizations should evaluate three basic security services in conjunction with wireless LANs: auditing, authentication, and confidentiality.

In the short term, users should re-evaluate the threat of compromise to existing WLAN installations. Some users have either postponed or terminated existing WLAN deployments due to WEP concerns. For the next 18 to 24 months, users will be required to deploy additional solutions (for example, firewalls and virtual private network gateways) to guarantee network security. By 2004/05, corporate WLANs will integrate to the network through specialized gateways aimed at solving problematic security, management, roaming, and quality of service (QoS).

Step 1: Audit. Network security is particularly prone to compromise by WLANs because it's easy to install rogue access points within the network. The first step in securing WLAN segments is to perform a network audit to locate all rogue access points, and then either bring them into compliance with the established policy or disable them completely. In the short term, enterprises should use products capable of detecting WLAN traffic (and thereby WLAN access points) from network monitoring vendors such as Sniffer Technologies and WildPackets. However, this approach is somewhat limited because it requires the network administrator to be within proximity of the WLAN signal to detect the traffic. By year-end 2002, WLAN vendors (such as 3Com, Avaya, Cisco, Enterasys, and Symbol) will have incorporated within their network management tools the ability to detect remote access points. Users should establish a policy to ensure network audits are conducted regularly (every one to three months) to limit additional rogue access points.
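The audit in Step 1 boils down to comparing what a site survey actually hears against an inventory of the access points the organization deployed. The following is an added example, not code from the article or from any vendor named in it; the inventory, the survey lines and the BSSID values are all constructed for illustration.

```python
# Added example: compare access points heard in a site survey against the
# inventory of authorized access points, flagging unknown BSSIDs as rogue
# and authorized ones whose observed settings drifted from policy.
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessPoint:
    bssid: str       # radio MAC address of the access point
    ssid: str        # advertised network name
    channel: int
    encrypted: bool  # whether beacons advertise the privacy (WEP) bit


# Constructed inventory: the access points the organization actually deployed.
AUTHORIZED = {
    "00:40:96:aa:bb:01": AccessPoint("00:40:96:aa:bb:01", "corp", 1, True),
    "00:40:96:aa:bb:02": AccessPoint("00:40:96:aa:bb:02", "corp", 6, True),
}

# Constructed survey output, one beacon per line: "bssid ssid channel privacy".
SURVEY = """\
00:40:96:aa:bb:01 corp 1 yes
00:40:96:aa:bb:02 corp 6 no
00:02:2d:11:22:33 corp 11 yes
00:02:2d:44:55:66 linksys 6 no
"""


def parse_survey(text: str) -> list[AccessPoint]:
    """Turn survey lines into AccessPoint records (BSSIDs normalized to lowercase)."""
    aps = []
    for line in text.splitlines():
        if not line.strip():
            continue
        bssid, ssid, channel, privacy = line.split()
        aps.append(AccessPoint(bssid.lower(), ssid, int(channel), privacy == "yes"))
    return aps


def audit(seen: list[AccessPoint], authorized: dict) -> list[tuple[str, str]]:
    """Return (finding, bssid) pairs in survey order.

    "rogue": BSSID not in the inventory at all.
    "noncompliant": authorized BSSID whose SSID, channel or privacy setting
    differs from the inventory (e.g. WEP switched off on a corporate AP).
    """
    findings = []
    for ap in seen:
        known = authorized.get(ap.bssid)
        if known is None:
            findings.append(("rogue", ap.bssid))
        elif ap != known:
            findings.append(("noncompliant", ap.bssid))
    return findings
```

Running `audit(parse_survey(SURVEY), AUTHORIZED)` reports the two unknown radios as rogue and the second corporate access point as noncompliant because its beacons no longer advertise privacy.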

Step 2: Authentication. Because WEP-based standards cannot be trusted (and vendor-proprietary WEP arguably only buys extra time), users must now be concerned with opening a back door into the enterprise. Users should focus on authentication (for example, RADIUS) for WLAN users. By year-end 2002, vendors will have incorporated the IEEE 802.1X user authentication standard into WLAN products to provide a replacement for the weak WEP-based authentication methods. A strong authentication method must be accompanied by the use of firewalls--treating the WLAN segment similarly to the public Internet. Layer 2 virtual LANs will enable the partitioning of wireless LAN traffic into a single firewall, eliminating the need for multiple firewall devices. In addition to simply controlling access with authentication and network perimeter devices, users may also deploy intrusion detection system (IDS) capabilities as a way of proactively identifying breaches of the LAN segment. IDS products will enable the administrator to identify the specific access point or segment where the compromise has occurred, allowing network administrators to determine the physical location of the perpetrator.

Step 3: Confidentiality. Many organizations will not require additional security layers beyond Step 2. Users that have completed an assessment of the confidentiality requirements for their WLAN applications may determine certain segments are transferring information that has no commercial value and requires no encryption (such as bar code data from warehouse scanners). In these scenarios, it may be beneficial to enable basic WEP because a low-level encryption coupled with low-value information is an even stronger deterrent to compromise. In scenarios where users have confidential business or personal information crossing a WLAN, a virtual private network (VPN) approach is the most credible way of guaranteeing privacy. META Group recommends that you conduct assessments quarterly to determine the confidentiality requirements of changing traffic and user demographics.

Deploying LAN-based VPNs is not a simple or inexpensive proposition. Many users currently have existing VPN gateways deployed for remote-access connectivity. Although users may initially be able to leverage these existing products, scalability will quickly become a gating factor. Current VPN devices are capable of terminating anywhere from 40 Mbps to 100 Mbps of Internet Protocol Security (IPSec) traffic (running 3DES encryption and SHA-1 hashing with predominantly small packets)--an amount sufficient for remote-access users connected via dial-up or cable/DSL modems. VPN gateways will be less scalable when terminating 802.11b, and more so 802.11a, traffic as each user requires 1 Mbps to 10 Mbps. With 802.11b networks and basic corporate applications (such as e-mail and HTTP), users should plan on a ratio of 300 to 500 users per single VPN gateway capable of 100 Mbps throughput. This ratio will decrease to approximately 100 to 200 users per 100 Mbps gateway as the application bandwidth requirements increase or access points migrate to 802.11a. Concerns associated with the VPN approach include the cost of additional gateways ($10,000 to $50,000), lack of ubiquitous client support, limited roaming (due to fixed termination devices), and the loss of management control (due to tunneled traffic).

Major WLAN vendors are hurrying to provide solutions, which include proprietary implementations of WEP, firewalls, intrusion detection, and VPN capabilities. A new breed of vendor (for example, BlueSocket and Vernier Networks), aiming to solve the mobility, security, QoS, and management problems associated with wireless LANs, has also emerged, though products remain in early stages. META Group anticipates that vendors will follow a multifaceted approach to defining the future of WLAN security--initially focused on integrating VPN capabilities directly into the access point, and then progressively focused on fixing the faults associated with WEP.

A Wireless LAN Security Update
First published on November 13, 2001
By Chris Kozup
