So are hackers. The security provisions in wireless networks have lagged since the inception of wireless LANs (WLANs), and the technology's popularity has widened the gap. As a result, many networks are exposed to attack. Wireless is difficult to secure, but too popular to ruthlessly police.
"It's very much like the internet age was ten years ago," says Michael Maggio, CEO of Newbury Networks. "We have discovered a very disruptive technology, there's so much you can do with it, and so we're scurrying, as the enterprises are, to come up with something to make it easier to use." Security is an afterthought. "People are still thinking of cool things they can do with it."
One of those things is voice over IP (VoIP). The convergence of data and telephony has advantages for enterprise users and, when combined with wireless networking, the advantages multiply. With existing investments in VoIP network equipment and WLANs, the combination is an obvious direction to take. Customer demand is skyrocketing, says Andy Zmolek, a senior security specialist with Avaya. Avaya, among other VoIP manufacturers, offers a portfolio of wireless handsets for VoIP networks.
But Zmolek expresses concern, too: not only are security standards in wireless networks lagging, environments driven by specific applications (such as voice) are lagging even further, he says, with neither customers nor vendors making much headway to improve.
"There are some enormous potential issues, but not necessarily a lot of awareness," says Zmolek. "The solutions will begin to address it when the customers say 'Hey, this is important to me and I don't want to have these weaknesses'."
VoIP is only one example of this, says Maggio. In many environments, the applications are advancing so fast that the standards are far behind. "It's true that the hot topic of the day is VoIP over WLANs, but there are so many other applications – the medical environment. Think about a doctor walking around with a tablet PC and Wi-Fi being able to get access to patient records immediately when they walk into their room. But the standards will not catch up in the foreseeable future," he says.
Wireless security splits into two streams. There is a set of standards integrated into wireless protocols to offer a degree of security, and there are alternative techniques to tighten security further (such as using VPN technology on top of the WLAN connection).
The standards begin with Wired Equivalent Privacy (WEP), encryption intended to protect wireless connections from eavesdropping. WEP is part of 802.11b, the 11 Mbps extension to the base 802.11 standard introduced in 1999.
The problem with WEP is that it is easily broken. An attacker with passive access to the network (within range of the signal and no need to be actively authenticated) can break the encryption. The hacker can then eavesdrop on network traffic or access the network if no other access mechanism is used.
"There are many attacks that rely on capturing data and doing analysis on that data," says Zmolek. "These are easier to accomplish because they don't require someone to physically tap into a line, just sit out in the parking lot. That is why enormous care has to be taken when designing these protocols and solutions."
The problem, he explains, is that protocols were designed before anyone knew what problem they were meant to be addressing. For example, WEP offers no user authentication mechanism.
"What's happened is the attraction of the technology has been such that it becomes widely deployed because of what you can do wirelessly. On the flip side, an understanding of the inherent risks involved has been fairly limited. It's only after the emergence of specific attack tools that any steps whatsoever have been taken," says Zmolek.
As flawed as WEP is, most networks do not even use it. A recent survey of U.K. businesses by the Department of Trade and Industry found that one in five wireless networks have WEP enabled. Wardriving surveys of major U.S. cities find dozens of exposed networks.
Some administrators ignore the risks, says Andy Mulholland, CTO of Capgemini (formerly Cap Gemini Ernst & Young). "For most people, the attractiveness of being able to use wireless technology outweighs the risk, and they are prepared to take the balance of risk and say 'I think I'll do it anyway'."
Greater security is available, but not widely supported. Wi-Fi Protected Access (WPA) is a more advanced protocol for wireless networks, supported in the newer 802.11a and 802.11g standards. However, WPA is an interim solution intended to be replaced with another standard, 802.11i, in the near future. WPA, using more robust key exchange and encryption, is a subset of 802.11i and will be forwards compatible, but many vendors are biding their time, delaying WPA support until the full standard is approved and available.
Notably, that group includes all the wireless VoIP suppliers, meaning that to implement VoIP handsets on a WLAN today requires access points to enforce WEP at best, even if they could already offer WPA. And the risk of interoperability problems grows accordingly.
"There's an interplay between customer demand and vendor response," says Zmolek. "Customers won't demand more security until they feel there's a risk. And if the vendors don't talk about the risk, it creates this feedback loop that tends to make vendors say 'Well, it's too expensive and customers don't want it.' So it doesn't get into the product."
Capgemini, which provides security consulting services, learned this first-hand last year. A greenfield site for a new campus in the Netherlands was too good an opportunity to miss. The firm evoked "all those things that are on the 'You really ought to do this' list," says Mulholland. The campus now has 6,500 users in a completely wireless environment.
Securing the network, he continues, involved more than WEP. "We use extensive controls on PCs – we have a Radia suite which checks that your machine is configured successfully, updates your anti-virus software, and does some other tricks. We have very heavy management on individual PCs to make sure people don't change things, are using the latest versions of any protection and, on top of that, we have a [suite] called MIS Connect, which includes protective measures. That does not completely remove risk, but it certainly reduces it to a reasonable level."
Just as early-adopter trends emerge in other technologies, the same is true of security – some users demand higher levels of protection. But with standards unratified, the result is workarounds and bolt-ons which might haunt their original proponents with lack of interoperability or security vulnerabilities.
In VoIP, for example, wireless networks lack sufficient quality of service (QoS) facilities (the WLAN QoS standard, 802.11e, is still in draft). Meanwhile, proprietary solutions like Spectralink Voice Priority (SVP) are used, which can tie customers to single suppliers of access points to ensure compatibility, which in turn creates dependence on that AP supplier's adoption of emerging security standards.
And there are problem security areas as well. Cisco's LEAP (Lightweight Extensible Authentication Protocol) was promoted as a means to secure wireless networks before deploying WPA and its full-blown extensible authentication protocol (EAP) facilities. LEAP works by cycling WEP encryption keys on a per-session (or in-session) basis, making attacks based on sniffing traffic much more difficult. However, last August, Joshua Wright, a researcher, demonstrated techniques to attack LEAP using offline dictionary attacks on captured data, which is largely analogous to the existing attacks on WEP. Last month, after Wright's "asleap" attack tool was released, Cisco issued an advisory to its clients recommending LEAP be abandoned in favor of EAP Flexible Authentication via Secure Tunnelling (EAP-FAST), Protected EAP (PEAP) or EAP-TLS.
EAP-FAST is another Cisco protocol. Wright says he is "a little suspicious about some of the accommodations in EAP-FAST to allow anonymous key exchange," but to date there is no known attack against the protocol.
Mulholland has seen this pattern before. "It's the PC problem revisited," he says. "I remember vividly how PCs came about in the beginning, which was people buying them because they were a solution, and it was three, four, five years before the corporate problem of everyone having bought different PCs and networks in different departments surfaced. It became an issue and a liability that resulted in a pretty wholesale replacement of both.
"All these markets go in a couple of stages. First-adopter enthusiasm then becomes enterprise stability. If you look back at pretty well everything that caught on very fast, whether it was the PC, whether it was the internet, whether it was mobile phones, they've all caught on through the end-user adoption, then afterwards there's been a catch-up by the enterprise saying 'Oh, we need to manage this better'."
At the moment, the market is trying to catch up. "The problem is that we're looking at wireless the way we looked at wired and we're trying to solve security in the same way," says Maggio. "But the problem with wireless is that there are no walls. It goes all over the place. It's not like Ethernet. It's not a port you can assign to, or a place you can limit the input of the data and know what's going to come out the other side."
The only successful strategy is to rethink wireless security, says Mulholland. "One of the defining features of traditional security is to put a ring around the enterprise and keep everybody inside the ring. By definition, it's very difficult to treat wireless in that way. The whole attraction to wireless is that wherever I am, I can have a connection. The fortress mentality just doesn't fit the bill at all. You're saying 'I don't want a fortress, and I don't want to be inside the fortress all the time. I need to be outside and I need to have connections.' You need a different security model."
This is true of the modern application space, says Mulholland. "We're moving to a model that many people would call client services, which is to say any device can interact with any service. Now that model by definition doesn't allow you to draw a boundary wall and put a fortress around everything. That's the move to deperimeterisation overall. If you can't draw a line around the enterprise and say everybody inside is safe and everybody outside is not safe, then you have to secure at the lowest common denominator. That could be my machine, or my phone. It might an RFID tag. It might be digital rights on a document. The whole point is the available pieces of both hardware and software are moving around,so it would be better to secure those individually and then have a policy about how they are used. That's where security is trying to take us."
Zmolek adds: "We don't want to put people off – the benefits definitely outweigh everything else."
Mulholland agrees: "By using the new technology and not wiring up the campus in the first place, we've taken about 30-32 percent out of our MIS costs. With that kind of figure, I think it's worth spending a little bit on some of the extra features on security to actually control those machines."