[ISN] Protocol used for 802.11b standard is not strong enough for information at official use only security status, expert says

From: InfoSec News (isnat_private)
Date: Thu Aug 23 2001 - 02:12:31 PDT

  • Next message: InfoSec News: "[ISN] VA to certify project security"

    http://www.gcn.com/20_24/security/16838-1.html
    
    By WILLIAM JACKSON 
    GCN STAFF
    August 20, 2001
    
    Wireless networks are fast to set up and flexible enough to let
    workers roam through an office or campus.
    
    But you would not want to trust anything sensitive to todays 802.11b
    wireless LAN standard, said Maj. David A. Nash, an electrical
    engineering and computer sciences instructor for the U.S. Military
    Academy at West Point.
    
    The Army has a moratorium on wireless LAN use, said Lt. Col. Daniel
    Ragsdale, director of the departments information technology and
    operations center.
    
    They're flushing out a lot of security issues, Ragsdale said. Ragsdale
    and Nash attended sessions on wireless LAN security at last months
    Black Hat Briefings in Las Vegas.
    
    Not enough, off balance
    
    Although improved standards are on the way, current wireless security
    is inadequate and does not scale well, said Mandy Andress, president
    of ArcSec Technologies Inc. of Dublin, Calif.
    
    The IEEE 802.11b Ethernet standard operates in the 2.4-GHz band at
    data rates up to 11 Mbps. Products for the forthcoming 802.11a, which
    delivers up to 54 Mbps in the 5-GHz band, should be available late
    this year.
    
    A more secure version of the standard is under development that will
    provide key management and 128-bit Advanced Encryption Standard
    encryption. But for now, methods to control wireless LAN access and
    prevent eavesdropping are not completely secure.
    
    Access can be defined by a devices media access control layer address,
    but such addresses are easy to discover and spoof, and managing the
    lists is difficult for large networks, Andress said. Virtual private
    networks cut down wireless mobility by requiring users to authenticate
    themselves when roaming from one server to another. And small VPNs are
    not cost-efficient.
    
    Tie it tighter
    
    An open-source program called SLAN, for Secure LAN, available at
    slan.sourceforge.net, works like a VPN but is simpler, Andress said,
    and not very scalable.
    
    Wired Equivalent Privacy, a wireless security protocol, does not use
    strong enough encryption and is vulnerable to attack. All users of a
    particular access point share the same encryption key, which is a
    serious weakness.
    
    WEP is a fundamental vulnerability on 802.11b networks, Nash said. Not
    until its weaknesses are thoroughly repaired will wireless networks be
    suitable for classified, sensitive or even official-use-only
    information, he said.
    
    Despite weaknesses in current products, Ragsdale said, wireless
    networking does have a role in noncritical environments, such as at
    the military academy.
    
    Were in the business of teaching people computer science, he said. But
    until more security is built in to standards-compliant products,
    government should be wary of putting its LANs on the air, he said.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.
    



    This archive was generated by hypermail 2b30 : Thu Aug 23 2001 - 04:41:43 PDT