[ISN] WLANs May Be Banned at Agencies

From: InfoSec News (isnat_private)
Date: Tue Aug 27 2002 - 06:01:30 PDT

    August 26, 2002
    By Carmen Nobel

    The proposed National Strategy to Secure Cyberspace plans to get tough
    on wireless technology, saying that if secure WLANs don't exist,
    federal agencies shouldn't use them.

    The proposal aims to prevent the proliferation of unsecured wireless
    LANs that run on the 802.11b standard, also known as Wi-Fi, according
    to a draft of the strategy obtained by eWeek. The Bush administration
    wants a moratorium on Wi-Fi WLAN networks until security is improved
    and wants government IT users to avoid wireless products for sensitive

    Developed by the President's Critical Infrastructure Protection Board,
    the proposal, due Sept. 18, recommends that vendors change the default
    configurations on WLAN gear to increase security, something critics
    say would make the equipment difficult to use in both public and
    private networks.

    While the language is strong, security experts who work with
    government agencies say they generally assume wireless products are
    inherently insecure.

    "Built-in wireless security I consider utterly beside the point and
    put my trust in SSH [the Secure Shell remote connection protocol] in
    the hope that the folks who are dedicated to making something
    rock-solid secure do a better job with security than folks who are
    dedicated to making and selling radio transceivers," said Steve Durst,
    a research engineer at Skaion Corp., a North Chelmsford, Mass.,
    security consultancy whose customers include the Air Force and the
    Defense Advanced Research Projects Agency. "I tunnel everything
    through SSH."

    An IEEE task group is developing a standard called 802.11i to improve
    the security of WLANs, but that technology is not due until the fall
    of next year. Meanwhile, the vendor group Wireless Ethernet
    Compatibility Alliance plans to support an improved encryption scheme
    called SSN (safe secure network). The draft mentions 802.11i and SSN
    as improvements, but it's unclear whether either would meet the
    government's new criteria.

    "WECA has been promoting that wireless LANs need to be secured," said
    Dennis Eaton, chairman of WECA, in Mountain View, Calif.
    "Unfortunately, security and ease of use are the nemeses of each
    other. Achieving both is a very difficult proposition."

    The recommendation that WLAN equipment either come out of the box
    secure or be disabled until users make it secure leaves some users
    worried about future loss of Wi-Fi's plug-and-play capabilities.

    When configuring WEP (Wired Equivalent Privacy), "different vendors'
    interfaces don't seem to match. One has to enter the passwords in very
    different ways," said Christopher Bell, chief technology officer of
    People2People Group, in Boston. Bell said it took him almost 2 hours
    to set up a secure access point, a notebook computer and a Pocket PC
    device enabled with 802.11b. "I can't imagine many people would bother
    to do what I did to get it all to work when simply turning off WEP
    made it plug and go."

    In addition to WLANs, the cyber-security strategy addresses the
    Bluetooth wireless protocol, which is used primarily as a cable
    replacement between devices. The draft's authors recommend that
    Bluetooth developers build a better broadcast keying scheme, a feature
    to prevent unlimited authentication requests and a more sophisticated
    encryption procedure.