[ISN] Gearing up for wireless security

From: InfoSec News (isnat_private)
Date: Mon Jan 13 2003 - 00:31:19 PST

    http://www.fcw.com/fcw/articles/2003/0113/cov-plug4-01-13-03.asp
    
    By Brian Robinson 
    January 13, 2003
    
    If wireless users can endure one more round of debates about security
    standards, they may soon be able to buy actual products.
    
    It's no secret that current wireless local-area network products lack
    built-in security functions, a situation due largely to the inadequacy
    of Wired Equivalent Privacy (WEP), the first wireless security
    standard, which was introduced several years ago.
    
    But that could change as new standards take hold and the wireless LAN
    component market - estimated by the Aberdeen Group, a Boston-based
    consulting firm, to have exceeded $1 billion in 2002 - continues to
    attract heavy hitters such as Microsoft Corp., which recently said it
    would enter the market.
    
    The promise of secure wireless networking is once again being touted
    with the expected release in the next several months of the Wi-Fi
    Protected Access (WPA) standard, which is considered more secure than
    WEP.
    
    WPA is only an interim step toward a standard now dubbed 802.11i, set
    for release around the end of this year. The 802.11i standard is
    expected to finally nail wireless LAN security and make the products
    that use it more palatable to organizations that demand tight
    security.
    
    "With WPA coming out, we are back to where we should have been [with
    wireless LANs] two years ago," said Michael Disabato, a senior analyst
    with the Burton Group. "It hasn't met live-wire tests yet, but
    everyone is confident it is secure now and will allow for cross-vendor
    implementations."
    
    Meanwhile, the wireless LAN market is one of the few in the telecom
    arena that is growing, so vendors need to address security if they
    want to participate.
    
    Cisco Systems Inc., for example, has a WEP implementation for its
    Aironet wireless LAN solutions that is probably sufficient for
    situations in which strong security is not critical. But the company
    is marketing the Cisco Wireless Security Suite, based on the IEEE
    802.1x specification, as a stronger security provider. The
    specification, a core component of WPA, provides authentication at the
    user and server levels.
    
    "This is admittedly a prestandard release, but 802.1x is real now, and
    because it's implemented in software, we feel very comfortable we'll
    easily be able to move to a post-standard release of this product,"  
    said Vince Spina, director of systems engineering for Cisco's federal
    operations.
    
    Wavelink Corp. last year came out with a workaround for WEP's ills,
    namely its relatively weak 40-bit encryption, static encryption keys
    and lack of a key distribution method. The Wavelink solution is a
    cross-vendor solution that allows for dynamic key rotation. It
    monitors wireless devices and access points in the network at regular
    intervals and supplies them with new keys so that hackers do not have
    enough time to break the key encryption.
    
    For organizations that can handle the extra demands on processing
    power and network traffic overhead involved, virtual private networks
    probably offer the most robust security since the wireless side of the
    network becomes an integral part of the overall enterprise security
    infrastructure. Products such as Check Point Software Technologies
    Ltd.'s Secure VPN include features such as integrated certificate
    authorities, which provide stronger security than what is currently
    built into wireless LANs.
    
    However, the cost and complexity involved with installing VPNs put
    this solution beyond most small and medium-size organizations' reach.
    That drove Latis Networks Inc. to develop its Border Guard Wireless
    solution, which gives network administrators the ability to manage
    rogue wireless access points and limit device access to the network,
    or deny access completely.
    
    Latis works on the assumption that a wireless LAN has to be handled as
    a major part of an overall network security plan, said Mitchell
    Ashley, Latis' vice president of engineering and chief technology
    officer. However, the company may be ahead of the market, he admitted,
    since "we are not yet at the point where everyone even agrees on the
    need for a firewall equivalent for wireless."
    
    Robinson is a freelance journalist based in Portland, Ore. He can be
    reached at hulliteat_private
    
    ***
    
    Secure solutions
    
    A glimpse at some wireless local-area network security products:
    
    
    Vendor: Cisco Systems Inc.
    
    Product: Cisco Wireless Security Suite.
    
    What it does: Provides user and device authentication for Cisco
    Aironet wireless LAN solutions.
    
    
    Vendor: Latis Networks Inc.
    
    Product: Border Guard Wireless.
    
    What it does: Enables network administrators to detect rogue wireless
    access points and control device access to the network.
    
    
    Vendor: Wavelink Corp.
    
    Product: Wavelink Mobile Manager and Wavelink Avalanche.
    
    What it does: Monitors wireless devices and access points in the
    network and supplies users with regularly changing encryption keys to
    thwart hackers.
     
     
    