After years of development, certain specifications now provide basic
guidelines for wireless security at both the commercial and more stringent
enterprise levels, but it remains up to wireless users to decide what level of
security, beyond those basic guidelines, they require and how to implement
it.
“Selling security solutions is like selling insurance - people only buy
enough to mitigate their own [perceived] personal risk,” explained Ken
Evans of Fortress Technologies.
Indeed, today’s mandated security
requirements offer minimum levels of security. Not surprisingly, much of the
wireless security industry is, therefore, devoted to assisting sensitive
industries or organizations in implementing additional layers of protection to
meet industry-, company- or department-specific policies.
Among the first
attempts at a security standard for wireless was Wired Equivalent Privacy. The
specification, which was cracked within weeks of its release, is blamed by many
for the paranoia surrounding the lack of security in wireless communications,
especially in sensitive organizations like the U.S. federal government,
according to Evans.
Following the failure of WEP, enterprises, anxious to
implement wireless, turned to virtual private networks, designed for remote
enterprise workers, for wireless protection. But VPNs, though they serve their
purpose in securing small numbers of remote connections, were not designed for
everyday use, and their vulnerabilities also showed through.
Indeed, Evans
suggests there is now an 80- to 90-percent presence of wireless local area
networks in enterprises. “But to say that has been a purposeful or
well-thought-out implementation would be misleading,” he added.
After WEP
disappointed, the IEEE then released WPA, which proved to be slightly better, as
an interim solution while it developed the recently ratified 802.11i standard,
otherwise known as WPA2, in reference to its WPA roots.
WPA2 incorporates
stronger encryption and more authentication and offers a solid foundation from
which the wireless industry can build, explained John Fossaceca, an engineer at
3e Technologies International Inc.
The Wi-Fi Alliance plans to begin testing
802.11i products for interoperability this September, meaning products will not
be ready for market until after that.
WPA2 uses a form of Advanced Encryption
Standard known as AES-CCMP along with 802.1x for authentication, while WEP and
WPA used RC4 encryption, which was “relatively easy for hackers to
break,” said Fossaceca.
Eventually, WPA2 will satisfy 60 percent to 70
percent of the marketplace, predicted Evans, but more sensitive industries,
companies or departments will be required to overlay their own policies to
ensure protection. “The right policy and the right technology over wireless
networks and devices” are required, Evans explained.
The federal
government offers a prime example. The government’s first policy, implemented in
response to the failure of WEP, was overarching and unrealistic: no wireless.
Later it chose a broad policy that gave sectors within the government
flexibility to implement proprietary security solutions tailored to them. For
example, the Department of Defense implemented a top-down policy, which the Army
worked within to create its own standards and which the Army National Guard
tweaked to align with its needs.
Both Fortress and 3eTI offer organizations, including the
government, security solutions that meet and go beyond existing
specifications.
Other industries like financial and healthcare also may use WPA2
as a foundation for wireless security, but industry-specific laws and
regulations, related to privacy, for example, could require they overlay
additional protection.
Some of those additional layers of protection serve to
secure separate points of vulnerability not commonly associated with risk.
Cranite Systems Inc., for example, offers a software solution designed to
protect a user while logging into the network, which, according to Cranite, is
among the most vulnerable points of any session. At that point, personal information,
including log-in names, passwords and credit-card information, can be seen and
retrieved by hackers.
Vernier Networks Inc. meanwhile recently released a
security platform to protect enterprises from attacks on their wired and
wireless networks. The comprehensive solution takes a “guilty until proven
innocent” approach to securing enterprise networks.
Devices themselves
also offer points of vulnerability. “A handheld device is part of the
network,” not a threat to it, explained Scott Schelle, chief operating
officer of Bluefire Security Technologies. Bluefire’s solution includes software
that goes directly on devices to protect them in case of loss, theft, attacks
and viruses, and an enterprise console from which companies or carriers can
manage wireless devices.
Extended Systems also recently launched a security
offering that provides “on device” encryption capabilities for
personal digital assistants, smart phones, laptops and tablet PCs. The solution
allows information technology personnel to track mobile devices connecting to
corporate servers and control network access based on the device or its
user.
In summary, regulator-offered best-practices guidelines in the form of
specifications like WPA2 represent great first steps in securing wireless
communications. Moreover, best practices lay a foundation from which
wireless security companies can build solutions. “There will always be a
thriving market for vendors that provide above-and-beyond security
solutions,” said Evans.