Joel Snyder: Securing the wireless LAN

Wireless LANs are too inexpensive to ignore, but security has stymied many network managers looking to bring wireless into the corporate fold. There’s a lot of information and misinformation out there about issues and approaches. Here are some simple strategies to help guide your path.

First, educate yourself. The best place to start is Matthew Gast’s “802.11 Wireless Networks: The Definitive Guide.” Digest what Gast has to say and you’ll be far ahead of the power curve.

The Internet has a lot of data and opinions on wireless, but it’s difficult to get perspective on things without a good background primer. You need to put this into the context of corporate security. What threats are you worried about? How sensitive is the data on the wireless LAN? What vulnerabilities do you need to guard against? Sniffing? Denial of service? Freeloading? Impersonation? You’ll never establish an appropriate 802.11 security policy for your corporate network if you don’t think about these things now.

Second, do something to start. Wired Equivalent Privacy (WEP) is still an awful technique – it’s like giving everyone in the company the same password and never changing it. But that doesn’t mean you shouldn’t use it. The theoretical attacks on WEP exploited by tools such as WEPcrack are blocked by modern firmware. In some recent testing using current releases of 10 different enterprise-class access points and eight different client cards, Initialization Vector-based attacks on WEP were no longer effective.

Use WEP and at least you’re not blasting your wireless LAN out to any passerby. During some war-driving exercises last month, I found that more than half of the wireless LANs I could “see” from my car were not even using WEP to protect their data.

Third, arm yourself. Wireless tools like Airmagnet are fabulous for enterprise network managers. If you only have a few access points to worry about, a laptop or PocketPC with some public domain tools such as NetStumbler is a fine start. But without at least some tools, you’re completely in the dark about the 2.4-GHz aura beginning to surround your network.

Fourth, prepare your strategy. For now, 802.1X-based authentication is the up-and-coming technology to help resolve basic wireless security problems. Or, go down the VPN path and treat wireless users the same way you treat remote-access VPN clients. Either works fine with off-the-shelf hardware.

Over the long run, the IEEE 802.11i standard will lay out a path to higher security for wireless networks that combines 802.1X authentication with better key management than is available on WEP. But that standard is still being cooked, and it will be a year or more before things completely settle.

Snyder, a Network World Test Alliance partner, is a senior partner at Opus One in Tucson, Ariz. He can be reached at