In the beginning, there was WEP. And WEP was no good. It quickly became apparent Wired Equivalent Privacy, the original encryption protocol for wireless networks, could be broken very easily with simple tools.
Today, says Chris Kozup, senior manager of mobility solutions for Cisco Systems Inc. in San Jose, Calif., there are known techniques for breaking WEP encryption in less than a minute. “There should be no doubt that WEP as a protocol is flawed,” he says.
So network security experts created Wi-Fi Protected Access (WPA). Then everything was good. Or was it?
WPA IS BREAKABLE
Actually, no. While better than WEP, WPA has also turned out to be breakable. “The TKIP protocol specifically has been shown to be weak,” says Joshua Wright, a wireless security instructor for the SANS Institute and senior security researcher for Aruba Networks Inc. in Sunnyvale, Calif., referring to the Temporal Key Integrity Protocol, the somewhat-improved encryption protocol at the heart of WPA.
So after WPA came WPA2, also known as 802.11i, the current state of the art in encryption for wireless networks. WPA2 replaces TKIP with Advanced Encryption Standard (AES), a stronger protocol approved by the U.S. government for protecting classified data.
“It offers greater security and authentication,” says Stewart Wolfe, senior manager in charge of the Greater Toronto Area information security team for consulting firm KPMG, “and addresses some of the challenges WEP had.”
So with the advent of WPA2, are 802.11 networks finally secure?
No, for two main reasons.
FEW USE AES
The first is that WPA2 is like safety equipment – it only protects you if you use it, and many people who should use it don’t. Sri Sundaralingam, vice-president of product management at Mountain View, Calif.-based wireless security vendor AirTight Networks, Inc., estimates that 30 to 40 per cent of wireless networks in business still use WEP, the same proportion use the original WPA, maybe a tenth use no encryption protocol at all, and less than 10 per cent have implemented WPA2 with AES.
The picture is even bleaker with home wireless networks, many of which use no encryption – and that’s not necessarily irrelevant to your business if employees are taking company data home with them.
“I think part of it is that a lot of people still don’t understand the risks around using WEP,” Wolfe observes. The cost of 802.11i implementations is also a factor, particularly in organizations with older networking equipment that doesn’t support AES. For them, upgrading to AES could mean replacing network devices. It’s possible to implement 802.11i but with TKIP encryption, Wolfe says, but that isn’t as secure.
Kozup says organizations with network devices made in the last three or four years can and should run WPA2. But in industries like retail, where there tends to be a broad range of devices such as bar-code readers, many used for a good many years before being replaced, legacy equipment may hinder upgrades to the newer protocol.
Kingston General Hospital in Kingston, Ont., has wireless network coverage throughout its patient-care areas and in most administrative areas – around 95 per cent of the facility is covered, says Bob Schaefer, manager of telecommunications and distributed computing. Security depends on the application.
CONSIDER VPNS
The legacy hospital information system doesn’t support AES, so the hospital uses virtual private network (VPN) technology to provide an added layer of security for that system. If you’re using TKIP encryption – and possibly even if you’re using AES – it may be wise to implement VPN over your wireless network, Wolfe suggests. Commonly used on remote connections with little or no security of their own, VPN is certainly a good idea for employees connecting from home networks unlikely to have the latest in wireless security.
Kingston General relied on VPN to secure almost all wireless network traffic in the days when TKIP was the only encryption option. Now KGH is moving to 802.11i with AES encryption, Schaefer says. Feeling quite secure with AES, “we have not been putting any other security on top of that.” However, he says, the migration can take time because client devices must have wireless cards that support the newer standard, and applications must support it.
As well, a growing number of applications provide their own built-in security, which makes Schaefer less concerned about the security provisions of the network itself.
WHY WPA2 IS NOT AIRTIGHT
The second reason WPA2 doesn’t solve all the security problems is that it doesn’t try to do so.
WPA2 is primarily about encrypting data. Wolfe notes that it’s still susceptible to “man in the middle” attacks, in which an intruder secretly relays messages between two legitimate nodes on the network, fooling each into thinking the intruder is the other legitimate device, and uses the ruse to eavesdrop on their communications.
WPA2 encrypts the contents of data packets but not their management frames, Kozup explains. “There are a number of attacks that can be made against the management frame,” including the man-in-the-middle attack.
Kozup says Cisco introduced management frame protection two years ago in its own products, and that technology is now the basis of a draft IEEE standard called 802.11w, due to be ratified this September.
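An added example, not part of the original article: the audit below parses the RSN element (element ID 48) that an 802.11i access point advertises in its beacons and reports the two weaknesses discussed above, TKIP still being offered and management frame protection being absent. The sample bytes are constructed, and the function names are this example's own.

```python
import struct

IEEE_OUI = b"\x00\x0f\xac"  # OUI used for the standard 802.11 cipher suites
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP (AES)", 5: "WEP-104"}

def _suite(raw):
    """Map a 4-byte suite selector (3-byte OUI + 1-byte type) to a name."""
    if raw[:3] != IEEE_OUI:
        return "vendor-specific"
    return CIPHERS.get(raw[3], f"unknown({raw[3]})")

def parse_rsn(body):
    """Parse the body of an RSN element taken from a beacon frame."""
    if len(body) < 8:
        raise ValueError("RSN element too short")
    version, = struct.unpack_from("<H", body, 0)
    group = _suite(body[2:6])
    count, = struct.unpack_from("<H", body, 6)
    off = 8
    if len(body) < off + 4 * count:
        raise ValueError("truncated pairwise suite list")
    pairwise = [_suite(body[off + 4 * i: off + 4 * i + 4]) for i in range(count)]
    off += 4 * count
    caps = 0
    # The AKM list and capabilities are optional; skip the AKMs to reach the caps.
    if len(body) >= off + 2:
        akm_count, = struct.unpack_from("<H", body, off)
        off += 2 + 4 * akm_count
        if len(body) >= off + 2:
            caps, = struct.unpack_from("<H", body, off)
    return {"version": version, "group": group, "pairwise": pairwise,
            "mfp_capable": bool(caps & 0x0080),   # bit 7: MFP capable
            "mfp_required": bool(caps & 0x0040)}  # bit 6: MFP required

def findings(rsn):
    """Return the weaknesses an auditor would flag for this access point."""
    out = []
    if "TKIP" in rsn["pairwise"] or rsn["group"] == "TKIP":
        out.append("TKIP still offered")
    if not rsn["mfp_capable"]:
        out.append("management frames unprotected")
    return out

# Constructed samples: a mixed TKIP/AES network and an AES-only one with MFP.
MIXED = bytes.fromhex("0100" "000fac02" "0200" "000fac04" "000fac02"
                      "0100" "000fac02" "0000")
AES_MFP = bytes.fromhex("0100" "000fac04" "0100" "000fac04"
                        "0100" "000fac02" "c000")
```

Running `findings(parse_rsn(...))` over each element captured in a site survey gives a per-access-point list of what still needs upgrading.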
WPA2 also doesn’t do intrusion prevention. “The vast majority of network administrators don’t even have wireless intrusion detection systems,” Wright says. That’s partly because of the cost of such technology, he explains. It’s also partly because many people think all wireless security issues were solved with the arrival of WPA2, Wright says.
BEWARE OF ROGUE ACCESS POINTS
Finally, proper security on official wireless connections still doesn’t guard against the long-standing problem of rogue access points. Seeking the convenience of wireless where their employer hasn’t provided it, employees plug wireless access points into network jacks, usually without taking security precautions.
And while rogue access points are usually the product of employee thoughtlessness, they can be planted deliberately by outsiders. Wright says he has seen such devices concealed in cubicle walls or inside network wall jacks. Any organization with a network should monitor its premises for rogue access points, Kozup warns.
Wireless security has undoubtedly improved since the WEP days. It’s at least as important that awareness is improving. Kevin Lahey, mobility specialist with Cisco in Toronto, says WPA2 adoption is increasing, with the health care and education sectors leading and recent growth in the financial sector. Wright hopes that as more networks become wireless, more attention will be paid to securing them.