Secure without wires

Wireless networking can indeed be safe and secure for the enterprise, says Mark Smith

Customers claim that wireless security is a priority, but lots of enterprises are implementing wireless networks without enabling all the security provided. It is no wonder they think wireless is easy to install but difficult to secure and manage.

On a wireless network, each access point accommodates different users at different security levels. It is the ultimate identity-based networking and is harder to manipulate.

A wireless network expects you to prove who you are by providing a password, digital certificate or biometric such as a thumbprint. The system will check with the AAA (authentication, authorisation and accounting) server to confirm you are who you claim to be before granting access.

Many of you will be saying: ‘Ah, but what about identity theft? What about device theft? What about the recent news of Russian firm ElcomSoft’s use of NVidia graphics cards to accelerate wireless password recovery times by up to 10,000 per cent? Surely that means it is just not enough to keep the network secure?’

Encryption is just one element of network security. But when ElcomSoft mentions breaking WPA or WPA2 it really means recovering the password of the WPA-PSK, which is done via a ‘brute force’ attack. That’s not new.

You would have to compare that against an eight-letter (the minimum for PSK) password that can have 208,827,064,576 variations. It would take more than 345 days to find out that your password is not ‘aaaaaaaa’.

Make it a nine-letter password and you’re looking at almost 25 years. And WPA-PSK passwords can have up to 64 characters.
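The arithmetic behind these figures, as an added example that is not part of the original article: it derives the WPA/WPA2-PSK master key the way the standard does (PBKDF2-HMAC-SHA1 salted with the SSID, 4,096 iterations) and estimates how long a full keyspace takes to exhaust. The rate of 7,000 guesses per second is an assumption back-calculated from the 345-day figure above, and the function names are illustrative.

```python
import hashlib

# Assumption: guess rate back-calculated from the article's figures
# (26**8 candidates in a little over 345 days); real rates vary with hardware.
GUESSES_PER_SECOND = 7_000
PSK_MIN_LENGTH = 8  # minimum PSK length quoted in the article


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit master key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds.

    The SSID salt means work done against one network name cannot be reused
    against another, and the 4096 rounds make every single guess expensive.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` symbols."""
    return alphabet_size ** length


def days_to_exhaust(alphabet_size: int, length: int,
                    rate: float = GUESSES_PER_SECOND) -> float:
    """Days needed to try every candidate at `rate` guesses per second."""
    return keyspace(alphabet_size, length) / rate / 86_400


def min_length_for(alphabet_size: int, target_years: float,
                   rate: float = GUESSES_PER_SECOND) -> int:
    """Shortest PSK length whose full keyspace outlasts `target_years`."""
    length = PSK_MIN_LENGTH
    while days_to_exhaust(alphabet_size, length, rate) < target_years * 365.25:
        length += 1
    return length


if __name__ == "__main__":
    # Published IEEE 802.11i test vector: passphrase "password", SSID "IEEE".
    print("PMK:", wpa_pmk("password", "IEEE").hex())
    for n in (8, 9, 10):
        print(f"{n} lowercase letters: {keyspace(26, n):,} candidates, "
              f"{days_to_exhaust(26, n):,.0f} days")
    print("Lowercase length needed for 100 years:", min_length_for(26, 100))
```

These are worst-case figures for an exhaustive search of random passwords; a password that appears in a dictionary falls far sooner.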

Once you’ve authenticated the user, how do you authenticate the network to the user – making sure the network is genuine?

A wireless system will present its credentials to your device and confirm that the network onto which you’re logging is actually valid.

The next wireless weapon is authorisation. A wireless network keeps resources locked down so when you’re roaming on a network every time you move into a new area through a new access point it will check to confirm that you are actually allowed access.

Access points also record every action and this information is sent to the server in real-time to minimise security violations, such as a guest gaining access to something they shouldn’t, and provide an audit trail for security compliance.

Wired networks are all about physical security, quite apart from the security of the actual devices – situations where laptops are left on trains spring to mind. Wired access relies mostly on presenting the appropriate credentials – with no requirement to prove identity beyond saying your name.

Pinning your hopes of security on the guard at your front desk is a risk. People can get past security guards, but with a wireless network you are stopped as soon as you don’t have the appropriate credentials.

Most solutions offer little or no control over who is using guest access — or when, where, and how it is being used. Not all devices support 802.11i security, so access to corporate networking resources must be limited.

The key is deciding what security to set up, rather than depending on a box to fix any problems. Designing and planning an appropriate network with appropriate levels of security is paramount.

Trapeze Networks co-authored the 802.11i standard, adding fast roaming capabilities to wireless networking while maintaining security. No enterprise WLAN should be configured to use a pre-shared key (WPA or WPA2 PSK). And we recommend focusing on the identity of the user rather than only on a password.

Our recommended best practice for an enterprise wireless network includes the use of WPA2 Enterprise – which uses 802.1X for authentication, AES for encryption and an AAA server which supports RADIUS.

With management software, you will have around-the-clock visibility of what is happening on the network in real time.

Stick to industry standards and ensure your network can show an audit trail. Wireless is robust. Wireless LANs, with security properly enabled, are more secure than the wired network. There. I’ve said it.

Mark Smith is regional director for the UK and Ireland at Trapeze Networks