Wireless LANs Reach the Last Hurdle

  June 10, 2002
  By Dave Molta


When reports began circulating in mid-2001 that researchers had found the IEEE 802.11 WEP (Wired Equivalent Privacy) security system was vulnerable to attack, the news cooled an extremely hot wireless LAN market. Wireless technology's performance, interoperability and manageability continued to improve, while security loomed as an insurmountable hurdle.

Indeed, when Network Computing led a four-city "Solutions Summit" on WLANs (wireless LANs) late last year, nearly 80 percent of the 300 attendees identified security as the greatest obstacle to deployment of wireless LANs in their organizations. Our recent WLAN security reader poll confirmed these impressions. Fewer than one-third of the respondents said they would be willing to accept a little less security in exchange for the benefits of wireless network access.



But the biggest barrier to implementing WLANs is beginning to come down. If you're contemplating adding wireless LANs to boost productivity in your organization, you can implement a secure system. However, the IEEE 802.11 Task Group i has struggled to gain enough vendor consensus to get new wireless security standards out the door. On a more positive note, a broader and more robust set of products based on existing 802.1X standards has begun to appear in the market. In addition, a number of vendors have jumped on the obvious market opportunity and released WLAN security overlays that provide a range of enhanced services, addressing the major problems. Agere Systems, Cisco Systems, Proxim Corp., Symbol Technologies and others have enhanced their WLAN security offerings, though their solutions often force you to forsake multivendor interoperability.

In implementing a secure WLAN, you'll need to ante up to acquire security hardware and software and accept the burden of increased complexity. One size definitely does not fit all. First, you need to understand the key elements of a comprehensive WLAN security system. Next, you must assess your organization's level of risk aversion and the price you are willing to pay to achieve security. Finally, you have to understand the alternative systems available.

The Business Case for WLANs

Organizations have long recognized that providing mobile access to information using WLANs can improve the bottom line. In one of the most systematic studies of WLAN benefits, NOP World Technology, a British research outfit owned by United Business Media, concluded that companies implementing WLAN technology can increase the amount of time an enterprise network is available by 70 minutes per day for the average user, boosting his or her productivity by as much as 22 percent. This study did a good job of identifying the types of organizations that benefit most from WLAN deployment and the types of applications for which the technology is best suited. If the employees in your organization spend all day, every day, glued to the computers in their cubicles and don't have much need for mobility, you won't see many benefits from a WLAN, save perhaps for reduced wiring costs. At the other extreme, if mobile access to information can transform your business processes, you can look forward to some significant ROI (return on investment).

Most of us work in organizations that fall somewhere in between. And in many cases, WLANs are just a convenience. Sure, it would be nice to be able to access e-mail and the Web from conference rooms, cafeterias and other quasi-public spaces, but can you justify such an investment if one of the costs is diminished security? Some organizations feel security trade-offs may be worthwhile. In fact, in a TNS Intersearch study commissioned by Microsoft, only 42 percent of sites that had installed WLANs had implemented authentication systems. Some of these sites undoubtedly implement their internal WLANs "outside the firewall," providing limited access to internal systems. When users need more sensitive information, you can provide them with VPN connections, just as you do for dial-up, DSL and cable-modem users. That's all well and good, but you still may be vulnerable to war-driving or other external attacks, in which users outside your organization gain access to your Internet connection or to insecure internal systems where they can mount further attacks.






The equation gets more complex when your goal is to provide truly mobile wireless access to secure information systems. For many organizations, that's where the long-term ROI can be found. It's not that tough to imagine the benefits of anytime, anywhere information access to people equipped with wireless-enabled mobile devices like PDAs. Just having Web and e-mail access can be a huge boon to mobile professionals and their employers.

IEEE 802.11 Security Basics

One measure of a standard's success is the degree to which it encourages competition and makes technology more cost-effective for users. By this measure, 802.11b/WiFi has been an unbelievable triumph. Wireless NICs that cost $500 a few years ago are now available for less than $100 and are five times as fast to boot. That's progress even Gordon Moore couldn't predict.

However, another measure of success is the degree to which a standard anticipates and addresses future implementation issues. TCP/IP, for example, crafted more than 30 years ago, has withstood the test of time. By that yardstick, IEEE 802.11's ongoing changes at both the physical and the data-link layers, together with minimal security capabilities, make it easy for us to second-guess the designers. Of course, it took nearly seven years to develop the initial 802.11 standard. Making it secure from day one would have taken longer.

The bottom line is that the 802.11 standard failed to deliver any workable security provisions that would pass muster with enterprise administrators. In the early days, people thought of 802.11's ESSID (extended service set identifier), a string that was defined for each access point, as a wireless password. But implementers soon discovered that the access points routinely broadcast these "wireless passwords" over the LAN. Even when broadcasting was disabled, the strings could be extracted in clear text from the management frames passed by wireless clients and access points. Today, ESSIDs often are detected automatically by WLAN clients, letting users connect to wireless networks transparently, provided no other security points exist.
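To make the point about management frames concrete, here is an added example (not part of the original article) that parses the SSID information element out of 802.11 management frames, for use when auditing what your own WLAN exposes. The frame bytes, MAC addresses and the network name "corp-wlan" are constructed sample data, and the function names are hypothetical.

```python
MGMT_HEADER_LEN = 24  # frame control, duration, 3 addresses, sequence control
# Fixed body bytes before the information elements, per management subtype.
FIXED_BODY_LEN = {0: 4, 4: 0, 5: 12, 8: 12}
SUBTYPE_NAME = {0: "assoc-req", 4: "probe-req", 5: "probe-resp", 8: "beacon"}

def extract_ssid(frame: bytes):
    """Return (subtype name, SSID) from a management frame, else None."""
    if len(frame) < MGMT_HEADER_LEN:
        return None
    frame_type, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if frame_type != 0 or subtype not in FIXED_BODY_LEN:
        return None  # not a management frame that carries an SSID element
    pos = MGMT_HEADER_LEN + FIXED_BODY_LEN[subtype]
    while pos + 2 <= len(frame):
        element_id, length = frame[pos], frame[pos + 1]
        data = frame[pos + 2:pos + 2 + length]
        if len(data) < length:
            return None  # truncated element
        if element_id == 0:  # element ID 0 is the SSID
            # A "hidden" network sends an empty or all-zero SSID here.
            return SUBTYPE_NAME[subtype], data.strip(b"\x00").decode("utf-8", "replace")
        pos += 2 + length
    return None

def build_frame(subtype: int, ssid: bytes) -> bytes:
    """Build a constructed sample frame with hypothetical MAC addresses."""
    ap, sta = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    header = bytes([subtype << 4, 0, 0, 0]) + ap + sta + ap + b"\x00\x00"
    rates = bytes([1, 1, 0x82])  # supported-rates element, 1 Mbit/s
    return header + bytes(FIXED_BODY_LEN[subtype]) + bytes([0, len(ssid)]) + ssid + rates

def exposed_ssids(frames):
    """Collect every non-empty SSID readable from the captured frames."""
    found = (extract_ssid(f) for f in frames)
    return sorted({hit for hit in found if hit and hit[1]})

# Constructed capture: the access point hides its SSID, the client does not.
SAMPLE_CAPTURE = [
    build_frame(8, b""),            # beacon with SSID broadcast disabled
    build_frame(4, b"corp-wlan"),   # client probing for its configured network
    build_frame(0, b"corp-wlan"),   # client associating
]

if __name__ == "__main__":
    for subtype_name, ssid in exposed_ssids(SAMPLE_CAPTURE):
        print(f"{subtype_name}: SSID {ssid!r} sent in clear text")
```

The beacon yields an empty SSID, but the client's probe and association requests still carry the name unencrypted, which is why the ESSID cannot serve as a password.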

Since the standard doesn't provide an authentication framework, sites sometimes implement MAC (Media Access Control) address restrictions to control access to the network. However, this approach is an administrative burden and is vulnerable to address spoofing, and it ties access to the device (which can be stolen) rather than to the user.

Finally, there's wired equivalent privacy--or WEP. Yes, it provides privacy equivalent to the privacy you had on your wired LAN, as long as that LAN had no privacy whatsoever. Noted security experts Scott Fluhrer, Itsik Mantin and Adi Shamir pulled WEP's pants down in 2001, and lots of faces turned red (see "WEP Has No Clothes"). But even if they hadn't exposed the weaknesses in the underlying encryption system, WEP's static shared-key architecture has little appeal for enterprise IT professionals. Clearly, there's a need for privacy based on dynamic session keys that are distributed after a robust authentication.

