Knock Three Times ...

How can the airwaves--particularly the ISM (Industrial, Scientific and Medical) 2.4-GHz shared-usage frequencies--be private property? They can't. But the equipment that supports the WLAN is private, and that's what people are trespassing on. When WEP is enabled on a WLAN access point, the PC, PDA, inventory scanner, WLAN phone or other wireless device must have the same key as the AP to gain admittance to the WLAN. The owner of a device that doesn't have the key must break the key if he or she is determined to get in. I've heard researchers claim that the vast majority of people will not enter property with a No Trespassing sign posted at the gate. Based on informal discussions with readers and security seminar attendees, I'd have to agree--even those who want to see for themselves how easy it is to attack a WEP key say they'd do so only with the WLAN owner's permission.

In this limited use of WEP, you're not trying to keep your WLAN safe from attackers--you have firewalls, VPNs, IDSs and static IP addresses to do that. You're just posting the No Trespassing sign. This means you don't need a different WEP key for every workstation and you don't need to change each WEP key every 10,000 data frames. Not that you should just set it and forget it; you should change your WEP key as often as you'd weed the area around a No Trespassing sign in your yard.

And because all WLAN devices support up to four concurrent WEP keys but use only one of them for encryption, you can implement a simple three-step key rollover process. Step 1, stage the new key in all the access points; Step 2, add the key to the wireless devices and designate it the encryption key; Step 3, after all the wireless devices have been updated, set the new key as the encryption key in the access points. This will help keep the weeds around your No Trespassing sign at bay.

If a user complains that he or she can't access the WLAN, check the WEP key number he or she is using to determine whether it's current. Just be sure your WLAN's SSID (Service Set Identifier) is pronounceable: Red, Maple Tree and Eagle are names that leap to mind.

Security Stopgap

WEP is not a critical part of your WLAN security, but it will continue to play an important role until IEEE 802.11i ships. That may not happen until late 2003, though the WiFi Alliance is implementing an early draft of 802.11i now as an interim security measure. This is not the role WEP's developers envisioned it would play, but WEP is too easily defeated to provide anywhere near the level of security provided by true security tools. For all WEP's attackability, its absence leads the uninformed to believe WLANs are unprotected even when the real WLAN security measures are firmly in place behind the scenes.

So WEP, with all its weaknesses, is the de facto Keep Out sign. Post it now. Just be sure to back it up with some bona fide security measures.