The past 2 years have brought enormous growth in the usage of networks based on Wi-Fi, the 802.11b wireless standard. However, 802.11b is inherently insecure, making it unsuitable for enterprise deployment unless you take certain steps. Here's what you need to know about wireless networking and security.
Wired Equivalent Privacy (WEP) is an algorithm for protecting wireless communications against eavesdropping and preventing unauthorized access to wireless networks. WEP uses encryption to establish a shared key between a wireless access point (WAP) and a wireless station (e.g., a wireless networking adapter in a laptop or PDA). The shared key ensures that transmitted data isn't modified before it reaches the wireless station.
Modern wireless solutions are compatible with WEP. However, many home wireless networks aren't compatible with WEP or don't turn it on by default. Furthermore, WEP isn't a complete security solution. Key creation between the WAP and wireless stations isn't standardized, so different products often use different methods to create keys. As a result, WEP is open to several forms of attack that use relatively well-known techniques. Worse still, attacks on WEP don't require much technical sophistication: Attackers can use standard consumer-grade Wi-Fi hardware to monitor traffic.
To provide business-grade Wi-Fi security, an IEEE Task Group has proposed the 802.1x architecture, which works with 802.11b to provide access control, authentication, and key-management services. Modern operating environments support 802.1x out of the box and by default, refuse to work with pre-802.1x networks.
802.1x uses the Extensible Authentication Protocol (EAP), which ties network authentication to the underlying wired infrastructure in an approach known as EAP over LAN (EAPOL). For the best security, EAPOL requires three hardware components: the WAP, the wireless station, and a Remote Authentication Dial-In User Service (RADIUS) server.
Authentication is a multistep process. The wireless station connects to a WAP, which requests the wireless station's ID. The station sends the ID in encrypted form, and the WAP forwards it to the authentication server, which returns an accept packet to the WAP. The WAP then opens a port on the wireless station and allows traffic to proceed. To increase security, 802.1x blocks traffic such as DHCP, FTP, HTTP, POP3, and SMTP.
The 802.1x specification doesn't include key distribution and management functionality. For this reason, 802.1x, like WEP, isn't the only wireless security system that enterprises need. To truly secure a wireless network, you need to implement data frame encryption that surpasses WEP's 40-bit length and a more robust key management system than most wireless vendors provide.
Secure wireless networks aren't an impossibility, but implementing one requires you to limit your potential attack surface and to do what you can to ensure that data traveling between sensitive areas and the outside world is encrypted. Unfortunately, no standalone, off-the-shelf wireless solutions can satisfy these requirements, at least not yet.
One of the best ways to secure your internal network is to physically separate it from the wireless network, implement 802.1x, then establish VPN tunnels between the two on a limited basis. Also, consider upgrading to XP SP1 or some other 802.1x-compatible client on the desktop before allowing any inhouse wireless access.