Do you use an 802.11-based wireless LAN? If so, are you aware of several security problems in the Wired Equivalent Privacy (WEP) protocol (used in 802.11-based wireless LANs) that can compromise your network? WEP is part of the IEEE 802.11 standard and uses the RC4 encryption algorithm with a 40-bit key to encrypt network traffic. During the past several months, we've published two stories about vendor support for WEP and two stories about several WEP protocol security risks. Recently, researchers have discovered two more security problems that let attackers easily crack WEP's RC4 encryption keys.
Three researchers (Scott Fluhrer, Istak Mantin, and Adi Shamir) published "Weakness in the Key Scheduling Algorithm of RC4," a paper which the three men say proves that "RC4 is completely insecure in a common mode of operation which is used in the widely deployed \[WEP\] protocol." The document outlines two vulnerabilities. The first vulnerability stems from the fact that a small number of secret encryption key bits determine a large number of subsequent key permutation bits. An intruder can use the second weakness to determine the secret part of a key by analyzing particular aspects of encryption key streams.
Although the paper is very technical—people without a significant understanding of cryptography and mathematics might find the paper difficult to comprehend—it reminds us not to depend on only one security method. If you rely on WEP to protect sensitive wireless-network traffic, you're a sitting duck. Until the IEEE adopts revamped encryption specifications for the 802.11 standard (which it's in the process of doing), we can't depend on the standard to offer any significant information security.
Exploits exist already for some of the WEP vulnerabilities—don't think that cracking your wireless LAN takes a rocket scientist. For example, over the weekend, Anton Rager posted Perl scripts to the BugTraq mailing list that help demonstrate and validate the claims the three researchers make in the paper. The code base functionality is limited but clearly proves that penetrating WEP-based network security doesn't take much effort.
Although protecting your WEP-enabled network against intrusion isn't difficult, it does take some effort. One of the most effective security measures you can take is to implement a VPN between all systems that communicate over the wireless network. This setup means that if you have WEP enabled on your wireless LAN and an intruder subsequently cracks WEP on your LAN, then any underlying VPN protocols will still probably protect your network. It's also a good idea use a media access control (MAC) address to restrict access to your wireless network hubs. This configuration ensures that only authorized network cards can communicate on your wireless network.
If you need another reason to better protect your wireless LANs, remember that wireless LANs operate based on radio technology, and radio signals often stray well beyond their intended boundaries. For example, take a laptop computer with an 802.11-based wireless network card, configure the machine to run a DHCP client, and take the laptop with you as you drive around heavily populated business districts or walk around inside large office buildings. You might be surprised to find a few wireless LANs are wide open to the public. If you don't guard against unknown wireless connections, someone will use your wireless network without your knowledge—and who knows what kind of trouble that can lead to?
Before I sign off this week, I want to remind you to patch all your systems—especially laptops—to protect them from the Code Red worms. Be sure to review our article related to Microsoft security bulletin MS01-033. I mention this warning again because many companies have overlooked patching their laptops. Some laptops have Internet Information Services (IIS) 5.0 running on top of Windows 2000 Professional, and as you know, IIS 5.0 is vulnerable to Code Red. When these unpatched laptops connect to the Internet using a connection outside the company's protected internal LAN, they become vulnerable to Code Red infection. A Code Red-infected system can spread the worm back into a company's internal LAN when a user reconnects the system to the LAN. So be sure to patch your Win2K-based laptop systems.