Authentication systems, which use logon and password identification combined with encryption; and intrusion prevention
systems (IPSs), which monitor airwaves and identify and stop intrusions from unauthorized devices, such as "rogue" wireless access points (WAPs).
WLAN security has become increasingly critical for small and midsized businesses (SMBs) as much as large enterprises, according to John Pescatore, a vice president at Stamford, Conn.-based Gartner Inc. "If someone finds out you've got an unprotected WAP, they'll use it," he warns. Casual passersby may simply want a free connection to the Internet; but an unguarded WLAN can also be used for more malicious purposes, such as sending spam, launching a denial-of-service attack or downloading sensitive files.
Lastly, SMBs may need to implement WLAN security in order to comply with government regulations such as the Health Insurance Portability and Accountability Act.
Until recently, the primary WLAN security mechanism was Wired Equivalent Privacy (WEP). WEP is an encryption protocol designed to protect data in transit. However, the standard provides minimal protection -- researchers found that transmissions can be intercepted and modified to give intruders access to a "secured" WLAN. "A teenager can break in," Pescatore said.
While most wireless LANs still support WEP, newer and more effective security standards have entered the market in recent years:
- 802.1X defines a secure, encrypted authentication procedure in which a wireless device, such as a laptop, provides credentials (typically a user ID and password) to the WAP, which then passes them on to a Radius database server for authentication.
- WLAN security systems typically use 802.1X in combination with Wi-Fi Protected Access 2 (WPA2), which distributes encryption keys to create a secure connection between mobile devices and WAPs.
- Intrusion prevention systems attack WLAN security from a different angle. Sensors installed around the building perimeter continually monitor and classify traffic. If an unauthorized access point or denial-of-service attack is detected, the IPS sends packets to automatically disconnect the rogue device from the network and to prevent user devices from accessing it.
A growing number of vendors offer 802.1X authentication platforms and IPSs that target SMBs:
Infoblox Inc.'s Infoblox 1000 appliance, configured with the RadiusOne server module, is priced at $9,995. It comes with a Web graphical user interface and wizards to ease installation and configuration.
Funk Software Inc., which is now part of Juniper Networks Inc., offers its Steel Belted Radius (SBR) Enterprise server software for about $5,000. It provides Radius-based authentication for virtual private networks (VPNs) and 802.1X wireless and wired networks.
Aruba Networks' low-end 200 Mobility Controller provides Radius authentication for up to six Aruba WAPs and 100 simultaneous users. It starts at $1,750.
McAfee Inc. and BoxedWireless provide hosted wireless LAN encryption and authentication services. McAfee's Wireless Security for Small Business hosted service costs $49.99 per year per user for one to four users and $44.99 per user per year for five users and up. BoxedWireless' service starts at $15.50 per month for up to 10 users.
Tips and gotchas
Not all rogue WAPs are operated by rogues. Businesses sharing a building may inadvertently intrude on each others' WLANs. An IPS should be able to tell the difference and disable the neighboring AP's access to your WLAN, but not theirs.
When deploying 802.1X authentication, make sure all laptops and other wireless client devices are equipped with 802.1X "supplicant" software.
SMBs may find it easier to cost justify a Radius server if it isn't just for WLANs. Aruba's Mobility Controller and Funk Software's SBR provide authentication for both wired and wireless LANs and VPN connections as well.
Make sure your WLAN security system supports your wireless cards.
Expert viewpoint: John Pescatore, vice president, Gartner
"We tell our clients, 'If your policy is no wireless LANs, then definitely get intrusion prevention, because if you don't give a WLAN to your employees, they'll sneak it in. Every laptop comes with a wireless card now, and people can pick up a wireless access point at CompUSA for $40.
"If an SMB is already using a virtual LAN, it's smart to segregate WLAN access points on different VLAN segments, for security purposes. A medium-sized business should look at Aruba Networks or Cisco subsidiary Airespace, which implement VLANs on a wireless network through a central switch. WLAN systems with no central switch can set up primitive VLAN segmentation, like everybody can access everything except financial systems.
"Watch out for what we call 'accidental association,' when your employees tap into a nearby company's wireless network. You could be liable. Or someone in the other company could use the link to download something to your PCs, like a virus."
Elisabeth Horwitt is a contributing writer based in Waban, Mass. Write to her at firstname.lastname@example.org.
This was first published in March 2006