Fear and loathing in the Wi-Fi – Tanner – security problems lead to ban on wireless networks – Brief Article
John C. Tanner
Last year’s revelations that 802.11b wireless LAN technology had a serious security problem — or, more specifically, that the Wired Equivalent Privacy (WEP) encryption specified for 802.11b and the RC-4 algorithm on which it is based had a security problem — has apparently spooked a number of US high-tech institutions.
In late January, for example, USA Today reported that the Lawrence Livermore National Laboratory (LLNL) in California, which conducts nuclear weapons research and other projects for the US government, announced a ban on Wi-Fi networks on its property, and that its sister institute at Los Alamos was considering a similar measure, because of security concerns.
LLNL says the ban is “temporary” and applies mainly to ad hoc WLANs set up in its “Open and Property Protection areas”. The directive states: “Any program / directorate with an existing wireless LAN in these areas must disconnect it from all LLNL institutional networks (if applicable) and obtain an approved exception to this policy before resuming operation of the LAN.”
The directive goes on to say that the only way to get a waiver on the policy is to set up a standalone WLAN that doesn’t interconnect with LLNL’s network and doesn’t handle any sensitive or classified material of any kind.
The LLNL directive is a logical extension of a decade-old ban of any RF comms equipment in its classified areas (including cellphones), and is really only to be expected from an institution that, well before 9/11 — and, before that, Republican obsessions over alleged Chinese espionage — placed a priority on tight security.
Nowadays, however, many US organizations have security higher up on their priority lists. The US Department of Transportation is investigating the use of WLANs at airports for curbside check-in because of airline concerns that crackers could break into networks and alter flight and passenger details. Last year, the M.D. Anderson Cancer Center in Houston cancelled a Wi-Fi pilot over fears that patient data might be intercepted.
All legitimate concerns, but probably a bit overblown since WEP’s security shortcomings alone don’t make Wi-Fi a 100% vulnerable network that anyone can hack.
WEP only covers physical access between the terminal and the access point, WLAN operators can add stuff like IPsec and secure IPv6 at the transport layer, and run a VPN app on top of that — stuff that corporate users and places like LLNL should be doing anyway. That level of security may not even be necessary for things like coffee shops offering free connections or community-oriented access points. Concerned users can install firewalls to keep all but the more experienced and determined hackers out of their laptops.
Either way, these techniques should keep Wi-Fi secure enough until the new TKIP (temporary key IP) protocol is available for existing equipment later this year and the 128-bit AES encryption algorithm is incorporated into commercial 802.11b products in 2003 — after which running other security measures is advisable anyway.
In any event, Wi-Fi security fears among some US institutions seem to be the exception to the rule.
Concourse Communications and iPass are currently working to deploy WLANs in several US airports (yes, airports). These won’t be limited to VIP lounges or specific cyber-cafe areas — they will cover just about any place a passenger can sit down and wait for a plane.
In the same week that LLNL issued its WLAN directive, Japan Telecom announced that it would add four new test locations along the Japan Rail Yamanote line for its 802.11b wireless LAN service.
Also that week, South Korea got two commercial WLAN offerings. KT Corp upgraded its Nespot Wi-Fi service to full commercial status, allowing subscribers of its Megapass broadband service to access WLAN hotspots currently available in 42 locations nationwide for an extra 35,000 won a month. Rival telco Hanaro Telecom also launched its commercial wireless LAN service, HanaFos AnyWay, with 100 service hotspots that week.
New niche market
Evidently, service providers see a business case for offering wireless megabit connectivity to laptop users, badly designed crypto or not. How they fare remains to be seen, but it should get even more interesting when next-gen Wi-Fi5 — running on the 5 GHz band and promising data speeds of 54 Mbps — hits retail shops one or two years from now.
In the meantime, organizations that are really worried about security can rest assured that they are a niche market waiting to happen. Later this year, Harris Corporation will commercially release SecNet11, a “Secure Wireless Local Area Network (SWLAN)” product for government and military applications that’s compatible with Cisco’s Aironet 350 WLAN gear. And it’s endorsed by the National Security Agency. Feel safer already, don’t you?
COPYRIGHT 2002 Advanstar Communications, Inc.
COPYRIGHT 2004 Gale Group