Many of us who leverage wireless in an enterprise environment dutifully deploy wireless encryption (WEP or WPA) as well. This is not trivial, as it requires a continual commitment of time and resources in order to maintain the system’s integrity. But is this expenditure really necessary, or is there a more effective solution available that most of us simply overlook?
The need to properly secure wireless
Most of us recognize why wireless connections need to be properly secured. Running a wide open access point is just begging to have your network broken into. Wireless is trivial to sniff and there are tons of tools available to help you crack it. A good wireless hacker knows that proximity affords little protection. I’ve personally been able to get 802.11 working over 5 miles. With the right antennas, others have pushed this as far as 35 miles.
What’s wrong with WEP and WPA?
Most of us understand why WEP is completely broken. If not, Google is your friend. If you don’t understand why WEP is bad, it’s worth the time to do the research. It’s a great example of how to do everything wrong.
So the accepted protocol today for wireless security is WPA. At the time of this writing, WPA is faltering but not completely broken. Researchers have figured out how to perform key recovery in small packets. Vendors have figured out how to speed up the process of brute forcing keys. The recommended WPA key size today is 48 characters or larger. This is far too big for end users to remember, so inevitably the value is written down, in clear text, probably in multiple locations.
There are resource issues here as well. Wireless security is an entire infrastructure system that needs to be managed. Keys and credentials need to be maintained. Even if we take the easy way out and deploy EAP-TTLS we still have a healthy number of components to keep in sync. When things go wrong, troubleshooting can also be a pain as it can sometimes be difficult to determine if the problem is the wireless signal, credentials or even DHCP.
Limiting your data privacy options
When you use WPA, your only data privacy option is AES. AES is a NIST standard that is widely deployed. While it has survived the last eight years without a major vulnerability, timing attacks have been discovered along with a few dents in AES’s armor. It’s never a good idea to put all of your eggs in one basket. This is why we back up mission critical data or transmit it over redundant routes. If the worst occurs and AES is found to be broken, you are completely hosed until a new protocol is chosen and incorporated by vendors. The solution will most certainly include replacing all of your access points, as it did when we moved from RC4 under WEP to AES under WPA.
Exec Summary
So we absolutely need to secure wireless connections but the current options available are either slightly better than useless (WEP) or very cumbersome (WPA). Clearly we need additional possibilities that will reduce administration as well as increase the number of choices for data privacy. In my next post I will propose one possibility that is immediately viable for deployment in today’s enterprise environment.

