Security concerns still plague wireless take-up

'Be afraid, be very afraid' is the attitude of many companies when faced with the prospect of using a wireless network.

Because wireless is about broadcasting data that often goes beyond company perimeters, businesses worry that it won't be secure enough. And who can blame them, with a regular stream of surveys highlighting gaping security holes?

Security consultancy Orthus found that two-thirds of European businesses deploy wireless networks, but only 28 per cent have audited their wireless local area networks (Lans) for vulnerabilities.

Just 12 per cent are using antivirus software, 23 per cent use basic password-protecting access, and only 18 per cent have issued security policies covering their wireless Lans.

Earlier this year the Department of Trade and Industry's Information Security Breaches survey revealed that a mere one-fifth of UK firms use the basic encryption protocol wired equivalent privacy and other encryption tools to protect wireless networks.

Bearing these figures in mind, it is understandable that in May MPs were banned from using wireless technologies at Westminster until security can be guaranteed.

Responding to concerns over the security of data, Sir Archy Kirkwood, House of Commons Commissioner, said: "The House of Commons authorities have taken a cautious approach to the introduction of wireless technology within Westminster because of security concerns.

"No services using wireless technologies will be offered until these concerns have been addressed."

Adding to the sense of lawlessness, research by RSA Security shows that London firms leave a quarter of wireless networks on default settings, broadcasting information and making easy pickings for drive-by hackers.

What all these surveys also show is that wireless take-up is unstoppable. In London alone, wireless networks have grown by 770 per cent since 2001, according to RSA.

"IT managers have been caught out by the fact that wireless arrived so quickly and has been implemented so readily by organisations," explained Tim Pickard, RSA Security's strategic marketing director.

"IT directors have misjudged, thinking employees will wait until policies are in place. Because of its low cost, departments have brought it in under the radar."

He believes that IT directors must regain control, but should be reassured by the fact that wireless can be made secure enough for mission-critical applications if it's done within the confines of the IT infrastructure and security policies.

Fortunately, new standards are making it easier to eliminate the human risk. "Protocols such as 802.11a and 802.11g allow network managers to monitor frequencies for rogue access points even if switched off," said Pickard.

There may be a wait until products are certified for 802.11i support, but Pete Smith, IT and telecoms director at satellite telecoms supplier Inmarsat, is upgrading the company's wireless network with an eye to a more secure future as standards develop.

Inmarsat is installing kit from Aruba Wireless Networks throughout its headquarters, where two-thirds of employee laptops are wireless.

"The platform is independent of any manufacturer and it means we can take advantage of any new security features and standards quite easily," said Smith.

Wireless is secure enough for high-end business use at Inmarsat because security is a priority. The network is subjected to health checks twice a year.

Being an early wireless adopter since 1999 means that "the system has paid for itself" through savings on maintaining cable, according to Smith. But many firms have implemented wireless Lans insecurely.

"We have 14 in firms surrounding our building, but most are unprotected," claimed Smith. "Security of a wireless network is not a problem if you maintain it."

All Inmarsat's key engineering systems are on a wired network.

"If there is no need for the flexibility that wireless brings, then don't use it," warned Bart Vansevenant, director of European strategies at security firm Ubizen.

"It is more risky than a wired network and it comes down to managing that risk. But if wireless will be beneficial to the business, it would be a shame not to use it."

Richard Hollis, managing director of Orthus, believes that wireless is a more securable technology than an internet-facing Lan system or a website.

"The advent of Wi-Fi Protected Access standard with encryption at the application level per session, per packet, per user has erased 90 per cent of vulnerabilities," he claimed. "Data can only travel from the client to the access point and can't be intercepted."

Hollis said that publicity exposing the danger of drive-by hackers to unsecured 802.11b networks, which are the most common type, "inadvertently poured petrol on the fire about the insecurity of wireless and broadcasting data".

"The real problem is ignorance, with people taking products out of the box and not enabling the security features," he said. "Now we are getting over that."

Ignorance will not give way to insight any time soon, according to Gartner, which predicts that poor configuration of Wireless Lan access points and client software will be at the root of 70 per cent of attacks against business networks until 2006.

But as standards evolve and security is strengthened, some of the uncertainty surrounding the technology will subside ð a good thing, considering its prevalence.

Wireless standards explained
By Laurika Bretherton

802.11
The IEEE standard for wireless Lans. It uses three different physical layers, 802.11a, 802.11b and 802.11g

802.11a
Operates in the 5GHz band, and supports a maximum data rate of 54Mbps. Maximum range: 50 metres

802.11b
Most wireless Lans deployed today use 802.11b technology, which operates in the 2.4 GHz band and supports a maximum rate of 11Mbps and maximum range of 75 metres. Bluetooth devices, 2.4GHz cordless phones and even microwave ovens are sources of interference for 802.11b networks

802.11e
802.11e provides Quality of Service support for Lan applications, which will be critical for delay-sensitive applications such as voice-over wireless IP.

802.11g
Offers the throughput of 802.11a with the backward compatibility of 802.11b. It will operate in the 2.4GHz band but deliver data rates from 6Mbps to 54Mbps

802.11h
Complies with European regulations for 5GHz wireless Lans. European radio regulations for the 5GHz band require products to have transmission power control and dynamic frequency selection.

802.11i
This standard is intended to improve wireless Lan security. It defines new encryption key protocols including the Temporal Key Integrity Protocol and the Advanced Encryption Standard.

802.15
This IEEE working group addresses the standard for wireless personal area networks (Pans). It has four active task groups.

802.15.1: Delivers the standard for low-speed, low-cost wireless Pans and is based on the Bluetooth specification.
802.15.2 : Developing the recommended practices on how 802.11 wireless Lans and 802.15 wireless Pans can co-exist in the 2.4GHz band. It is mainly working on the interference problem between Bluetooth and 802.11.
802.15.3: Delivering a standard for higher speed wireless Pans from 10Mbps to 55Mbps at distances less than 10 metres.
802.15.4: Is preparing a standard for simple, low-cost, low-speed wireless Pans. Data ranges from 2Kbps to 200Kbps and uses DSSS modulation in the 2.4GHz and 915MHz ranges.

Bluetooth
A wireless technology developed by Ericsson, Intel, Nokia and Toshiba that specifies how mobile phones, computers and PDAs interconnect, with each other, with computers, and with office or home phones. The technology enables data connections between electronic devices in the 2.4GHz range.

Source: IEEE