
A Security Blanket?

Nearpoints
8/28/2006

11:15 AM -- I think we can put “security” to bed as a showstopper in WLAN deployments. You know the basics: Turn on WiFi security, but don’t use WEP. Rather, use WPA at a minimum or WPA2 if you have it. But, much more importantly, use some form of upper-layer security (VPNs) and authentication (like 802.1X). Using airlink security alone means that data appears in the clear outside of the WLAN itself. Sure, the WiFi hackers will be frustrated and largely move on, but the professional information thieves, who should be your real concern, will simply look elsewhere in your network. They’re not the ones out in the parking lot anyway.

One other big problem is that WiFi-based security is still fairly static. Changing keys is a pain in most cases, which means that once someone has access, they usually have it forever. This is why upper-layer tools are so important. If you use them, you can almost ignore WiFi security altogether, although I certainly wouldn’t -- they add some value regardless.

You’ve probably already heard that the Wi-Fi Alliance recently announced its “WiFi Protected Setup”, designed to simplify the process of configuring security. Some vendors, like Buffalo Technology (USA) Inc. and Devicescape Software Inc., are offering variants of this technique now, but it’s worth cautioning here that this process is suitable only for residential and very-small-business installations and doesn’t consider the upper-layer requirements -- which is where we really need a form of simple configuration.

— Craig Mathias is Principal Analyst at the Farpoint Group, an advisory firm specializing in wireless communications and mobile computing. Special to Unstrung
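
The checklist in the post (no WEP, WPA at a minimum and WPA2 where available, 802.1X authentication), written as a configuration check; this is an added example, not part of the original post. It assumes hostapd-style key names, and the three configurations are constructed for illustration.

```python
# Added example; hostapd-style keys are an assumption, configs are constructed.
PERSONAL_CONF = """
ssid=office
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_passphrase=constructed-example-passphrase
"""
ENTERPRISE_CONF = """
ssid=office
wpa=2
wpa_key_mgmt=WPA-EAP
ieee8021x=1
"""
WEP_CONF = """
ssid=legacy
wep_key0=0123456789
"""

def parse_conf(text):
    """Parse key=value lines, ignoring blanks and '#' comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf

def audit(text):
    """Return a list of findings; an empty list means the checklist passes."""
    conf = parse_conf(text)
    findings = []
    wpa = int(conf.get("wpa", "0"))  # bit 0 = WPA, bit 1 = WPA2 (RSN)
    key_mgmt = conf.get("wpa_key_mgmt", "").split()
    if any(k.startswith("wep_key") for k in conf):
        findings.append("WEP keys configured: do not use WEP")
    if wpa == 0:
        findings.append("WPA/WPA2 disabled: airlink is open or WEP-only")
    elif not wpa & 2:
        findings.append("WPA only: enable WPA2 where clients support it")
    if "WPA-PSK" in key_mgmt:
        findings.append("WPA-PSK: shared static key, valid until someone changes it")
    if "WPA-EAP" not in key_mgmt or conf.get("ieee8021x") != "1":
        findings.append("802.1X not enabled: no per-user authentication")
    return findings

if __name__ == "__main__":
    for conf in (PERSONAL_CONF, ENTERPRISE_CONF, WEP_CONF):
        print(audit(conf))
```

The upper-layer VPN the post recommends is not visible in an access-point configuration and has to be checked separately.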

lrmobile_rusty
12/5/2012 | 3:43:09 AM
re: A Security Blanket?
It sounds like what you are suggesting is that all workstations that connect to any LAN using a wired or wireless connection need a VPN. I mean, if Wi-Fi is not secure even with WPA/WPA2, then surely wired connections need a VPN at all times as well.

Also, I assume you are only referring to WPA/WPA2 Personal when you are talking about changing keys. When you use WPA/WPA2 Enterprise the keys are generated during your 802.1X authentication.

I kind of see WPA/WPA2 Personal key rotation as a moot point because if you have an enterprise network you should be using WPA/WPA2 Enterprise to allow for management of user authentication settings on a large network.
meshsecurity
12/5/2012 | 3:43:04 AM
re: A Security Blanket?
Well, so I am dealing with some security issues today...so, please bear with my latest tirade.

Here is the wrong way to implement IPS or any other type of integrated security in a wifi product.

http://www.cisco.com/en/US/pro...

Yes, I am not a Cisco fan.


mesh
meshsecurity
12/5/2012 | 3:43:04 AM
re: A Security Blanket?
Complete content inspection is what is necessary in data network security today. So, you have WPA2 enabled -- no one hacks your wireless network (done). Next, you enable VPN throughout wireless/wired connections (done). So, I embed a virus in an email sent by an infected user that authenticates over your wireless with WPA2, initiates/establishes a trusted VPN connection into your network, but within the email is a virus?

Answer: Complete content inspection and reassembly... and don't come back with point security solutions b/c there are a million hacks around that architecture. Today, you trust no connection. You can do a lot with a UTM architecture today.



mesh
lrmobile_rusty
12/5/2012 | 3:43:01 AM
re: A Security Blanket?
I am with you when it comes to content inspection. I just don't see the need for a VPN if you are already secured with WPA/WPA2 and the user is accessing only the LAN.

I can see using a VPN for layer 3 roaming and in certain other scenarios, but in general I think people are stuck in the past when they think that you need a VPN to secure Wi-Fi. WPA and WPA2 will secure the access link if you install the network correctly.
wifi_ab
12/5/2012 | 3:42:57 AM
re: A Security Blanket?
If you are using a centralized encryption architecture (a la Aruba), a VPN overlay is redundant. Encrypt everything (wireless and wired), bring it back to data center and apply UTM. This is the way to go.
meshsecurity
12/5/2012 | 3:42:56 AM
re: A Security Blanket?
Please explain to me the encryption protocols that you would propose in this Aruba architecture? How is this accomplished again?

wifi_ab
12/5/2012 | 3:42:56 AM
re: A Security Blanket?
Works by terminating the 802.11i/WPA2 encryption (AES) directly on the controller in the data center instead of the AP and tunneling the encrypted packets over the wired network.
meshsecurity
12/5/2012 | 3:42:55 AM
re: A Security Blanket?
wifi_ab,

I am familiar with their architecture. You are stating that these packets are tunneled over a tunnel wired network. GRE with some form of proprietary encryption for the tunnel, right?

mesh
farpoint
12/5/2012 | 3:42:49 AM
re: A Security Blanket?
The problem with .11 security is that it deals only with the airlink. Therefore it obviously has no effect or benefit outside the WLAN, where other very real vulnerabilities exist. That's why I recommend the use of VPNs.

Sure, it's possible to work around almost any security measure - that's why our objective needs to be to make the network sufficiently secure so that casual hackers give up, and professional information thieves must devote more money than they could make to cracking a given net.

Thx. Craig.
farpoint
12/5/2012 | 3:42:49 AM
re: A Security Blanket?
You're correct. I was only referring to WPA/2 Personal. I find this is used even in enterprises where they should indeed be using .1X, which is why I mention the problem.

As for VPNs - why, yes, indeed, I do believe we should use them all the time...

Thx. Craig.