Who's reading your e-mail? Hackers? Competitors? If you're among the companies that have set up an 802.11b-or Wi-Fi-Wireless LAN (WLAN), you may have more people downloading files from your network than you have on your payroll. Some may even be planning to sabotage you.
Crackers (expert hackers) have begun "war driving"-that is, cruising neighborhoods using sniffer programs on Wi-Fi-equipped portables to find WLAN nodes. They're also developing software to exploit 802.11b's weak 40-bit Wired Equivalent Privacy (WEP) encryption and other vulnerabilities.
"Right now, they're doing some experimental looking and touching to see what they can access," says Elias Ladopoulos, chief strategy officer at Digital Frameworks Inc. in Forest Hills, New York. "The next step is to develop applications that will take advantage of these vulnerabilities."
At the very least, hackers might read your e-mail, download files and hitchhike on your fast Internet connection. At worst, they might steal secrets, plant viruses, deface Web pages or enlist your network's resources in distributed denial of service (DDOS) attacks.
But you're not defenseless. There are products and practices to safeguard your wireless net from intrusion.
Not the Same Ol' Security
For starters, WLANs need different kinds of software and mechanisms than those protecting your wired network, Web connections or portables. Unfortunately, most Wi-Fi security conventions are neither robust nor well-implemented.
of businesspeople surveyed could be classified as pirating software and content off the Internet.
SOURCE: The Software & Information Industry Association & KPMG
Not only is the 40-bit WEP algorithm easily cracked, but it's rarely used anyway, notes John Pescatore, Gartner Inc.'s research director for Net security. A 128-bit, military-quality AES encryption algorithm should be in place by year-end, but weak encryption keys and initialization vectors will still leave networks vulnerable. Says Pescatore, "WEP is broken, and it's really not going to be fixed."
Actually, WEP was never intended to be more than baseline security for noncritical networks, says David Cohen, former chair of the Wireless Ethernet Compatibility Alliance. Standards bodies expect product providers to add tougher security themselves, says Cohen.
That's just what high-end vendors like 3Com, Agere Systems, Cisco and Proxim do-although in slightly different ways. For example, each user on a 3Com or Cisco WLAN is assigned a unique 128-bit encryption key that changes every session to deny hackers the time they need to figure out network traffic patterns. Proxim's Harmony 802.11b Wi-Fi products let administrators configure keys to change several times per session.
Unfortunately, none of the companies' security schemes works in networks with equipment from a variety of vendors. Besides, says Ladopoulos, some of their methods can slow down performance by as much as 50 percent.