Many organizations are implementing wireless LANs to allow mobile communications between departments or remote buildings and, increasingly, to complement traditional wired networks. Although productivity and convenience drive the business case for wireless networks, security remains a serious consideration. This is especially true in the financial world, where customers' and partners' money is at risk.
In this tip, we'll take a brief look at where wireless security started and explain important enhancements that should be applied when deploying wireless technology.
There is no question that wireless technology provides the speed and mobility that financial services need, but poor security undermines confidence in conducting business over the airwaves. Wired or wireless, users transmit everything from sensitive corporate financial data to customer information and employees' personal information. Just ask TJX, whose poor wireless security allowed its networks to be breached at an estimated cost of $150 million. The cost of a data breach for financial services organizations was $239 per compromised record, more than 21% higher than the average, according to a recent
Financial organizations that utilize wireless technology lose credibility if customers aren't confident that their personal information is safe as it traverses the network. The bottom line is that 802.11's wired equivalent privacy (WEP) technology is simply not robust enough.
WEP was originally intended to offer a degree of security comparable to that of a wired network. It introduced authentication between network clients and access points along with packet encryption. WEP's authentication relies on shared keys, meaning the client and the access point need the same key in order to communicate. Using one identical key is very insecure: it leaves the entire WEP architecture prone to attacks throughout the authentication exchange and undermines the integrity of the whole process. Further, WEP encrypts with the RC4 stream cipher (40- or 104-bit key), which has well-known weaknesses; attackers simply use hacking tools such as AirSnort to discover weak keys, which can then be cracked, exposing your data.
That being said, you can deploy WLANs securely. With thorough planning and effective use of technology, wireless networks can be as secure as wired networks. The IEEE has responded to wireless security concerns by creating the 802.11i standard, also known as Wi-Fi Protected Access 2 (WPA2), which explicitly addresses WEP's security holes by enhancing the encryption algorithm, access control, authentication and integrity protection.
The 802.11i standard provides enhanced wireless security by using the following security components:
- Encryption with the 128-bit Advanced Encryption Standard (AES).
- Exchange of information regarding network security.
- Automatic cryptographic key management and secure delivery.
- Authentication of devices and users through the IEEE 802.1X standard for port-based access control and the Extensible Authentication Protocol.
While the 802.11i standard was being developed by the IEEE, a subset called Wi-Fi Protected Access (WPA) was produced. WPA:
- Uses 128-bit keys in the encryption process but is compatible with existing wireless equipment.
- Uses a stronger message authentication code, the message integrity code, which inhibits replay attacks. The Temporal Key Integrity Protocol dynamically provides a new encryption key for each packet sent.
- Is designed for use with an IEEE 802.1X authentication server so that different keys are disseminated to each user. WPA can still be used in a less secure mode, preshared keys, where every user is given the identical key.
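The two lists above describe what an 802.11i deployment should look like (AES-CCMP, 802.1X) and the weaker modes it replaces (WEP, TKIP, preshared keys). The following audit script, added here as an illustration rather than code from the article, decodes the RSN and WPA information elements that access points advertise in their beacons and flags any AP that falls short of that baseline; the beacon byte strings are constructed for the example.

```python
"""Audit an access point's advertised security against the 802.11i baseline
(AES-CCMP cipher + IEEE 802.1X). Added example; the beacon bytes are constructed."""
import struct
RSN_OUI, WPA_OUI = b"\x00\x0f\xac", b"\x00\x50\xf2"   # suite selector OUIs
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
AKMS = {1: "802.1X", 2: "PSK"}

def parse_suites(body, oui):
    """Decode the layout shared by the RSN (tag 48) and WPA (tag 221) elements."""
    if struct.unpack_from("<H", body, 0)[0] != 1:
        raise ValueError("unexpected RSN/WPA version")
    off, pairwise, akms = 6, [], []     # skip 2-byte version + 4-byte group suite
    for out, table in ((pairwise, CIPHERS), (akms, AKMS)):
        count = struct.unpack_from("<H", body, off)[0]
        off += 2
        for _ in range(count):          # each suite: 3-byte OUI + 1-byte type
            suite = body[off:off + 4]
            if len(suite) < 4: raise ValueError("truncated suite list")
            off += 4
            known = table.get(suite[3]) if suite[:3] == oui else None
            out.append(known or "unknown:" + suite.hex())
    return pairwise, akms

def classify(privacy_bit, ies):
    """ies: (element id, body) pairs from a beacon. Empty findings = 802.11i-compliant."""
    rsn = [b for eid, b in ies if eid == 48]
    wpa = [b[4:] for eid, b in ies if eid == 221 and b[:4] == WPA_OUI + b"\x01"]
    if rsn:
        label, (pairwise, akms) = "WPA2/802.11i", parse_suites(rsn[0], RSN_OUI)
    elif wpa:
        label, (pairwise, akms) = "WPA", parse_suites(wpa[0], WPA_OUI)
    elif privacy_bit:                   # privacy bit set but no RSN/WPA element
        return "WEP", ["WEP: static RC4 key, replace with 802.11i"]
    else:
        return "open", ["no encryption at all"]
    findings = [c + " pairwise cipher allowed (not AES-CCMP)"
                for c in pairwise if c != "CCMP"]
    findings += ["preshared key mode: every user holds the same key"
                 for a in akms if a == "PSK"]
    return label, findings

# Constructed beacons: WEP only, WPA with TKIP and a preshared key, and 802.11i.
WEP_AP = (True, [])
WPA_TKIP_PSK = (True, [(221, WPA_OUI + b"\x01\x01\x00" + WPA_OUI + b"\x02\x01\x00"
                        + WPA_OUI + b"\x02\x01\x00" + WPA_OUI + b"\x02")])
WPA2_EAP = (True, [(48, b"\x01\x00" + RSN_OUI + b"\x04\x01\x00" + RSN_OUI
                    + b"\x04\x01\x00" + RSN_OUI + b"\x01\x0c\x00")])

if __name__ == "__main__":
    print([classify(*ap) for ap in (WEP_AP, WPA_TKIP_PSK, WPA2_EAP)])
```

Feed it the information elements from real beacons (for example, captured with a wireless sniffer) and any AP whose findings list is non-empty is not running at the 802.11i level the article recommends.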
It can easily be argued that wireless networks are more vulnerable to security breaches than other technologies. Major breaches, like the one at TJX, where weak WLAN security caused the unauthorized disclosure of millions of credit card numbers, can lead to exorbitant recovery costs, violations of regulatory compliance, and severe damage to the confidence of consumers who have to trust financial institutions with their personal information. Each organization must ensure that if it decides to embrace wireless technologies for business advantage, it follows best practices by implementing the 802.11i standard. Although there is no way to entirely eliminate the risk of a security breach into any organization's network, many regard 802.11i as the best available remedy for WLAN security concerns.
About the authors:
Craig Norris, CISSP, CISA, G7799, MCSE, Security+, CAPM, TICSA, is a Regional Sales Manager at an IT consulting firm in Dallas. He has been involved with information technology and security for over 12 years. He can be contacted via firstname.lastname@example.org.
Tom Cadle, CISSP, CEH, MCT, MCSE, is the information systems security officer for a multibillion dollar, international company. He has been involved with information technology and security for over 16 years. He can be reached at email@example.com.
This was first published in January 2008