802.11 Security: Fact and Fiction

On the ISP-Wireless discussion list in February, MR

queried,

“I
was trying to pitch wireless service to someone recently, and he showed
me a Wall Street Journal article that said wireless isn’t secure. What
do you think?”

A number of respondents contended that the fears are overblown:

[RR recalled] “We recently had a bank

question us about our security. We explained that neither wireless or

wired connections are secure unless you use secure servers. If anyone

is really concerned about their data, then they need to encrypt from both

points, not just one segment in the middle.”

[MKS agreed] “It’s not much harder to

get traffic via wired networks than wireless. If the data is that sensitive,

they need to encrypt it before it leaves the PC or LAN. We don’t use any

encryption here. If someone wants things encrypted, they need to do it

themselves. Educate your customer about the risks.”

PF suggested that the situation’s a

little more complex than that:

“The one thing you’re missing is that even with encryption, the 802.11

headers and beacons are not encrypted. Until the radios encode the entire

802.11 frame, you are vulnerable to people getting beacons and intercepting

traffic. So encrypt all you want; just make sure that you’re actually

talking to who you think you are, because current 802.11 specs can’t do

it for you.”

JM countered that holes in wireless

aren’t quite that easy to find:

“Ultimately, hacking into a wireless network is no different than hacking

into any other network. There are several things that a would-be hacker

would need to know to get into a ‘secure’ wireless network: ESSID, valid

IP address, valid MAC address, and a rule set up on our traffic shaper

allowing traffic to actually pass per your specific MAC address and IP.

Security lies more in the admin and the network than it does in the technology.”

[MS agreed] “I plan on binding IPs to

MAC addresses in the router to prevent anyone from getting on the Internet

without authorization. At a certain point, though, you can only do so

much. Sure, the wireless system can be broken into, but so can the Internet

itself. Whoever said the Internet was secure?”

BM observed a particularly depressing

security concern:

“I have an associate in my office who sets up wireless LAN systems indoors.

He says the biggest security hole is that many admins never change the

security parameters on their equipment, choosing to use factory defaults”

[RC agreed] “I have walked directly

through many firewalls using default passwords and settings.”

CM provided a summary:

“Yes, it is possible to break into any network given enough time and

money. For wireless, just listen, store, and decrypt to gain information,

and spoof for access. For wired networks, find a wiring closet and some

alligator clips.

The level of security needed also must be based on the type of service

being offered: public Internet access, contrary to public belief, does

not need to be secure, since the other 10-15 hops on the public Internet

are also unencrypted and readily sniffed.

Is current wireless technology sufficient to stop the casual listener?

Most certainly, since the barrier to entry is the cost of equipment. Is

it secure enough to stop a determined break-in? No more than any wired

solution, and since the gear is usually on the roof and locked up, you

have a leg up on the DSL guys: their termination jacks are all outside,

unlocked, and calling out to be opened.”

Get the Free Newsletter!

Subscribe to our newsletter.

Subscribe to Daily Tech Insider for top news, trends & analysis

News Around the Web