Comment: Woe betide wireless wannabes

Organisations wanting to take advantage of the flexibility and convenience of cable-free networks face a number of complex security and support issues, warns Roger Howorth

If any one thing can re-ignite the IT industry, it will be wireless LANs. Having spent a few weeks building various sorts of wireless network in IT Week Labs, it seems the whole mess of technologies and support issues is guaranteed to keep plenty of vendors and support staff busy for years to come.

Our tests focused on security and privacy features. Wireless Encryption Protocol (WEP) is the obvious first step, but we were reluctant to rely on the simple 40-bit and 128-bit versions of WEP encryption because we found a Linux system administration tool that can break such protection within about 20 minutes. To crack the code all you need is a Linux laptop fitted with a WLAN card. I'm not aware of a similar Windows program, but I guess this type of functionality will become commonplace in commercial sniffer tools once the majority of WLANs use encryption.

So if encryption alone cannot guarantee security, how else will we secure WLANs?

We also tried running all the wireless traffic through a virtual private network (VPN) based on the Point-to-Point Tunneling Protocol (PPTP). This protocol too has well-known flaws, and passwords can be sniffed and cracked as quickly as WEP-protected WLANs.

Other forms of VPN are the solution recommended by most experts, but these need digital certificates, which in turn probably require certificate and directory servers. All of this adds cost and complexity to a system that is already relatively expensive and cumbersome.

There is also the prospect of using a tweaked version of WEP that changes the encryption key every 10 minutes or so. The idea is to prevent hackers from gathering more than 2GB of WEP traffic, because once they have this much encrypted data it doesn't take long to work out the encryption key. The problem is that though the tweaked capability is supported in Windows XP, it's missing from earlier versions.

As for other devices, I have yet to find a PDA that merits LAN access, but I did try connecting an Apple PowerBook and a laptop running Linux to the WLANs. We also tried supporting a Windows laptop user who moved between two completely separate WLANs, which made things far more than doubly complicated. Anyhow, by some coincidence we had no trouble using 40-bit WEP on both Linux and Mac OS X laptops, but we could not get the 128-bit variation functioning on either. For the record, we didn't exhaust the possibilities for this under Linux; and Apple said 128-bit WEP should work and suggested we try a different vendor's base station.

We also found tools to support the PPTP tunnel with Linux; and Apple recently added this capability to its AirPort 802.11b software. Given our problems with Linux and 128-bit WEP, it seems we have scaled to a new peak of IT irony: it is easier to configure a Linux laptop to crack 128-bit WEP keys than it is to get it to use them.

The need for better security and usability should keep the wireless trade busy for a while.
