Roadblocks for War Drivers:

Stop Wi-Fi from Making Private Networks Public. An IEEE 802.11 access point can open your network to attackers, intruders, and even casual passersby.

Internet idealists hope for a future of ubiquitous free wireless networks. Instead of relying on slow and expensive cellular service, laptop users would simply connect to the nearest Wireless LAN (WLAN) and borrow its Internet connection. In the central business districts of most major cities, this is already a reality. The free wireless networks are there now, built to serve corporate and government offices, but open to all.


Few are left open out of generosity: Even when an enterprise doesn't mind sharing its bandwidth with the outside world, it rarely wants to share its confidential data too.


Despite frequent warnings about the poor security in the IEEE 802.11b (Wi-Fi) standard, more private networks are broadcasting to the public than ever. The maps of open access points compiled by war drivers-people who travel around a city and pick up signals from thousands of networks a day, armed only with a Wi-Fi card and an antenna made from a Pringles can-have gone from isolated dots to large conglomerations that can blot out entire downtown areas.


If you run a network, there's a good chance that one of these open access points will let outsiders on to it-even if you think your Wi-Fi access points are secure, or that you don't have a WLAN at all.


"In almost all cases, we find open access points," says Jon Gossels, president of System Experts ( www.systemexperts.com ), an independent consultancy that performs security audits for many of the world's largest companies, with particular focus on Wall Street banks. "People will say they know about the access points on the network, but we find others."


Most network managers know by now that 802.11 networks are insecure. The problem is that many access points aren't set up by network managers. "Wi-Fi is deployed guerilla-style, from the bottom up," says Phil Belanger, founding chairman of the Wireless Ethernet Compatibility Alliance (WECA, www.wifi.org) the interoperability-testing group that includes every Wi-Fi vendor. "The last person to buy it is in the IT department."


Last, but not too late. Despite what vendors say, there's no plug-and-play solution to Wi-Fi security, and the IEEE isn't expected to fix the standard until 2004. But IT departments don't have to wait that long. There are ways to shut down these rogue access points, replacing them with a secure 802.11 network that will set users free, while keeping data safely confined.


CHALK AND TALK


First, understand what makes wireless networks so insecure. The problems go beyond Wired Equivalent Privacy (WEP), the flawed encryption protocol mandated in all 802.11 standards. The publicity surrounding WEP's weaknesses may even do more harm than good, because it discourages people from using Wi-Fi security features.


"Most wireless security problems are business or management issues, not technology issues," says Gossels. While Wi-Fi access points do include some limited security features, most people don't know about them. "Vendors are trying to make their solutions easy to use right out of the box, so all the security is switched off."


Gossels doesn't think this will change, and other white hats agree. "If the user gets asked for a password, the vendor will get more support calls. It's just like Microsoft wanting Windows users to be able to share files," says Jonas Hellgren, director of vulnerability management at Guardent ( www.guardent.com ), a security service provider. He specializes in penetration testing, and asserts that rogue access points actually predate wireless networks. "It's the same problem we saw with modems ten years ago."


The modem problem occurred in the 1980s, when network managers first began to install modem banks for remote access. Many users didn't bother to change the default administrator password, leading attackers to invent war dialing: calling random numbers and trying common passwords if a computer answered.


Access points also have default passwords-and more. Most can restrict access to certain MAC addresses, but this feature is rarely enabled. Many include a DHCP server as well, turned on by default and helpfully supplying every intruder with an IP address. All include WEP, usually switched off. Worst of all, access points broadcast the Service Set Identifier (SSID), which names the network. When attackers see that this is set to its default, they know that other settings probably haven't been changed either.


"We recommend that people use WEP, but recognize it for what it is," says Gossels. "It's going to thwart the casual intruder." So will using Wi-Fi's other built-in security features, such as enabling MAC address filtering, switching off SSID broadcast and DHCP, and, of course, changing default passwords and SSIDs.


These measures will go a long way toward keeping a network secure, but they're not good enough for sensitive data. MAC addresses can be spoofed, WEP can be broken, and SSIDs can be sniffed. Graffiti artists have even taken to marking buildings with special symbols that include the SSIDs of nearby WLANs. (See this issue's cover.) The same "war chalking" symbols are also used by some people who intentionally leave their networks open.


WEP DREAMS


There is one way to lock down a WLAN completely: Treat it as if it were on the Internet, placing it behind a firewall and encrypting all private traffic using a VPN. Many network managers have shied away from this because VPNs can be awkward and are better known for remote access. However, vendors such as Check Point ( www.checkpoint.com ) are now building in better Wi-Fi support (see "The VPN Appliance Deluge"), and companies such as Bluesocket ( www.bluesocket.com) , NetMotion Wireless ( www.netmotionwireless.com ), and Net-Screen Technologies ( www.netscreen.com ) even make specialized wireless VPNs.


But while VPNs may be improving, they're not for everyone. They still require some administration work, and a lot of mobile devices simply can't run their clients. While most VPN vendors have a client for Windows CE (Pocket PC) and a few have one for Palm OS, none support the less glamorous credit card readers and barcode scanners that make up the majority of WLAN terminals.


"We recommend a VPN," says Guardent's Hellgren, "but you can implement things without a VPN that make your wireless network more secure."


The IEEE is developing several non-VPN approaches to wireless security. Its long-term plan is to abandon WEP entirely in favor of a new standard called 802.11i, which will be based on the powerful Rjindael (AES) algorithm. This is at least a year away and will require new hardware, so the group is also proposing an intermediate standard called the Temporal Key Integrity Protocol (TKIP), which will reuse the encryption chips already built into Wi-Fi cards.