The big problem with the security defined within the IEEE 802.11 standard and the Wi-Fi specification is that it deals with only a tiny piece of the network value chain: the airlink, the radio connection between wireless clients and the wireless infrastructure of access points. Of course, the 802.11 standard by definition handles only the wireless portion of the network. But the rest of the path the data travels, from the access point across the wired LAN to the server and onto storage, deserves equal consideration with respect to security. We call this approach end-to-end security and recommend it for securing all critical information on enterprise networks. All too often, suppliers are called in to solve what's perceived as a wireless security problem. As it turns out, what the customer actually needs is an appropriate network-wide security solution, of which the airlink is only one part.
The primary rule of the end-to-end approach is that no sensitive data (as defined in the enterprise's security policy) should ever appear in the clear except to an authorized user. We'll return to exactly what "authorized" means in a moment, but for now the core requirement is encryption, and not just on the wireless part of the network. Sensitive data must be encrypted wherever it is stored (on servers and on mobile computing and communications devices, from notebooks to smart phones) and on any network carrying it, wired or wireless.
The choice of technology
But let's return to the other big security requirement, authentication. Native 802.11 authentication (open system, or WEP shared-key) is very weak, but upper-layer techniques are available to address this concern as well. The most common solution is IEEE 802.1X (no relation, by the way, to 802.11), a port-based access control standard that keeps a client's network port closed until the client has authenticated. 802.1X carries the Extensible Authentication Protocol (EAP) between the client and an authentication server (typically RADIUS), and EAP in turn allows many different forms of authentication: passwords, digital certificates and more, so the method can be matched to the IT requirements of a specific enterprise. The use of two-factor authentication, combining something you have with something you know, is highly recommended. The "something you have" can be a hardware token or a client certificate; biometric information like a fingerprint or retinal scan is a third, distinct factor, something you are, and should not be confused with a possession factor. 802.1X is built into the Enterprise modes of WPA and WPA2, addressing concerns that WLAN authentication is otherwise much too weak. The Personal (pre-shared key) modes do not use it, so with PSK a single shared passphrase is all that stands between the network and anyone who learns it.
It's also important to consider two other elements of a complete security solution. The first of these is intrusion detection and prevention systems (IDS/IPS), which can be used to discover and remediate such conditions as rogue (unauthorized) access points, "evil twin" access points impersonating a corporate SSID, authorized access points that have drifted to weaker security settings than policy requires, and a wide variety of other wired and wireless security challenges. One caveat: a wireless sensor can tell you an unknown access point is in range, but not by itself whether that device is plugged into your wired LAN, so rogue detection needs to be correlated with wired-side data (switch port tables, DHCP logs) before remediation. Among the key vendors here are AirDefense and AirTight Networks. The other is wireless LAN assurance (WLA) tools, third-party software and hardware sensors used to monitor security and a wide variety of other wireless parameters. The two big names in this space are AirMagnet and WildPackets.
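To make the detection side of this concrete, here is an added example (written for this page, not code from the author or from any of the vendors named) of the classification logic a wireless IDS applies to scan results. It compares each observed access point against an inventory of authorized radios and a per-SSID minimum security policy, flagging evil twins, unknown neighbors, and authorized radios running weaker than the policy requires (for example a corporate SSID seen with a pre-shared key instead of 802.1X/EAP, as discussed above). The inventory, the policy values and the scan records are all constructed for illustration; a real deployment would feed the same fields from its sensors.

```python
"""Rogue AP / evil-twin / security-downgrade detection over wireless scan records.

Added example for this page; not vendor code. Inventory, policy values and
scan records below are constructed for illustration.
"""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass

# Airlink security modes ranked weakest to strongest. "wpa2-eap" is WPA2
# Enterprise, i.e. 802.1X/EAP authentication; "*-psk" is a pre-shared key.
SECURITY_RANK = {"open": 0, "wep": 1, "wpa-psk": 2, "wpa2-psk": 3, "wpa2-eap": 4}


@dataclass(frozen=True)
class ScanRecord:
    bssid: str      # radio MAC address seen over the air
    ssid: str       # advertised network name
    security: str   # one of the SECURITY_RANK keys
    channel: int
    sensor: str     # sensor or location that observed the beacon


# Constructed inventory: radios the enterprise actually deployed, and the SSID each should advertise.
AUTHORIZED_APS = {
    "00:11:22:33:44:01": "CORP-WLAN",
    "00:11:22:33:44:02": "CORP-WLAN",
    "00:11:22:33:44:03": "CORP-GUEST",
}
CORPORATE_SSIDS = set(AUTHORIZED_APS.values())
# Hypothetical policy: minimum security mode per corporate SSID.
REQUIRED_SECURITY = {"CORP-WLAN": "wpa2-eap", "CORP-GUEST": "wpa2-psk"}


def classify(rec: ScanRecord) -> tuple[str, str]:
    """Return (verdict, reason) for a single observed access point."""
    if rec.security not in SECURITY_RANK:
        return ("unknown-security", f"unrecognised security mode {rec.security!r}")
    if rec.bssid in AUTHORIZED_APS:
        expected = AUTHORIZED_APS[rec.bssid]
        if rec.ssid != expected:
            return ("misconfigured", f"authorized radio advertising {rec.ssid!r}, expected {expected!r}")
        required = REQUIRED_SECURITY[expected]
        if SECURITY_RANK[rec.security] < SECURITY_RANK[required]:
            return ("downgraded", f"{rec.ssid!r} running {rec.security}, policy requires {required}")
        return ("authorized", "matches inventory and policy")
    if rec.ssid in CORPORATE_SSIDS:
        # Unknown radio using a corporate SSID: classic evil twin.
        return ("evil-twin", f"unknown radio {rec.bssid} impersonating {rec.ssid!r}")
    # Unknown SSID: could be a neighbor or a rogue plugged into the wired LAN;
    # the scan alone cannot tell, so this needs wired-side correlation.
    return ("neighbor", f"unknown SSID {rec.ssid!r}; verify it is not attached to the wired LAN")


def detect_cloned_bssids(records: list[ScanRecord]) -> set[str]:
    """BSSIDs seen on more than one channel: a radio only beacons on one, so a
    second channel usually means an attacker spoofing an authorized BSSID."""
    channels: dict[str, set[int]] = defaultdict(set)
    for rec in records:
        channels[rec.bssid].add(rec.channel)
    return {bssid for bssid, chans in channels.items() if len(chans) > 1}


def audit(records: list[ScanRecord]) -> list[tuple[str, str, str]]:
    """Classify every record; returns (bssid, verdict, reason) triples."""
    return [(rec.bssid, *classify(rec)) for rec in records]


# Constructed scan results from two sensors (not real captures).
SAMPLE_SCAN = [
    ScanRecord("00:11:22:33:44:01", "CORP-WLAN", "wpa2-eap", 6, "lobby"),
    ScanRecord("00:11:22:33:44:02", "CORP-WLAN", "wpa2-psk", 11, "lobby"),   # PSK where 802.1X required
    ScanRecord("00:11:22:33:44:03", "CORP-GUEST", "wpa2-psk", 1, "floor2"),
    ScanRecord("aa:bb:cc:dd:ee:01", "CORP-WLAN", "open", 6, "floor2"),       # evil twin
    ScanRecord("aa:bb:cc:dd:ee:02", "linksys", "wpa-psk", 6, "floor2"),      # neighbor or rogue
    ScanRecord("00:11:22:33:44:01", "CORP-WLAN", "wpa2-eap", 1, "floor2"),   # same BSSID, other channel
]

if __name__ == "__main__":
    for bssid, verdict, reason in audit(SAMPLE_SCAN):
        print(f"{bssid}  {verdict:<16} {reason}")
    print("cloned BSSIDs:", detect_cloned_bssids(SAMPLE_SCAN))
```

The inventory-driven approach is what lets the tool distinguish an evil twin (corporate SSID on an unknown radio) from a legitimate but misconfigured access point, and the ranking table is what turns the "encrypt and authenticate everywhere" policy into a check the sensor can actually run on every beacon it sees.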
VARs and integrators have a broad array of network (both wired and wireless) security products to choose from. Regardless of the specific products selected, it's important to educate customers on the need for effective end-to-end security. This is the best way to protect not just a wireless network, but sensitive data on the entire enterprise infrastructure.
About the author
Craig J. Mathias is a Principal with Farpoint Group, an advisory firm specializing in wireless networking and mobile computing. Founded in 1991, Farpoint Group works with technology developers, manufacturers, carriers and operators, enterprises and the financial community. Craig is an internationally-known industry and technology analyst, and serves on the advisory boards of four industry conferences. He is the author of numerous articles on mobile and wireless topics, and a columnist for Computerworld, SearchMobileComputing.com, and Unstrung.com. As an expert on SearchNetworkingChannel.com, Craig answers your wireless LAN and mobile networking questions. He holds an Sc.B. degree in Applied Mathematics/Computer Science from Brown University.
This was first published in January 2007