Local networks have been a controversial topic from the beginning. Organizations that have implemented these types of networks have expressed concern about their levels of security. Ever since the discovery of vulnerabilities in first-generation wireless networks (Borisov, Goldberg, & Wagner, 2001), analysts and security companies have tried to understand and mitigate those risks. Some of those efforts have contributed to the study of wireless security. Other efforts have failed, introduced a different group of vulnerabilities, or required expensive proprietary software and hardware. Finally, other efforts try to mitigate the problem by piling up a complex group of security technologies, such as virtual private networks.
Despite the benefits they bring, a great number of security concerns have limited the massive adoption of wireless networks, particularly in sectors that are highly aware of the existing security risks, such as the financial and government sectors. Even though there are a significant number of risks inherent to the mass transmission of data to any individual within the boundaries of a wireless network, a good number of these networks are installed without any security measure at all. However, the majority of businesses that have implemented some sort of wireless security measures have done so in the most rudimentary way, giving users a false sense of security.
When the first IEEE 802.11 wireless standards were being developed, security was not as important as it is today. The level of complexity of network threats was much lower, and the adoption of wireless technologies was still in an introductory phase. It was under these circumstances that the first standard for wireless network security, known as wired equivalent privacy (WEP), originated. WEP underestimated the means necessary to make security over the air equivalent to the security provided by a cable.
In contrast, the security methods of modern wireless networks are designed to work in hostile environments where there is a lack of well-defined physical network perimeters.
Every network environment is susceptible to risks, and wireless networks are no exception. According to a survey by the Federal Bureau of Investigation of the United States, the only category of threats that shows a significant increase in the number of attacks and/or possibility of misuse in the last few years is “wireless network abuse.” The broadcast nature of these networks has turned them into perfect targets for unauthorized users.
According to Arbaugh (2001), these problems are exacerbated by the myriad of free security-threatening tools widely available for download on the Internet and because of the inherent vulnerabilities of wireless networks themselves. One of the most exploited vulnerabilities is the WEP protocol (Fluhrer, Mantin, & Shamir, 2002; Peikari & Forgie, 2002), which is such a severe problem that many companies have decided to abandon the wireless business.
On the other hand, a good number of the deployment strategies for wireless networks lack a cohesive and effective integration with the authentication services infrastructure of the organization in which they are implemented (Arbaugh & Shankar, 2002). This common mistake is easy to mitigate, and the effect of correcting it is evident almost immediately, because it closes the gap between the number of authorized and unauthorized users: authorized users are checked against a database with secure access methods inside the wired network.
In other cases, security problems go beyond the merely technological element (National Institute of Standards and Technology, 2007). Commonly, a lack of planning for the wireless network is a decisive factor in coverage and placement. Other elements, such as security policies, access procedures, internal policies governing the use of and access to resources, and guidelines governing the confidentiality and protection of information, serve as a complementary regulatory framework that supports the technological infrastructure by establishing limits on the way in which information is and/or should be used.
Key Terms in this Chapter
WPA: Acronym for Wi-Fi protected access. An encryption algorithm created by the Wi-Fi Alliance. Like WEP, it uses an RC4 encryption key, but WPA’s key is longer: a 128-bit key alongside a 48-bit initialization vector. WPA also comes in two variations: enterprise and personal. The difference is that enterprise relies on an 802.1x server to provide authentication services, while personal relies on a preshared key scheme.
WEP: Acronym for wired equivalent privacy. An encryption algorithm intended to secure the first generation of wireless networks. It uses a 40-bit key alongside a 24-bit initialization vector, which together produce an RC4 key. It proved to be useless in 2001, when it was cracked and the cracking tools were made available on the Internet.
VPN: Acronym for virtual private network. Secure communication channels established from one network to another or inside one network. VPNs provide dedicated communications channels that offer higher levels of security and encryption. They can be established using a VPN server (software) or through a VPN concentrator (hardware). They assure that communications are somewhat free from eavesdropping.
LDAP: Acronym for lightweight directory access protocol. A protocol used to send queries to user databases organized through directory services. Wireless networks use this protocol to communicate with servers housing user databases in a secure way, thus providing a consistent method of user authentication on wireless networks whose access is restricted.
802.11: Set of standards, established by the IEEE (Institute of Electrical and Electronics Engineers, a worldwide standardization body), that govern the functioning and design of wireless networks communicating in the 5 GHz and 2.4 GHz unlicensed bands. It has evolved into many other specifications, but 802.11 still dictates the basic standards for what should be considered a wireless network.
SOHO: Acronym for small office home office. Types of network equipment intended for home use or for offices with a small number of employees. Generally, they offer most of the features and functionalities found in enterprise-class hardware, but are limited in certain aspects, and they are much cheaper and competitively priced.
WPA2: Acronym for Wi-Fi protected access 2. It is also known as 802.11i. It is basically the same as the WPA standard, improved with a new algorithm to distribute encryption keys.
Access Point: A network device that serves as a central point of connection for devices with wireless networking capabilities. It performs functions similar to those of a network hub; the difference is that a wired hub uses medium access control based on collision detection, while an access point uses a collision avoidance method.
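The initialization vector sizes given in the WEP and WPA entries above can be made concrete. The following Python sketch is an added example, not code from the chapter: it keys RC4 with the 24-bit IV followed by the 40-bit secret (a simplified WEP frame cipher with the integrity check omitted), shows that two frames sharing an IV share a keystream, and estimates how many frames pass before an IV repeats. The secret, IVs and plaintexts are constructed values, and random IV selection is an assumption.

```python
import math

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Standard RC4: key scheduling, then n bytes of keystream."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(iv: bytes, secret: bytes, plaintext: bytes) -> bytes:
    """Simplified WEP: RC4 key = 24-bit IV || 40-bit secret (CRC-32 ICV omitted)."""
    if len(iv) != 3 or len(secret) != 5:
        raise ValueError("WEP-40 uses a 3-byte IV and a 5-byte secret")
    return xor(plaintext, rc4_keystream(iv + secret, len(plaintext)))

def frames_until_iv_repeat(iv_bits: int, p: float = 0.5) -> int:
    """Birthday bound: frames sent with random IVs before a repeat has probability p."""
    return math.ceil(math.sqrt(2 * 2**iv_bits * math.log(1 / (1 - p))))

def iv_reuse_demo(iv_a: bytes, iv_b: bytes) -> bool:
    """True if the two ciphertexts XOR to the XOR of their plaintexts (keystream cancelled)."""
    secret = b"\x01\x02\x03\x04\x05"            # constructed 40-bit secret
    p1, p2 = b"frame one...", b"frame two!!!"   # constructed plaintexts
    c1, c2 = wep_encrypt(iv_a, secret, p1), wep_encrypt(iv_b, secret, p2)
    return xor(c1, c2) == xor(p1, p2)

if __name__ == "__main__":
    print("same IV cancels keystream:", iv_reuse_demo(b"\x00\x00\x01", b"\x00\x00\x01"))
    print("different IVs:", iv_reuse_demo(b"\x00\x00\x01", b"\x00\x00\x02"))
    for bits in (24, 48):   # IV sizes from the WEP and WPA entries
        print(bits, "bit IV:", frames_until_iv_repeat(bits), "frames for a 50% repeat")
```

With a 24-bit IV a repeat becomes likely after a few thousand frames, which a busy access point sends in seconds; the 48-bit IV pushes the same bound into the tens of millions.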