GAITHERSBURG, MD. - A federal agency is readying a report that
will recommend against the U.S. government using wireless LANs -
except when applying a long, detailed list of security controls.
Even though wireless LANs are a billion-dollar business and
growing fast, reports such as the one coming out from the
National Institute of Standards and Technology (NIST) continue
to dog the technology.
The U.S. Department of Defense also is said to be considering
restrictions on wireless LAN usage for classified and
nonclassified environments, government sources say.
"We don't use them yet because we've heard the bugs
aren't out of them and we don't want to be the guinea
pigs," says Alan Comins, CFO at retailer Carpetland in Los
Angeles.
"Our IT consultant told us not to use them," he
adds.
What NIST is advising
Among NIST's recommendations is that wireless LAN access
points be located only where no unauthorized individuals can
access them.
With freeware such as AirSnort, hackers have been known to
access wireless LAN access points from up to 1,000 feet away.
NIST also suggests that agencies put firewalls between
wireless and wire-based LANs. Another 50 or so recommendations
will be included in the report, called "Wireless Network
Security."
The NIST report arrives at a time when the IEEE is attempting
to standardize on port authentication in 802.11 wireless LANs.
The proposed 802.1X standard addresses several authentication
types, including passwords, certificates, media access control
(MAC) addresses and the widely used Remote Authentication
Dial-In User Service protocol. But 802.1X's progress hasn't been
smooth, with a University of Maryland professor cracking the
technology earlier this year and companies such as Cisco and
Funk Software battling over how to bolster it.
But it's critical to move ahead on 802.1X because the 802.11b
specification, as the NIST report points out, lacks any
"true authentication" of users. Only a user's wireless
LAN-enabled device is authenticated via what's called the
Service Set Identification (SSID).
The NIST report suggests that wireless LANs should include
VPN clients and gateways for privacy and authentication. Wired
Equivalent Privacy (WEP), the 802.11 standard for encryption,
has been shown to be too easily broken using freeware such as
WEPCrack.
Report cites helpful vendors
NIST singled out vendors such as Bluesocket and Vernier
Networks as being among those that deliver products that can
address wireless LAN security and privacy concerns.
Searching out wireless LAN vulnerabilities is becoming a
business. One start-up, AirDefense, has catalogued what it says
are 100 types of denial-of-service attacks jamming the airwaves
with noise to shut down wireless LAN access points, 27 attacks
to take over wireless LAN stations, 490 different probes to scan
wireless LANs for weaknesses and 190 ways to spoof media access
control (MAC) addresses and SSIDs to assume the identity of
another user.
"The MAC address is unique, so only one should be trying
to come into the wireless LAN at a time," says Fred
Tanvella, chief security officer at AirDefense, which developed
a wireless LAN intrusion-detection sensor.
"So if someone is using a Cisco card and another a
Lucent card, and they're trying to fake it, we can tell," he
says.
Government contractor Science Applications International
Corp. (SAIC) is experimenting with a "honeypot" to
detect and trap hackers trying to break into wireless LANs from
a distance (sometimes referred to as "wardriving").
The goal is to gather information about how hackers get in.
While SAIC officials declined to discuss the project in
depth, it is known to be based on Cisco wireless LAN access
points deployed in the Washington, D.C., area.
Wireless gotchas
Here are the top 10 problems with 802.11b wireless LANs,
according to the National Institute of Standards and Technology:
1. Security features in vendor products are frequently not
enabled and are poor in many cases.
2. Initialization vectors are short (24 bit). This causes the
generated keystream to repeat, which allows for easy encryption
of data for a moderately sophisticated adversary.
3. Forty-bit cryptographic keys are inadequate, allowing a
brute-force attack.
4. Cryptographic keys are shared, making them easily
compromised.
5. Cryptographic keys cannot be updated automatically and
frequently.
6. The RC4 keystream is inappropriately used in the Wired
Equivalent Privacy protocol, leaving it open to an attack to
recover the key.
7. Packet integrity is poor, making message modification
possible.
8. No user authentication occurs; only the device is
authenticated.
9. Only Service Set Identification occurs - this
identity-based method is highly vulnerable in a wireless system.
10. Device authentication is based on simple, one-way
challenge response, subject to the "man-in-the-middle"
attack.
Copyright Network World Inc. Aug 19, 2002