Wireless dilemma: Security isn't cool
By Leo Pluswick
Special to ZDNet
COMMENTARY--Wireless communication has dramatically changed the way people work and interact. Unfortunately, the wireless era also continues to be plagued by insufficient security, and both corporations and users are being put at risk.
To be sure, cell phones, personal digital assistants and wireless laptops have helped usher in an era of mobile computing that's marked by increased productivity and fast return on investment.
At the same time, however, customers are demanding better security services and are adamant that any associated costs be transparent. They also want to continue to use their previous investments in legacy wireless hardware. But there are growing indications that the scramble to get to market with feature-laden technologies may be coming at the expense of better security.
Wireless suppliers have offered up a couple of approaches that fall under the rubric of robust security networks (RSN). Proponents argue that this will resolve the remaining access problems and confidentiality vulnerabilities older 802.11 products have.
Opponents counter that truly effective security is not a feature and that RSN will only delay the acceptance of something more secure.
The first solution, based on an emerging Institute of Electrical and Electronics Engineers 802.11i security-enhancing option, is found in the Wi-Fi Alliance's Wi-Fi Protected Access (WPA) products. A second solution, which won't be available until 2004, when the 802.11i specification is ready for publication, is believed to be more secure.
The WPA solution does an adequate job of answering the basic security needs of wireless local area network (WLAN) users. It also is already available and--unlike the latter option--offers backward compatibility with existing legacy WLAN hardware.
That's an important consideration for customers who still want service out of existing equipment and who are in no mood to ante up for new infrastructure.
In this instance, security takes a back seat to the bottom line. Buyers may be willing to take security risks in order to avoid making more expensive investments, especially at a time when they may be cash-constrained. Suppliers know that and are responding to demand, eager for a quick infusion of revenue at a time when it is most welcome.
So if you do adopt the WPA solution as a de facto WLAN security option, keep in mind the following:
• Users and companies may become more complacent and therefore delay the acceptance of the more fully baked and more secure RSN option.
• The solution may not be used as required, so the level of security protection possible may not be obtained.
• It may encourage the use of non-RSN, legacy products in a WLAN, thereby reducing the security of the WLAN to that delivered by the non-RSN products.
• The WPA products assume a high level of technical savvy on the part of the user and may therefore instill a false sense of security in an unsuspecting user who is not using the option properly.
Unfortunately, users may be tempted to choose the less secure option, because it offers the easy route. The WPA products are available, backwards-compatible and offer improved security. But how many IT departments believe that all the users on their corporate networks are disciplined enough to always use security features or use them properly?
In the short term, recently trained users will be disciplined enough to get the desired security. But after some time, they are bound to get lazy and revert to bad habits. The upshot: Security goes out the window.
WLAN companies may believe that they have answered the call for more secure networks, and people assume that they are receiving better security. But is that the reality on the ground? The question still lingers. It will be interesting to see whether time to market and new features once again undermine the quest for better security.
biography
Leo Pluswick is the program manager for the development and execution of ICSA Labs' product certification programs for cryptography, Internet Protocol security and wireless LAN security. He has 39 years of experience as an electronic engineer, planner and manager in industry, the U.S. Army and the National Security Agency.
Posted on Wednesday, 12 November 2003 @ 04:20:00 EST by phoenix22