Hospitals back off Cisco LEAP security for WLANs

Bob Brewin   Today’s Top Stories    or  Other Mobile and Wireless Stories  

Advance your BlackBerry(R) solution management know-how this July Enhancing Business Mobility with Convertible PCs Seven Steps to Secure and Seamless Field Mobility Managing Mobility: An IT Perspective Demonstrating the Business Value of Mobile Device Management in the Enterprise Sign up to receive Security Resource Alerts

October 17, 2003 (Computerworld) -- For some health care IT managers, Cisco Systems Inc.'s wireless LAN authentication protocol's vulnerability to attacks aimed at discovering passwords is reinforcing the importance of developing multilayered approaches to securing their networks.
Several users this week said they have already adopted or plan to install a mix of WLAN authentication and encryption protocols to ensure that their companies comply with the data privacy requirements of the federal Health Insurance Portability and Accountability Act.
Chris Lenaghen, a network engineer at St. Alphonsus Regional Medical Center in Boise, Idaho, said he views Cisco's Lightweight Extensible Authentication Protocol (LEAP) as "a temporary solution" until the hospital can install an updated version of Novell Inc.'s Extend Director software.
The Novell software supports the Lightweight Directory Access Protocol (LDAP), which Lenaghen said should make it harder for malicious hackers to run so-called dictionary attacks against the hospital's WLAN. St. Alphonsus will speed up its move from LEAP to LDAP because of the Cisco technology's vulnerability, Lenaghen said.
Cisco disclosed in early August that LEAP could be compromised by dictionary attacks. At a conference earlier this month, Joshua Wright, a systems engineer at Johnson & Wales University in Providence, R.I., demonstrated such an attack using a tool he developed (see story). In an interview this week, Wright said he plans to make the attack tool publicly available in February (see story).
Gene Gretzer, a senior analyst and project leader for access technologies at St. Luke's Episcopal Health System in Houston, said the health care provider uses LEAP to help secure 100 wireless access-point devices made by Cisco. But St. Luke's also controls WLAN access through a database of Media Access Control (MAC) addresses and use of the Advanced Encryption Standard.
Miami Children's Hospital in Coral Gables, Fla., has taken a layered approach to WLAN security as well, said Alex Naveira, its chief information security officer. In addition to LEAP, the hospital is using MAC address authentication and 128-bit Secure Sockets Layer encryption.
Ron Seide, product line manager at Cisco's wireless business unit, agreed that many organizations need stronger authentication capabilities than LEAP provides.
He said Cisco recommends that such users install the Protected Extensible Authentication Protocol (PEAP), which relies on digital certificates to control network access. PEAP was co-developed by Cisco, Microsoft Corp. and RSA Security Inc.

Print this Story

Send Us Feedback

E-mail this Story

Digg this Story

Slashdot this Story

"News around the web is that Apple is planning to reduce its iPhone shipments to Rogers, Canada's lone GSM/EDGE/HSDPA provider...." Read more... Read more Mobile & Wireless posts or See all Blogs

Google gives away home-cooked Web application security scanner HP eyes move of support facilities out of Colorado Springs Microsoft trumpets security additions in upcoming IE8 More top stories...

How much is too much? Upgrade your notebook without going over the line French ruling on counterfeit goods could have far-reaching effects for eBay Apple cuts price of high-end SSD MacBook Air by $500

This old laptop: Revitalizing an aging notebook on the cheap All it takes is a couple hours and about $125 to breathe new life into an old laptop. Here's how. Bill Gates moves on Is Microsoft's Golden Age over? What are Gates' most memorable quotes? Find out in Computerworld's complete coverage of the end of the Bill Gates era at Microsoft. Five things you should never tell your boss There are some things your CIO definitely doesn't want to hear. Also don't miss the flipside, Five things you should always tell your boss. Hands-On: Firefox 3 fixes what's broke and keeps what's right With its latest version, Mozilla's browser continues to raise the bar for what Web browsers should be. Windows Vista A to Z Reviews, analyses, how-tos, visual tours, hot issues and predictions about Microsoft's new OS. More Continuing Coverage After 9/11: Homeland SecurityAsk a Premier 100 IT LeaderBlackBerry Legal BattleData Security BreachesElectronic VotingFirefoxH-1B VisasHP's Boardroom ScandalHandheld DevicesHurricane Katrina AftermathMicrosoft Legal IssuesMicrosoft's VistaOpen SourceRFID TechnologySCO's Linux FightSarbanes-Oxley ActSpamVoice Over IPWi-FiWindows Meta File VulnerabilityWindows XP Service Pack 3 IT Careers 2010 Four years from now, the IT field will be a vastly different place. Will you be ready? More Special Reports Premier 100 IT Leaders 2007 Best in Class2006 Computerworld Horizon Awards2006 Premier 100 IT Leaders2006 Salary Survey2007 Best Places to Work in IT2007 IT Forecast2007 Premier 100 IT Leaders40 Years of ComputerworldASPs, Take TwoBest Places to Work in IT 2003Best Places to Work in IT 2004Best Places to Work in IT 2005Best Places to Work in IT 2006Business Intelligence Home RunsBusiness Intelligence: Smarter BIBusiness Intelligence: The Future of BICRM Goes VerticalCRM: Sober CRMCareer Planning Guide 2005Careers: IT Profession 2010Computerworld Horizon Awards 2005Data Management: Mining for GemsData Management: Taming Data ChaosDevelopment: Hard-Workin' Web SitesDevelopment: New Tools New ChoicesDevelopment: The New World of Application DevelopmentDevelopment: The Web Services TsunamiDevelopment: Web Services HurdlesDisaster Recovery: Preparing for the WorstE-commerce Grows UpE-mail/Groupware: Big DecisionsFaces of Mobile ITForecast 2006Global MobileHardware: Multiple Cores, Multiple ChallengesHardware: On-Demand Un-HypedHardware: The Shape of Things to ComeHorizon Awards: 10 Cool Cutting Edge TechnologiesIT Management: Guide to Managing VendorsIT Management: Navigating Global ITIT Management: Recovery AheadIT Management: The Future of ITIT Management: The Resourceful Project ManagerInnovative Technology Awards 2004Management: Reinventing ITMicrosoft in TransitionMobile/Wireless Leaders and LaggardsMobile/Wireless: The Untethered WorkerMobile/Wireless: Tiny Gadgets, Huge CostsNetwork Management: Taking ControlNetworking: Turbulence Ahead!Networking: VoIP Goes MainstreamOperating Systems: In the Slow LaneOperating Systems: Linux Goes GlobalOperating Systems: Should You Nix Unix?Outsourcing: Offshore Buyer's GuideOutsourcing: Outsourcing DangersPremier 100 IT Leaders 2004 Best in ClassPremier 100 IT Leaders 2005 Best in ClassROI: Do the Math!Salary Survey 2003Salary Survey 2004Salary Survey 2005Security Action PlanSecurity: Compliance HeadachesSecurity: Proactive SecuritySecurity: Risk and RewardSecurity: Tips From Security ProsSouped-up SecurityStorage: Battling ComplexityStorage: Cheap & Secure Data StoresStorage: Stretching Your Storage DollarsStorage: The Lean Storage MachineStorage: The New Rules of StorageStorage: The Ultimate Backup GuideSupply Chain: Missing LinksSupply Chain: RFID Reality CheckThe Business of SecurityWeb 2.0 SecurityWireless: Wireless At Work All Zones Application Performance Zone Business Continuity Zone Data Center Management Zone Enterprise-Class Security Zone The File Data Management Zone Grid Computing on Windows Zone Security Management Zone ITIL Best Practices Zone The SAS Zone Storage Virtualization Zone Business Intelligence and Analytics Zone See your link here

The Untethered Worker (Source: Computerworld) Today's roaming employees expect to be able to work in a conference room, airport, customer site or coffee shop. This report - covering wireless LANs, mobile applications and cellular networks - tells you how to get the job done, avoid chaos and maintain security! Download this executive briefing  Virtualization Everywhere Download this white paper, free, compliments of Citrix. (Source: Citrix) Adoption of virtualization is concentrated among large enterprises, while adoption by mid-sized companies has been much slower. For these companies, the cost and complexity of server virtualization solutions has been a barrier. In this paper, we'll discuss how Citrix XenServer" provides simple, economical server virtualization for any size company. Download now! Download this white paper  Long Tail Supplier Collaboration - What's In It For You? Long Tail Supplier Collaboration - What's In It For You? Download this webcast, free, compliments of Sterling Commerce Go to the webcast  White Papers Read up on the latest ideas and technologies from companies that sell hardware, software and services. Deploying Virtualized NetWare on Linux Whitepaper Toward More Flexible, Next-Generation Collaboration Solutions Driving Business Success Through Workgroup Choice and Flexibility View more whitepapers

• Google gives away home-cooked Web application security scanner
• HP eyes move of support facilities out of Colorado Springs
• Microsoft trumpets security additions in upcoming IE8
• More top stories 

Computerworld Executive Briefing: Automating Network Management IThis briefing looks at the basics of network management, which tend to get lost in the dizzying array of products and processes. It also examines new tools that are on the way to help IT executives deal with management in the new era of automation. Download this Executive Briefing now (a $195.00 value), compliments of ProCurve Networking by HP.