New Wi-Fi security would do little for public 'hot spots'

Computerworld - The new security features that wireless LAN vendors plan to build into products under the Wireless Protected Access (WPA) program will do little to protect enterprise or individual users in the booming Wi-Fi public-access "hot spot" market.
That market got another boost yesterday as Redmond, Wash.-based T-Mobile announced plans to provide such service in clubs and lounges operated by American Airlines Inc., Delta Air Lines Inc. and United Air Lines Inc.
John Pescatore, an analyst at Gartner Inc. in Stamford, Conn., said public-access providers such as T-Mobile and Boingo Wireless in Santa Clara, Calif., typically don't turn on any form of security, because to do so would inhibit their business by reducing the convenience of the high-speed (11M bit/sec.) Internet access these operators sell.
Pescatore advises that mobile enterprise workers use a virtual private network (VPN) connection if they intend to use a public-access WLAN service to tap into a corporate database or e-mail server. He also suggests that anyone using a public-access Wi-Fi service install a personal firewall to prevent snooping by other users on the same public network.
Peter Beardmore, senior marketing director at Colubris Networks Inc., which sells a "hot spot in a box" WLAN setup through Boingo, said public-access WLAN users without a firewall run the risk of another airport or coffee shop user poking around in their files using the "Network Neighborhood" tools found in the Windows operating systems.
Beardmore said Colubris, based in Laval, Quebec, helps Boingo prevent this kind of casual sniffing by "forcing all traffic upstream" to a Colubris server either incorporated into the access point or separate from it. This technique, Beardmore said, prevents what he called "paper-to-peer" sniffing of one client on a public-access WLAN network by another.
But Bearmore agreed with Pescatore that enterprise users should also protect their data through the use of a VPN.
Eventually, he said, public-access providers could build the authentication part of WPA into their servers for monthly customers, providing companies such as Boingo with a way to authenticate the identity of regular -- though not casual -- customers.