March 25, 2002
(Computerworld)
Despite widespread concerns about the security of wireless LAN (WLAN) deployments, some IT managers are forging ahead with Wi-Fi technology to increase worker mobility in a variety of commercial settings and to avoid expensive installations of wires. Months of negative publicity about the weaknesses of Wi-Fi, or 802.11b, have sharpened the security scrutiny on the part of several IT managers who already had deployments of 802.11b-based networks under way, they report.
Instead of ripping out the wireless networks or stopping rollouts altogether, as some federal laboratories and agencies have done [News, Feb. 4], IT managers at several organizations interviewed for this story have begun testing devices equipped with new open-standard security systems or deploying proprietary security software. Others have even enlisted their own IT staffs to try to sniff the wireless networks and find potential entry points.
These organizations range from manufacturers to hospitals to a university to a package shipper to a resort. Although they aren't trading data as sensitive as national security secrets, they all regard their wireless networks as needing high levels of security to keep their operations running smoothly and to protect patient records, credit card numbers or company information.
"Every time there is another wireless security story, everybody here gets a little uneasy" about using 802.11b, says Murshid Khan, director of telecommunications and IT operations at Walt Disney Parks & Resorts in Lake Buena Vista, Fla.
Disney has been running wireless LANs for more than a year and has had as many as 150 wireless access points installed, mostly to enable point-of-sale functions where credit card authorization is needed for sales of food and goods.
WHAT IS IT?
Wi-Fi, or 802.11b
Wi-Fi is the trademarked name given by the Wireless Ethernet Compliance Alliance to wireless networks operating with the IEEE 802.11b standard, which permits throughput up to 11M bit/sec. over a range of about 100 meters.
"There are always worries with any wireless network," he notes, but despite that, Wi-Fi "gives us business advantages and is a convenience for customers, who can go anywhere and use a credit card."
Analyst John Pescatore at Gartner Inc. in Stamford, Conn., says concern over Wi-Fi security within enterprises seems to have peaked late last year, after security experts at several universities reported problems with Wired Equivalent Privacy (WEP) and when companies jumped to heightened alert following the Sept. 11 attacks.
"Last fall, companies set out to think things through again," Pescatore says. But somewhat surprisingly, Wi-Fi is still being deployed to avoid installing more wires in a LAN and to give workers greater mobility and flexibility.
"I haven't seen a slowdown in interest by our clients," Pescatore says.
Wireless on the Move
Several years ago, United Parcel Service Inc. in Atlanta embarked on a massive project to put 200,000 terminals on Bluetooth and Wi-Fi networks. Last year's Wi-Fi security worries have slowed deployment in UPS's corporate offices, where data is considered sensitive, but not for warehouse or sorting operations, says David Salzman, program manager. "The data on our mission-critical WLANs isn't sensitive enough to warrant a major [security] concern, compared to the benefits," he says.
Auto manufacturers have long used wireless networks in various settings, including on the factory floor. The major automakers started installing wireless links in the mid-1990s, using proprietary methods until the 802.11b standard was unveiled.
General Motors Corp. has deployed wireless links around the world. Using wires for the same networks would have left important assembly lines vulnerable to hours of downtime, says Arvind Sabharwal, director of telecommunications and networks. In addition, the wireless networks give workers greater mobility.
Despite the contained nature of plants, whose perimeter fences and locked entry areas might seem to make them immune to sniffing by nearby hackers, GM "doesn't consider the lines a low-security area," partly because the WLANs run in proximity to some office networks, he says.
To address what Sabharwal calls the Achilles' heel of WLANs, GM has resorted to a range of approaches, including turning on WEP for access devices that normally default to Off, and testing newer security methods, including WEP2 and 802.11i, which might not roll out in products widely until early 2003, according to analysts.
GM also segments its networks with firewalls and VPNs and relies heavily on detailed site surveys that look at all radio interference sources, including cordless phones. "Even with security software, you can survey the bleed of [radio] signals outside the facility to make sure it's minimized," Sabharwal says.
GM's biggest strategic weapon may be its involvement with standards bodies and vendors to see that standardized security methods are quickly incorporated into wireless gear, an important consideration for a global manufacturer that uses Wi-Fi equipment from several makers. "Because of our size and clout, we are making sure some of our partners and vendors are adopting standards quicker in the security area," Sabharwal says.
BMW AG in Munich, Germany, also uses 802.11b on the factory floor and has relied heavily on site surveys to prevent access points from bleeding to nearby buildings or parking areas, says Daniel Lange, director of IT strategy.
Lange says that since the first of the year, BMW has discovered no additional security holes in 802.11b, although there have been more articles describing its deficiencies, in addition to a broader discussion of its flaws. Lange says he hopes the Institute of Electrical and Electronics Engineers Inc.'s recently approved standards will be quickly certified and widely deployed.
BMW does a lot to keep security high, including sending an IT inspector into the homes of BMW workers to see how they use home-based wireless LANs for work, a key point of vulnerability, according to analysts. Lange agrees with analysts and vendors that using a VPN on a Wi-Fi network is sufficient to keep a third party from reading wireless communications. But he sees other related security problems.
When Lange was asked at a forum last November if BMW has been hacked over 802.11b, he responded, "Not that we're aware of." But, he quickly added, there's a far greater security vulnerability if "a beautiful young woman entices a young man in IT to divulge a network password."
And Lange says he's just as worried about a saboteur somehow entering a BMW plant and throwing a small $50 radio-jamming device under a cabinet, rendering the wireless access points on the 2.4-GHz network useless. It might take hours of downtime to find such a device, he says.
Hospitals could face large security risks with WLANs, analysts say, because they receive frequent visitors and contain sensitive patient data. North Shore-Long Island Jewish Health System in Great Neck, N.Y., which has 18 hospitals, is about to implement a Wi-Fi system in its Manhasset hospital.
"The publicity about Wi-Fi problems has certainly made us more skeptical about how we do our implementation," says North Shore CIO Patrick Carney. "We haven't stopped, but we're more skeptical."
By summer, the Manhasset hospital hopes to have implemented an order entry system that will allow a doctor to prescribe drugs through a laptop that's wirelessly connected to a server. Hospital officials expect that the benefits of the system, which will check and verify with the doctor the proper use and dosage of medications, will outweigh wireless security concerns.
Carney says his most immediate worry is that a hacker could find out when celebrities are checked in at the hospital for drug rehabilitation or plastic surgery. But whatever gear the hospital chooses, he expects it to involve data encryption. "We're more sensitive because Wi-Fi has been too easy to penetrate," he says.
Tampa General Hospital in Tampa, Fla., has a wireless connection between the hospital and its radiology clinics across Tampa Bay. The link was the least expensive of several alternatives and has been great for physicians, who get quick connections to vital patient data, says Joe Gandiosi, manager of network services. That link is secured with Wireless Link Layer Security and Triple Data Encryption Standard technology from Fortress Technologies Inc. in Oldsmar, Fla.
Lessons Learned in School
Many universities are enthusiastically turning to Wi-Fi, including Buena Vista University (BVU) in Storm Lake, Iowa, where 145 Wi-Fi access points are installed across the 1,400-student campus.
The rollout in mid-2000 was originally secured with 40-bit WEP encryption, but security has been enhanced with WEPplus technology provided by Avaya Inc. in Basking Ridge, N.J., said Ken Clipperton, managing director of information systems.
To lessen the chances of student hackers changing their grades or reducing their tuition bills, BVU has kept its registrar and business offices on the wired Ethernet LAN. BVU will eventually upgrade to more secure protocols such as 802.11a but so far hasn't installed firewalls behind the wireless access points as some analysts recommend.
"We have, in general, the sense of security here," Clipperton says, noting that the wireless network cost less than $400,000, about one-third of the cost of wiring classrooms and other buildings.
Boingo Wireless Inc. in Santa Monica, Calif., boasts that it has 500 "hot-spot" Wi-Fi WLANs ready to serve the public in hotels and airports nationwide. Users can download free Boingo sniffer software that lets them find Wi-Fi networks. The cost is up to $75 per month for unlimited service. An additional $30 provides a personal VPN for users.
Although the company can't be sure if concerns over Wi-Fi security have cut into sales of its service, Boingo decided to provide the personal VPN if a customer's company doesn't have one, because "we knew customers needed a solution to overcome the widely publicized shortcomings of Wi-Fi," says Christian Gunning, director of product management.