Have No Fear! Wireless is Secure!

Today's blog entry is based off of an article posted by The Star Online which states that (when comparing the risks associated between wired and wireless networks) "the risks are the same as those posed to wired networks  the typical computer virus infection and odd worm-intrusion incident". Last I checked, worms and viruses, although significant risks in and of themselves, are far from the only risks facing wireless and wired networks.. What about the hacker next door who sets up a wireless sniffer to try to crack the encryption key used on your wireless network? Or the one who is just casually looking for completely open wireless networks to attach onto?

The article also states: "Whats even more interesting is that some of these organisations did not face any security threats and have found that the security of their networks either improved or remained unchanged when they moved to wireless" This has nothing to do with the deployment of wireless. There are three main encryption technologies used on wireless networks today: WEP (Wired Equivalency Protocol), WPA (Wi-Fi Protected Access), and WPA2 (version 2 of WPA) which actually consists of two versions: WPA2-Personal and WPA2-Enterprise. Nowhere in any of these acronyms is the word "security" used. Why? Because they do not provide "security". They provide encryption (which can be cracked) and some level of access control, but not "security". In this instance, as part of the deployment of wireless to the organization's internal network resources they may have employed some additional safeguards such as requiring authentication to a VPN after successful wireless connection, but this is an architectural change and is not related to the security of the wireless network.

The article also mentions that consumer-grade wireless networking equipment is less secure than enterprise grade equipment. Not true. Generally consumer and enterprise grade wireless access points support all of the current encryption protocols mentioned above. Unfortunately, not all of the equipment that is connecting to these access points (predominantly laptops) support these new protocols. This is especially true in organizations that deploy older, bargain basement type laptops whose internal wireless adapters may not even support encryption beyond basic WEP. Nevertheless, this is not a factor of the security of the access point. This is a factor of the capabilities of the machines connecting to the network. The security itself of the wireless access point is not lacking because it is a D-Link you bought for $75 from a local retailer versus a Cisco access point that may have cost several hundred.

Why am I being so hard on this article? Mainly because I keep hearing people trying to make the connection between wireless networks and security. In this case they are trying to make the connection between wireless deployment and _increased_ security! As I mentioned earlier, there are certainly some best practices that you can deploy as an organization if you are looking to go wireless, but again these are not security functions of the wireless network or the wireless network equipment itself, rather functions of your own architecture and safeguards put into place such that you limit what a potential criminal has access to even if they do manage to successfully get onto your wireless network.

Wireless is a wonderful technology and I am a big proponent of it (I use it all day between work and home), but wireless does not equal security. Please don't confuse the two!