Maria Korolov Trombly writes about business and technology.
Last updated February 20, 2008


Networks without wires:
Easy, cheap Wi-Fi is here, but security requires continual vigilance

Although the basic components of wireless local area networking (LAN) have been around for more than two years, security concerns and other issues have curbed its use on Wall Street. That is, until recently, when advances in security and a focus on business continuity plans converged to make wireless LANs more appealing to securities firms.

Merrill Lynch, for example, has found that additional security provided by its vendor, San Jose, Calif.-based Cisco Systems, meets its needs. As a result, the company is firmly committed to using wireless LANs in the workplace. "We are huge fans," said John McKinley, head of global technology and services at Merrill Lynch.

When workers were forced to relocate after Sept. 11, Merrill quickly set up wireless access stations at temporary locations, enabling employees to log into the corporate network without having to do significant rewiring. "It provided a huge amount of flexibility," McKinley said.

Besides equipment, any disaster plan must take into account the fact that employees likely will have to be moved around, said Alex Froede, a manager of wireless security initiatives at Plano, Texas-based Electronic Data Systems Corp.

"We're assisting a lot of clients since 9/11 with putting together continuity packages and disaster recovery plans and wireless plays a big part in that," Froede said. "Wireless LANs are quick to set up and quick to deploy. Just take them out of the box and set them up."

Shipments of wireless LAN hardware are growing fast, said Gemma Paulo, an analyst at In-Stat/MDR (formerly Cahners In-Stat), though revenue for networking companies isn't keeping pace.

That means prices are falling rapidly, Paulo said. "The Wi-Fi products have proven that they can work pretty well, and there are a variety of vendors offering solutions," she added. Other wireless networking vendors include 3Com and Enterasys as well as PC vendors, such as Compaq and Dell.

But not all wireless products have adequate security: some of the smaller vendors, or those oriented primarily at the consumer market, may not adequately serve Wall Street needs. That's because the basic Wi-Fi standard, IEEE 802.11b, comes with Wired Equivalent Privacy (WEP), which isn't very secure.

Hackers can walk around with receivers and get access to networks. These security issues steer Wall Street firms toward the largest vendors, which have "their own proprietary security overlays," said In-Stat's Paulo, while industry standards are being developed.

For example, Cisco Systems has anticipated the direction that IEEE will probably take and implemented Lightweight Extensible Authentication Protocol (LEAP) on its equipment. Once the standard is finalized, Cisco will give a free upgrade to its clients to bring equipment into alignment, said Chris Bolinger, a product manager at Cisco's wireless networking business unit in San Jose.

Meanwhile, IEEE (see Glossary) is working at upgrading WEP. An interim protocol was recently released, said Dennis Eaton, chairman of the Wireless Ethernet Compatibility Alliance. This protocol, Temporal Key Integrity Protocol (TKIP), is designed to be compatible with existing devices and offers better encryption than its predecessor WEP. The next step is that WEP and its TKIP upgrade will be replaced with a totally new standard, the Advanced Encryption Standard (AES).

AES is based on the public key principle and is considered virtually unbreakable given today's equipment. Cisco's LEAP, like TKIP, does not use the public key mechanism. "We'll probably start seeing AES come on the market in the form of products late this year or early next year," said Eaton.

The two standards are not compatible, he said, but wireless devices will be configured so that they use the best standard available to both sides of the wireless transmission. The next-generation standard will require equipment upgrades but will be even more secure, as well as backward compatible.

Other upgrades to the basic Wi-Fi standard are also coming, not related to security issues. For example, 802.11a, also known as Wi-Fi5, will be five times faster and will operate on a different band, though some devices are expected to be able to operate on both sets of frequencies. The first Wi-Fi5 products are already being sold, and more are due later this year.

The way Wi-Fi works is that a small radio transmitter is connected to the physical network (to an Ethernet port, for example, or a home cable modem). Then a wireless card is installed in laptops and PDAs. Some newer computers come with wireless cards built in. Using the wireless connection is exactly the same as plugging into that Ethernet port or cable modem, and has the same data rate as wired Ethernet LANs.

Anywhere from five to 10 users can share one wireless access point, with the number depending on the kind of work they do. Video downloads, for example, take up a lot of bandwidth. Simple e-mail, however, takes less bandwidth and more people can use the same access point. To prevent passersby from eavesdropping on data traffic the same way that people can listen in to others' cell phone conversations, the traffic can be encrypted.

For added security, wireless networks can be configured so that they sit outside the corporate firewall. Wireless users would then be treated the same as dial-up users: they have to log into the company's virtual private network (VPN). This is more difficult to configure, however, and Cisco said many of its customers are satisfied to simply use LEAP.

A typical corporate setup, with security, wireless cards and access points, and monitoring software, runs about $500 per user per year. But off-the-shelf consumer versions can run less than $200 total, and this poses a major threat to corporate IT departments.

If a particular office isn't wireless enabled and the employees would like it to be so that they can move around easily, any one of them can walk down to the local mall and pick up a card and base station and plug it in.

The latest devices configure themselves and are very quick and easy to install. They also don't have the same protections built in as their enterprise brethren.

What can securities firms do to ensure that their employees aren't opening up their networks to the whole world?

"First of all, what we recommend is that corporations perform penetration testing every six months or every year," said Froede. "Part of that is you test for wireless: you go out to all the offices and see if you can pick up a signal."

Another option is to look at IP addresses, the unique sets of numbers that identify machines on the Internet. "You can have one of your network administrators check which IP addresses are used throughout your network. If they see an IP address associated with a piece of equipment they can't identify, there's a possibility that that could be a wireless access point," he said.

In some cases, it may also be possible to tell if more than one machine is using a single network access point. "We are engineering things on Cisco products to make it easier for companies to identify these rogue access points," said Cisco's Bolinger.

It's still more of an art than a science, he said, but better tools will be available in six to 12 months.
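The three checks described above (an on-site survey for signals that should not be there, an inventory check of the addresses in use on the network, and spotting an address that is really several machines) can be scripted against data a network team already collects. The following is an added example written for this page, not code from the article, Cisco or EDS. The survey scan, approved access point list, asset inventory, ARP/DHCP snapshot and flow records are constructed sample data; the function names and the TTL-family heuristic used for the third check are assumptions, not anything the article or a vendor specifies.

```python
"""Rogue wireless access point triage.

Added example, not code from the article or any vendor named in it. It
implements the three checks the article describes on constructed sample
data: (1) an on-site radio survey compared against approved access points,
(2) an inventory check of hardware addresses seen on the wired network, and
(3) a heuristic for one address that is really several machines.
All names, sample values and thresholds here are hypothetical.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# (1) Constructed result of a walk-through radio survey: (ssid, bssid, channel).
SURVEY_SCAN: List[Tuple[str, str, int]] = [
    ("CORP-WLAN", "00:0b:85:00:00:01", 1),
    ("CORP-WLAN", "00:0b:85:00:00:02", 6),
    ("linksys", "00:06:25:aa:bb:cc", 11),   # consumer box someone plugged in
]
# Constructed list of the radios the network team actually deployed.
APPROVED_BSSIDS: Set[str] = {"00:0b:85:00:00:01", "00:0b:85:00:00:02"}

# (2) Constructed asset inventory (MAC -> description) and an ARP/DHCP
# snapshot of the wired segment: (ip, mac, hostname).
INVENTORY: Dict[str, str] = {
    "00:1a:2b:11:11:11": "trading-desk-01",
    "00:1a:2b:22:22:22": "trading-desk-02",
    "00:1a:2b:33:33:33": "printer-floor-7",
}
WIRED_SNAPSHOT: List[Tuple[str, str, str]] = [
    ("10.7.1.10", "00:1a:2b:11:11:11", "desk01"),
    ("10.7.1.11", "00:1a:2b:22:22:22", "desk02"),
    ("10.7.1.12", "00:1a:2b:33:33:33", "prn7"),
    ("10.7.1.50", "00:06:25:aa:bb:cc", "linksys"),  # not in inventory
]

# (3) Constructed flow records from the wired side: (src_ip, ip_ttl).
# A consumer router doing NAT forwards traffic from every laptop behind it
# under its own address, so the TTLs of different operating systems
# (commonly starting at 64 or 128) show up mixed together from one IP.
FLOW_RECORDS: List[Tuple[str, int]] = [
    ("10.7.1.10", 128), ("10.7.1.10", 128),
    ("10.7.1.50", 127), ("10.7.1.50", 63), ("10.7.1.50", 127),
]


def find_unapproved_bssids(scan, approved):
    """Survey check: any radio heard that is not a deployed access point."""
    return [(ssid, bssid, ch) for ssid, bssid, ch in scan if bssid not in approved]


def find_unknown_devices(snapshot, inventory):
    """Inventory check: addresses on the wire whose hardware is not on record."""
    return [(ip, mac, host) for ip, mac, host in snapshot if mac not in inventory]


def initial_ttl(ttl):
    """Heuristic (assumption): round an observed TTL up to the nearest common
    starting value, so 127 and 128 are treated as the same OS family."""
    for start in (64, 128, 255):
        if ttl <= start:
            return start
    return ttl


def find_shared_addresses(flows):
    """Hidden-NAT check: one IP emitting more than one TTL family is probably
    a router with several machines behind it."""
    families = defaultdict(set)
    for ip, ttl in flows:
        families[ip].add(initial_ttl(ttl))
    return sorted(ip for ip, seen in families.items() if len(seen) > 1)


def rogue_ap_report(scan=SURVEY_SCAN, approved=APPROVED_BSSIDS,
                    snapshot=WIRED_SNAPSHOT, inventory=INVENTORY,
                    flows=FLOW_RECORDS):
    """Combine the three checks into one findings dictionary for the reviewer."""
    return {
        "unapproved_radios": find_unapproved_bssids(scan, approved),
        "unknown_wired_devices": find_unknown_devices(snapshot, inventory),
        "addresses_hiding_several_machines": find_shared_addresses(flows),
    }


if __name__ == "__main__":
    for finding, items in rogue_ap_report().items():
        print(f"{finding}: {items}")
```

The three checks are deliberately independent because they fail in different ways: a consumer access point bridging rather than routing traffic will not trip the TTL heuristic but will show its clients' unknown hardware addresses in the inventory check, while a box that is switched on only after hours will be missed by a daytime survey but still leaves a lease or ARP entry behind. In practice the inventory and flow data come from the DHCP server, switch tables or a flow collector rather than the literals above.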


Maria Trombly can be reached at 011-86-21-6387-7243 or by email at maria@trombly.com