Web Informant #409, 5 May 2005: One button wireless security

 

http://strom.com/awards/409.html

 

Most wireless networks these days operate without any encryption whatsoever. And while security professionals (and the FBI) try to make the point that this is a foolish practice, very few of us take the time to do otherwise.

 

I can't tell you how many wireless networks are running in the clear at the homes of people who should know better: IT executives, corporate titans of industry, and computing professionals who are familiar with PKI and hacking tools. Why do so many people forgo encryption? There isn't any one good reason. Setting up encryption over your wireless network often requires a Computer Science degree, plenty of patience, reading at least two manuals, or just dumb luck.

 

It could be that since setting up a wireless router has become so easy, and the routers themselves now retail at less than $100, we have all become complacent. Maybe when you get unencrypted communications working you stop and are so thankful that your router is working at all.

 

The holy grail of wireless encryption right now is setting up Wi-Fi Protected Access encryption. This is the most secure method that is currently commercially available, and is getting wider support from the vendors and in more shipping products. However, getting WPA working isn't easy, as I mentioned before. And so several vendors, especially those who sell chipsets into the lower-end home router lines, have stepped up to the challenge of making encryption more effortless.

 

The theory is to have a single button on the router that you can press to initiate the setup process. This, like the one-button backup on external hard drives, is easier said than implemented. This is because, as with backups, you need to orchestrate the dance of the router and each client in a careful conversation; otherwise the encryption won't work. While it is great to have a button to press, you have to make sure that your software macros can not only control this series of events to establish secure communications, but also handle all sorts of error conditions or exceptions as they go through the process of changing the SSID of the router to something other than the vendor's name or your address (neither of which is a good idea, BTW), and transferring the keys back and forth between client and router.

 

Of course, each vendor's scheme is proprietary and not compatible with others, but so what else is new in the world of networking? So far, we have schemes from:

 

 

 

 

As mentioned on our Tom's Networking site, HP and Linksys have adopted Broadcom's scheme, and the first routers from Linksys are now available as upgrades to the WRT54G models.

 

Now, normally having three different schemes isn't big news in the networking world, as I just said. But the interesting twist this week is that Atheros is trying to make a difference by posting their scheme as open source on SourceForge's Web site. Given that there is some early market momentum in the Broadcom camp, it isn't entirely altruistic. But still, anything that will move encryption out of the PKI faithful and into the general user population is worthwhile. And while admirable, it will take some clever software engineering to pull off a completely flawless one-button routine. Whether any of this stuff will stand the test of time is another matter, but at least I give them points for trying to make it all easier.

 

In the meantime, if you are running a wireless router and haven't bothered to turn on encryption, you shouldn't wait for these one-button products to come out. Take the time to protect your network and set it up.

 

 

David Strom

Editor-in-Chief

Tom's Guides Publishing

31225 LaBaya Dr #107

Westlake Village, CA 91362

+1 (818) 991-0282 x204

david@strom.com

 

Web Informant is a registered trademark (®) with the U.S. Patent and Trademark Office.

ISSN #1524-6353 registered with U.S. Library of Congress


Entire contents copyright 2005 by David Strom, Inc.