One of the most frequently asked questions put to wireless local-area network (WLAN) vendors is, "what about security?" It is indeed wise for network administrators to be concerned about security, on any type of network. Disgruntled former employees, hackers, viruses, Internet-based attacks, and industrial espionage are an unfortunate fact of life in any form of networking today.

What we will discuss in this white paper are the threats to the security of any network, how they specifically relate to wireless LANs, and those elements unique to wireless LAN technology available to combat these potential threats.

It is odd to those who specialize in wireless LANs that a significant degree of concern regarding security is often evident among users and managers of wired LANs. This concern, however, does not usually extend to the wire; the security of information on the wire is, perhaps incorrectly, assumed as a given. But as soon as data packets begin traveling through the air, a high degree of anxiety sets in. After all, it is reasoned, the wired LAN is inside the company's building, and the data stays on the wire, only available to authorized users with physical connections to that wire.

In fact, any network, including a wired LAN, is subject to substantial security risks and issues. These include:

	Threats to the physical security of a network
	Unauthorized access and eavesdropping
	Attacks from within the network's (authorized) user community

As will be seen below, a wireless LAN has all of the properties of a wired LAN (except, of course, the wire itself!), and thus security measures taken to ensure the integrity and security of data in the wired-LAN environment are also applicable to wireless LANs as well. The only real difference between a wired LAN and a wireless LAN is at the physical layer ­ all other network services (and vulnerabilities) remain. Wireless LANs in fact include an additional set of unique security elements which are not available in the wired world, leading to the proposition that wireless LANs are actually more secure than their wired counterparts - an opinion shared by many industry analysts and experts.

Given the obvious reliance of wired LANs on a wired physical plant, anyone gaining access to that wire can damage the network or compromise the integrity and security of information on it. Without the proper security measures in place, even registered users of the network may be able to access information that would otherwise be restricted. Disgruntled current and ex-employees have been known to read, distribute, and even alter valuable company data files.

LAN traffic can be intercepted and decoded with commonly available software tools once one has physical access to the LAN cabling. Network administrators, regardless of whether or not they have wireless segments on their LANs, need to have the appropriate security products for their environments, the proper security levels set for their users, and an on-going process to audit the effectiveness of security policies and procedures. Physical access to network wires needs to be protected. Unfortunately, the vast amount of wire inherent in most LANs provides many points for unauthorized access.

Another area of concern for security-conscious network administrators is the growing use of the Internet. Often, if users from inside can get out to the Internet, then users from outside can get into a network if proper precautions haven't been taken. And this applies not only to the Internet, but also to any remote-LAN-access capabilities that might be installed. Remote access products that allow traveling sales and marketing people to dial in for their email, remote offices connected via dial-up lines, intranets, and "extranets" that connect vendors and customers to a network can all leave the network vulnerable to hackers, viruses, and other intruders. Firewall products offering packet filtering, proxy servers, and user-to-session filtering add additional protection, but hackers seem to get smarter all the time. Many products are available to help network administrators secure their networks from the above threats. User authentication and authorization is provided by most network operating systems, and can be enhanced by adding third-party products.

Perhaps the most difficult threat to detect is someone just looking at (and likely copying) raw data on the LAN. Wired networks are particularly vulnerable to eavesdropping. Most Ethernet adapters on the market today offer a "promiscuous mode" that, with off-the-shelf software, enables them to capture every packet on the network. What network administer doesn't have some kind of "packet sniffer" or LAN-traffic analyzer for trouble-shooting the network? Inexpensive and readily available programs let anyone with physical access to the network to read, capture, and display any type of packet data on the net. And even wired LANs have an unintended wireless component. Many types of LAN cabling, particularly unshielded twisted pair, radiates significant energy. This leads to the possibility that anyone with a strong motivation, the right radio equipment, and a good antenna can sit in the parking lot outside a building and actually intercept wired Ethernet data packets - without detection.

Data encryption is the only line of defense against this kind of threat. Unfortunately, a sense of complacency among network managers has resulted in the limited use of in-building encryption, often with unforeseen (and unknown) results.

As can be seen from the above discussion, data security considerations impact the entire network architecture, and also apply equally to wireless LANs. But the very different physical layer of wireless LANs actually increases overall network security, as follows:

Most wireless LANs use spread-spectrum radio transmission techniques. Spread spectrum technology was first introduced about 50 years ago by the military with the objective of improving both message integrity and security. Spread-spectrum systems are designed to be resistant to noise, interference, jamming, and unauthorized detection.

Spread spectrum transmitters send their signals out over a broad range of frequencies at very low power, in contrast to narrowband radios that concentrate all of their power into a single frequency. There are several ways to implement spread spectrum transmission, the two most common being direct sequence (DS) and frequency hopping (FH).

Please reference the Introduction to Wireless LANs document

Both techniques present unintended receivers with a difficult problem. In the case of DS, an eavesdropper must know the chipping (spreading) code. Someone trying to intercept an FH transmission must know the hopping pattern, In both cases, the specific frequency band (or portion thereof, in the case of DS) and modulation techniques in use must also be known. Radio systems also use a form of data scrambling for purely technical reasons, which is to assist in managing the timing and decoding of radio signals. An unintended receiver would also need to know this scrambling pattern.

Infrared-based wireless LANs are often used in high-security applications because infrared signals do not penetrate solid objects, like walls. Thus a project team could be literally cut off from the outside world and still have the benefits of a LAN. Some products use narrowband radio, which does not use spread-spectrum transmission. While this technique certainly works, it is not as inherently secure as spread-spectrum, and encryption is therefore a must when this technology is used. But all of these techniques allow the use of encryption, and indeed, many wireless LAN products include encryption features as a standard or optional component. The IEEE 802.11 standard, for example, includes a security technique known as "wired equivalent privacy" (WEP), which is based on the use of 64-bit keys and the popular RC4 encryption algorithm. Users without knowledge of the current key (password) will find themselves excluded from network traffic. Encryption, as noted above, is always advisable on any network, and is certainly easier to implement in wireless LANs than in their wired counterparts.

Most wireless LAN products have the ability, as an authentication management function, to specifically authorize or exclude individual wireless stations. Thus an individual wireless user can be included in a network, or, at any time, locked out. Users may also need to know a wide variety of information, including radio domains, channels (specific frequencies or hopping patterns), subchannels, security IDs, and passwords. Other configuration information relating to in-building roaming might also need to be known. Thus network administrators can make unauthorized network access very, very difficult even for hackers who possess the specific wireless equipment being used at a given site.

And, surprisingly, eliminating significant amounts of wire from a given installation dramatically reduces the number of places for wire tapers to gain access to the wired physical plant. While wireless LANs usually involve the use of a wired backbone network for access-point interconnection, the amount of wire is quite small, and extra steps can be taken to safeguard its physical integrity without inordinate cost. Moreover, since the access points used in wireless LANs function as bridges, individual wireless users are isolated from perhaps the majority of LAN traffic, again limiting user access to raw network packets.

The diligent management of security is essential to the operation of local-area networks, regardless of whether they have wireless segments or not. It's important to point out here that absolute security is an abstract, theoretical concept - it does not exist anywhere. All LANs are vulnerable to insider curiosity, outsider attack, and eavesdropping. No one wants to risk having the LAN data exposed to the casual observer or open to malicious mischief. Regardless of whether the network is wired or wireless, steps can and should always be taken to preserve network security and integrity. It should be clear from the discussion above that wireless LANs can take advantage of all of the security measures available on wired LANs, and then add additional security features not available in the wired world. The result? That surprising conclusion that wireless LANs can be, in fact, more secure than their wired counterparts.