
Fast, Cheap and Out of Control

The Bush administration just can't seem to please anyone these days. Not only as of this writing was the White House planning to engage in a war with Iraq that appeared to be unpopular with the majority of poll-taking Americans, but back in September, someone in the administration leaked to the press a draft of the president's “Secure Cyberspace” report. The document was intensely critical of the unchecked growth and usage of wireless LANs, and it banned Wi-Fi technology from government offices.

Even in our newly security-conscious society, the news riled many in the Wi-Fi community, and the administration eventually released a formal version of the report that was softer, advising the wireless LAN industry to address its security shortcomings and instructing federal government employees to use extra caution when using wireless LANs.

On a positive note, the Bush administration's newfound interest in Wi-Fi is proof of the technology's rapid growth from a geek novelty to mainstream staple. But the document also highlights what many see as the chief factor keeping the technology from even greater widespread deployment. The Wired Equivalent Privacy (WEP) protocol, the security measure inherent in 802.11 Wi-Fi, is the weak link of an otherwise well-conceived standard: Many people in the industry say its encryption can easily be cracked, leaving the access points, user devices and software that employ the WEP protocol vulnerable to hackers.

In addition, the Wi-Fi user community is fraught with unawareness and apathy about the safety of Wi-Fi transmissions and the tools that can be used to increase security. Moreover, Wi-Fi services and equipment for the most part currently lack any sort of management or control tools that might help hot spot administrators improve the security of their sites.

And there stands the Berlin Wall of Wi-Fi: Lazy security may have been fine for casual home users looking to save a few bucks on high-speed Internet and user community idealists who think broadband should be free. However, Wi-Fi vendors and service providers can forget about reaching the lucrative land of business enterprises beyond this wall unless security becomes a top priority.

Bill Seifert, a general partner with Prism Ventures and chairman of Colubris Networks, a company manufacturing secure wireless LAN access points/routers, put it most succinctly: “Security is the first and foremost issue for the enterprise adoption of Wi-Fi.”

The mountainous and sparse landscape of western Utah hardly seems the obvious place to demonstrate the problems facing Wi-Fi security — how many hot spots could there be? Yet even out here, someone is trying to figure it out.

With a freshly downloaded copy of the popular Netstumbler Wi-Fi antenna sniffer software and a receiver antenna crudely but effectively constructed from an empty bean can, an engineer from Rappore Technologies is trying to see how many Wi-Fi hot spots he can ferret out on his 20-mile drive home from the security software company's office in Orem. The answer: More than 100.

And if there are that many in a 20-mile stretch of western Utah, how many are in your own backyard?

“You'd think there's not a lot going on in Utah, but there were more than 100 hot spots, and a lot of them weren't protected,” said Gordon Mella, director of product marketing at Rappore. “They didn't have their [WEP] security turned on.”

Many Wi-Fi users wouldn't be shocked to hear that. After all, it's common practice in the tight-knit Wi-Fi community for hot spot owners to let complete strangers use their antenna signals for free. It's also not uncommon for traveling Wi-Fi users to keep track of friendly hot spots by going on war drives — road trips undertaken with the sole intention of sniffing out Wi-Fi signals to get free piggyback rides to the Internet.

But an industry that started humbly enough with grassroots ideals about free broadband usage is getting a bit crowded, and not all antenna owners want their hot spots used by just any old hitchhiker on the broadband highway.

Likewise, not all of the rapidly increasing number of Wi-Fi users — the throngs with 802.11b card modems or laptops with internal Wi-Fi semiconductors — want to transmit data over an insecure signal that a hacker could easily crack.

For example, many of the dozens of hot spots outside Orem could be intended for community use — they could be located anywhere from coffee shops and gas stations to individual homes. However, some of them also are likely to be deployed in small businesses, remote offices of very large companies and schools, or in the homes of people who might not like the idea of someone stealing a piece of their precious bandwidth.

Many of the traveling Wi-Fi users accessing these hot spots are simply e-mailers on the go, or college students checking their Match.com profiles while they sip lattes. But others could be office workers just looking for a quicker way to access the Internet for professional purposes, or a college professor sending a batch of student grades from the classroom to another computer in his department office across campus.

The immediate problem with this type of booming but chaotic environment is that the majority of hot spot owners and users often fail to take even the simplest security precautions.

“Technology is always ahead of sociology,” said Mella, explaining why the Wi-Fi-aware don't seem to be so security-aware. “People don't install the WEP security, or they forget about it, or they don't think it works.”

Sandeep Singhal, co-founder and chief technical officer of enterprise management software firm Reefedge, added, “It's very easy for a hacker to find your wireless LAN, because it leaks its signal.”

However, Paul Goransson, president of Wi-Fi technology developer MeetingHouse Data, said, “The ease of cracking WEP encryption has been overblown, and we can't lose sight of the fact that users of this technology just aren't aware enough to activate the WEP [driver].”

Abner Germanow, principal analyst at Internet security consultancy Secure Marketing, said that behavior is endemic to how users traditionally have felt about networking security. “It's always been that users would ask about product security, and a vendor would say ‘Sure, it's secure,’ and the user wouldn't ask any more questions. But for any networking technology to be truly secure, further measures to protect hardware and software are also necessary.”

Rappore's Shield software is an example of the latter — an automatic, location-aware solution that gives Wi-Fi transmissions various grades of encrypted security protection.

But Mella said that he and others in the Wi-Fi hardware and software communities recognize that the security battle will be one fought at many levels. As Wi-Fi deployments grow into collections of interconnected hot spots, which potentially could happen in larger enterprise deployments, security at the network level becomes as important as it is at the user level.

In fact, there is something of a mild debate in the Wi-Fi industry about where security is more important and where encryption should be based — at the access point/edge router or at the user device. “The short answer is that there should be both,” Singhal said. “Someone can always put a rogue access point near a secure one or an invalid user could hack into an insecure access point.”

Seifert said bundling VPN capabilities into an access point/router means that security doesn't rely completely on the one person who manages the corporate firewall. “Security is an issue for everyone to worry about.”

Besides the authority of his station at Colubris, Seifert has a historical perspective on the enterprise LAN market that is hard to match. He's worked with LAN-based distributed computing technology for about 30 years, and during the 1980s he co-founded Interlan and Wellfleet Communications, two companies that have more to do with the birth and success of enterprise data networking than even Cisco Systems (see sidebar on page 32).

At the time Seifert began working with distributed computing, a portable PC was a pig with wings: It couldn't be done. No one thought about the effect a remotely located computer — let alone one capable of wireless data transmission — could have on local area networks. The idea of the LAN itself was merely a dream shared by a few enterprising minds.

Back in the 1970s, working in Los Alamos, N.M., on a nascent distributed computing project for a large laser fusion facility, Seifert certainly never had a thought that LANs would one day go wireless. In its infancy, wireless was a spotty, expensive technology with no enterprise potential. People were just happy to have desktop PCs that didn't take up their entire office.

“My time at Wellfleet ended in '91, and Wi-Fi was still a dream then for the enterprise,” Seifert said. “Now companies are building Wi-Fi chips into the latest generation of laptop computers.”

Seifert believes the next great technological evolution in the enterprise LAN will be a wireless one — as long as the industry begins to take the security issue seriously. For now, proprietary security solutions and encryption methods are supplementing the thin veil of security provided by the WEP protocol. But having to sort through the advantages, disadvantages and complexities of various proprietary methods ultimately leads to interoperability problems, user confusion and market paralysis.

The inadequacy of the WEP protocol and the need to integrate more advanced security solutions into the 802.11 Wi-Fi standard has sent technologists back to the drawing board. Last month, as Boston felt the stiff embrace of a brittle autumn morning, some of the top minds in Wi-Fi gathered at the Next Generation Networks conference for a panel discussion on the progress toward new Wi-Fi security protocols.

The panel on “WLAN Security: Will it ever be fixed?” included MeetingHouse Data's Goransson as well as Russ Housley, the senior consulting architect for RSA Labs (the technology arm of RSA Security), and Dave Juitt, chief technology officer of authentication software developer BlueSocket and a 20-year network security expert.

Housley, the chairman of the IEEE 802.11 security working group, said the short-term security solutions for the Wi-Fi market are centered around a still-developing standard called 802.1X. “It's the standard for Wi-Fi port authentication, and it uses extensible authentication protocol (EAP) packets to encrypt transmitted data at the header,” Housley said.

Though 802.1X has not yet received full approval, companies such as MeetingHouse Data and RSA are already using it in product offerings. Still, Housley said some in the industry have been critical of 802.1X with EAP because it can be confusing to implement — a primary weakness of WEP.

Long-term, Housley said the best security solutions are tunnel authentication and encryption methods automatically embedded in data transmission that use the data header to verify the transmission source and contents — similar to how IPsec and IPv6 work as security measures in the wireline data world. He said these tunneling protocols will be cultivated over the next year and will increase in adoption until they effectively retire WEP. Some access points already use IPsec encryption and VPN tunneling.

Importantly, Juitt added that although wired and wireless data security are “different animals,” the new Wi-Fi security standards must be developed for interoperability in a larger, more interconnected data universe — a nod toward Wi-Fi's accomplished pervasiveness, as well as an acknowledgement that Wi-Fi is about to go places it hasn't been before.

“Initially, Wi-Fi probably will not replace traditional LANs,” Seifert admitted. “Nobody likes to throw stuff away. The cable Ethernet wired network does not seem to be on the wane.” Yet there are enterprise LANs for which wireless technology will prove the better and cheaper route to broadband access than the wireline options available.

Also, as the nature of the corporate enterprise changes, enterprises and the service providers who want their business will need to use an array of wired and unwired technologies to extend the fullest of communications capabilities to workers within headquarters, at remote offices or traveling in airports, railroad stations and highway rest stops. This complex architecture seems almost certain to include Wi-Fi, whether as a predecessor — or complete alternative — to 3G.

“The reality is that the enterprise IT environment keeps changing — new users, new applications, different technologies, different devices, different rules,” Reefedge's Singhal said.

The reality is also that many enterprises already use or interact with Wi-Fi hot spots on a daily basis, whether they know about it in the executive suite or not.

“Even if you secure your enterprise network, someone can plug in a rogue access point — lots of employees already do that with no understanding of the security issue it creates,” Singhal said.

And corporate employees who work from home or from the road could be using insecure Wi-Fi transmissions without enterprise managers knowing, Rappore's Mella said. “Enterprise policies are getting challenged by the rogue user who wants to stay in touch in the best possible way. The IT perimeter is disappearing, and that makes the enterprise network harder to manage.”

Seifert called management of Wi-Fi usage the lingering issue that, along with security, must be solved for Wi-Fi to succeed in the enterprise. “Management is always the thing that lags, ever since LANs were created,” he said. “Enterprises need to know how to manage and configure users.”

Indeed, when Ethernet first was used in enterprise networks, it also had security shortcomings, but the Category 5 cabling that extended Ethernet to enterprise users gave network managers the necessary physical control to configure or remove users. Later, virtual private network solutions gave these network managers an even finer degree of control over user authentication, and network and usage monitoring.

“If you lose physical control, you lose control of who is using your network,” Singhal said. Also, unlike VPNs, Wi-Fi doesn't provide varying rights of usage often required in enterprise networks used by senior corporate officers and entry-level workers alike.

That's why, for enterprises with especially critical data, Singhal advocates wireless VPNs or other VPN technologies (virtual LANs, wired VPNs or firewalls) rather than Wi-Fi. However, Juitt said all of these options have weaknesses that a secure, managed Wi-Fi enterprise could beat.

“VPNs are not mobile,” Juitt said. “Firewalls stop fraudulent access, but they don't tell you anything about the denied access requests.”

Rather, Wi-Fi proponents favor the integration of Wi-Fi with existing and new network and service management layer technologies to make Wi-Fi mature enough for enterprise use.

Seifert said Colubris is interested in partnering with companies like Micromuse and Hewlett-Packard that have widely deployed network and service management products.

“Vendors of management tools need to understand the market is waiting for them,” he said. Seifert admitted, however, that Colubris has been too busy trying to drive revenue to actively pursue these partnerships.

The news of the management void blocking the adoption of Wi-Fi in the enterprise should be inspiring to some carriers, which maintain strict reliability requirements for their own public networks. Perhaps there is room for service providers to have some impact bringing Wi-Fi into the enterprise and contributing their own management expertise to help enterprise network managers control that environment.

However, service providers have done little with Wi-Fi so far, and have not made much of an impression in the enterprise business. “Service providers and enterprises will develop in distinct, independent ways,” Seifert said. “Enterprises certainly must deal with what happens once you get out of the building, but whether carriers will integrate a wireless LAN with 3G remains to be seen.”

He said he would like to see Colubris eventually work with service providers as they become actively involved in Wi-Fi. Still, the old enterprise hand also didn't miss a chance to chide the service provider community.

“They need to overcome the learning curve, and they haven't even learned how to spell TCP/IP yet,” Seifert said. “I don't know if they ever will.”

The man with the plan for the wireless LAN

When Bill Seifert was named chairman of wireless LAN router company Colubris last June, he may have been a newcomer to wireless, but not to the LAN technology industry. The 56-year-old spent the last four years as a general partner at Prism Venture Partners in Westwood, Mass., but prior to that he was best known as one of the guys who gave Cisco Systems a run for its money during the great “router wars” of the 1980s.

Cisco's position as the king of the LAN wasn't always so certain, and on the way to dominance the firm faced intense competition from two companies co-founded by Seifert, Interlan and Wellfleet Communications.

Seifert's rise as a LAN entrepreneur began from a basic need. “When I was working in Los Alamos [N.M.] on a laser fusion facility, I was convinced we needed a LAN, and I started bugging our biggest vendor, DEC, about it. So they gave me a job and I got to Massachusetts,” Seifert recalled. That's how he came to meet Paul Severino, a former DEC employee and entrepreneur.

“I met Paul in this bar in Marlborough [Mass.] and we started talking about some of the same things. We used a $650,000 loan to start Interlan. After we sold that company, we hooked up for Wellfleet.”

Several years later, after merging Wellfleet with Synoptics to form Bay Networks, Seifert went on to start Agile Networks, a company focused on interconnecting LANs and WANs that was acquired by Lucent Technologies in 1997.

He then got involved with a troubled start-up called Digital Lightwave, which he and others were able to turn around into a $120 stock. “I have a letter framed on my desk from a receptionist there who was able to buy her first house with cash from the stock she owned,” Seifert said. “That's when I figured out I had something to teach young companies.”

About two years ago, Seifert met Pierre Trudeau, founder of Laval, Quebec-based Colubris, at the Networld+Interop trade show in Atlanta. “I liked Pierre's story and the security emphasis of it, seeing that it was the key for Wi-Fi having any kind of scale. I also saw it as something that would give Cisco a run for their money — and I'm always interested in doing that.”

At first, Seifert was just an investor and board member for Colubris, but he led a board move to change the company's leadership last summer (Trudeau is still at Colubris as chief technology officer), and try to stoke revenues.

“We need to get revenue and mindshare, and it was a move to help kick up revenue,” Seifert said. “My connections in the telecom industry can help.”

© 2012 Penton Media Inc.