Something had been bothering Peter Johnson ever since last November, when the announcement of security flaws in the standards used for wireless LANs boomeranged his wireless project for the U.S. Army back to the drawing board. It wasn\u2019t that the initiative was delayed several months while Johnson bought encryption technology. It was those ads in the Sunday newspaper fliers for cheap wireless LAN hardware on sale at your local electronics store."The average person buys it because they say, \u2019Hey, I can run my computers off of one network\u2019" and one Internet connection, says Johnson, former CIO of the Army\u2019s Program Executive Office of Enterprise Information Systems in Fort Belvoir, Va. "The technology is great. It\u2019s inexpensive. But this technology that\u2019s being sold for a couple hundred dollars doesn\u2019t come with a big red sticker that says, \u2019Warning, this is really insecure.\u2019"Welcome to the dark side of a technology that\u2019s actually cheap and easy to use. Whether or not CIOs like it, wireless local area network (WLAN) devices are being carried two-by-two into home and corporate offices by employees who see ads like those and don\u2019t know that the security of the devices is flawed. By Gartner\u2019s estimates, one in five companies has a wireless LAN that the CIO doesn\u2019t know about, and 60 percent of WLANs don\u2019t have the most basic security functions turned on. Meanwhile, airports and Starbucks coffee shops are pushing wireless access, and a growing number of neighborhood associations and even just neighbors are offering public Internet access?grassroots-style?by installing wireless transmitters. All the user has to do is plug in a cheap network card, log on and start surfing."It\u2019s just so cool," gushes Gartner\u2019s John Pescatore, describing a recent conference where Cisco Systems gave every attendee a wireless network card?and left the security up to individuals. People e-mailed Pescatore questions during a speech rather than raising their hands. Maybe they turned off file-sharing in their operating systems and used a virtual private network to secure their laptops. Maybe they didn\u2019t. But they ate up the technology like jelly rolls at break time."It\u2019s not the IT shops leading the way," says Pescatore, who works from Gartner headquarters in Stamford, Conn. "It\u2019s the users." But (and you saw this coming, right?), it\u2019s the IT shops that ultimately must lead the way to better security.Look, Ma! No Privacy!What are these WLANs that everyone is talking about? Governed by the 802.11 set of standards created by the Institute of Electronic and Electrical Engineers (IEEE) in New York City, WLANs transmit data not by wires but by radio waves, in frequencies that don\u2019t require a license (2.4GHz and 5GHz). Setting up a WLAN is a little like plugging a cordless phone base into the telephone jack in a home office, then placing several cordless phones around your house to share that one jack. In WLAN parlance, the base is called an access point (and costs from $200 to $1,000), and the receiver is a wireless network card (which costs as little as $70). The end result is just plain neat. (Look, Ma! No cords!) But the signal can also be picked up by a neighbor using nothing more than a similar $100 wireless network card.For that reason, security experts have always been leery of WLANs. Anyone with the right hardware can eavesdrop on network traffic or freeload Internet access. More seriously, a hacker could gain network access not just to the Internet connection but also to network resources. (Best Buy, for example, stopped using its 802.11b wireless cash registers this past spring after a hacker claimed to have stolen credit card information from the systems.)The IEEE tried to solve those problems by building security into the 802.11b standard (also known as Wi-Fi), with an optional encryption capability known as wired equivalent privacy (WEP). The first problem was that the majority of WLAN users didn\u2019t bother to even turn on WEP. Then, last February, three researchers from the University of California at Berkeley announced that even when used properly, WEP was insecure because the security algorithm had weaknesses. A hacker who captured as little as 10 to 20 minutes of network traffic could decode the encryption scheme. That done, he could read all the network traffic he had captured and, until the next time the WLAN user changed the WEP key, he could also gain network access.After the announcement, organizations with high security stakes?the Army, for example?banned WLANs without additional security, and everybody expected WLAN sales to collapse, at least until the IEEE hammered out new security protocols. But sales didn\u2019t drop off. In fact, quite the opposite has happened. The Meta Group predicts that by the end of 2002, 75 percent of Global 2000 companies will have trial WLANs.The good news is that there\u2019s no reason for WLAN security flaws to keep most businesses from enjoying the convenience of WLANs. But first, CIOs must know what they\u2019re dealing with.The Hunt for Rogue WLANsJoseph Magee used to be a CIO\u2019s most irksome problem: an MIS guy who brought WLAN equipment into the office just to play with. "Little does [that person] know that that signal sitting right there on his desk can easily be sniffed," says Magee, referring to the process of monitoring the airwaves for WLAN traffic."I was that guy once," admits Magee, a former chief security officer at an online brokerage who is now CSO at Top Layer Networks, a network security company in Westboro, Mass. "I looked at what I plugged into on my screen, and a big financial corporation\u2019s name popped up on my laptop, and I looked across the street and saw their building. It freaked me out." The tools that hackers or curious interlopers use to look for WLAN traffic can help with defense as well. By using tools such as NetStumbler, a Windows utility, or IBM\u2019s Wireless Security Auditor, CIOs can find out whether there are any rogue wireless LANs at the office.They might be surprised, says Meta Group Senior Research Analyst Chris Kozup in Burlingame, Calif. "I\u2019ve had customers who\u2019ve done this, and one CIO found 27 rogue access points. That\u2019s just one example," he says. And that\u2019s just access points, each of which typically has 10 users.Not only can an audit for WLANs help locate rogue installations, it can determine how far the WLAN signal is transmitting. Into the hallways? Out in the parking lot? Down the street? If the signal is stronger than it needs to be, the amplification level often can be turned down, or the device can at least be placed away from a window (which doesn\u2019t block a wireless signal as well as a wall).Beyond that, CIOs have five main options in deciding what to do about these WLANs, depending on the sensitivity of the data and how the wireless devices are used.Make the best of what\u2019s there.Even though the security built into 802.11b devices is flawed, it\u2019s better than nothing. Simply enabling WEP can go a long way to improving security. Companies that are relying on WEP for keeping out snoopers will also need strict policies to make sure the key gets changed daily?at the minimum.A couple of other built-in features can help with authentication too. One is the media access control (MAC) address. This is a unique address written into the firmware of a network card. An administrator can configure the network so that only certain MAC addresses can log on. (The weak link? A hacker can watch the airwaves for a successful log-on, change his own MAC address on his computer or laptop and then gain network access.) The second is the service set identifier (SSID), an alphanumeric ID hard-coded into a wireless device. If the client doesn\u2019t have the same SSID as the server, access is denied. Most users leave the SSID at its default settings, which can be looked up online, so administrators should be sure to change the default.Segment the WLAN from the rest of the network.If the data passing through the wireless LAN isn\u2019t sensitive, it may be enough to separate the traffic from the rest of the network. That can be done with firewalls, treating the wireless access point like any other router. Another related option is a virtual LAN, which partitions the network and allows certain users to access only certain resources. That\u2019s the solution at Paul, Hastings, Janofsky & Walker, an international law firm based in Los Angeles, where in a few new conference rooms visiting clients can use free wireless Internet access. When a visiting user boots up a laptop with a wireless network card, it identifies a WLAN connection and a message appears: "Welcome to Paul Hastings\u2019 virtual network. Please click here for Internet access"?a modified version of the message coffee-slurpers get when they access the for-pay WLANs Starbucks has installed at many locations.Theoretically, anyone nearby could get free Internet access, although CIO Mary Odson says the signal degrades noticeably near the windows, and even inside the building. Encrypt data end-to-end with a VPN.Within the next two years, Odson anticipates that her attorneys will also use WLANs regularly for accessing the network. In fact, she\u2019s so sure of this that as Paul Hastings designs new offices, she\u2019s spending less money on cabling. For transmitting sensitive legal documents and e-mail, she\u2019ll use a combination of virtual private networks and encryption, treating each attorney as a virtual user even if he is in the office.For that scenario, even an improvement on WEP wouldn\u2019t work. WEP encrypts data between a wireless network card to the access point; a VPN encrypts data end-to-end. That kind of setup is already common in corporate America, especially for mobile employees. It isn\u2019t a perfect option, of course. Not only are VPNs expensive and difficult to scale, but they also limit IT\u2019s control over the data transmitted over the network, says Meta Group\u2019s Kozup. But he adds that this is still the option most organizations are choosing for securing their WLANs.Find a proprietary solution.There are other proprietary wireless solutions for CIOs who aren\u2019t content with these options. Major WLAN hardware vendors, including 3Com, Cisco and Enterasys Networks, are adding extra security capabilities into their products. Among them, Cisco\u2019s LEAP (light extensible authentication protocol), which automatically changes the WEP keys in less time than it would take a hacker to decode them, has gotten the most attention. Other companies known as wireless LAN gateway vendors?Bluesocket and Vernier among them?sell centralized servers that perform authentication, encryption, and handle additional management and security details.The Army went the proprietary route. By the time you read this, it should have begun rolling out 11,000 access points that will connect 85,000 mobile Army users during the next four years. The Army\u2019s project is unique, not only because it carries sensitive information about battlefield logistics but also because the access points aren\u2019t permanently installed in an office. Instead, the access points are radios that travel along with troops. Each access point talks to a workgroup bridge that has computers cabled to it. The information on the WLAN is also encrypted using AirFortress devices from Fortress Technologies in Tampa, Fla.Johnson won\u2019t give specifics, but he admits that the solution was expensive, which was especially painful because the WLAN project was already underway before he knew he\u2019d need to purchase extra encryption. "Obviously we would have liked to use the native encryption within the radio" as planned, he says. "But since that is not doable we have had to incur the cost to put the device into the system."Wait and see.The trouble with proprietary solutions is that they are proprietary, and CIOs may find themselves locked into one vendor. Optimists hope that real security can be built back into WLAN devices some day. The IEEE is working on it. Standards currently in draft form would add two more levels of optional encryption: temporal key integrity protocol (or TKIP), a new version of WEP; and advanced encryption system (AES), which committee member Greg Chesson calls a super-scrambler. For WEP to be secure, users need to change the key every 200 packets of data or so, says Chesson, director of protocols at Atheros Communications, a Sunnyvale, Calif.-based company that makes chipsets for wireless LAN devices. In comparison, TKIP would require key changes every 30,000 packets, and with AES, users would need to change the key only every few billion packets.The standards draft could be ratified by the end of 2002, with products starting to appear several months later, but Chesson is cautious of setting a date. "It\u2019s pretty rambunctious. It\u2019s a lot like the U.S. Congress," he says of the IEEE meetings, describing heated discussions, a bog of details and votes based on party (vendor) lines. Meanwhile, for development purposes, Atheros has already let WLAN hardware vendors get their hands on updated chipsets that incorporate parts of the new AES security protocols. Analysts recommend that before making a purchase decision, CIOs should make sure that a vendor will be able to migrate to the standards once they are ratified, as Atheros promises.Even then, though, there\u2019s no guarantee that the new security standards won\u2019t eventually be proven as flawed as the first. That\u2019s why plenty of testing and planning is in order. In Atlanta, the United Parcel Service is rolling out a WLAN project that processes nothing more sensitive than tracking information, and using that project as a test bed for how laptop users might also use WLANs."If you read some articles, it sounds like everything is solid and all there," says John Nallin, vice president of information services at UPS. "However, they\u2019re not always that solid. If that was the case, we wouldn\u2019t be testing it in our facilities, we\u2019d just be plugging it in. When it\u2019s performing at the level we think it should be, we\u2019re going to utilize it because we do see the advantages."