The market for wireless networks is growing fast. But one thing hasn't changed: security is still a major concern for many IT directors.
According to Datamonitor, it is the number one worry in relation to this technology and, although the situation has improved markedly over the past couple of years, security issues continue to act as a barrier to adoption.
Nevertheless, the analyst believes that the market is still building rapidly. Last year, some 861,700 wireless access point devices were shipped worldwide, and this figure is expected to increase to 1.3 million by 2006, equating to a compound annual growth rate of 16 per cent.
If other equipment such as wireless Lan cards and switches are included, growth is more like 19 per cent, with the market valued at $724m (£408m) in 2003 and rising to $1.3bn (£0.73bn) in three years.
The technology is maturing and adoption is starting to quicken, particularly in vertical sectors such as retail, manufacturing, utilities and healthcare, but the inhibitor is still security - and not without reason.
Security failings
Yet despite the horror stories that have been documented over the past few years, a study commissioned by security vendor RSA and undertaken by Phil Cracknell, chief technology officer at security consultancy netSurity, indicated that a worrying 25 per cent of wireless access points in the City of London did not meet best practice security standards.
If the Department of Trade and Industry's Information Breaches Security Survey 2004 is to be believed, the situation is even more disturbing elsewhere. The DTI found that the number of UK companies of all sizes using wireless networks soared from two per cent in 2002 to more than one-third this year, but more than half had failed to introduce any security controls at all.
"One of the problems seems to be that a lot of these networks are not actually official," explained Cracknell.
"They're cheap to purchase and easy to install, and I'm certain that a lot of access points are not actually sanctioned and approved by IT.
"Instead, they're being bought by lines of business on expenses or local budgets, and then introduced into organisations by the back door."
As a result, rogue access points are unlikely to have been configured properly, and will be left in default mode. In most instances, this means they are wide open to security threats.
Another common problem is that organisations have a habit of buying boosters to increase the range of standard equipment, so that it covers a whole building rather than just a floor.
But the signal can end up leaking onto the street if access points are positioned close to exterior walls or top floors, the transmission power is not turned down, or a directional antenna is not used to control where the signal is emanating from. This leaves the network open again.
"People are ignoring this issue because they feel it's the least of their problems," said Cracknell. "They accept that by its nature, a wireless network will bleed onto the street even though it means they're broadcasting their signal publicly and anyone can access the network."
The situation is made even worse if the wireless network is based on the Dynamic Host Configuration Protocol (DHCP). This is prevalent among wired networks and is intended to make administration easier by dynamically assigning IP addresses to devices when they want network access.
"DHCP is disastrous in the wireless world because it offers random PCs access to your network. The fact that it's impossible to prosecute someone for hacking if you welcome them in is made worse with this because you're actually dragging them in," warned Cracknell.
Failure to undertake due diligence here may even result in liability for illegal activity undertaken by hackers on the network, which can end in litigation.
Use all your security tools
So what can IT directors do to protect their organisations? Lewis Honour, business development manager for security and wireless technology at network consultancy Omnetica, insisted that the first thing is to use all the tools, technology and security standards at their disposal.
For example, while the Wired Equivalent Privacy encryption protocol, which was defined in the 802.11b standard, has largely been discredited as being easy to crack with sniffing tools such as AirSnort, it is now possible to replace it with the next-generation Wi-Fi Protected Access (WPA) encryption and authentication protocol.
WPA is a subset of the IEEE's full 802.11i security standard, which is expected to be ratified by the third quarter of this year.
"WPA is good enough for most companies. Very few need to go the extra mile, and those that do probably wouldn't go with wireless anyway," said Leif-Olof Wallin, a Meta Group analyst.
WPA is easy to install into more modern access points as a software upgrade, but it may be necessary to swap out older access points as they are unlikely to provide enough processing power, according to Wallin.
Other useful software includes audit tools such as Netstumbler, which are used by IT staff and hackers alike to survey the environment and check that there are no vulnerable rogue access points.
But Honour said that, while such technology is certainly useful, the most effective approach for an IT director is to treat wireless networks in the same way as an insecure internet connection. This means planning for total mobile support rather than just focusing on one technology or another.
"If a company talks about introducing a wireless Lan, they have to be aware that the floodgates will open," he warned.
"It's not just a matter of letting someone walk around with a device in the office. It's about providing visitors with access to the internet and allowing staff to communicate remotely using a GPRS or 3G device or a wireless hotspot from a coffee shop."
Wireless security has to be dealt with holistically rather than simply in a wireless network sense, with a minimum requirement being clear and well-communicated enterprise security policies and procedures and virtual private network technology for secure remote communications.
Firewalls, either at the network gateway or on individuals' laptops, are also crucial, as are intrusion detection, antivirus software and other security technologies.
While this may sound like overkill to the average overworked IT director, as Cracknell said: "We're only a short time away from a major incident and then people will really have to sit up and take notice."
KEY WIRELESS LAN STANDARDS
802.11a
- Operates at 5GHz frequency band
- Range of up to 50m
- Bandwidth of up to 54Mbps
- Most expensive option
- Accounted for six per cent of enterprise access point unit shipments worldwide in 2003, will account for four per cent in 2006
- No public access available
- Not compatible with 802.11b or g
802.11b
- Operates at 2.4GHz frequency band
- Range of between 50m and 100m
- Bandwidth of up to 11Mbps
- Least expensive option
- Accounted for 81 per cent of enterprise access point unit shipments worldwide in 2003, will account for 52 per cent in 2006
- Dominant technology for hotspots
- Not compatible with 802.11a and not forwards-compatible with 802.11g
802.11g
- Operates at 2.4GHz frequency band
- Range of between 50m and 100m
- Bandwidth of up to 54Mbps
- More expensive than 802.11b, but cheaper than 802.11a technology
- Accounted for 10 per cent of enterprise access point unit shipments worldwide in 2003, will account for 24 per cent in 2006
- Backwards-compatible with 802.11b hotspots
- Not compatible with 802.11a, but backwards-compatible with 802.11b
The remaining three per cent of enterprise access point unit shipments in 2003 were accounted for by other technologies such as Bluetooth, which is not intended for use with wireless Lan applications, but to connect PDAs, mobile phones and PCs during short intervals.
Source: Datamonitor
WIRELESS ADVICE
- It is imperative to take a holistic approach to securing wireless and mobile technology. Simply concentrating on wireless Lans is not enough
- Clear and well-communicated enterprise security policies and procedures are crucial so that everyone in the organisation is aware of their roles, responsibilities and accountability
- Use the same technology that you would generally use to secure a vulnerable internet connection: VPNs, firewalls, antivirus software and the like
- Check for rogue access points using tools such as Netstumbler
- Ensure that access points are not positioned close to exterior walls, and if they are, turn the transmit power down or use a directional antenna to prevent signal bleeding onto the street
- Remove the Dynamic Host Configuration Protocol from your wireless network to avoid providing passers-by with access, whether they want it or not
- Replace the Wired Equivalent Privacy encryption protocol with the new, next-generation WPA encryption and authentication protocol
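The checks in this list can be run over the output of a site survey. The following is an added example, not part of the original article: it audits a constructed survey export against an assumed inventory of IT-approved access points and flags rogue devices, default SSIDs, missing or WEP encryption, and signal heard outside the building. The CSV layout, the inventory, the default-SSID list, the exterior survey point and the -70 dBm threshold are all assumptions chosen for illustration.

```python
import csv
import io

# Constructed walk-round survey (not real data): one row per access point heard.
SURVEY_CSV = """bssid,ssid,encryption,signal_dbm,heard_at
00:11:22:33:44:01,CORP-WLAN,WPA,-48,floor2-core
00:11:22:33:44:02,CORP-WLAN,WEP,-55,floor3-core
00:11:22:33:44:03,default,NONE,-60,floor3-east
00:11:22:33:44:04,CORP-WLAN,WPA,-58,street-front
"""

# Assumptions for illustration: IT's inventory of approved access points,
# a few out-of-box SSIDs, survey points outside the building, and the
# signal level treated as usable from the street.
SANCTIONED = {"00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:04"}
DEFAULT_SSIDS = {"default", "linksys", "netgear", "tsunami"}
EXTERIOR_POINTS = {"street-front"}
BLEED_THRESHOLD_DBM = -70


def audit(survey_csv):
    """Return {bssid: [issues]} for every access point that needs attention."""
    findings = {}
    for row in csv.DictReader(io.StringIO(survey_csv)):
        bssid = row["bssid"].strip().lower()
        issues = []
        if bssid not in SANCTIONED:
            issues.append("rogue")            # not approved by IT
        if row["ssid"].strip().lower() in DEFAULT_SSIDS:
            issues.append("default-ssid")     # probably still in default mode
        encryption = row["encryption"].strip().upper()
        if encryption == "NONE":
            issues.append("no-encryption")
        elif encryption == "WEP":
            issues.append("wep")              # replace with WPA
        heard_outside = row["heard_at"].strip() in EXTERIOR_POINTS
        if heard_outside and int(row["signal_dbm"]) >= BLEED_THRESHOLD_DBM:
            issues.append("signal-bleed")     # reposition or turn power down
        if issues:
            findings[bssid] = issues
    return findings


if __name__ == "__main__":
    for bssid, issues in audit(SURVEY_CSV).items():
        print(bssid, ", ".join(issues))
```
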




