Wi-Fi, which stands for Wireless Fidelity, is a consumer-friendly name to describe a gory set of wireless-networking standards. In the engineering world, Wi-Fi refers to a set of IEEE standards, the most common of which is 802.11b, which describes a wireless networking system with speeds up to 11 Mbps. Since the 802.11b standard was ratified in 1999, Wi-Fi use has exploded in both the consumer and business sectors.
Wi-Fi Internet connectivity promises strong business value and convenience, so it's worth figuring out how to make it work safely. There are security options available, and upcoming standards could make them far more palatable.
In the past few years, more than a few network hardware vendors have come up with proprietary solutions for the lack of security in the 802.11b standard. They include proprietary security systems in Wi-Fi PC cards, access points, and PCI adapters. But these require that a customer use only that vendor's networking hardware. While single-vendor sourcing is common in companies, proprietary security mechanisms can be difficult to integrate into enterprisewide security systems that may include VPNs and single-sign-on authentication systems.
So how have enterprises been implementing Wi-Fi security? A common approach is to bypass WEP and use the corporate VPN to provide a secure connection over Wi-Fi links. VPNs manage data confidentiality by encrypting network traffic, but they don't always have authentication systems or access controls that work well in wireless environments, especially when the access point may be publicly accessible (like that Starbucks hot spot). If a VPN isn't set up with strong mutual authentication on both ends, users may be open to a "man in the middle" attack in which a villain on the wireless LAN, monitoring traffic to the access point, intercepts your attempts to connect to the corporate VPN and manages to masquerade as your VPN server, perhaps just long enough to steal logon credentials.
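The mutual-authentication requirement described above, as an added example that is not from the original article: a simplified pre-shared-key challenge-response in which the client releases its logon credentials only after the gateway proves it holds the key. The `Gateway` class, `connect` function, message layout and sample credentials are all constructed for illustration and are not any VPN product's actual handshake.

```python
import hashlib
import hmac
import secrets

def proof(key: bytes, role: bytes, first: bytes, second: bytes) -> bytes:
    """HMAC-SHA256 over a role label and both nonces; only a key holder can compute it."""
    return hmac.new(key, role + b"|" + first + b"|" + second, hashlib.sha256).digest()

class Gateway:
    """Hypothetical VPN endpoint. An impostor is a Gateway built without the real key."""
    def __init__(self, key: bytes):
        self.key = key
        self.nonce = b""
        self.seen_credentials = []

    def hello(self, client_nonce: bytes):
        # Answer the client's challenge and issue a fresh challenge of our own.
        self.nonce = secrets.token_bytes(16)
        return self.nonce, proof(self.key, b"server", client_nonce, self.nonce)

    def login(self, client_nonce: bytes, client_proof: bytes, credentials: str) -> bool:
        # Authenticate the client before accepting anything from it.
        expected = proof(self.key, b"client", self.nonce, client_nonce)
        if not hmac.compare_digest(client_proof, expected):
            return False
        self.seen_credentials.append(credentials)
        return True

def connect(key: bytes, gateway: Gateway, credentials: str) -> bool:
    """Client side: send credentials only after the gateway passes its proof."""
    client_nonce = secrets.token_bytes(16)
    server_nonce, server_proof = gateway.hello(client_nonce)
    expected = proof(key, b"server", client_nonce, server_nonce)
    if not hmac.compare_digest(server_proof, expected):
        return False  # peer failed its proof: abort before sending anything secret
    client_proof = proof(key, b"client", server_nonce, client_nonce)
    return gateway.login(client_nonce, client_proof, credentials)

if __name__ == "__main__":
    shared_key = secrets.token_bytes(32)         # constructed sample key
    real = Gateway(shared_key)
    impostor = Gateway(secrets.token_bytes(32))  # does not know the shared key
    print("real gateway:", connect(shared_key, real, "alice:constructed-password"))
    print("impostor:", connect(shared_key, impostor, "alice:constructed-password"))
    print("credentials the impostor saw:", impostor.seen_credentials)
```

This sketch authenticates the two peers only; a real VPN also derives its session encryption keys from the authenticated exchange, so a party that merely relays these messages still cannot read or alter the tunnel.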
There's no doubting the hipness of wireless hot spots. Thanks to Wi-Fi technology, tech-savvy people can jack into the Net at Starbucks coffeehouses or on Lufthansa Airlines or at upscale hotels across the nation. In corporate America, Wi-Fi has the potential to become the de facto standard for connecting mobile users to networks, despite serious security worries. New security standards on the horizon might solve some of those problems, making this hip technology far more practical.
The combination of an essentially useless security protocol implemented on promiscuous access points creates a huge potential security hole in any business' infrastructure, including home offices. While entrances to conventional wired LANs can be surgically blocked by deploying firewalls and taking other measures at specific locations, wireless LANs, based on Wi-Fi, offer access to anyone who can get physically close enough to the access point.
Wi-Fi LAN
- Move your access points to locations that aren't accessible from outside your building, typically closer to the center of your building.
- Never use the open (no security) mode, which is the default (out-of-the-box) setting of most access points.
- Develop a user security policy to match your security architecture. Users can defeat even the most well-planned security system.
- Don't use WEP, Wi-Fi's standard security mechanism. Use WPA or your VPN instead.
- If your access point can be administered via wireless links, turn that capability off. Administer your access point via wired connections only. Also, never use the default administrative password provided by your vendor.
- If your access point allows it, turn off the broadcast of the ESSID (Extended Service Set Identifier) and choose a hard-to-guess ESSID. This will make it harder for hackers to connect to your access point.
Data: InformationWeek