SAN FRANCISCO -- RSA 2008 Conference -- Wireless security vendors used last week's conference here to showcase both the problems and solutions in controlling access to wireless voice and data.
AirTight Networks launched SpectraGuard Online, touted as wireless security's first manifestation of the software-as-a-service (SaaS) model that more vendors -- and a few cyber criminals -- are using. (See New Crimeware-as-a-Service Market Thriving.)
In addition, Alcatel-Lucent added partners to its OmniAccess 3500 "ecosystem" for safeguarding laptops wirelessly. And RSA Labs showcased an innovative wireless authentication scheme to keep mobile handsets secure.
Just how bad is the problem of wireless insecurity? Vendor AirDefense made a welcome change-up to the tired tradeshow stunt of identifying local, low-flying vulnerabilities. Instead, AirDefense surveyed the wireless security of more than 1,000 Bay Area entities, and assigned grades for four industry categories.
The highest grade, a "B-," went to the transportation sector; retailers earned a "C+"; finance got a "C-"; and government brought up the rear with a "D".
The biggest problem was poorly protected wireless access points (APs); of the 4,606 APs detected, about 22 percent lacked good security, AirDefense said. "In government, an alarming 72 percent of APs and in finance 67 percent of APs were unencrypted or using WEP," which has proven to be easily hacked, according to the vendor.
Is wireless really such a security minefield? Not according to analyst Craig Mathias, founder of the FarPoint Group, who specializes in wireless networking and mobile computing.
"We're at the point now where most concerns about wireless security can be put aside -- they've addressed the big problems with solutions like WPA2," Mathias told Dark Reading. "But if you only consider wireless security, then you're missing the bigger issue of network security and information security -- you can secure a wireless LAN and still have an insecure network."
AirTight pitched its new SpectraGuard Online as either an onsite wireless intrusion prevention system or as a hosted service; either option comes with three modules: vulnerability assessment, regulatory compliance, and vulnerability remediation.
After the customer installs pre-configured wireless sensors, they begin receiving wireless vulnerability reports via email. Customer data is hosted in an SAS70 certified facility designed for security and high availability, according to AirTight. And it said that the pay-as-you-go approach is aimed at security pros and IT buyers concerned about big capital expenditures, buying features they'll never use, and keeping down the total cost of ownership.
SpectraGuard Online costs $50 per sensor per month, plus a small leasing fee for the vulnerability-assessment module. The compliance module is included for free; 24x7 phone and email support are also included. The vendor is also making the service available for a free 30-day trial.
And while the OmniAccess 3500 Nonstop Laptop Guardian (NLG) made by Alcatel-Lucent isn't new, the vendor added four new partners to its collection of vendors or software developers that integrate their third-party apps for improved laptop security and management.
The OmniAccess handles functions like patch management; "remote kill" deletion of encryption keys and certificates; asset and configuration management; and two-factor authentication, among others.
Alcatel-Lucent said Phoenix Technologies will provide encryption, recovery, and authentication services for the OmniAccess 3500; SafeNet's QuickSec VPN software has been integrated into the OmniAccess 3500 for more secure roaming and remote use. In addition, Sierra Wireless will provide CDMA and HSPA modems for the OmniAccess 3500, while Utimaco Safeware AG has integrated its SafeGuard Enterprise data security solution with the OmniAccess 3500 for policy configuration and administration, as well as pre-boot authentication.
Pricing for the Alcatel-Lucent platform runs about $250 per card, $10,000 per server and $10-$15 per user per month for the license, a spokeswoman said.
Finally, RSA Labs demonstrated a prototype that may never see the commercial light of day, but was a fresh take on mobile authentication. Under its Wireless Access-Control Research Project (WARP), the organization developed a standalone token that transmits SecurID passcodes via WiFi, without any new hardware or drivers required on the client side.
The idea is to perform SecurID-type authentication without typing any digits, and also to encrypt files and unlock screens. RSA also showed how a WARP token could be used to deliver a hidden "back channel" SMS message confirming details of a mobile banking transaction. "This helps address the problem of man-in-the-middle attacks and trojans that SecurID alone is unable to protect against," the research organization said in its announcement.
In broader terms, WARP seeks to secure ambient computing devices in a flexible way that also makes it easy to use "cloud computing" networks and services more seamlessly, RSA said.