Recently, I was helping a customer with a wireless rollout when the person in charge of security pulled a set of requirements out of his back pocket. The goal of this wireless network was to support guest users - people who had come into the building for a meeting or short project. The security requirements started with "disable Service Set Identifier advertisement" and "use 128-bit WEP." I rolled my eyes.
"What's the point of this?" I asked. "These are best practices," the security person replied, gesturing toward the thick stack of white papers, articles and Web postings he had downloaded off the Internet. After all, if 50 security people are writing the same thing, you begin to believe it's the right thing to do.
Unless, of course, it's not. And that's the problem with this type of advice. We have way too many people writing as wireless security experts and way too few actually thinking about wireless security. We also have way too few keeping up with the changes in the technology and how we use it. This problem isn't unique to wireless security - it extends to every aspect of how we do security and design networks.
What happens is that early thinking on how to build security becomes codified as law, largely by people who gather most of their knowledge by doing Google searches and writing white papers based on what other people already have said. SSID hiding is a great example. This was an interesting idea before the AirJack folks demonstrated how stupid it was - back in 2002. Nevertheless, people continue to pick up this same bit of lame advice and offer it as a primary requirement for secure wireless.
Yeah, SSID hiding does provide security - job security for your help desk staff, which will be continually explaining to people how to spell your SSID and enter Wired Equivalent Privacy (WEP) keys. Let's not even get started on WEP. As Network World demonstrated last year, even brand-new wireless access points cannot be trusted to be free of defects. The solution is to abandon WEP and use a security technology that doesn't have the problems WEP does - 802.11i, also called WPA2.
We have become a community of parrots, repeating the same rules and arguments for doing things that have become "conventional wisdom." As Cisco's Mark Basinski puts it, "The problem with conventional wisdom is that it's neither conventional nor wisdom." Mark is spot-on. We do things by rote, without thinking about whether that's still the best way to design and implement security.