I get more questions about security than just about any other topic in wireless. My standard answer is a bit surprising, and we'll get to that in a moment.
I like to begin conversations about security with the reminder that there is no such thing as absolute security. And security is such a complex topic (incorporating, to name a few big areas, encryption, authentication, physical security, anti-viral warfare, disaster planning and recovery, and even the fundamentally political issue of privacy) that solutions also tend to be complex. Complexity, of course, is the enemy of all engineering solutions, and security is no exception.
It seems the more we try to make our networks secure, the smarter the hackers and crackers get. Remember "war-dialing," looking for modems to hack? Now it's war-driving, looking for wireless LANs to break into.
The big difference between wireless networks and their wired counterparts is that wireless intentionally radiates into the air. This led to the simpleminded assumption that wireless security could be limited to over-the-air encryption. And many wireless systems, from CDPD to WAP to the ill-fated wired-equivalent privacy in 802.11, have incorporated some form of encryption.
But this approach is fundamentally flawed: The data appears in the clear at the endpoints of the wireless connection. While one of these is presumably the client (and thus physical security becomes important; lost PDAs can cause damage), the other is just a midpoint in a (presumably wired) network. Thus we've got user data in the clear and that's a bad idea.
The solution, and this is surprising, is to apply in wireless networks the same techniques used for end-to-end security on wired networks. This solves some problems. First, we get uniformity. Solutions like RADIUS, Kerberos and virtual private networks work on both wired and wireless networks, and mixed media represent little additional challenge. Applications don't have to care what kind of network they're on. Second, there is much development in end-to-end security, and most of it will be directly applicable to wireless. Third, wireless can automatically take advantage of advances in wired security. That's critical given the increasing sophistication of threats against networks.
This is not to say that wireless-specific security isn't a good idea. Indeed, more security is better. Given advances in algorithms and processors, the cost and performance penalties involving security techniques are nearly inconsequential. The same cannot be said of the threats we face.
Craig Mathias is an Analyst with the Farpoint Group (Ashland, Mass.).