In the second of his fortnightly series on communications, Antony
Savvas examines the security issues raised by wireless networking
and explains the ground rules for a successful
implementation.
Drive-by hacking may sound somewhat contrived. Users may feel the
IT industry is over-hyping the genuine risks of running wireless
networks. But as a responsible IT manager you would be well advised
to assess the true extent of this wireless security threat.
The Pentagon recently banned the use of wireless LANs within the
building because it couldn't ensure the security of this type of
network. Now if the Pentagon cannot guarantee wireless security,
what hope is there for business users? How can companies broach the
subject of maintaining the highest level of security on their
wireless LAN rollouts?
You may have read about recent publicity stunts involving security
consultants driving through the City of London, tapping into
corporate networks using equipment no more sophisticated than a
Pringle box (once you've eaten the crisps) and some free Internet
software.
This drive-by hacking is often made easier by users not configuring
even the most basic of security measures when they unpack and
install their new wireless access point devices. In a recent survey
IT managers said they were concerned that their staff lacked the
relevant skills to install wireless networks in a secure fashion.
Training issues clearly have to be addressed.
But wireless is an emerging technology. Users who deployed the
early wireless LANs were at the bleeding edge. The first wireless
LAN products only supported 40-bit encryption. This level of
security was barely enough.
Many
 | | "If the Pentagon cannot guarantee
wireless security, what hope is there for business users?" | | | | | |
| | Antony Savvas | | |
|
|
security experts now recommend a minimum of 128-bit encryption.
They also advise users to improve security of wireless LANs by
configuring them as virtual private networks (VPNs), which can
provide a secure tunnel for sending information between the less
secure wireless environment and a business' internal corporate
network.
The price of protection
Such measures do not come
cheap. Clearly there is a need for a risk assessment exercise. If
companies do not vigorously manage their wireless networks, they
risk not only exposing their commercially valuable data to
intruders, but also the bandwidth on their network could be stolen
by an outsider.
Think about it: you set up a wireless network for your own
business' use, but anyone can tap into this network since it is
wireless. Every unauthorised user on that network is taking away
valuable bandwidth from your legitimate users.
The Confederation of British Industry earlier this month expressed
its concern about the appearance of markings on corporate buildings
showing where the easy-to-hack networks were. Members of the public
could theoretically tap into these corporate networks to gain free
broadband access, a bit like someone linking their electricity
supply to a street lamp to get free energy.
Beyond these potentially serious wireless concerns, anyone
considering wireless needs to appreciate that the whole industry is
in a state of flux. Much of the focus on wireless LANs so far has
been based on systems using the 802.11b protocol where data can be
accessed at up to 11Mbps across rooms via fixed accessed points.
This is now being superseded by 802.11a, which supports data rates
up to 55Mbps.
Getting from b to a
So everyone should start buying
802.11a equipment now, right? Not quite. In the UK, the use of
802.11a is controlled by the Radio Communications Agency whose job
includes making sure wireless applications don't interfere with the
country's critical infrastructure like defence and emergency
response teams. To date, the agency has yet to agree a standard for
802.11a. This means that wireless 802.11a products on sale in the
UK at the moment could be technically illegal.
Clearly there is plenty of change ahead. Companies that plan to
roll out anything beyond the simplest of wireless networks would be
wise to consider a service contract with a specialist consultancy.
This is arguably the surest way to minimise the risk in deploying
wireless LAN technology.
Using such a provider would, at the very least, ensure the wireless
rollout is implemented correctly. You should get some degree of
comfort from the knowledge that the third-party consultant you use
would have a track record configuring wireless LANs securely. And
as the 802.11 standard evolves, a third-party relieves the burden
on you to keep up with the changes.
What's your view?
Are security issues putting you off
wireless
technology?>
Let us know with an e-mail.>>>>
CW360.com reserves the right to edit and publish answers on
the Web site. Please state if your answer is not for
publication
Antony Savvas is an independent observer and commentator on the
telecoms and IT industries.