Wireless local area networks can offer a number of advantages
over traditional Lans, but there are basic measures IT departments
must take to minimise the dangers, writes Danny Bradbury.
Wireless local area networks offer a variety of benefits, not least
of which is the ability for staff to be mobile around the office,
taking their network connectivity from meeting to meeting. Listed
buildings or temporary sites, in particular, benefit from a
cable-free environment. But moving from Category 5 cable to radio
opens security loopholes that must be closed to reduce your
business risk.
Physical security is a particular issue for WLan users, says Gunter
Ollmann, manager of X-Force security assessment at Internet
Security Systems. Putting your access points away from windows and
outer walls will help to reduce the risk of outside
interception.
Alternatively, instead of buying an omnidirectional access point
that broadcasts in all directions, you can purchase directional
access points to limit the data broadcast area, perhaps putting it
in an outside corner to beam inwards. Nevertheless, it is very
difficult to stop data leaking outside your walls, and you still
have your mobile client nodes to worry about, which is why other
protection is needed.
Identify what information is going to be passed over the network to
assess the level of risk. Geoff Davies, managing director of
security consultancy I-Sec, says a client base of salespeople will
be particularly vulnerable to attack, because of the sensitive
customer information they pass over the network. The nature of the
data will affect the level of security you apply.
WEP
If your data is not particularly sensitive, the Wired Equivalent
Privacy (WEP) encryption protocol built into most 802.11b WLan
access points may be all you need. Nevertheless, you should
remember that this can be cracked if an assailant is given enough
time - they simply need to collect enough of the right packets via
their own WLan card.
Davies estimates a cracking time of anywhere from five to 30
seconds - depending on the amount of traffic that is being passed
across your network - for a hacker using one of the WEP cracking
tools, such as WEPCrack, which are freely available over the
Internet.
One way to cope with WEP's vulnerability is to change the
encryption keys that it uses on a regular basis, which would force
a would-be hacker to start collecting packets all over again.
Much will depend on the size of your organisation. The problem with
WEP is that it is not very scalable. The encryption keys that are
used to encode WEP communications are not dynamically updatable, so
they have to be updated manually. This is not a problem for a small
retailer with a single branch containing a small number of laptops,
but for a large company with lots of nodes, the overhead involved
in altering the keys will be too great.
An alternative would be to use Cisco access points and Cisco client
cards, says Davies. The way WEP is used in these cards is not
subject to the same attacks as other cards. However, Davies points
out that this additional security only works if you are using Cisco
access points and client cards. With more laptops containing their
own non-Cisco client hardware inside the box, this Cisco-specific
idiosyncrasy may not be worth much to you.
802.1x
An alternative is to use 802.1x, a relatively new protocol, which
beefs up WLan security. 802.1x enables WEP keys to be dynamically
updated, and also includes other technologies such as mutual
authentication. Unlike vanilla 802.11b, 802.1x prevents clients
being spoofed by a rogue wireless access point by forcing access
points to authorise themselves with clients. However, not all
wireless access points support this protocol, so if you have
already installed WLan equipment you may have to upgrade.
VPNs
802.1x is very useful (although not crucial) in the creation of a
virtual private network. VPNs let authenticated users pass data
over a vulnerable network by encrypting and decrypting it at the
transmission and reception points. This can enhance WLan security
because VPNs are able to use more robust techniques than WEP.
If you are using wireless PDA clients (waiters in one restaurant
chain in the South East use wireless PDAs to feed orders back to
the kitchen, for example) then a VPN may not be appropriate,
because encryption and decryption imposes a processing overhead.
Another issue with VPNs and firewalls is that they do not provide
secure roaming between different access points. If you are in a
large building or a campus environment, this will be an
issue.
An alternative to the conventional VPN is the wireless gateway.
Available from companies such as ReefEdge and BlueSocket, these
gateways offer encryption using the IPSec and Point-to-Point
Tunnelling Protocol (PPTP) standards, like generic VPNs, but they
also offer WLan-centric functions. These include the ability to
hold user access rights locally at the subnet level, rather than at
a central site. They can also be configured to allow roaming
between different access points and gateways, so users can retain
their security settings as they wander around campus.
Depending on the type of data you are passing over your wireless
network, the need for WLan security may be more critical than you
think. The Data Protection Act requires holders of data about third
parties to be responsible for its security. Failure to secure
sensitive data that later becomes compromised could not only affect
your company's image, but could also land you in legal hot
water.
Six steps to a secure WLan
- Position your access points away from windows, preferably
towards the centre of the building
- Do not trust Wep - update your keys regularly. If you cannot do
it manually, look to another solution, such as 802.1x access
points, which can be used along with authentication servers
- Secure your clients. Remove file sharing from laptops and make
sure their security patches are up to date
- Consider a VPN for additional security n Invest in a WLan if
you need extra facilities such as local user privilege list,
storage and roaming between access points.
- Turn off your access point's Service Set Identifier
broadcasting to help hide it from the public.
Case Study: O2 trusts in WLans
Mobile phone company O2 was using WLans in non-sensitive areas
such as training rooms and foyer displays, but would not connect
them to the corporate Lan until it could be sure that it had
resolved some of its security issues, in particular the weakness of
the Wep encryption protocol. In collaboration with security
consultancy HarrierZeuros, it decided to use a VPN concentrator to
solve the WLan security problem. Putting the VPN concentrator in
between the existing remote-access server and the corporate Lan
enabled it to combine user authentication with data encryption.