The popularity of hotspots is presenting IT directors
with the problem of protecting remote users as well as the
corporate network.
The growth in wireless hotspots has freed up users to access the
internet from almost anywhere. But as more companies experience the
convenience of wireless internet, there is a growing concern
regarding the security of such hotspots.
Technology suppliers have tried to address security issues with
a range of technologies and protocols to secure the wireless
network, and some have been more effective than others. This has
put the onus on IT managers to find out just what level of security
they need to protect their wireless users.
IT managers are also obliged to ensure that any hotspots their
employees are using are genuine and secure, and that the connection
to the corporate network is not being monitored.
Security experts have shown that it is very easy to set up a
rogue hotspot using just a laptop and wireless router, and studies
have found the security of many wireless networks, particularly
home office networks, to be weak.
By their very design, wireless local area networks offer roaming
users open access, and similar to cordless phones, they use radio
waves to transport data. But unless security is enabled, these
signals can be readily intercepted by nearby receivers. In
addition, many wireless access points, small office/home office
gateways, and wireless network interface cards use their default
settings – particularly ones used in the home.
The risks to business of unsecured wireless networks are serious
according to analysts. Richard Brain, technical director at
security testing firm ProCheckup, said, “Using unsecured Wi-Fi
equipment is no different from letting complete strangers connect
to your network without realising a security breach. You may as
well add network access points to the outside of the building.”
He said, “The main risks include misuse of corporate internet
access and potential theft of confidential company data.”
“There is a very large percentage of businesses that do not have
secure wireless Lans in the office,” said Gartner research
vice-president Ian Keene. And those that do use a secure wireless
Lan with a good security policy often leave their home office
networks wide open, he added.
“An employee has a work laptop and a broadband line at home –
they share the laptop with the kids, and the end result is they
have a wireless Lan. This is very common in homes with broadband
connections. Companies need to have a policy on wireless Lans at
home, even pre-configuring a wireless access point for home use.
The problem is being swept under the carpet at the moment,” said
Keene.
There is a range of technologies and protocols that businesses
can use to mitigate the risk of attacks on their wireless
infrastructure, and many of these are being built into Wi-Fi
equipment.
One of the first security standards established to protect
wireless networks was Wired Equivalent Privacy (Wep), ratified by
the Institute of Electrical and Electronics Engineers (IEEE). It was
designed as the native security mechanism for 802.11 wireless
Lans.
Wep is still used today, particularly for securing home networks,
but is no longer sufficient for enterprise-class networking.
By 2001, several independent studies had found weaknesses in
Wep, showing that, even with Wep enabled, an intruder equipped with
the proper tools and a moderate amount of technical knowledge could
gain unauthorised access to the wireless Lan, and through it to the
network behind it.
Brain said, “All 802.11b networks are fairly easy to infiltrate,
even access points secured by the Wep security standard can be
broken. If Wep is used frequently, change the Wep key and change
the default SSID network name.” A service set identifier (SSID) is
a sequence of characters that uniquely names a wireless Lan.
Because of the weakness of Wep, enterprises and wireless Lan
equipment manufacturers have found it necessary to supplement it
with other security technologies.
The first of these is Wi-Fi Protected Access (WPA), a strong,
standards-based Wi-Fi security specification introduced in 2003 by
the Wi-Fi Alliance.
WPA is secured by using Temporal Key Integrity Protocol (TKIP)
to encrypt data. TKIP produces a 128-bit “temporal key” and
encrypts every data packet sent over the air with its own unique
encryption key.
As a result, TKIP increases the complexity and difficulty of
decoding the keys for hackers. The system does not allow intruders
enough time to collect sufficient data to decipher the key, said
the Wi-Fi Alliance.
In 2004, the Wi-Fi Alliance updated WPA with WPA2, which
organisations can download for free as a firmware upgrade, if their
supplier's equipment allows. WPA2 is based on IEEE 802.11i, a more
secure wireless protocol. It uses the Advanced Encryption Standard
(AES), which replaces the devalued Wep encryption.
AES was considered secure enough to be adopted as an official
government standard by the US Department of Commerce, and uses key
sizes of 128, 192 or 256 bits, making it far more difficult to
decipher than Wep, said the Wi-Fi Alliance.
“Higher-end wireless access points by companies like Cisco
support more advanced protocols like WPA or WPA2, though these may
require special software to be installed on the client PC. It just
means that the encryption on these is very hard to break,” said
Brain.
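The progression above (Wep, then WPA with TKIP, then WPA2 with AES-CCMP) maps directly onto a few settings in an access point's configuration. The following script is an added example, not code from the article, the Wi-Fi Alliance or any vendor: it parses a hostapd-style configuration (one key=value per line) and flags the weak choices the article describes. It assumes the real hostapd keys ssid, wpa, wpa_key_mgmt, wpa_pairwise, rsn_pairwise, wpa_passphrase, wep_default_key and wep_keyN; both sample configurations, the default-SSID list and the 20-character passphrase threshold are constructed for illustration.

```python
"""Audit an access point configuration for weak link-layer security.

Added example; it is not from the original article, the Wi-Fi Alliance or any
vendor. It assumes the hostapd configuration format (one key=value per line,
'#' comments) and the real hostapd keys ssid, wpa, wpa_key_mgmt, wpa_pairwise,
rsn_pairwise, wpa_passphrase, wep_default_key and wep_keyN. Both sample
configurations below are constructed for illustration.
"""

# Constructed: a home-office style access point still relying on Wep and a
# factory-default SSID, the situation the article describes.
WEAK_CONFIG = """\
interface=wlan0
ssid=default
wep_default_key=0
wep_key0=0123456789
"""

# Constructed: WPA2 (IEEE 802.11i / RSN) with the AES-based CCMP cipher only.
HARDENED_CONFIG = """\
interface=wlan0
ssid=acme-corp-staff
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=correct-horse-battery-staple-2005
"""

# Constructed, illustrative list of SSIDs that consumer gear ships with.
DEFAULT_SSIDS = {"default", "linksys", "netgear", "dlink", "wireless"}

# Policy assumption for this example: a pre-shared passphrase shorter than this
# is treated as weak (hostapd itself only requires 8 to 63 characters).
MIN_PASSPHRASE_LEN = 20


def parse_config(text):
    """Parse key=value lines into a dict, ignoring blank lines and comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def audit(settings):
    """Return a list of findings; an empty list means nothing weak was found."""
    findings = []
    wpa = settings.get("wpa", "0")  # hostapd: 0 = off, 1 = WPA, 2 = WPA2, 3 = both
    uses_wep = "wep_default_key" in settings or any(
        k.startswith("wep_key") for k in settings)

    if uses_wep:
        findings.append("Wep keys configured: Wep is broken and must not be used")
    elif wpa == "0":
        findings.append("no WPA/WPA2 enabled: frames are sent in the clear")

    if wpa in ("1", "3"):
        findings.append("WPA (version 1) accepted: allow WPA2/802.11i only")

    ciphers = set()
    for key in ("wpa_pairwise", "rsn_pairwise"):
        ciphers.update(settings.get(key, "").split())
    if "TKIP" in ciphers:
        findings.append("TKIP cipher allowed: use CCMP (AES) only")
    if wpa in ("2", "3") and "CCMP" not in ciphers:
        findings.append("WPA2 enabled without an explicit CCMP cipher")

    ssid = settings.get("ssid", "").lower()
    if not ssid or ssid in DEFAULT_SSIDS:
        findings.append("SSID missing or a factory default: change it")

    passphrase = settings.get("wpa_passphrase")
    if passphrase is not None and len(passphrase) < MIN_PASSPHRASE_LEN:
        findings.append("pre-shared passphrase shorter than %d characters"
                        % MIN_PASSPHRASE_LEN)

    return findings


def audit_text(text):
    """Convenience wrapper: parse a configuration file's text and audit it."""
    return audit(parse_config(text))


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name + ":", audit_text(cfg) or ["OK"])
```

Run against the two constructed files, the weak one produces findings for the Wep keys and the default SSID while the hardened one produces none; pointing the script at a real hostapd.conf is a quick way to check that an office or home-office access point actually matches the policy the article argues for.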
Organisations can attain a higher level of security with servers
that run IEEE 802.1X authentication services. These offer a
different approach to wireless security, and like virtual private
networks, 802.1X was originally designed for wired networks.
It uses the Extensible Authentication Protocol (EAP) and Remote
Authentication Dial In User Service (Radius) servers to
authenticate clients and distribute encryption keys.
The Radius server consolidates user password authentication in a
central location, making user accounts easy to manage. Also known
as port-based network access control, 802.1X has received
widespread industry support since 2001.
IT directors cannot ignore wireless security given the growth in
popularity of wireless Lans. Not only must they deploy wireless
security measures such as WPA, AES and Radius servers to protect
the corporate wireless network, they should also ensure that the
wireless networks of teleworkers are locked down.
Case study: the belt and braces approach
US military aircraft manufacturer Lockheed Martin Aeronautics
has built a wireless Lan that covers more than 100 buildings at
facilities in Texas, Georgia and California. The company produces
aircraft including the F-16 and the new F-35 Joint Strike Fighter,
and the IT department has security high on its list.
Lockheed Martin uses several levels of security technologies and
policies to make sure hackers do not break into its systems, which
they often attempt to do.
The Wi-Fi network uses strong authentication, and users are
required to plug a hardware security device into the computer and
input a password. The company uses preconfigured laptops with
dedicated firewalls. They also have encrypted hard drives and
PC-to-PC connections are disabled. Software is used to disable the
wireless port when a laptop is plugged into a wired network, and
the company also uses VPN software on its wireless computers and
does not rely on the encryption built into wireless devices.
Lockheed Martin has an intrusion detection system that can sniff
out radio waves, with sensors placed where no wireless network is
supposed to exist. The firm also uses software from AirMagnet on
handheld computers to discover the origin of unauthorised wireless
network activity.
There is a checklist of procedures that Lockheed Martin's
network managers follow when they respond to alerts from the
intrusion detection system. Network managers also adhere to written
policies, allowing them to confiscate wireless equipment that is
brought into the company without notice, or used improperly.
How to secure your wireless users
IT directors have to balance convenience with security, but when
using hotspots, a secure VPN is the minimum security you should
use, according to Gartner.
However, a belt and braces approach is best, said Gartner
research vice-president Ian Keene. “You can use encryption in the
office using 802.11i. Also make sure you have up-to-date Wi-Fi
equipment.
“You also need to understand which access points and users are
active in the office – this ties into having a policy to manage
that.”
Keene added that offices should use software, which can be
downloaded onto a PDA, to monitor the radio waves to check which
access points are active in the office.
“You need some sort of a system to see where the network
bottlenecks are and where the access points are operating. Ensure
that the access points are approved and raise an alarm if there is
an unauthorised device. Any business, large or small, should not
allow employees to bring an access point from home and plug it in
unsecured.”
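Both the Lockheed Martin case study (sensors placed where no wireless network should exist) and Keene's advice above come down to the same check: compare what the radio survey sees against an inventory of approved access points and raise an alarm on anything else. The script below is an added example and is not code from the article, Lockheed Martin, AirMagnet or Gartner. It assumes scan records carrying a BSSID (the radio's MAC address), SSID, channel and received signal strength, the fields any survey tool reports; the approved inventory, the scan and the -65 dBm indoor-signal threshold are all constructed for illustration.

```python
"""Flag unauthorised access points in a site survey against an approved list.

Added example; it is not from the article, Lockheed Martin, AirMagnet or
Gartner. It assumes scan records carrying a BSSID (the radio's MAC address),
SSID, channel and received signal strength; the approved inventory, the scan
and the -65 dBm indoor threshold below are all constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessPoint:
    bssid: str        # MAC address of the radio
    ssid: str         # network name it broadcasts
    channel: int
    signal_dbm: int   # received signal strength; closer to 0 is stronger


# Constructed approved inventory: BSSID -> (SSID it must broadcast, location).
APPROVED = {
    "00:11:22:33:44:01": ("acme-corp-staff", "Building A, floor 2"),
    "00:11:22:33:44:02": ("acme-corp-staff", "Building A, floor 3"),
    "00:11:22:33:44:03": ("acme-guest", "Lobby"),
}

# Constructed scan, as a handheld sensor walking the floor might report it.
SCAN = [
    AccessPoint("00:11:22:33:44:01", "acme-corp-staff", 1, -45),
    AccessPoint("00:11:22:33:44:02", "acme-corp-staff", 6, -52),
    AccessPoint("00:11:22:33:44:03", "acme-guest", 11, -60),
    # Unknown radio advertising the corporate SSID: an evil-twin candidate.
    AccessPoint("AA:BB:CC:DD:EE:FF", "acme-corp-staff", 6, -40),
    # Consumer router with a factory SSID, strong enough to be inside the building.
    AccessPoint("de:ad:be:ef:00:01", "linksys", 6, -48),
    # Weak signal, most likely a neighbour's network seen through the wall.
    AccessPoint("02:00:00:00:00:99", "cafe-next-door", 1, -82),
]


def classify(ap, approved, indoor_signal_dbm=-65):
    """Return (verdict, severity) for one scanned access point."""
    corporate_ssids = {ssid for ssid, _ in approved.values()}
    entry = approved.get(ap.bssid.lower())
    if entry is not None:
        expected_ssid, _location = entry
        if ap.ssid == expected_ssid:
            return ("approved", "none")
        # A known radio broadcasting the wrong name: misconfigured or tampered with.
        return ("approved-radio-wrong-ssid", "medium")
    if ap.ssid in corporate_ssids:
        # Highest priority: staff laptops may associate to it by mistake.
        return ("unknown-radio-spoofs-corporate-ssid", "high")
    if ap.signal_dbm >= indoor_signal_dbm:
        return ("unknown-radio-strong-signal", "medium")
    return ("unknown-radio-weak-signal", "low")


def survey(scan, approved=APPROVED, indoor_signal_dbm=-65):
    """Run a scan against the inventory.

    Returns {"alerts": [(bssid, ssid, verdict, severity), ...],
             "missing": [approved BSSIDs not seen at all]}.
    A missing approved radio deserves a look as well: it may simply be down,
    or it may have been unplugged and replaced.
    """
    alerts = []
    seen = set()
    for ap in scan:
        seen.add(ap.bssid.lower())
        verdict, severity = classify(ap, approved, indoor_signal_dbm)
        if severity != "none":
            alerts.append((ap.bssid, ap.ssid, verdict, severity))
    missing = sorted(set(approved) - seen)
    return {"alerts": alerts, "missing": missing}


if __name__ == "__main__":
    result = survey(SCAN)
    for bssid, ssid, verdict, severity in result["alerts"]:
        print(severity.upper(), bssid, repr(ssid), verdict)
    print("approved radios not seen:", result["missing"])
```

The ordering of the checks is the point: an unknown radio using the corporate network name outranks everything else because clients will happily join it, a strong unknown signal with a factory SSID is the "access point from home" Keene warns about, and a faint unknown signal is usually a neighbour. The signal threshold is site-specific and should be calibrated by walking the building with the sensor.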
Richard Brain, technical director at network security testing
firm ProCheckup, said, “From experience, we have found that many
routers and access points have the admin account left with the
default settings. Listings of usernames and passwords for different
devices can easily be found on the internet and this means that
malicious Wi-Fi users could modify the hardware configuration and
change the password, rendering the hardware useless in some
instances.”
He also advised companies to secure their Wi-Fi networks by
using a VPN client on the laptop, connecting to an intermediary VPN
server treating Wi-Fi in the same way as an unsecure internet
connection. “You wouldn't connect your network directly to the
internet so why do it with Wi-Fi?” said Brain.
“Get your company tested for unapproved Wi-Fi access points, and
consider removing Wi-Fi and Bluetooth cards from laptops if your
company has a policy of no wireless access. Theoretically, due to
the penetration of Wi-Fi, a future worm or virus could be created
utilising Wi-Fi or Bluetooth as a vector. There is already a
Bluetooth worm for the Nokia 60,” said Brain.
Securing devices
Forrester Research senior analyst Thomas Raschke, said that it
is now essential for IT managers to secure the growing number of
mobile devices being used in businesses.
“Devices often ship without adequate security configurations,
and are vulnerable to attack through Bluetooth, SMS and other
channels. Wireless networks are not set up to prevent or limit the
spread of attacks.
“As a result, wireless networks will likely go through similar
growing pains, with worms and denial-of-service creating widespread
disruption,” said Raschke.
He recommended organisations:
- Establish a clear, consistent, and enforceable mobile security
policy
- Implement tools like Sybase Afaria, Intellisync, Altiris,
Landesk, and Novell to secure and manage mobile devices
- Educate users about mobile security best practices
- Select mobile management and security tools based on user
requirements and the overall security risks that mobile devices
pose.
“On-device encryption is only necessary if confidential or
proprietary data is stored on the device,” said Raschke.