For mobile working, wireless connectivity – whether inside the
corporate environment or via publicly available hotspots, Wi-Fi,
WiMAX or cellular data (GPRS, EDGE, 3G) – offers mobility while
the user remains connected to corporate resources.
The issue for most corporates is how they provide secure
connectivity for mobile workers, and the trade-off of risk,
usability, cost, complexity and functionality.
For most mobile use outside the corporate wide area network, an
IPsec virtual private network combined with two-factor
authentication is the most common standard. While this is fine for
static connectivity, say from a hotel room, it is restrictive for
quick use "on the go". Wireless inside the corporation is a known
security risk and is handled in a number of ways.
The wireless network can be treated as totally untrusted, exactly
like a public hotspot: users must still bring up the VPN and perform
two-factor authentication before they can reach anything. This does
not encourage "occasional" use, nor is it user friendly.
The network can provide authenticated usage. With WPA2 in its
enterprise mode (802.1X/EAP backed by a RADIUS server or similar),
users supply a password or two-factor credential before they are
admitted, and the session keys derived from that authentication
encrypt the air interface.
Another approach is background authentication. Here the 802.1X
exchange is performed against Active Directory: the machine
authenticates with its domain computer account and the user with
the domain credentials already cached from logon, so no prompt is
shown. This is the most user friendly option, but it is generally
limited to a Microsoft-only configuration.
The flaw in all of these options is that each bundles together
three separate problems:
- Protection of the air interface against unauthorised usage – in
the public space to protect and generate revenue, and in the
corporate space to protect against intrusion inside the corporate
boundary
- Authorisation of the user to make a connection into the
corporate wide area network
- Privacy and confidentiality of the data transferred over the
connection.
Deploying wireless within an enterprise extends the corporate
network beyond the physical constraints of the building. Any
misconfiguration or weakness therefore effectively
"deperimeterises" the whole organisation, whether it intended that
or not.
Current "secure" wireless systems are expensive to buy and to
manage, and only work within a limited enterprise deployment.
Conversely, a system that is secure because it employs inherently
secure protocols end to end can use any wireless network
(corporate or public) without needing complex location-awareness
functionality to decide how much to trust the link. With such a
deperimeterised system it is possible to implement a much simpler
infrastructure, and thus achieve significant cost savings.
In this environment the risk from unauthorised use of the wireless
network is substantially reduced, because a connection alone grants
nothing. Although the business may then choose to run an open
system, it may still wish to implement some degree of connection
authorisation to guarantee quality of service for its wireless
users.
Treating these three issues as separate problems, and solving them
in a deperimeterised manner, reduces complexity and increases
security.
If the protocols used by the end devices are inherently secure,
that is, they authenticate the parties and protect the
confidentiality and integrity of the data themselves rather than
relying on the network to do so, then every end device is capable
of being deployed directly on the raw internet.
If only such protocols are used, it becomes irrelevant whether the
end device is connected to a public network, to public wireless of
whatever type, or to a privately managed network, wireless or
wired.
Operating in this environment, the question then arises, “Why
would a company need a private wireless network?” To which the
answer is, “They may not any more.”
The provision of a private network in a deperimeterised world is
not driven by the need to provide security. Instead private
networks (wired or wireless) are areas of network connectivity
where a company can provide control over the traffic, ensuring that
adequate bandwidth is available where they require it, and that
performance meets the needs of the applications they are using over
that network. This is a quality of service issue and has little, if
anything, to do with security.
Is there a need for connection control on wireless and wired
networks? When implementing a wireless infrastructure in a
deperimeterised environment, why not simply run an open network?
This may be a viable option for a company that has non-corporate
devices on its network every day.
The other option is to implement background connection control
based on 802.1X or a similar mechanism. This allows a company to
apply quality of service measures (rate limiting/bandwidth control)
according to the device trying to connect. It could also require
non-company devices (devices without credentials in the company's
802.1X realm) to authenticate manually – for example via a
redirected web page – much like a hotel or public hotspot.
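The following hostapd configuration is an added illustration of the two options discussed above: WPA2 in enterprise mode, with 802.1X authentication delegated to a RADIUS server, and RADIUS-assigned VLANs so that different device classes can be steered onto segments with their own rate limits. It is not part of the original article or the Jericho Forum's material; the interface name, SSID, RADIUS address, shared secret and VLAN numbers are placeholders to be replaced for a real deployment.

```ini
# hostapd.conf (added example, not from the article).
# Assumed values: wlan0, the SSID, the RADIUS address and secret, and the
# VLAN numbers are placeholders.
interface=wlan0
driver=nl80211
ssid=corp-wifi
hw_mode=g
channel=6

# Tell the RADIUS server who we are (NAS-IP-Address / NAS-Identifier).
own_ip_addr=10.0.0.2
nas_identifier=ap-floor1

# WPA2-Enterprise: authenticate every station over 802.1X/EAP before it
# gets a key for the air interface. The EAP method (PEAP-MSCHAPv2 for
# domain passwords, EAP-TLS for machine certificates) is decided on the
# RADIUS server, not here.
ieee8021x=1
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
eap_server=0

# External RADIUS authentication and accounting server (placeholder
# address and secret).
auth_server_addr=10.0.0.5
auth_server_port=1812
auth_server_shared_secret=replace-with-a-long-random-secret
acct_server_addr=10.0.0.5
acct_server_port=1813
acct_server_shared_secret=replace-with-a-long-random-secret

# Honour the VLAN the RADIUS server returns in its Access-Accept
# (Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802,
# Tunnel-Private-Group-Id=<vlan>). Per-VLAN rate limiting is then done
# on the wired side, which is the "quality of service measures based on
# the device" option from the text. The vlan_file maps VLAN ids to
# interfaces; a single wildcard line such as "* wlan0.#" creates
# wlan0.<vlan> on demand.
dynamic_vlan=1
vlan_file=/etc/hostapd/hostapd.vlan

# The "simply run an open network" alternative from the text would drop
# the ieee8021x/wpa/auth_server lines above and set:
#   wpa=0
# leaving any manual sign-on (a redirected web page for non-company
# devices) to a captive portal behind the access point.
```

With `dynamic_vlan=1`, a device that authenticates with a company machine certificate can be placed on one VLAN and a device that only completes a password EAP method on another, so the access decision and the bandwidth policy are made in the same RADIUS exchange and nothing is prompted on the client. Devices with no 802.1X credentials never associate with this SSID at all; if they are to be served, that is done on a separate open SSID with a captive portal.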
The Jericho Forum believes that accelerating the use of
inherently secure protocols will allow corporations to provide a
simpler, yet more secure and holistic approach to remote and mobile
access.
Andrew Yeomans is vice-president for global information
security at Dresdner Kleinwort Wasserstein bank and is a
contributor to the Jericho Forum’s wireless strategy
THE JERICHO ROADMAP
- Companies should regard wireless security on the air-interface
as a stop-gap measure until inherently secure protocols are widely
available
- Provision of full roaming mobility systems that allow seamless
transition between connection providers.
- 802.1X integration with corporate authentication mechanisms
should be the default for all Wi-Fi infrastructure
- Companies should adopt an “any IP address, anytime, anywhere”
approach to remote and wireless connectivity
Source: Jericho Forum