Wireless networks are fun, convenient, portable, and loved by
all. Except security managers, that is, who have been struggling to
secure them since the dawn of wireless local area networks
(WLANs).
 | | | | | If you're looking at a certain
technology point in wireless and ignoring others you are still
leaving holes in the security of your network.
Jean Kaplan,
research analystIDC |
| | | | | |
| |
|
Security was a nearly insurmountable challenge in the beginning,
but today, more companies are implementing WLANs. What has
changed?
Have the IT departments overcome the hurdles, or is there still
an element of risk in beaming sensitive data through the air?
"Security is more of an overall strategy than a technology,"
said Jean Kaplan, research analyst with IDC. "It's about the level
of risk you're willing to tolerate or the level of work you're
willing to put into securing your network. All the pieces exist to
secure your wireless network."
The availability of security technology has improved. At one
time enterprises were on their own to secure their networks, but
today specialist vendors offer products that would allow even small
businesses to run a secure wireless network without paying a high
price for it.
"The technology has certainly evolved over the last few years,"
said Stephen Northcutt, president of the SANS Technology Institute,
a graduate school that focuses on information security. "When
wireless networking first came out, your encryption choice was
[Wireless Application Protocol] and nothing else. These days the
number of encryption and authentication choices has increased
dramatically."
But even though adequate security technology may exist and a
talented admin may indeed be able to secure a WLAN, the
availability of encryption technology doesn't mean that companies
are using it. And one very real threat remains that even the most
talented network administrator cannot control: employees. Look
around you at your local coffee shop, says Northcutt, and you'll
see plenty of people working with business data through a wide-open
access point. Are all of them using crypto tunnels or virtual
private networks? Probably not, Northcutt said.
Indeed, even though the corporate WLAN is secured, perhaps the
biggest security challenge is the awareness and education of the
staff.
"The old truth remains: most of the security threats to an
organization come from the inside," Kaplan said. "Whether wired or
wireless, the biggest challenge is still making sure that
employees' environments are secure."
Northcutt warns of the potentially serious problem that can
occur when employees set up rogue access points on their own,
picking up the hardware at the local Kmart. When this is detected,
he advises, management should crack down hard and the employee
should be formally disciplined.
Of course, any corporation facing regular issues with employees
setting up unauthorized WLANs with out-of-pocket money might
consider that a need exists for the technology – and it might be
advantageous to create official company access points.
"I believe most enterprises are going to do this right,"
Northcutt said. "They're going to actively look for rogue access
points and put in professional grade gear."
Also keep in mind that wireless is much more than a
plain-vanilla 802.11 specification, Northcutt warns. Bluetooth
continues to spread and its range continues to increase. It used to
be that something had a maximum range of 20 feet; nowadays you have
90 feet. And it matters.
"If you're looking at a certain technology point in wireless and
ignoring others you are still leaving holes in the security of your
network," Kaplan said.
Krissi Danielsson is a technical author and freelance writer
for numerous publications, including DeveloperShed, Computerbits
and Newsforge.