According to a survey by Forrester Research, 63% of US
companies use in-house
wireless local area networks (WLans) to provide access to
corporate applications and networks.
In Europe too, WLans are becoming a standard part of most
enterprise networks.
Previously restricted to meeting rooms, one-off events and guest
areas, WLans are being used to provide access to the corporate
network throughout the enterprise because of the improved
productivity and flexibility they offer through mobile working.
However, any discussion of WLans cannot avoid
the issue of security. A wireless network requires packets of
data to travel through the air, making them prone to interception.
Such breaches lead to theft of sensitive corporate data and can
also result in a loss of trust in the safety of the corporate
network and are likely to attract unwanted and damaging
attention.
There are a number of wireless security threats: rogue access
points masquerading as part of the network, the use of unauthorised
devices and denial of service attacks.
One reason for WLan security breaches is a lack of awareness
from end-users. Companies can install the latest and most expensive
security systems, but these will be only as strong as
the weakest link - often the end-user.
That said, wireless security should not complicate the way users
work - but they do need to be protected from viruses and
attacks.
According to research from analyst firm Gartner, 90% of WLan
security incidents until 2010 will be the result of misconfigured
systems.
"Common security best practices for all WLans are those that
reduce the potential vulnerabilities of the basic characteristics
of Wi-Fi systems," says John Girard, vice-president distinguished
analyst for Gartner's Info Security and Privacy Research
Centre.
Girard, author of a series of white papers on best practice in
Wi-Fi security, splits these practices into three parts: overall
planning, access points and client systems.
Overall planning requires IT directors to determine the
requirements and policy for Wi-Fi use before any equipment is
purchased.
"The best Wi-Fi architecture from a security point of view uses
centrally controlled, coordinated access points that lack the
programmability to be individually hacked. This approach should be
the starting point," says Girard.
Another issue to consider at the planning stage is the
positioning of wireless access points to minimise the Wi-Fi
coverage area outside of the building - and thus minimise the
ability of a nearby hacker to connect to the network and access
corporate data.
The second practice involves managing wireless access points
once the network is installed. A range of suppliers now build
security capabilities into their WLan systems, with most providing
security through the 802.x range of standards, as well as
encryption, authentication, intrusion protection and "end point
integrity". This refers to functions such as anti-virus,
anti-spyware and personal firewall software.
A report from ABI Research in December 2006 ranked the leading
WLan security suppliers in the following order: Trapeze Networks,
Aruba Networks, Nortel, Cisco, Bluesocket, Alcatel-Lucent, Extreme
Networks, Meru Networks, Xirrus and Symbol Technologies.
However, each supplier offers a mix of unique systems and
expertise, so ABI warns that any company purchasing WLan equipment
must perform in-depth research to ensure the most appropriate
system for the location, function and level of security
required.
One of the simplest, but most important, tasks in buying
wireless access point equipment is to change the default
configurations, which are often widely published on the internet.
Buying an access point and turning it on without making any changes
to the default settings offers hackers immediate access to the
corporate network.
At the same time, it is a common myth that wireless access
points have to "broadcast" their presence to make it possible for
users and devices to find them.
The only effect broadcasting has is to advertise the presence of
a network to external threats, says Phil Cracknell, senior analyst
for information security at Deloitte, and UK president of the
Information Systems Security Association (ISSA).
"It is a complete myth that if a business supports a wireless
network it needs to be broadcast otherwise clients will not know it
is there. All it means is that casual users and hackers know it is
there. Broadcast does not need to be on, so all businesses should
turn it off straight away," he says.
If broadcast is turned off, authorised devices need to be
provided with the access point address or service set identifier
(SSID) to connect to the network.
Of course, there is still a security risk, but turning off
broadcasting is likely to deter any casual attempts to access the
network, as it would require more sophisticated and time-consuming
techniques to hack.
"Another method for protecting access is to keep a pre-defined
list of authorised access points and devices - that is network
interface cards - and configure the system to allow access only to
devices on that list. It requires keeping an up-to-date list of
users and laptop cards, but that is not a large price to pay," says
Cracknell.
Man in the middle attacks and unauthorised access points set up
by employees are also common security threats to wireless access
points.
Man in the middle attacks use a strong Wi-Fi signal located
nearby to overwhelm the signal from the corporate wireless access
point and thus "steal" the device connection. Once connected to
this rogue access point, the unaware user is likely to reveal login
or corporate data.
A second threat comes from employees setting up their own access
points - small base stations can be bought from retailers at little
cost - which can become absorbed into the corporate network.
This may occur for malicious reasons, but is more likely to be
the result of an enterprising employee wanting to use their own
Wi-Fi-enabled laptop in the office, or to improve flexibility in a
branch office.
According to David Perry, principal analyst at IT research house
Freeform Dynamics, both threats can easily be solved by using tools
that monitor authorised wireless access points - in a similar
fashion to network access control (NAC).
"In terms of man in the middle attacks there are tools
available, for example from Cisco, that monitor the radio frequency
profile and load balancing of a wireless network, which show what a
corporate wireless hotspot should look like. It helps the IT
director recognise any unauthorised radio signals within the
hotspot.
"There are also widely available tools that recognise an
unauthorised wireless access point and either sound an alarm or
block access to the network," says Perry.
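The monitoring Perry describes can be approximated with a simple comparison of what a sensor hears against an inventory of the radios the enterprise actually owns. The script below is an added example, not from the article and not any vendor's product: it assumes a controller or survey tool supplies (SSID, BSSID, channel, signal) tuples, the inventory and scan are constructed sample data, and the signal threshold used to separate an in-building rogue from a neighbouring network is a tuning assumption. It flags the two cases the article names: a corporate SSID served by an unknown radio with a stronger signal (the man-in-the-middle pattern) and an unknown base station heard inside the building.

```python
"""Rogue and evil-twin access point detection against an authorised inventory.

Added example, not from the article or from any vendor's product. It assumes
that a wireless controller or survey tool hands us a list of observed radios
as (ssid, bssid, channel, signal_dbm); both the inventory and the scan below
are constructed sample data, and the signal threshold is a tuning assumption.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ObservedAP:
    ssid: str
    bssid: str       # MAC address of the access point radio
    channel: int
    signal_dbm: int  # received strength at the sensor; closer to 0 is stronger


# Constructed inventory: BSSID of each authorised corporate radio -> SSID it serves
AUTHORISED = {
    "00:1A:1E:00:00:01": "CorpNet",
    "00:1A:1E:00:00:02": "CorpNet",
    "00:1A:1E:00:00:03": "CorpGuest",
}
CORPORATE_SSIDS = frozenset(AUTHORISED.values())

# Assumed threshold: a radio heard this strongly is probably inside the building,
# so an unknown one is treated as a possible employee-installed base station.
INSIDE_THRESHOLD_DBM = -65

# Constructed scan from one sensor
SCAN = [
    ObservedAP("CorpNet", "00:1A:1E:00:00:01", 6, -48),
    ObservedAP("CorpNet", "00:1A:1E:00:00:02", 11, -55),
    ObservedAP("CorpGuest", "00:1A:1E:00:00:03", 1, -60),
    # Corporate SSID on an unknown radio with a stronger signal than the real AP:
    # the man-in-the-middle pattern the article describes
    ObservedAP("CorpNet", "de:ad:be:ef:00:01", 6, -30),
    # Unknown SSID, unknown radio, heard strongly: likely an employee's own base station
    ObservedAP("linksys", "00:14:BF:00:00:99", 6, -52),
    # Unknown SSID heard faintly: a neighbouring network, noted but not alarming
    ObservedAP("CoffeeShop", "AA:BB:CC:00:00:01", 11, -85),
]


def classify(ap: ObservedAP) -> str:
    """Return one of: authorised, misconfigured, evil-twin, rogue-suspect, neighbour."""
    bssid = ap.bssid.upper()
    if bssid in AUTHORISED:
        # Known radio; a different SSID means its configuration has drifted
        return "authorised" if AUTHORISED[bssid] == ap.ssid else "misconfigured"
    if ap.ssid in CORPORATE_SSIDS:
        # Corporate name on a radio we do not own: impersonation
        return "evil-twin"
    if ap.signal_dbm >= INSIDE_THRESHOLD_DBM:
        return "rogue-suspect"
    return "neighbour"


def detect(scan):
    """Group a scan by verdict so the alarming categories can be acted on first."""
    report = defaultdict(list)
    for ap in scan:
        report[classify(ap)].append(ap)
    return dict(report)


def outranked(scan):
    """For each evil twin, the authorised radios on the same SSID it overpowers."""
    by_ssid = defaultdict(list)
    for ap in scan:
        if classify(ap) == "authorised":
            by_ssid[ap.ssid].append(ap)
    result = {}
    for twin in scan:
        if classify(twin) != "evil-twin":
            continue
        result[twin.bssid] = [real.bssid for real in by_ssid[twin.ssid]
                              if real.signal_dbm < twin.signal_dbm]
    return result


if __name__ == "__main__":
    for verdict, aps in sorted(detect(SCAN).items()):
        print(verdict)
        for ap in aps:
            print(f"  {ap.ssid:<10} {ap.bssid}  ch{ap.channel:<3} {ap.signal_dbm} dBm")
    print("evil twins overpowering authorised radios:", outranked(SCAN))
```

In practice the inventory would come from the wireless controller and the scan from its sensors or a dedicated intrusion detection probe; the point of the example is the ordering of the checks, since a known BSSID with the wrong SSID, a corporate SSID on an unknown BSSID and an unknown network heard loudly each call for a different response.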
When it comes to Girard's third practice of client systems, one
of the best unilateral defences against attacks is to block or
quarantine Lan attachments of unwanted devices. "Network access
control will help to block unauthorised access points and
unauthorised work stations from inappropriate access," says
Girard.
Of course, when it comes to network access and security,
encryption and authorisation are vital components of the CIO's
armoury.
Girard recommends that enterprises migrate to
Wi-Fi Protected Access 2 (WPA2) compatible equipment - WLan network
interface cards, wireless drivers, supplicants and access points -
and specify WPA2 support on all new purchases as soon as possible.
The original wireless security standard, Wired Equivalent
Privacy (Wep) offered different degrees of encryption, such as
64-bit and 128-bit. However, it is now widely acknowledged as
having serious security flaws.
Although someone walking by with a wireless adapter may be
discouraged by the wireless network using an encrypted data stream,
a determined hacker needs only a few hours to read enough wireless
packets to generate the required Wep key to gain access to the
network.
Tools such as Airsnort and Wepcrack also make this job easy for
hackers by passively listening to wireless traffic. Once they
acquire between five and 10 million packets, they can guess the
encryption password immediately.
WPA2, however, dynamically changes keys so that by the time a
hacker has intercepted enough wireless packets to guess the key,
the key has already changed a number of times.
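The practical advice above (change the defaults, turn SSID broadcast off, keep a list of authorised client cards, and move from Wep to WPA2) can be checked mechanically against an access point's configuration. The script below is an added example, not the article's own and not part of hostapd: it audits a configuration written with the hostapd.conf directive names (ssid, ignore_broadcast_ssid, macaddr_acl, accept_mac_file, wpa, wpa_key_mgmt, rsn_pairwise, wep_default_key, wep_key0), which are real, while the two configurations and the short list of factory-default SSIDs are constructed samples. A factory-default configuration with a Wep key is shown beside the same access point after the recommendations are applied.

```python
"""Audit an access point configuration for the weak settings the article warns
about: factory-default SSID, SSID broadcast left on, no list of authorised
client cards, and WEP or WPA1/TKIP instead of WPA2/CCMP.

Added example, not the article's own and not part of hostapd. It uses the
hostapd.conf directive names, which are real; the two configurations and the
short list of default SSIDs are constructed samples.
"""

# Constructed sample of factory-default names; a real audit would use a fuller list
DEFAULT_SSIDS = frozenset({"default", "linksys", "netgear", "dlink", "wireless"})

# Constructed: an access point switched on with factory settings plus a WEP key
WEAK_CONF = """\
interface=wlan0
ssid=linksys
ignore_broadcast_ssid=0
macaddr_acl=0
wep_default_key=0
wep_key0=0123456789
"""

# Constructed: the same access point after applying the article's recommendations
HARDENED_CONF = """\
interface=wlan0
ssid=CorpNet
ignore_broadcast_ssid=1
macaddr_acl=1
accept_mac_file=/etc/hostapd/hostapd.accept
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
"""


def parse_conf(text: str) -> dict:
    """Parse key=value lines, ignoring blanks and comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def audit(conf: dict) -> list:
    """Return a list of findings; an empty list means no weak setting was found."""
    findings = []

    ssid = conf.get("ssid", "")
    if ssid.lower() in DEFAULT_SSIDS:
        findings.append(f"ssid '{ssid}' is a factory default; rename it")

    # hostapd default is 0 (broadcast the SSID in beacons); 1 or 2 hides it
    if conf.get("ignore_broadcast_ssid", "0") == "0":
        findings.append("SSID broadcast is on; set ignore_broadcast_ssid=1")

    # 0 = accept every station not on a deny list; 1 = accept only listed stations
    if conf.get("macaddr_acl", "0") == "0":
        findings.append("no authorised-device list; set macaddr_acl=1 with accept_mac_file")

    if "wep_default_key" in conf or any(k.startswith("wep_key") for k in conf):
        findings.append("WEP keys configured; WEP is broken, remove them")

    # wpa is a bit field: 1 = WPA, 2 = WPA2 (RSN), 3 = both; absent means neither
    wpa_bits = int(conf.get("wpa", "0"))
    if not wpa_bits & 2:
        findings.append("WPA2 not enabled; set wpa=2")
    elif wpa_bits & 1:
        findings.append("WPA1 still accepted alongside WPA2; set wpa=2 rather than 3")

    for key in ("wpa_pairwise", "rsn_pairwise"):
        if "TKIP" in conf.get(key, ""):
            findings.append(f"{key} allows TKIP; use CCMP only")

    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        findings = audit(parse_conf(text))
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

Two of the checks carry the caveats the article itself gives: hiding the SSID deters casual attempts rather than preventing access, and the MAC access list only works while the list of users and laptop cards is kept current. The WPA2 check is the one that changes the cryptographic picture described above, since it replaces the static Wep key with per-session keys.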
Guest access and employees using their home wireless networks to
access the corporate network bring unique challenges which are best
overcome by the use of virtual Lan (VLan) tunnels to route users to
a point outside the firewall, says Girard.
"Guest users should be directed to the internet, where they can
use virtual private networks (VPNs) to connect back to their
company portals. This option will also work with the company's own
employees who are not registered for direct access to the Lan,"
says Girard.