For mobile working, connectivity via wireless – whether inside the corporate environment or via publicly available hotspots, Wi-Fi, WiMAX or cellular data (GPRS, EDGE, 3G) – offers mobility while remaining connected to your resources.
The issue for most corporates is how they provide secure connectivity for mobile workers, and the trade-off of risk, usability, cost, complexity and functionality.
For most mobile use outside the corporate wide area network, IPsec virtual private networks with two-factor authentication are the most common standard, but while fine for static connectivity, say in a hotel room, they are restrictive for quick use “on the go”. The use of wireless inside the corporation is a known security risk and is implemented in a number of ways.
The wireless network can be treated as totally untrusted, so users still need to use VPN and two-factor authentication. This does not encourage “occasional” use, nor is it user-friendly.
The network can provide authenticated usage. Using the WPA2 standard and RADIUS or similar technology, users can enter a password or two-factor authentication that permits access and secures the air interface.
Another approach is background authentication. Here, the connection uses Active Directory to perform 802.1x authentication of the hardware and to validate the user’s cached credentials. This is the most user-friendly, but is generally limited to a Microsoft-only configuration.
The flaw in all these possible options is that there are three separate problems:
- Protection of the air interface against unauthorised usage – in the public space to protect and generate revenue, and in the corporate space to protect against intrusion inside the corporate boundary
- Authorisation of the user to make a connection into the corporate wide area network
- Privacy and confidentiality of data transferred over the connection.
The deployment of wireless within an enterprise exposes the corporate network outside the physical constraints of the building. Thus any misconfiguration or weakness effectively “deperimeterises” the whole organisation.
Current “secure” systems are expensive to deploy and costly to manage, and only work within a limited enterprise deployment. Conversely, systems that are secure through employing inherently secure protocols can use any wireless system (corporate or public) without needing complex location-awareness functionality. With such a secure deperimeterised system, it is possible to implement a much simpler infrastructure, thus achieving significant cost savings.
In this environment, the risk of unauthorised use is substantially reduced, and although the business may choose to provide an open system, it may still wish to implement some degree of connection authorisation to guarantee quality of service for wireless users.
Looking at these three issues as separate problems, and in a deperimeterised manner, reduces complexity and increases security.
If the protocols used by the end devices are inherently secure, then all end devices are capable of being deployed on the raw internet.
If only such protocols are used, it becomes irrelevant whether the end device is connected to a public network, public wireless of whatever type, or a privately managed network, wireless or wired.
Operating in this environment, the question then arises, “Why would a company need a private wireless network?” To which the answer is, “They may not any more.”
The provision of a private network in a deperimeterised world is not driven by the need to provide security. Instead private networks (wired or wireless) are areas of network connectivity where a company can provide control over the traffic, ensuring that adequate bandwidth is available where they require it, and that performance meets the needs of the applications they are using over that network. This is a quality of service issue and has little, if anything, to do with security.
Is there a need for connection control on wireless and wired networks? When implementing a wireless infrastructure in a deperimeterised environment, why not simply run an open network? This may be a viable option for a company that has non-corporate devices on its network every day.
The other option is to implement background connection control based on 802.1x or a similar mechanism. This will allow companies to implement quality of service measures (rate limiting/bandwidth control) based on the device trying to connect. It could also require non-company devices (devices not inside the realm of your 802.1x credentials) to authenticate manually – for example via a redirected web page – similar to a hotel or public hotspot.
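As an added example (not from the article or the Jericho Forum), a hostapd access-point configuration that implements the 802.1x background connection control described above while keeping the three problems from the list distinct. The interface name, addresses, VLAN file path and shared secret are placeholder assumptions.

```ini
# hostapd.conf (added example): WPA2-Enterprise with 802.1x and
# RADIUS-assigned VLANs. Interface, addresses, secret and paths are placeholders.
interface=wlan0
driver=nl80211
ssid=CORP-WIFI
hw_mode=g
channel=6

# Problem 1: protect the air interface. WPA2 with CCMP only, no WEP/TKIP.
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP

# Problem 2: connection authorisation. 802.1x/EAP is handed to the corporate
# RADIUS server, which can check the device and user against Active Directory.
ieee8021x=1
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=CHANGE-ME-placeholder
nas_identifier=ap1.example.com

# Quality of service by device class: if the RADIUS Access-Accept carries
# Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802 and Tunnel-Private-Group-ID,
# hostapd places the station on that VLAN (the vlan_file maps VLAN ids to
# interfaces, e.g. a line "10 wlan0.10"). Rate limiting per VLAN is applied on
# the upstream switch or router, not in this file.
dynamic_vlan=1
vlan_file=/etc/hostapd/hostapd.vlan

# Problem 3, data confidentiality, is NOT solved here: only the hop to the
# access point is encrypted. End-to-end protection comes from the inherently
# secure application protocols the article argues for.
```

Non-company devices without 802.1x credentials cannot join this SSID at all; the hotel-style manual authentication the text mentions would be a separate open guest SSID whose traffic the router redirects to a captive portal.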
The Jericho Forum believes that accelerating the use of inherently secure protocols will allow corporations to provide a simpler, yet more secure and holistic approach to remote and mobile access.
Andrew Yeomans is vice-president for global information security at Dresdner Kleinwort Wasserstein bank and is a contributor to the Jericho Forum’s wireless strategy
THE JERICHO ROADMAP
- Companies should regard wireless security on the air-interface as a stop-gap measure until inherently secure protocols are widely available
- Provision of full roaming mobility systems that allow seamless transition between connection providers
- 802.1x integration to corporate authentication mechanisms should be the default for all Wi-Fi infrastructure
- Companies should adopt an “any IP address, anytime, anywhere” approach to remote and wireless connectivity
Source: Jericho Forum