Wireless local area networks can offer a number of advantages over traditional Lans, but there are basic measures IT departments must take to minimise the dangers, writes Danny Bradbury.
Wireless local area networks offer a variety of benefits, not least of which is the ability for staff to be mobile around the office, taking their network connectivity from meeting to meeting. Listed buildings or temporary sites, in particular, benefit from a cable-free environment. But moving from Category 5 cable to radio opens security loopholes that must be closed to reduce your business risk.
Physical security is a particular issue for WLan users, says Gunter Ollmann, manager of X-Force security assessment at Internet Security Systems. Putting your access points away from windows and outer walls will help to reduce the risk of outside interception.
Alternatively, instead of buying an omnidirectional access point that broadcasts in all directions, you can purchase directional access points to limit the data broadcast area, perhaps putting it in an outside corner to beam inwards. Nevertheless, it is very difficult to stop data leaking outside your walls, and you still have your mobile client nodes to worry about, which is why other protection is needed.
Identify what information is going to be passed over the network to assess the level of risk. Geoff Davies, managing director of security consultancy I-Sec, says a client base of salespeople will be particularly vulnerable to attack, because of the sensitive customer information they pass over the network. The nature of the data will affect the level of security you apply.
If your data is not particularly sensitive, the Wired Equivalent Privacy (WEP) encryption protocol built into most 802.11b WLan access points may be all you need. Nevertheless, you should remember that this can be cracked if an assailant is given enough time - they simply need to collect enough of the right packets via their own WLan card.
Davies estimates a cracking time of anywhere from five to 30 seconds - depending on the amount of traffic that is being passed across your network - for a hacker using one of the WEP cracking tools, such as WEPCrack, which are freely available over the Internet.
One way to cope with WEP's vulnerability is to change the encryption keys that it uses on a regular basis, which would force a would-be hacker to start collecting packets all over again.
Much will depend on the size of your organisation. The problem with WEP is that it is not very scalable. The encryption keys that are used to encode WEP communications are not dynamically updatable, so they have to be updated manually. This is not a problem for a small retailer with a single branch containing a small number of laptops, but for a large company with lots of nodes, the overhead involved in altering the keys will be too great.
An alternative would be to use Cisco access points and Cisco client cards, says Davies. The way WEP is used in these cards is not subject to the same attacks as other cards. However, Davies points out that this additional security only works if you are using Cisco access points and client cards. With more laptops containing their own non-Cisco client hardware inside the box, this Cisco-specific idiosyncrasy may not be worth much to you.
An alternative is to use 802.1x, a relatively new protocol, which beefs up WLan security. 802.1x enables WEP keys to be dynamically updated, and also includes other technologies such as mutual authentication. Unlike vanilla 802.11b, 802.1x prevents clients being spoofed by a rogue wireless access point by forcing access points to authenticate themselves to clients. However, not all wireless access points support this protocol, so if you have already installed WLan equipment you may have to upgrade.
802.1x is very useful (although not crucial) in the creation of a virtual private network. VPNs let authenticated users pass data over a vulnerable network by encrypting and decrypting it at the transmission and reception points. This can enhance WLan security because VPNs are able to use more robust techniques than WEP.
If you are using wireless PDA clients (waiters in one restaurant chain in the South East use wireless PDAs to feed orders back to the kitchen, for example) then a VPN may not be appropriate, because encryption and decryption impose a processing overhead. Another issue with VPNs and firewalls is that they do not provide secure roaming between different access points. If you are in a large building or a campus environment, this will be an issue.
An alternative to the conventional VPN is the wireless gateway. Available from companies such as ReefEdge and BlueSocket, these gateways offer encryption using the IPSec and Point-to-Point Tunnelling Protocol (PPTP) standards, like generic VPNs, but they also offer WLan-centric functions. These include the ability to hold user access rights locally at the subnet level, rather than at a central site. They can also be configured to allow roaming between different access points and gateways, so users can retain their security settings as they wander around campus.
Depending on the type of data you are passing over your wireless network, the need for WLan security may be more critical than you think. The Data Protection Act requires holders of data about third parties to be responsible for its security. Failure to secure sensitive data that later becomes compromised could not only affect your company's image, but could also land you in legal hot water.
Six steps to a secure WLan
Position your access points away from windows, preferably towards the centre of the building
Do not trust WEP - update your keys regularly. If you cannot do it manually, look to another solution, such as 802.1x access points, which can be used along with authentication servers
Secure your clients. Remove file sharing from laptops and make sure their security patches are up to date
Consider a VPN for additional security
Invest in a WLan if you need extra facilities such as local user privilege list, storage and roaming between access points.
Turn off your access point's Service Set Identifier broadcasting to help hide it from the public.
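The checklist above, expressed as an audit over a site inventory. This is an added example, not part of the original article; the field names, the sample devices and the seven-day key-age limit are assumptions (the article says only that keys should be changed regularly).

```python
from dataclasses import dataclass
from datetime import date
# Assumed policy value: the article says "regularly" without giving an interval.
MAX_WEP_KEY_AGE_DAYS = 7

@dataclass
class AccessPoint:
    name: str
    placement: str        # "interior", "window" or "outer_wall"
    encryption: str       # "none" or "wep"
    dot1x: bool           # 802.1x with an authentication server (dynamic keys)
    key_changed: date     # date of the last manual WEP key change
    ssid_broadcast: bool
    behind_vpn: bool      # traffic forced through a VPN or wireless gateway

@dataclass
class Client:
    name: str
    file_sharing: bool
    patched: bool

def audit(aps, clients, today):
    """Return (subject, finding) pairs for each checklist item that fails."""
    findings = []
    for ap in aps:
        age = (today - ap.key_changed).days
        if ap.placement != "interior":
            findings.append((ap.name, "sited at a window or outer wall"))
        if ap.encryption == "none":
            findings.append((ap.name, "no encryption"))
        elif not ap.dot1x and age > MAX_WEP_KEY_AGE_DAYS:
            findings.append((ap.name, f"static WEP key unchanged for {age} days"))
        if not ap.behind_vpn:
            findings.append((ap.name, "no VPN or wireless gateway; consider one"))
        if ap.ssid_broadcast:
            findings.append((ap.name, "SSID broadcast enabled"))
    for c in clients:
        if c.file_sharing:
            findings.append((c.name, "file sharing enabled"))
        if not c.patched:
            findings.append((c.name, "security patches out of date"))
    return findings

# Constructed sample inventory (not real devices).
SAMPLE_APS = [
    AccessPoint("ap-foyer", "window", "wep", False, date(2002, 1, 10), True, False),
    AccessPoint("ap-core", "interior", "wep", True, date(2002, 1, 10), False, True),
]
SAMPLE_CLIENTS = [Client("sales-laptop-1", True, False), Client("sales-laptop-2", False, True)]
```

Calling audit(SAMPLE_APS, SAMPLE_CLIENTS, date(2002, 3, 1)) flags the foyer access point and the first laptop, and passes the 802.1x access point whose keys are updated dynamically.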
Case Study: O2 trusts in WLans
Mobile phone company O2 was using WLans in non-sensitive areas such as training rooms and foyer displays, but would not connect them to the corporate Lan until it could be sure that it had resolved some of its security issues, in particular the weakness of the WEP encryption protocol. In collaboration with security consultancy HarrierZeuros, it decided to use a VPN concentrator to solve the WLan security problem. Putting the VPN concentrator in between the existing remote-access server and the corporate Lan enabled it to combine user authentication with data encryption.