Securing your networks against the risk of rogue wireless access is no longer optional

Whether or not your organisation has a wireless network, rogue access points could make company systems and data vulnerable to...

Whether or not your organisation has a wireless network, rogue access points could make company systems and data vulnerable to attack from hackers

Wireless technology is becoming ever more popular, both in the business world and with consumers. The ease with which wireless access points can be installed and the risk of unauthorised access they present means users need to apply security skills to safeguard their wireless networks.

The City of London saw a 253% increase in the number of wireless networks deployed in the 12 months from February 2002 to February 2003, according to a survey by RSA Security.

Tim Pickard, vice-president of marketing EMEA at RSA Security, said this equated to a 300% rise in the number of access points across the City. RSA's most recent survey, in Frankfurt in May 2004, showed that despite security concerns, wireless networks are proliferating.

Karl Feilder, president and chief executive of Red-M, a provider of wireless intrusion and detection products, said that between 80% and 90% of laptops that ship with the Centrino chip have wireless capability.

The gadgets are out there

Add to that the fact that most senior managers, middle managers and sales people have their own mobile devices such as personal digital assistants with wireless capabilities, and it is easy to see that wireless is being widely used - if not in approved business systems, then on a personal basis.

Many users connect their own wireless devices to company systems, and this can cause a logistical headache for IT departments trying to control the use of these items and maintain security in the corporate infrastructure.

There are two issues facing IT departments attempting to deal with the control, implementation and restriction of wireless technologies. If you choose to implement this technology and deploy a wireless network within the company, how do you implement it effectively and maintain company security?

And, if you choose not to deploy this technology, how do you ensure that users are not compromising the security of the network by using it anyway?

Unwanted visitors

For companies looking to implement wireless technology on their networks, one of the greatest concerns is preventing the network from being visible outside of the business premises. Stories of wireless networks that have been compromised by unwanted visitors sitting in car parks have made some people wary of this technology.

Although some physical solutions to radio frequency (RF) leakage - radio waves escaping the building - have been developed, such as glass that prevents leakage through windows,

Michael Coci, director of product marketing and support at wireless Lan maker Trapeze Networks, said, "You do not have to go down the path of expensive physical barriers to stop this. By using directional antennae on external walls and directing the RF signal inwards and reducing the range of access points, you can minimise leakage."

Products from companies such as Trapeze and Airespace allow you to plan and manage the location of access points. By importing drawing files of floor plans into planning programs it is possible to take account of external walls and windows when planning where access points should be placed.

Access points typically serve between 10 and 15 users and can be configured and placed to make them more efficient according to the number of users they serve and the bandwidth required. The key to implementing a wireless network effectively is planning and management.

Why do you want wireless?

Joel Young, vice-president of engineering at network developer Digi International, said IT managers should be clear about what they want from wireless integration in the network at the planning stages as this will determine how the network should be structured.

"Before anything else, do a site survey of where you think you want to have wireless and fixed devices, as some can afford to have a lower signal," he said.

Unlike a wired network, which is static and contained, in the wireless environment different users may be doing different things at different times of the day.

Martin Cook, solutions consultant in Cisco's business development team, said, "The wireless network is dynamic. There are RF changes as the number of people in a room changes, and as furniture, such as a filing cabinet, is moved. Management is a big issue at the minute. Wireless networks are easy to deploy, but the total cost of ownership is reduced by effective management tools."

The same products can also be used to track unauthorised or rogue access points, such as those created when users bring in personal wireless devices and connect them to the network. Access points can be configured to scan neighbouring access points and monitor bandwidth, as well as any rogue access points that appear.

Rogue access points that occur through unauthorised use of wireless devices can be just as much of a threat as someone sitting outside the company building and sneaking on to the corporate wireless network.

Security policies

If security policies are not in place to control both the access to the network and the access points around the building, this is a potential security risk - and this can apply even to those networks that are not wireless.

Ian Hughes, manager of IP and mobility security at BT, said, "The decision to have a mobile network has been taken out of people's hands. The reality is you have probably got a wireless network even if you do not want one."

Feilder agreed. "Every organisation we have visited to talk about wireless security has had wireless in their building whether they wanted it or not," he said. "One company knew it had two rogue access points, but we found 32 hooked up to the main production network."

Companies should also be aware that if there is the possibility of access to a network, they could be opening themselves up to legal risk through not complying with data protection legislation by not securing data effectively.

For those looking to stop wireless access points appearing without permission, either from internal users or external hackers, the first challenge is to identify these devices when they appear.

One way of locating rogue devices is to patrol with portable scanners to locate where wireless signals are coming from, but this relies on the devices being active at the time.

Leakage is inevitable

The reality is that if there are wireless devices being used in the company, there will be some RF leakage. Minimising that comes down to ensuring that proper security policies are in place.

Steve Merrills, technical director at software maker Arc, advised continuous channel scan- ning for rogue access points and to see if anyone is trying to connect to the network.

Arc distributes and uses Network Instruments access points and runs Cisco Wireless Observer for Cisco cards in its own wireless network to provide IT, administration and sales staff with connection to the network. With standard Wep (Wired Equivalent Privacy) encryption running on the systems, Merrills said scanning was essential for peace of mind.

"The alarm facilities will let us know straight away if anyone tries to connect," he said.

After installing the wireless network in its own building, Arc became aware that a neighbouring company had chosen to base its wireless network on the same radio frequency.

"Because we were monitoring the frequencies, we were able to tell them about it and pick up any channel clashes. We have even been able to tell other companies in the building that unauthorised people were getting on to their networks," Merrills said.

Although some of these networks may happily provide access to the internet for visitors some, undoubtedly unknowingly, allow unauthorised access to company networks. The RSA Security survey found that 34% of networks were not using Wep security.

Pickard said, "Although the use of Wep was significantly higher in this survey compared with previous years, 27% of networks had no encryption at all."

Security protocols

Many in the industry believe Wep is not adequate for companies in which preventing network intrusion from unwanted access is critical.

Magnus Nystrom, technical director at RSA Security, said this has been one of the major barriers to wireless network deployment.

"Wep provides an assurance roughly at the same level of traditional Lans, but it had some weakness in how it is authenticated," he said. Hence the intermediate solution of WPA (Wi-Fi Protect Access), introduced two years ago. "WPA security is not as desirable as you would like in some environments, but I would not be concerned about deploying it," Nystrom said.

WPA2 and 802.11 security standards were announced last year, providing a tighter level of security for those environments that need it. Experts agree that these new levels of security mean that wireless networks can be more secure than traditional Lans.

However, there is a basic danger for companies deploying wireless technology that is being overlooked - the proliferation of hardware running on default settings. The RSA Security survey found that 25% of networks had kept the default settings on the hardware after installation, thus allowing easy access.

Pickard said, "An unauthorised user can effectively go in and kick all the users off the network and have a lot of bandwidth.

"A security policy needs to cover wireless in every form - smartphones and other devices - through 3G and other protocols. Security policies sometimes fall behind in the technology they cover. They should be covering new technology as it emerges."

Where at the outset of wireless technology companies relied on physical barriers to stop RF bleed outside the building, now network experts are advising that, with the availability of 802.11 security protocols, network administrators and IT managers should be able to maintain network integrity without expensive physical barriers.

One thing is clear, wireless technology is going to continue expanding. Companies must understand the necessity for a security policy that encompasses wireless devices, even if a wireless network is not deployed within the organisation.

Read more on Wireless networking