The popularity of hotspots is presenting IT directors with the problem of protecting remote users as well as the corporate network.
The growth in wireless hotspots has freed up users to access the internet from almost anywhere. But as more companies experience the convenience of wireless internet, there is a growing concern regarding the security of such hotspots.
Technology suppliers have tried to address security issues with a range of technologies and protocols to secure the wireless network, and some have been more effective than others. This has put the onus on IT managers to find out just what level of security they need to protect their wireless users.
IT managers are also obliged to ensure that any hotspots their employees are using are genuine and secure, and that the connection to the corporate network is not being monitored.
Security experts have shown that it is very easy to set up a rogue hotspot using just a laptop and wireless router, and studies have found the security of many wireless networks, particularly home office networks, to be weak.
By their very design, wireless local area networks offer roaming users open access, and similar to cordless phones, they use radio waves to transport data. But unless security is enabled, these signals can be readily intercepted by nearby receivers. In addition, many wireless access points, small office/home office gateways, and wireless network interface cards use their default settings – particularly ones used in the home.
The risks to business of unsecured wireless networks are serious according to analysts. Richard Brain, technical director at security testing firm ProCheckup, said, “Using unsecured Wi-Fi equipment is no different from letting complete strangers connect to your network without realising a security breach. You may as well add network access points to the outside of the building.”
He said, “The main risks include misuse of corporate internet access and potential theft of confidential company data.”
“There is a very large percentage of businesses that do not have secure wireless Lans in the office,” said Gartner research vice-president Ian Keene. And those that do use a secure wireless Lan with a good security policy often leave their home office networks wide open, he added.
“An employee has a work laptop and a broadband line at home – they share the laptop with the kids, and the end result is they have a wireless Lan. This is very common in homes with broadband connections. Companies need to have a policy on wireless Lans at home, even pre-configuring a wireless access point for home use. The problem is being swept under the carpet at the moment,” said Keene.
There is a range of technologies and protocols that businesses can use to mitigate the risk of attacks on their wireless infrastructure, and many of these are being built into Wi-Fi equipment.
One of the first security standards established to protect wireless networks was Wired Equivalent Privacy (Wep), ratified by the Institute of Electrical and Electronics Engineers (IEEE). This was designed as a native security mechanism for 802.11 wireless Lans.
Wep is still used today, particularly for securing home networks, but is no longer sufficient for enterprise-class networking.
By 2001, several independent studies had found weaknesses in Wep, showing that, even with Wep enabled, an intruder equipped with the proper tools and a moderate amount of technical knowledge could gain unauthorised access to the network via the wireless Lan.
Brain said, “All 802.11b networks are fairly easy to infiltrate, even access points secured by the Wep security standard can be broken. If Wep is used frequently, change the Wep key and change the default SSID network name.” A service set identifier (SSID) is a sequence of characters that uniquely names a wireless Lan.
Because of the weakness of Wep, enterprises and wireless Lan equipment manufacturers have found it necessary to supplement it with other security technologies.
The first of these is Wi-Fi Protected Access (WPA), a strong, standards-based Wi-Fi security specification introduced in 2003 by the Wi-Fi Alliance.
WPA is secured by using Temporal Key Integrity Protocol (TKIP) to encrypt data. TKIP produces a 128-bit “temporal key” and encrypts every data packet sent over the air with its own unique encryption key.
As a result, TKIP increases the complexity and difficulty of decoding the keys for hackers. The system does not allow intruders enough time to collect sufficient data to decipher the key, said the Wi-Fi Alliance.
In 2004, the Wi-Fi Alliance updated WPA with WPA2, which organisations can download for free as a firmware upgrade, if their supplier's equipment allows. WPA2 is based on IEEE 802.11i, a more secure wireless protocol. It uses the Advanced Encryption Standard (AES), which replaces the devalued Wep encryption.
AES was judged secure enough to be adopted as an official government standard by the US Department of Commerce, and uses key sizes of 128, 192 or 256 bits, making it far more difficult to decipher than Wep, said the Wi-Fi Alliance.
“Higher-end wireless access points by companies like Cisco support more advanced protocols like WPA or WPA2, though these may require special software to be installed on the client PC. It just means that the encryption on these is very hard to break,” said Brain.
Organisations can attain a higher level of security with servers that run IEEE 802.1X authentication services. These offer a different approach to wireless security, and like virtual private networks, 802.1X was originally designed for wired networks.
It uses the Extensible Authentication Protocol (EAP) and Remote Authentication Dial In User Service (Radius) servers to authenticate clients and distribute encryption keys.
The Radius server consolidates user password authentication to a central location, making it easy to manage them. Also known as port-based network access control, 802.1X has received widespread industry support since 2001.
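To make the Radius part of the 802.1X exchange described in the two paragraphs above concrete, here is an added example (not code from the original article, nor from any vendor it names) of a Radius Access-Request and Access-Accept/Access-Reject pair as RFC 2865 defines it: the access point (the Radius client) hides the user's password under the shared secret and a random Request Authenticator, the server recovers the password, checks it against a user store, and signs its reply with a Response Authenticator that the client verifies before trusting the answer. The shared secret, the user record and the packet identifier are constructed for the example. Real 802.1X deployments carry EAP inside Radius rather than a User-Password attribute; the PAP-style attribute is used here because it fits in one self-contained block.

```python
import hashlib
import hmac
import secrets

# RADIUS packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

# Constructed sample data: the NAS/server shared secret and one user record.
SHARED_SECRET = b"example-shared-secret"                # constructed value
USER_DB = {b"alice": b"correct horse battery staple"}   # constructed value


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 s5.2: each 16-byte block is XORed with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block            # chaining uses the ciphertext block just produced
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password; the keystream chains on the received ciphertext."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attr(attr_type: int, value: bytes) -> bytes:
    return bytes([attr_type, len(value) + 2]) + value


def decode_attrs(data: bytes) -> dict:
    attrs, pos = {}, 0
    while pos + 2 <= len(data):
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute")
        attrs[attr_type] = data[pos + 2:pos + length]
        pos += length
    return attrs


def build_packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    length = 20 + len(attrs)
    return bytes([code, ident]) + length.to_bytes(2, "big") + authenticator + attrs


def client_access_request(username: bytes, password: bytes, ident: int, secret: bytes):
    """Access point side: returns (packet, request_authenticator) for reply checking."""
    request_auth = secrets.token_bytes(16)
    attrs = encode_attr(ATTR_USER_NAME, username) + encode_attr(
        ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth


def server_handle(packet: bytes, secret: bytes) -> bytes:
    """Radius server side: recover the password, check it, sign the reply."""
    code, ident = packet[0], packet[1]
    length = int.from_bytes(packet[2:4], "big")
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("unexpected packet")
    request_auth = packet[4:20]
    attrs = decode_attrs(packet[20:length])
    user = attrs.get(ATTR_USER_NAME, b"")
    supplied = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    expected = USER_DB.get(user)
    ok = expected is not None and hmac.compare_digest(supplied, expected)
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    reply_attrs = b""
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(bytes([reply_code, ident]) + (20 + len(reply_attrs)).to_bytes(2, "big")
                            + request_auth + reply_attrs + secret).digest()
    return build_packet(reply_code, ident, resp_auth, reply_attrs)


def client_verify_reply(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Access point side: recompute the Response Authenticator before trusting the reply."""
    if int.from_bytes(reply[2:4], "big") != len(reply):
        return False
    expected = hashlib.md5(reply[0:4] + request_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])


def authenticate(username: bytes, password: bytes,
                 secret: bytes = SHARED_SECRET, server_secret: bytes = SHARED_SECRET) -> str:
    """Run one full exchange; 'unverified' means the reply's signature did not check out."""
    request, request_auth = client_access_request(username, password, 7, secret)
    reply = server_handle(request, server_secret)
    if not client_verify_reply(reply, request_auth, secret):
        return "unverified"
    return "accept" if reply[0] == ACCESS_ACCEPT else "reject"
```

The design point worth noticing is that the shared secret is the only thing that binds a reply to the server: a client configured with a different secret than the server cannot verify the Access-Accept at all, which is why the secret is treated as a credential in its own right, long, unique per access point and changed when the access point changes hands.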
IT directors cannot ignore wireless security given the growth in popularity of wireless Lans. Not only must they deploy wireless security measures like Wep, WPA, AES and Radius servers to protect the corporate wireless network, they should also ensure that the wireless networks of teleworkers are locked down.
Case study: the belt and braces approach
US military aircraft manufacturer Lockheed Martin Aeronautics has built a wireless Lan that covers more than 100 buildings at facilities in Texas, Georgia and California. The company produces aircraft including the F-16 and the new F-35 Joint Strike Fighter, and the IT department has security high on its list.
Lockheed Martin uses several layers of security technologies and policies to make sure hackers do not break into its systems, which they frequently attempt to do.
The Wi-Fi network uses strong authentication, and users are required to plug a hardware security device into the computer and input a password. The company uses preconfigured laptops with dedicated firewalls. They also have encrypted hard drives and PC-to-PC connections are disabled. Software is used to disable the wireless port when a laptop is plugged into a wired network, and the company also uses VPN software on its wireless computers and does not rely on the encryption built into wireless devices.
Lockheed Martin has an intrusion detection system that can sniff out radio waves, with sensors placed where no wireless network is supposed to exist. The firm also uses software from AirMagnet on handheld computers to discover the origin of unauthorised wireless network activity.
There is a checklist of procedures that Lockheed Martin's network managers follow when they respond to alerts from the intrusion detection system. Network managers also adhere to written policies, allowing them to confiscate wireless equipment that is brought into the company without notice, or used improperly.
How to secure your wireless users
IT directors have to balance convenience with security, but when using hotspots, a secure VPN is the minimum security you should use, according to Gartner.
However, a belt and braces approach is best, said Gartner research vice-president Ian Keene. “You can use encryption in the office using 802.11i. Also make sure you have up-to-date Wi-Fi equipment.
“You also need to understand which access points and users are active in the office – this ties into having a policy to manage that.”
Keene added that offices should use software, which can be downloaded onto a PDA, to monitor the radio waves to check which access points are active in the office.
“You need some sort of a system to see where the network bottlenecks are and where the access points are operating. Ensure that the access points are approved and raise an alarm if there is an unauthorised device. Any business, large or small, should not allow employees to bring an access point from home and plug it in unsecured.”
Richard Brain, technical director at network security testing firm ProCheckup, said, “From experience, we have found that many routers and access points have the admin account left with the default settings. Listings of usernames and passwords for different devices can easily be found on the internet and this means that malicious Wi-Fi users could modify the hardware configuration and change the password, rendering the hardware useless in some instances.”
He also advised companies to secure their Wi-Fi networks by using a VPN client on the laptop, connecting to an intermediary VPN server treating Wi-Fi in the same way as an unsecure internet connection. “You wouldn't connect your network directly to the internet so why do it with Wi-Fi?” said Brain.
“Get your company tested for unapproved Wi-Fi access points, and consider removing Wi-Fi and Bluetooth cards from laptops if your company has a policy of no wireless access. Theoretically, due to the penetration of Wi-Fi, a future worm or virus could be created utilising Wi-Fi or Bluetooth as a vector. There is already a Bluetooth worm for the Nokia 60,” said Brain.
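The checks Keene and Brain describe above (know which access points are active and alarm on unauthorised ones, retire Wep and factory SSIDs, get admin accounts off their default password) can be automated. What follows is an added example, not code from the article or from any firm it quotes, written in Python with a constructed inventory of approved access points and a constructed radio survey of the kind a handheld scanner would produce. It reports policy failures in each approved unit's recorded configuration, unknown radios in the survey (including one advertising the corporate SSID, the rogue hotspot case from the start of the article) and approved radios whose on-air settings no longer match the record, which is what a unit reconfigured through a default admin account would look like.

```python
"""Wireless estate audit: weak settings on approved APs plus unknown or drifted radios."""
import json

# Constructed sample inventory: approved access points keyed by BSSID (radio MAC),
# with the settings the network team recorded when each unit was installed.
APPROVED_APS = {
    "00:11:22:33:44:01": {"ssid": "corp-wlan", "security": "WPA2", "admin_password_changed": True},
    "00:11:22:33:44:02": {"ssid": "linksys", "security": "WEP", "admin_password_changed": False},
    "00:11:22:33:44:03": {"ssid": "corp-guest", "security": "WPA2", "admin_password_changed": True},
}

# Constructed sample radio survey, as a handheld scanner might report it.
SURVEY = [
    {"bssid": "00:11:22:33:44:01", "ssid": "corp-wlan", "security": "WPA2"},
    {"bssid": "00:11:22:33:44:02", "ssid": "linksys", "security": "WEP"},
    {"bssid": "00:11:22:33:44:03", "ssid": "corp-guest", "security": "OPEN"},   # drifted
    {"bssid": "aa:bb:cc:dd:ee:ff", "ssid": "corp-wlan", "security": "OPEN"},   # unknown radio
    {"bssid": "de:ad:be:ef:00:01", "ssid": "NETGEAR", "security": "WPA"},      # unknown radio
]

# Constructed list of factory SSIDs; a real list would come from the vendors in use.
FACTORY_SSIDS = {"linksys", "netgear", "dlink", "default", "wireless"}
ACCEPTABLE_SECURITY = {"WPA2"}    # policy: 802.11i / AES only


def audit_ap(cfg: dict) -> list:
    """Policy findings for one approved access point's recorded configuration."""
    findings = []
    sec = cfg["security"]
    if sec == "OPEN":
        findings.append("no encryption enabled")
    elif sec == "WEP":
        findings.append("WEP in use; not sufficient for an enterprise network")
    elif sec not in ACCEPTABLE_SECURITY:
        findings.append(f"{sec} in use; policy requires WPA2")
    if cfg["ssid"].lower() in FACTORY_SSIDS:
        findings.append(f"default SSID '{cfg['ssid']}' not changed")
    if not cfg["admin_password_changed"]:
        findings.append("admin account still has factory password")
    return findings


def check_survey(survey: list, approved: dict) -> dict:
    """Compare observed radios against the inventory.

    rogue: radios absent from the inventory (unauthorised device or rogue hotspot);
    drift: approved radios whose on-air SSID/security differ from the record.
    """
    approved_ssids = {c["ssid"] for c in approved.values()}
    rogue, drift = [], []
    for ap in survey:
        cfg = approved.get(ap["bssid"])
        if cfg is None:
            if ap["ssid"] in approved_ssids:
                rogue.append((ap["bssid"], f"unknown radio advertising corporate SSID '{ap['ssid']}'"))
            else:
                rogue.append((ap["bssid"], "radio not in approved inventory"))
        elif ap["ssid"] != cfg["ssid"] or ap["security"] != cfg["security"]:
            drift.append((ap["bssid"], f"on air as {ap['ssid']}/{ap['security']}, "
                                       f"recorded as {cfg['ssid']}/{cfg['security']}"))
    return {"rogue": rogue, "drift": drift}


def full_report(survey: list = SURVEY, approved: dict = APPROVED_APS) -> dict:
    """Survey findings plus configuration findings for every approved unit that has any."""
    report = check_survey(survey, approved)
    report["config"] = {bssid: audit_ap(cfg) for bssid, cfg in approved.items() if audit_ap(cfg)}
    return report


if __name__ == "__main__":
    print(json.dumps(full_report(), indent=2))
```

The inventory is the key input: the survey check is only as good as the list of approved BSSIDs, which is why the firms quoted above pair it with a written policy that says who may install an access point and what gets confiscated when one turns up that is not on the list.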
Forrester Research senior analyst Thomas Raschke said that it is now essential for IT managers to secure the growing number of mobile devices being used in businesses.
“Devices often ship without adequate security configurations, and are vulnerable to attack through Bluetooth, SMS and other channels. Wireless networks are not set up to prevent or limit the spread of attacks.
“As a result, wireless networks will likely go through similar growing pains, with worms and denial-of-service creating widespread disruption,” said Raschke.
He recommended organisations:
- Establish a clear, consistent, and enforceable mobile security policy
- Implement tools like Sybase Afaria, Intellisync, Altiris, Landesk, and Novell to secure and manage mobile devices
- Educate users about mobile security best practices
- Select mobile management and security tools based on user requirements and the overall security risks that mobile devices pose.
“On-device encryption is only necessary if confidential or proprietary data is stored on the device,” said Raschke.