Wireless security crucial to railway safety

Union Switch & Signal field workers can't just come and go as they please when there's a job to do on the railways. Homeland security rules mandate where they can park and when they can enter and leave a site. Under those restrictions, workers were forced to make a diagnosis and then return to a hotel to research options, order software or set up engineering tests before returning to the railroad. But because of wireless technology, that's no longer such a time-consuming issue. It is, however, now a security one.

"Out in the field and on the railways -- where we install and service our signaling, automation and control technology -- there's a lot of testing and documenting that goes into it," said Ted Davidson, IT manager of the Pittsburgh, Pa.-based company, which has over 1,000 employees, 1,100 workstations, 45 servers for Windows and 70 servers for Linux. "Given the homeland security procedures, it's better to have a portable device where you can go on the Internet and do all these things without having to leave the site."

And on the factory floor, it's much easier and less hazardous when engineers and technicians can test equipment and trade notes without a bunch of wires in the way. Plus, Davidson said, "It's more convenient for testers to take laptops into the lab to do reports instead of documenting their findings on paper and then returning to workstations to type it all in."

But with all that convenience comes a host of security issues for Davidson's department to manage. Workers are using wireless devices all over the world, often latching onto a third party's Wi-Fi connection where the security may or may not be sufficient. The department must keep track of these devices and make sure they're all fitted with the latest patches and that the antivirus and firewall programs are up to date. It must also make sure users accessing the network remotely have a connection that's safe from hackers.

"Since people want the ability to connect at hotels and airports, we wanted to make sure that we had the latest antivirus and antispyware systems on all the laptops," he said. "We always worry about what's happening in someone else's wireless field."

Security needs are identified
The first order of business for Davidson's department was to find a way to keep the war drivers, evil twins and data hackers from hijacking the company's wireless signal.

"The biggest issue has been non-employees picking up on our access points," he said. "It hasn't happened, but that was our big worry and we spent a lot of time talking about how to limit the bleeding of signal outside the building."

The company's solution was to use an IPsec-based virtual private network (VPN) from Cisco and not broadcast its Wired Equivalent Privacy (WEP) key.

"When you buy a wireless device for your home there's a default WEP key," Davidson said. "The wireless device broadcasts the key so the wireless card knows how to communicate with the wireless access point. We don't allow that. We supply our own specialized keys to keep out the war drivers. All traffic from the access point is rerouted to our VPN server, so the only thing the access point talks to is the VPN server."

Wireless security: UNWIRED: A look at four IT shops and the push for secure wireless networks War drivers, evil twins and data hackers, be damned. Despite a variety of security threats, enterprises have launched ambitious plans to boost wireless capabilities. This series looks at what IT departments from four different business sectors are doing to minimize the security pain points and maximize workforce mobility and efficiency.   SERIES MENU Day 1: Wireless security: Companies deal with software updates Day 2: Preventing danger on the rails Day 3: One hotspot, 910 square miles Day 4: A wireless threat to student safety

Davidson also had to figure out the best patch management method. Though it could be done, he said patches are not deployed over the wireless connection. Instead, security updates are installed as people bring their devices back to the office. "Most people reside in Pittsburgh or South Carolina, so we're able to have them come in for regular patch and antivirus updates," he said. "When they come in the office and log in they get any updates they may have missed" while in the field.

Policy enforcement and two-factor authentication
To help it meet most of the wireless security and functionality challenges, Union Switch & Signal turned to Blue Bell, Penn.-based Fiberlink. Using its Extend360 client, Davidson said workers can use Microsoft Outlook out in the field, instead of filling out paperwork to order a piece of software, a log test or an analysis, then having to go back to the hotel to finish the job.

An important security feature is that the Fiberlink client gives Davidson and his team the ability to enforce its policies. "You can instruct the client not to transmit data if it doesn't see an active firewall or VPN connection," he said.

Davidson's team also relies on strong authentication procedures to ensure security. "We use one-time password tokens and two-factor authentication from [San Jose, Calif.-based] Secure Computing," he said. "Basically, you push the button and it gives you a password that's good only once. This eliminates the ability for someone to log back in if their credentials are compromised. A password generated by a token is synchronized with the server and you can't get VPN access without the token."

Davidson said the system is not used in place of the Windows XP log-in process. It's used to add an extra layer of protection when people need remote access to the network. Here's how the system works:

• Each person requiring remote access is issued a token. The token works by replacing their standard remote password with the combination of the token password plus a PIN. "The two factors -- something you have being a token and something you know being a PIN -- provide for secure logins," Davidson said.
• The employee selects the mobile data button on the Fiberlink client and enters their remote access username. For the password, they push the button on the token. "It may display, for example, '3867A1,' which is entered in combination with a PIN in the password field," Davidson said.
• The Fiberlink client connects to the wireless network and passes the credentials through to the Secure Computing SafeWord server for authentication. After a successful connection, Fiberlink launches the Cisco VPN client. The same basic process is repeated.
• Once a password is used it becomes invalid.

Not for everyone
Despite the benefits Davidson lists for using wireless technology, only 5% of the traffic on his network is wireless right now. But he expects that to increase.

"A few months ago wireless wasn't a default option on our laptops. Now it is," he said. "More people have asked for it. My department's mission is to provide continuous global access to information, so we look at whatever new technology is required as part of that. Right now, wireless is one of those technologies and I see our use of it increasing in the next year or so."

That doesn't mean he envisions the day where Union Switch & Signal is 100% wireless.

"We don't see it as the solution for everybody," he said. "Airspace is shared and when many try to use the same access point you run into bottlenecks that can complicate the design."

For now, at least, he believes vendors like Fiberlink and Secure Computing are helping his department strike a balance between security and functionality for those who are using wireless.