Effective wireless security is available, but holes exist

Wireless networks are fun, convenient, portable, and loved by all. Except security managers, that is, who have been struggling to secure them since the dawn of wireless local area networks (WLANs).

If you're looking at a certain technology point in wireless and ignoring others you are still leaving holes in the security of your network. Jean Kaplan, research analystIDC

Security was a nearly insurmountable challenge in the beginning, but today, more companies are implementing WLANs. What has changed?

Have the IT departments overcome the hurdles, or is there still an element of risk in beaming sensitive data through the air?

"Security is more of an overall strategy than a technology," said Jean Kaplan, research analyst with IDC. "It's about the level of risk you're willing to tolerate or the level of work you're willing to put into securing your network. All the pieces exist to secure your wireless network."

The availability of security technology has improved. At one time enterprises were on their own to secure their networks, but today specialist vendors offer products that would allow even small businesses to run a secure wireless network without paying a high price for it.

"The technology has certainly evolved over the last few years," said Stephen Northcutt, president of the SANS Technology Institute, a graduate school that focuses on information security. "When wireless networking first came out, your encryption choice was [Wireless Application Protocol] and nothing else. These days the number of encryption and authentication choices has increased dramatically."

Wireless security: Security School: Wireless Security Security School: Wireless attacks, A to Z How to reduce wireless driver security vulnerabilities Blue Cross bears burden of 'no wireless' policy

But even though adequate security technology may exist and a talented admin may indeed be able to secure a WLAN, the availability of encryption technology doesn't mean that companies are using it. And one very real threat remains that even the most talented network administrator cannot control: employees. Look around you at your local coffee shop, says Northcutt, and you'll see plenty of people working with business data through a wide-open access point. Are all of them using crypto tunnels or virtual private networks? Probably not, Northcutt said.

Indeed, even though the corporate WLAN is secured, perhaps the biggest security challenge is the awareness and education of the staff.

"The old truth remains: most of the security threats to an organization come from the inside," Kaplan said. "Whether wired or wireless, the biggest challenge is still making sure that employees' environments are secure."

Northcutt warns of the potentially serious problem that can occur when employees set up rogue access points on their own, picking up the hardware at the local Kmart. When this is detected, he advises, management should crack down hard and the employee should be formally disciplined.

Of course, any corporation facing regular issues with employees setting up unauthorized WLANs with out-of-pocket money might consider that a need exists for the technology – and it might be advantageous to create official company access points.

"I believe most enterprises are going to do this right," Northcutt said. "They're going to actively look for rogue access points and put in professional grade gear."

Also keep in mind that wireless is much more than a plain-vanilla 802.11 specification, Northcutt warns. Bluetooth continues to spread and its range continues to increase. It used to be that something had a maximum range of 20 feet; nowadays you have 90 feet. And it matters.

"If you're looking at a certain technology point in wireless and ignoring others you are still leaving holes in the security of your network," Kaplan said.

Krissi Danielsson is a technical author and freelance writer for numerous publications, including DeveloperShed, Computerbits and Newsforge.