Connected: Time to turn on to wireless?

In the second of his fortnightly series on communications, Antony Savvas examines the security issues raised by wireless...

In the second of his fortnightly series on communications, Antony Savvas examines the security issues raised by wireless networking and explains the ground rules for a successful implementation.

Drive-by hacking may sound somewhat contrived. Users may feel the IT industry is over-hyping the genuine risks of running wireless networks. But as a responsible IT manager you would be well advised to assess the true extent of this wireless security threat.

The Pentagon recently banned the use of wireless LANs within the building because it couldn't ensure the security of this type of network. Now if the Pentagon cannot guarantee wireless security, what hope is there for business users? How can companies broach the subject of maintaining the highest level of security on their wireless LAN rollouts?

You may have read about recent publicity stunts involving security consultants driving through the City of London, tapping into corporate networks using equipment no more sophisticated than a Pringle box (once you've eaten the crisps) and some free Internet software.

This drive-by hacking is often made easier by users not configuring even the most basic of security measures when they unpack and install their new wireless access point devices. In a recent survey IT managers said they were concerned that their staff lacked the relevant skills to install wireless networks in a secure fashion. Training issues clearly have to be addressed.

But wireless is an emerging technology. Users who deployed the early wireless LANs were at the bleeding edge. The first wireless LAN products only supported 40-bit encryption. This level of security was barely enough.

"If the Pentagon cannot guarantee wireless security, what hope is there for business users?"
Antony Savvas
security experts now recommend a minimum of 128-bit encryption. They also advise users to improve security of wireless LANs by configuring them as virtual private networks (VPNs), which can provide a secure tunnel for sending information between the less secure wireless environment and a business' internal corporate network.

The price of protection
Such measures do not come cheap. Clearly there is a need for a risk assessment exercise. If companies do not vigorously manage their wireless networks, they risk not only exposing their commercially valuable data to intruders, but also the bandwidth on their network could be stolen by an outsider.

Think about it: you set up a wireless network for your own business' use, but anyone can tap into this network since it is wireless. Every unauthorised user on that network is taking away valuable bandwidth from your legitimate users.

The Confederation of British Industry earlier this month expressed its concern about the appearance of markings on corporate buildings showing where the easy-to-hack networks were. Members of the public could theoretically tap into these corporate networks to gain free broadband access, a bit like someone linking their electricity supply to a street lamp to get free energy.

Beyond these potentially serious wireless concerns, anyone considering wireless needs to appreciate that the whole industry is in a state of flux. Much of the focus on wireless LANs so far has been based on systems using the 802.11b protocol where data can be accessed at up to 11Mbps across rooms via fixed accessed points. This is now being superseded by 802.11a, which supports data rates up to 55Mbps.

Getting from b to a
So everyone should start buying 802.11a equipment now, right? Not quite. In the UK, the use of 802.11a is controlled by the Radio Communications Agency whose job includes making sure wireless applications don't interfere with the country's critical infrastructure like defence and emergency response teams. To date, the agency has yet to agree a standard for 802.11a. This means that wireless 802.11a products on sale in the UK at the moment could be technically illegal.

Clearly there is plenty of change ahead. Companies that plan to roll out anything beyond the simplest of wireless networks would be wise to consider a service contract with a specialist consultancy. This is arguably the surest way to minimise the risk in deploying wireless LAN technology.

Using such a provider would, at the very least, ensure the wireless rollout is implemented correctly. You should get some degree of comfort from the knowledge that the third-party consultant you use would have a track record configuring wireless LANs securely. And as the 802.11 standard evolves, a third-party relieves the burden on you to keep up with the changes.

What's your view?
Are security issues putting you off wireless technology?> Let us know with an e-mail.>>>> reserves the right to edit and publish answers on the Web site. Please state if your answer is not for publication

Antony Savvas
is an independent observer and commentator on the telecoms and IT industries.

Read more on Wireless networking