Insurance & Technology is part of the Informa Tech Division of Informa PLC




The Hazards of Wireless LANs

While insurers cautiously assess potential benefits, deployment of rogue devices can open critical vulnerabilities.

Falling prices for wireless hardware have resulted in an explosion in the popularity of wireless local area networks (WLANs), both in general and for business use. The potential benefits of WLANs to companies are considerable, driving demand on the part of business executives. But the popularity of the technology should inspire caution as insurers consider implementing it.

Among the good reasons to use wireless LANs are cost and rapid deployment advantages over wired LANs, as well as the productivity advantages of mobility, according to Manuel Barbero, technology group leader, financial services, BearingPoint (McLean, Va.). WLANs can also help with the overhead associated with transient occupancy or frequent relocation. "There's a surprising amount of 'churn' in financial services organizations," Barbero says. "So any kind of technology that helps your employees to be more mobile will help."

Underestimated Threat

Unfortunately, a WLAN is too often deployed without proper attention to its vulnerabilities. In the wake of the season of the SoBig and Blaster viruses, Internet security consciousness is high. But appreciation of wireless dangers is not, according to Barbero. "When you survey enterprises you find that they're leaving themselves extraordinarily open to external threats," he asserts.

While Web servers are generally segregated from other company systems into a "DMZ," limiting the scope of hostile breaches, insufficiently protected WLANs can allow deeper penetration. "If you hop on a wireless access point, you're essentially at the heart of the internal network," says Matt Tanase, president of network and security engineering firm Qaddisin (St. Louis). "You're behind the firewall and have access to everything that legitimate users can see."

While technology executives can generally be counted on to address WLAN security issues as a matter of course, the same is not true of other workers at financial services companies, BearingPoint's Barbero claims. "What happens is that organizations at the workgroup level go out and buy cheap devices - for 50 bucks you have a wireless router," he says. "Because the deployment of the WLAN access point is not centrally managed by the technology group, it's really deployed without any oversight as far as security is concerned." Furthermore, rogue users seldom activate the built-in encryption for the devices they buy.

Even if they were to activate the typically available security measures, they wouldn't provide a very effective barrier to breaches, claims Qaddisin's Tanase. "The first problem is that the WEP [wired equivalent privacy] security standard for the 802.11b protocol is flawed," Tanase says. In theory, a wireless network with WEP will restrict access to those granted a pass key. The problem, however, is that "you can sit within range of the network, listen and take a traffic sample. Once you've built up enough traffic samples, there are programs such as (the freely available) AirSnort that can analyze the packets flying back and forth along with the encryption they use, and guess at the key and eventually figure it out."

Authentication and further layers of encryption can make WLANs secure, Tanase emphasizes, but that's not characteristic of unauthorized use of the technology. Making things worse, very little sophistication is needed to tap into open networks. Many laptop computers and hand-held devices come equipped for easy wireless access.

Mapping Accessibility

This has given rise to the normally benign activity of "war chalking," where wireless users, seeking Internet access on the move and on the cheap, mark public spots with chalk to identify facilities that contain unsecured, active WLAN access points. But it has also given rise to "war driving," which is often done in a more malicious spirit, according to Tanase. "You can actually drive up and down a popular street finding access points. You can even use a GPS device and have a map generated which shows you the exact location of an access point and the network's name."

The ease of the technology and the naivete of rogue users can result in a remarkable degree of vulnerability, says Tanase. "Let's say you're located in a high-rise building and you have a wireless network, and someone pulls out a laptop on the floor above you," he postulates. "Both Apple and Windows laptops have built-in software to pick up on these networks instantly - they assume that they're there for your use. A dialogue box will pop up and say, 'X, Y and Z networks are available; which one do you want to get on?'"

MBIA Insurance Corp. (Armonk, N.Y., $6.2 billion in assets) limits its use of WLAN to Internet-only access. "When we have clients, vendors and the like come on campus they can access the Internet through various hot-spots we've implemented throughout the building and in public access areas," comments Andrea Randolph, CTO. "We do not at this point have a WLAN that allows access to our own internal systems, and I do not foresee our having it in the immediate future."

Significant Issues

In the longer term, Randolph sees an important opportunity in WLAN but opines that for the time being "there are significant issues involving encryption, vulnerability points and authentication requirements." She adds, "At this point I think we would have to re-architect our entire DMZ if we were to allow access via WLAN."

MBIA policy dictates that no unauthorized technology can be used on campus, but its efforts go further. "We also have appropriate monitoring tools in place to detect any time someone might attempt to set up a rogue LAN," Randolph remarks.
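As an added illustration (not from the article and not MBIA's tooling), the following sketch shows the kind of check a rogue-WLAN monitor performs: compare observed access points against the technology group's inventory and flag unmanaged devices on the internal LAN and any owned or internal device running with no encryption or WEP. The inventory, the scan records and the `on_wired_lan` field (assumed to come from correlating with switch port data) are constructed for the example.

```python
from dataclasses import dataclass

# Constructed inventory of access points the technology group manages.
AUTHORIZED_BSSIDS = {"00:11:22:33:44:01", "00:11:22:33:44:02"}
# Modes the article treats as inadequate: no encryption, or WEP.
WEAK_ENCRYPTION = {"OPEN", "WEP"}

@dataclass(frozen=True)
class Beacon:
    bssid: str          # radio MAC address of the access point
    ssid: str           # advertised network name
    encryption: str     # "OPEN", "WEP", or a stronger mode
    on_wired_lan: bool  # assumption: device was also seen on an internal switch port

def classify(beacon):
    """Return the findings for one observed access point."""
    findings = []
    managed = beacon.bssid.lower() in AUTHORIZED_BSSIDS
    if not managed and beacon.on_wired_lan:
        # Workgroup-bought device plugged in behind the firewall.
        findings.append("ROGUE_ON_INTERNAL_LAN")
    elif not managed:
        # Someone else's network in radio range (e.g. the floor above).
        findings.append("UNKNOWN_NEIGHBOR")
    # Weak encryption only matters for devices that lead into our network.
    if beacon.encryption.upper() in WEAK_ENCRYPTION and (managed or beacon.on_wired_lan):
        findings.append("WEAK_ENCRYPTION")
    return findings

def audit(beacons):
    """Map each access point with at least one finding to its findings."""
    report = {}
    for beacon in beacons:
        findings = classify(beacon)
        if findings:
            report[beacon.bssid] = findings
    return report

# Constructed scan results, not real observations.
SAMPLE_SCAN = [
    Beacon("00:11:22:33:44:01", "corp-wlan", "WPA2", True),
    Beacon("00:11:22:33:44:02", "corp-wlan", "WEP", True),
    Beacon("66:77:88:99:AA:BB", "linksys", "OPEN", True),
    Beacon("DE:AD:BE:EF:00:01", "cafe-upstairs", "OPEN", False),
]

if __name__ == "__main__":
    for bssid, findings in audit(SAMPLE_SCAN).items():
        print(bssid, ", ".join(findings))
```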

Anthony O'Donnell has covered technology in the insurance industry since 2000, when he joined the editorial staff of Insurance & Technology. As an editor and reporter for I&T and the InformationWeek Financial Services of TechWeb he has written on all areas of information ...
