Prudence Over Paranoia: Using Wireless LANs Securely
Wireless local area networks (LANs) are proliferating both within enterprises and in public spaces, giving employees far greater flexibility and easier access to company systems. Those benefits carry risks with them, of course, but a prudent approach to wireless LANs can neutralize the threats.
Since wireless LANs ease the availability of data, they create a security exposure; but this is true of any networking technology. "You could get so carried away that the only thing you would allow were desktops hard-wired into a LAN and you wouldn't permit employees to bring in floppy disks or have any means of communicating with the outside world," argues David Cottingham, product director, managed security services, AT&T. "If you put the right pieces in place, the benefits of being able to take advantage of the mobility that wireless affords far outweighs the security risks."
Some of the paranoia surrounding wireless LANs is rooted in the aggressive way hackers -- malicious and otherwise -- have sought to break into such networks for their own purposes. A large portion of that culture has been recognized as benign and actually encouraged to grow through the provision of open wireless "Wi-Fi hotspots," such as those available at many Starbucks locations. Among more sinister developments have been efforts to overcome the WEP (Wired Equivalent Privacy) encryption measures deployed by private LANs.
"Shortly after that standard [WEP] was initially put out there, articles were published showing how you could crack it," Cottingham relates. "There are also downloadable tools, such as WEPCrack; in theory, if they sit there long enough and watch your traffic going by, they can crack the encryption keys that are used to set up the session, and thereby hijack its traffic." Later versions of WEP -- specifically WPA, or Wi-Fi Protected Access -- have addressed that vulnerability by providing constantly changing encryption keys, which made it extremely difficult for hackers to collect sufficient packet information in order to break the encryption, according to Cottingham.
The capabilities of today's WPA products are moot, however, when it comes to the question of employees taking advantage of public Wi-Fi hotspots, since these involve no shared key information between a session participant and the open network. In order to take advantage of Wi-Fi, employees' computers should be equipped with two fundamental security measures, Cottingham recommends. "Deploying a basic firewall will protect you from people trying to get into your machine to install key-stroke locks or spyware," Cottingham says.
Another important measure is to restrict all access to home-office systems to VPN (virtual private network) traffic. "When people drop into a hotspot, they would launch a VPN client to connect back to some office applications," explains Cottingham. "Most of those clients are configured in such a way that they only allow traffic to traverse up and down that established tunnel and deny any other attempt to connect to the computer."
Companies deploying internal wireless LANs need to install encryption to ensure secure use. But even if companies decide not to deploy wireless LANs, they still face the hazard of employees deploying their own. "Rogue access points is a big enterprise problem," Cottingham cautions. There are several popular products for creating wireless LANs on top of existing wired networks, Cottingham explains. "An employee can simply go to the local consumer electronics store, grab one, bring it into work and create a nice little wireless LAN for his co-workers."
While such activity is more likely to be innocent than otherwise, it effectively exposes the network unencrypted to hackers in the area who might be interested in listening in or disrupting the network. Companies should not underestimate the potential for such breaches, as Cottingham explains, recounting occasions when a built-in wireless access card accidentally tuned in to a company's network. "I've seen a lot of situations where as a visitor you walk into environments that you would think would be well locked-down. You turn on your laptop -- forgetting that you left your Wi-Fi card in there -- and up pop three unsecure networks there in the bank or business you happen to be in."
It's important to put policy measures in place explaining to employees what is and is not acceptable, and making clear that the consequences could be severe. Nevertheless, to ensure network security, "you have to assume that people are going to do it anyway," Cottingham advises. "Network administrators have to take a proactive approach, using tools to sense for the presence of wireless access points being installed and then go and shut them down."
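The kind of proactive sweep described above can be sketched as a comparison between a wireless survey and the inventory of sanctioned access points. This is an added example, not code from the article or from AT&T; the inventory, the survey format, the signal threshold and the finding labels are all assumptions made for illustration.

```python
import csv
import io

# Constructed inventory of sanctioned access points (BSSID -> SSID); assumed values.
AUTHORIZED = {
    "00:11:22:33:44:01": "corp-wlan",
    "00:11:22:33:44:02": "corp-wlan",
}
WEAK_ENCRYPTION = {"OPEN", "WEP"}  # no protection, or the crackable WEP scheme
ON_PREMISES_DBM = -65              # assumed threshold: stronger signal suggests the AP is in the building

# Constructed survey output, one AP per row: bssid,ssid,encryption,signal_dbm
SAMPLE_SCAN = """\
00:11:22:33:44:01,corp-wlan,WPA,-48
00:11:22:33:44:02,corp-wlan,WEP,-55
66:77:88:99:aa:01,linksys,OPEN,-42
66:77:88:99:aa:02,corp-wlan,OPEN,-60
66:77:88:99:aa:03,cafe-next-door,OPEN,-84
"""

def classify(bssid, ssid, encryption, signal_dbm):
    """Return a finding label for one observed access point."""
    bssid, encryption = bssid.lower(), encryption.upper()
    if bssid in AUTHORIZED:
        # A sanctioned AP that drifted from policy still needs attention.
        if AUTHORIZED[bssid] != ssid or encryption in WEAK_ENCRYPTION:
            return "authorized-misconfigured"
        return "authorized"
    if ssid in set(AUTHORIZED.values()):
        return "unknown-ap-using-corporate-ssid"
    if signal_dbm >= ON_PREMISES_DBM:
        return "rogue-candidate"
    return "neighbor"

def audit(scan_text):
    """Parse survey rows; return (bssid, ssid, finding) for every AP that needs follow-up."""
    findings = []
    for row in csv.reader(io.StringIO(scan_text)):
        if len(row) != 4:
            continue  # skip blank or malformed rows
        bssid, ssid, enc, signal = (field.strip() for field in row)
        try:
            label = classify(bssid, ssid, enc, int(signal))
        except ValueError:
            continue  # signal column was not an integer
        if label not in ("authorized", "neighbor"):
            findings.append((bssid.lower(), ssid, label))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_SCAN):
        print(*finding, sep="  ")
```

Signal strength alone cannot prove that a device is attached to the wired network, so a rogue candidate is a lead for physical follow-up rather than a verdict.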
Anthony O'Donnell has covered technology in the insurance industry since 2000, when he joined the editorial staff of Insurance & Technology. As an editor and reporter for I&T and the InformationWeek Financial Services of TechWeb he has written on all areas of information ...