5 Essentials to Wireless Security

Conventional wisdom on wireless networks goes like this: They are inherently dangerous. They can leak your secrets to the outside world, through easily accessible radio waves. You'd be better off carrying around your corporate treasure in a sieve.

That's been the common view among IT and network managers for several years, supported by analysts' reports that warn of vulnerabilities, published exercises in "wardriving" that uncover porous access points and the occasional case bringing criminal charges against a defendant for allegedly swiping corporate data or consumer IDs. The view persists, but it's fading. In fall 2004, a survey of more than 400 companies by research firm NOP World showed that security concerns were a "significant barrier" to wireless adoption for 44 percent of respondents and a "moderate barrier" for another 33 percent. Richard March, NOP World Technology senior vice president, says his recent conversations with enterprises show they are now less concerned about the theoretical risks of a wireless deployment and more focused on specific deployment concerns.

The good news for CSOs is that this danger-fraught view is fading, not because the conventional wisdom is wrong (wireless networks do carry risks) but because network implementers are getting more sophisticated and better able to weigh those risks against what they want to accomplish. The security and technology executives in this article, who have overseen implementations in a variety of industries, agree that whatever the environment, securing wireless networks requires five essential tasks: authenticating users so that only authorized people gain access, managing the access privileges of those allowed to connect, limiting network traffic to only what is needed, ensuring that mission-critical traffic is maintained and enforcing security of end users' resources.

Here, we're laying out the questions to ask and the risks to assess, and how different organizations have addressed them and exploited the benefits of wireless technologies.

Ask the right questions

As with other areas of security risk assessment, there is no single way to secure wireless networks. So organizations considering wireless local area network (LAN) deployments need to answer these questions to determine which security strategies and tactics are right for them.

* Where will the wireless network be available? Will its signal extend beyond my control? The issues are different for a business sharing a building than for one with a suburban headquarters surrounded by fenced-in parking lots.

* What data will the network carry? A general-purpose network that carries e-mail, corporate applications and database traffic will require more complex security methods than one carrying snippets of data for specialized devices such as bar codes.

* Who should have access to the network? The greater the variety of end users (for example, administrative staff, salespeople, warehouse workers and visitors), the more complex it will be to segment them and manage their access.

* How mission-critical is the wireless LAN? Can you regulate access and bandwidth usage to ensure that essential operations continue if there's an unexpected spike in access demand? Do you have backup connections in case of failure or intrusion?

* Will users access your data remotely from public wireless hot spots? Besides ensuring standard remote-access security, you may need to secure the signal and data at the end user's notebook or PDA.

By working through these issues, organizations with highly sensitive data, such as hospitals and the military, have successfully deployed wireless networks and enabled wireless access via public venues without compromising security. In some cases, having a secure wireless network means deploying additional wireless security tools to regulate user access. More often, it simply means developing and implementing a wireless security strategy that uses existing technologies and policies, both wired and wireless. "If you have a good, solid remote-access policy" applied to all devices and connection paths, "you're fine," says Tamara Schwartz, application manager, business continuity, recovery and access management portfolio for United Parcel Service (UPS).

Such a policy also needs to account for the physical environment. For example, it's easier to secure a facility's wireless network if no intruders can get near enough to pick up the wireless signal, but that luxury doesn't exist if you share a building with another company. It's also easier to secure wireless access when employees use only your equipment in your facility, but many organizations will need to do additional work to secure traveling executives, salespeople and field staff who use public Wi-Fi or cellular networks.

Plug the authentication hole

The goal: Approve the right users for network access.

Ways to achieve it: Use encrypted authentication software and end user device validation. Deploy hardware tokens where needed.

For several years, enterprises have been rightfully concerned about securing the first line of defense against unauthorized wireless access: user authentication. Authentication is one of the trickier aspects of wireless security. Because the signal is transmitted over radio waves, others can listen in to any transmissions, so the authentication mechanisms are also visible.

The original IEEE 802.11 wireless standard included an encryption method called WEP (Wired Equivalent Privacy) that was meant to secure the authentication process. But because it used unchanging, static encryption keys and a weak encryption method called RC4, it could quickly be broken. That rightfully concerned IT, network and security managers.

After industry analysts and technology publications highlighted WEP's flaws, a series of interim improvements were released, culminating in the 802.11i standard. Since the standard's release in summer 2004, most new wireless network and client hardware has come with it. And most other wireless hardware released since 2003 can be upgraded to support it, often with free firmware downloads. However, a confusing parade of authentication technologies delivered since 2000, from WEP and dynamic WEP to WPA (Wi-Fi Protected Access) and now 802.11i (also called WPA2), means that many organizations have not upgraded their hardware from the aging WEP standard, because all of their devices must work on the same standard to authenticate each other. And, depending on their risk assessment, these organizations may be vulnerable as long as they use WEP.

The 802.11i standard does meet many organizations' security needs, but stronger authentication technologies are available to raise the bar on intruders. The practices (described below) at UPS, the Columbus Regional Health System in Columbus, Ga., and in the military illustrate the point.

Rather than rely on the built-in authentication capabilities of products, Schwartz says, UPS will implement Protected Extensible Authentication Protocol (PEAP), developed by Cisco Systems, Microsoft and RSA Security, to provide stronger user validation on its notebooks. For PDAs, which don't yet support the higher processing requirements of PEAP, the delivery company is still exploring authentication options and for now allows synchronization via cradles only rather than over wireless LANs.

At Columbus Regional Health System, Stephen Lewack, director of technological services and communications, says the hospital uses a two-pronged approach. To authenticate users, he has deployed authentication tools from AirDefense and Fortress Technologies, which use public-key infrastructure (PKI) encryption. To protect data traffic, the hospital uses military-grade Advanced Encryption Standard (AES) encryption. The privacy protections mandated by the federal Health Insurance Portability and Accountability Act (HIPAA) require more than the standard 802.11 and TCP/IP security, says Lewack.

Military networks also use either AES or 3DES (triple Data Encryption Standard) encryption, so the traffic remains secure even if someone breaches the access points, says Ken Wood, president of Capitol IT Solutions, a Germantown, Md., consultancy that has deployed wireless LANs for the Defense Department's Advanced Research Projects Agency's telematics unit. (The unit works on robotic vehicles for the battlefield.) AES requires fewer computational resources than 3DES, so it's better suited for PDAs and older computers, Wood says.

Hardware tokens are also an option to eliminate log-in forgery. The Columbus hospital's Lewack says he validates users by storing their hardware IDs in the wireless access points so that only specific wireless cards registered by the IT staff can connect to the network. That makes the wireless cards act as physical tokens to ensure that the user is legitimate, providing forgery-proof authentication before users can even be asked to log in.
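As an added illustration (not code from the article or from any vendor it names), the following Python sketch shows how a hardware token of the kind described here, and the 60-second rotating SecurID fobs discussed in the next paragraph, combine with a password to give two independent factors: the fob's seed is bound to one user, each code is good for one 60-second step, and a code that has already been accepted is refused if replayed. It uses the RFC 6238 TOTP construction as a stand-in, since SecurID's own algorithm is proprietary and not reproduced here; user names, seeds and passwords are constructed sample data.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60  # the fob rolls its code once a minute, as the article describes


def _pw_hash(salt: bytes, password: str) -> str:
    """Salted password hash; a real deployment would use a slow KDF (assumption: SHA-256 for brevity)."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


# Constructed sample records (not real data): each fob seed is bound to exactly one user,
# the password is stored only as a salted hash, and last_counter tracks the newest code used.
USERS = {
    "alice": {"seed": b"alice-fob-seed-0001", "salt": b"s1",
              "pw": _pw_hash(b"s1", "correct horse"), "last_counter": -1},
    "bob":   {"seed": b"bob-fob-seed-0002", "salt": b"s2",
              "pw": _pw_hash(b"s2", "battery staple"), "last_counter": -1},
}


def fob_code(seed: bytes, now: int) -> str:
    """Six-digit code for the 60-second step containing `now` (RFC 6238 TOTP over HMAC-SHA1)."""
    counter = now // STEP_SECONDS
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, as in RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"


def verify_login(username: str, password: str, code: str, now: int, drift_steps: int = 1) -> bool:
    """Both factors must pass: the user's password and a fresh code from the fob bound to that user."""
    user = USERS.get(username)
    if user is None:
        return False
    pw_ok = hmac.compare_digest(_pw_hash(user["salt"], password), user["pw"])
    base = now // STEP_SECONDS
    matched = None
    for counter in range(base - drift_steps, base + drift_steps + 1):  # tolerate small clock drift
        if hmac.compare_digest(fob_code(user["seed"], counter * STEP_SECONDS), code):
            matched = counter
            break
    # A code is single-use: anything at or before the last accepted step is a replay.
    if matched is None or matched <= user["last_counter"] or not pw_ok:
        return False
    user["last_counter"] = matched  # consume the code only once both factors have passed
    return True
```

Because the seed lives in the fob and the hash of the password lives on the server, a stolen password alone never yields a valid code, and a stolen fob checked against another user's record fails because that record holds a different seed.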

David Worth had similar concerns at the Columbia, S.C., law firm of Nelson Mullins Riley & Scarborough, where he is IT director. In addition to using the standard IEEE 802.1X server-based authentication and virtual LANs (VLANs) to protect the firm's wireless LAN, Worth uses SecurID fobs connected to notebooks via USB connections. These fobs provide two ways to authenticate users granted remote access to the LAN. They generate a new access key every 60 seconds, all but eliminating the chance that someone is using stolen IDs to access the network, whether over wireless or other connections. The fobs are also tied to a specific user. If someone steals the fob and tries to log in with another person's password, he'll be stopped.

Control access to limit risks

The goal: Restrict resource access to approved users, keeping data secret.

Ways to achieve it: Regulate what employees access. Restrict guests. Don't advertise.

When an end user does gain access to a wireless network, the next security step is to control what they can access.

There are three ways to go about it. First, you can use standard LAN management techniques to control what applications users can run (through log-in requirements, for example). Second, you can use typical remote-access tools, such as Citrix terminal emulation, so that no data is actually transmitted to the local drives. That's what CIO Worth does at Nelson Mullins. And third, on wireless networks, you can use virtual LANs to control when access points are available to users.

The use of wireless networks typically allows for guest access, such as for consultants, suppliers and auditors. Just like wired networks, wireless networks support VLANs, which let wireless access points and routers separate different kinds of users, giving them different levels of access to network resources.

At software and consulting company Optimus Solutions, CIO Steve McDonald uses one VLAN for guests on the company's wireless network and another VLAN for its employees at its Norcross, Ga., headquarters.

Of course, it's not just invited guests who pose a risk. It's all but impossible to get full wireless network coverage internally while preventing signal leakage outside your walls. For facilities surrounded by fenced parking lots or greenbelts, there's a natural buffer (with physical security still required). But in most cases, such space is not available.

You can still limit outsiders' access. At consumer electronics maker Logitech, CTO Pierre-Olivier Monnier is evaluating a new capability in Trapeze Networks' wireless LAN management software that automatically shuts off access points at night, depriving hackers of the ability to park outside all night to try to break in. Staff working late inside the office would be able to use access points that don't leak their signals outside, or they could use a wired connection.

Another option is to make the wireless LAN physically separate, says Wood of Capitol IT Solutions. Military deployments require such separation. Many businesses used this technique in their early wireless deployments as well, but it doesn't scale well to cover an entire building or campus. Although the severe separation of a military-grade wireless network requires more resources to manage, "security is more important than cost and ease" for the Defense Department, Wood notes.

Add security through obscurity

The goal: Keep data secret.

Ways to achieve it: Transmit data that only the users understand.

A very simple security technique is security through obscurity.

NYK Logistics tags shipping pallets with wireless radio frequency identification, or RFID, transponders that broadcast each pallet's ID every few seconds so that NYK can track the pallets' location inside its huge yards. (The transshipment company unloads pallets from ships, sorts them and loads them onto trains and trucks.) But that ID means nothing to outsiders, so in theory, NYK would not care if anyone intercepts it, says Rick Pople, former general manager at NYK. You would need access to NYK's management software to know what the ID referred to and to access the pallet's status, and that requires having appropriate log-in credentials and access to computer terminals in NYK's building in Long Beach, Calif.

UPS uses a similar strategy at its package shipping centers. "We're not concerned that someone can pick up package traffic," says Schwartz. The data has no meaning unless you are using UPS's management software, she says.
