In Depth

Sweep Time for Rogue Access Points

Left unguarded, wireless networks will expose your company secrets to the outside. Luckily, there are tools to root out unauthorized access points.

By Simson Garfinkel

October 01, 2004, CSO — By now, practically every CSO and IT manager on the planet is familiar with both the benefits and the risks of 802.11 or Wi-Fi wireless networking. I wrote about them here back in January 2003 (see "On the Same Wavelength" at www.csoonline.com/printlinks). But the wireless world has changed a lot during the past two years, and it's time for an update.

Dropping a wireless access point on your office LAN is an easy way to provide mobile Internet access to people using laptops and handheld computers, many of which now come with built-in Wi-Fi support. What's more, a new generation of Wi-Fi telephones is about to hit the market. Some of these will be cellular phones that automatically switch to lower-cost voice over Internet protocol (VoIP) whenever they can pick up a Wi-Fi signal; others will be Wi-Fi-only phones that work like standard cordless phones, except that they will work anywhere on your organization's wireless LAN.

Unfortunately, an unguarded access point can open up your network to people outside your company's four walls. These access points can be dangerous because they are invariably placed behind the corporate firewall. And most organizations are pretty lax when it comes to matters of internal security.

Organizations have struggled to deal with this double-edged wireless sword. Some require that the media access control (MAC) address of every wireless card and device be registered; access points are then configured so that only the registered machines can have network access. (Recall that both wireless and wired Ethernet systems use a 48-bit MAC address to identify the manufacturer and serial number of every network card. These addresses are typically written as 12 hexadecimal numbers separated by five colons, such as 00:03:6d:14:f1:c7.)

An alternative strategy is to divert all wireless users to a "captive portal," that is, a Web registration form that forces users to provide a user name and password. Some of these systems will then go further and make users consent to a "terms of service" agreement that promises, among other things, that they won't use their newfound wireless access to hack the network. Unfortunately, captive portals don't work well with wireless phones and other Wi-Fi devices that don't have Web browsers. This is something to keep in mind if you are considering installing a "portal" system within the next year: Make sure that what you get today can grow with tomorrow's unanticipated network needs.

Open Channels

Because they rely on radio waves, and because radio waves travel in all directions, wireless networks are inherently open channels: Anybody in the vicinity can eavesdrop on your signals without your knowledge. Unless you take measures to protect the privacy of your communications, transmitting something over a wireless network is a lot like putting a file on your website.
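As an added illustration (not from the article), here is the registration idea turned around on the access points themselves: a small Python sweep checker that normalizes MAC addresses in the formats described above, keeps the 24-bit manufacturer prefix, and flags any beacon whose BSSID is not in IT's inventory of installed access points. The inventory, the corporate SSID and the scan lines are constructed for the example.

```python
import re

# Accept 00:03:6d:14:f1:c7, 00-03-6D-14-F1-C7 or 00036d14f1c7.
MAC_RE = re.compile(r"^" + r"[:-]?".join([r"([0-9a-f]{2})"] * 6) + r"$", re.I)


def normalize_mac(mac: str) -> str:
    """Return the colon-separated lowercase form used in the registry.
    Raises ValueError on anything that is not a 48-bit address."""
    m = MAC_RE.match(mac.strip())
    if not m:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(g.lower() for g in m.groups())


def oui(mac: str) -> str:
    """First 24 bits: the IEEE-assigned manufacturer prefix."""
    return normalize_mac(mac)[:8]


# Constructed inventory: BSSIDs of the access points IT actually installed.
AUTHORIZED_APS = {"00:03:6d:14:f1:c7", "00:03:6d:14:f1:c8"}
CORP_SSID = "corp-wlan"  # constructed corporate SSID

# Constructed sweep output, one beacon per line: BSSID SSID channel signal(dBm)
SWEEP = """\
00:03:6d:14:f1:c7 corp-wlan 1 -41
00:03:6D:14:F1:C8 corp-wlan 6 -55
00:0c:41:aa:bb:cc corp-wlan 11 -48
00-0f-b5-12-34-56 linksys 6 -39
00:02:2d:99:88:77 neighbor-cafe 1 -87
"""


def find_rogues(sweep: str, strong_dbm: int = -65) -> list:
    """Flag beacons whose BSSID is not in the inventory. An unknown AP using
    the corporate SSID is an evil-twin candidate; a strong unknown AP is
    probably on the premises. Weak unknown APs (neighbors) are not reported."""
    rogues = []
    for line in sweep.splitlines():
        bssid, ssid, chan, rssi = line.split()
        bssid, rssi = normalize_mac(bssid), int(rssi)
        if bssid in AUTHORIZED_APS:
            continue
        if ssid == CORP_SSID:
            reason = "unknown AP advertising corporate SSID"
        elif rssi >= strong_dbm:
            reason = "strong unknown AP, likely on premises"
        else:
            continue
        rogues.append({"bssid": bssid, "ssid": ssid, "channel": int(chan),
                       "rssi": rssi, "oui": oui(bssid), "reason": reason})
    return rogues
```

Feeding the checker real scan output means only replacing the `SWEEP` string with lines from your own survey tool and keeping the inventory current as IT installs new access points.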
