Wireless Security: The Basics
Encryption and authentication are the fundamentals of wireless security - here's your guide.
By Galen Gruman
Set security policy standards, and make the devices comply
Whatever security options are available for various devices, one approach to protect your enterprise data is to mandate that any PCs and handhelds allowed to connect to an organization's network and other systems must support a specified set of security methods, such as VPN, WPA2, remote kill and on-disk encryption. This puts the burden on users and vendors to comply and allows IT to come up with security policies centered around its data protection needs, not on specific technology implementations, Allen advises.
For example, Allen decided that personal information had to be protected wherever it resided. That meant students could no longer access registration information, even those who worked in the registrar's office. To protect such data that is stored on laptops, such as student grades, Allen has also begun requiring all 800 faculty laptops to use PGP encryption. He also requires VPN usage so any personal information is shielded when transmitted.
The Duke University Medical Center in Durham, N.C., took a similar approach in February 2008, after previously being more lenient with its 3,200 staffers, says Gary Harrison, IT application manager for mobile computing. "If a device won't support the [Sybase] Afaria mobile management tool's security requirements, then sorry, you can't connect," he says. "Alternatively, staff can use BlackBerrys, since that device has its own security mechanism." The medical center lowered the boom for two reasons: increased laptop and handheld use increased the risk of HIPAA violations, and more and more devices support the necessary security standards, so it's now possible to enforce them.
Southeastern Polytechnic State University in Marietta, Ga., also has imposed standards on what devices can access the campus's wireless network. It requires everyone to have EAP-TTLS, a tunneled form of the TLS (Transport Layer Security) authentication protocol that exchanges the public and private keys in the tunnel so they cannot be snooped. Apple's Macintosh devices support the protocol out of the box, and many PCs that use Intel's wireless drivers do as well, says CIO Bill Gruzka. Other PC and laptop users must install the open source SecureW2 software to gain this capability.
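A point worth making concrete about EAP-TTLS: what travels inside the TLS tunnel is the user's inner authentication (a password, an MSCHAPv2 exchange, and so on), and that inner exchange is only shielded if the supplicant verifies that the tunnel terminates at the real RADIUS server. A profile that skips server certificate validation will happily hand its credentials to any access point that answers. The following is an added example, not code from the article, from the university or from SecureW2; it assumes the profile is written in wpa_supplicant's `network={ ... }` syntax (a real supplicant format, with real keys such as `ca_cert`, `domain_suffix_match` and `phase2`), and the two sample profiles are constructed for illustration.

```python
"""Lint wpa_supplicant-style EAP-TTLS profiles for tunnel-validation hygiene.

Added example (not from the article or SecureW2). Assumes wpa_supplicant's
network={...} syntax; the sample profiles below are constructed.
"""
import re

# Constructed sample: a weak profile. It authenticates, but it never checks
# who is on the other end of the TLS tunnel.
WEAK_PROFILE = """
network={
    ssid="CampusWiFi"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="jdoe"
    password="hunter2"
    phase2="auth=PAP"
}
"""

# Constructed sample: the corrected profile, pinned to the campus CA and to
# the RADIUS server's name, with the real username hidden by an outer identity.
HARDENED_PROFILE = """
network={
    ssid="CampusWiFi"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="jdoe"
    anonymous_identity="anonymous@example.edu"
    password="hunter2"
    ca_cert="/etc/ssl/certs/campus-radius-ca.pem"
    domain_suffix_match="radius.example.edu"
    phase2="auth=MSCHAPV2"
}
"""


def parse_network_block(text):
    """Return the key/value settings of the first network={...} block."""
    match = re.search(r"network=\{(.*?)\}", text, re.S)
    if not match:
        raise ValueError("no network block found")
    settings = {}
    for line in match.group(1).splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip().strip('"')
    return settings


def lint_ttls_profile(settings):
    """Return a list of findings; an empty list means the profile passes."""
    findings = []
    if settings.get("key_mgmt") != "WPA-EAP":
        findings.append("key_mgmt should be WPA-EAP for 802.1X authentication")
    if settings.get("eap") != "TTLS":
        findings.append("eap is not TTLS")
    has_ca = "ca_cert" in settings
    if not has_ca:
        findings.append("no ca_cert: any RADIUS server certificate is accepted")
    if not ("domain_suffix_match" in settings or "subject_match" in settings):
        findings.append("no server name match: any certificate from the CA is accepted")
    if "anonymous_identity" not in settings:
        findings.append("no anonymous_identity: the real username is the cleartext outer identity")
    # PAP inside a validated tunnel is fine; PAP inside an unvalidated tunnel
    # hands the plaintext password to whoever terminates the tunnel.
    if "auth=PAP" in settings.get("phase2", "") and not has_ca:
        findings.append("phase2 PAP without ca_cert: password exposed to a rogue server")
    return findings


def lint_profile_text(text):
    """Convenience wrapper: parse then lint a profile given as text."""
    return lint_ttls_profile(parse_network_block(text))


if __name__ == "__main__":
    for name, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(name, lint_profile_text(profile) or "OK")
```

The checks mirror the rollout concern in the text: a supplicant that merely "has EAP-TTLS" is not the same as one configured to trust only the campus RADIUS server, so a device standard should specify the CA and server-name match, not just the EAP method.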
But the iPhone doesn't support EAP-TTLS, even though it is based on Mac OS X, and given its popularity among the roughly 5,000 students and faculty (it's the main handheld in use on campus), Gruzka couldn't enforce this standard on mobile devices. But he relies on other policies, not just EAP-TTLS, to secure data access on campus. For instance, one critical policy is the use of virtual LANs to segregate both traffic and data access based on roles, Gruzka says. Another is to keep data stored on network drives rather than on users' computers, which resolves the issue of inconsistent encryption capabilities among Macs, Windows PCs and handhelds, which had inhibited him from enforcing a consistent encryption policy. He also uses an SSL-based VPN from Juniper Networks that enforces password policies, looks up Active Directory-stored user privileges and wipes out session data on users' computers. The VPN requires no client software (it uses Java and ActiveX controls instead to manage the client through the browser), so the university can manage everything consistently without worrying about user actions.
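The three organizations above converge on the same control: express the requirement as a capability list (VPN, WPA2, remote kill, on-disk encryption, management enrollment), refuse or quarantine anything that does not meet it, allow a named exception for a platform with its own vetted security stack, and place what is admitted on a role-based VLAN. The following is an added example, not code from the article or from the Afaria, Juniper or SecureW2 products it names; the capability names, role-to-VLAN map, `Device` records and the BlackBerry exemption are constructed to illustrate the policy shape, and it fails closed by landing anything it cannot vouch for on a guest VLAN.

```python
"""Device-posture policy with role-based VLAN placement.

Added example (not from the article or from any product it names). The
policy, the VLAN ids, the exemption list and the device records are constructed.
"""
from dataclasses import dataclass, field

# Capabilities a device must support before it may connect (constructed list,
# following the article's VPN / WPA2 / remote kill / disk encryption mandate).
REQUIRED_CAPABILITIES = frozenset({"vpn", "wpa2", "remote_kill", "disk_encryption"})

# Constructed role-to-VLAN map: traffic and data access are segregated by role,
# and the guest VLAN is where every rejected or unknown device lands.
ROLE_VLANS = {"faculty": 10, "staff": 20, "student": 30, "guest": 99}
GUEST_VLAN = ROLE_VLANS["guest"]

# Platforms with their own vetted security stack that bypass the capability
# list (the article's BlackBerry case). Constructed; tune per environment.
EXEMPT_PLATFORMS = frozenset({"blackberry"})


@dataclass
class Device:
    owner: str
    role: str
    platform: str
    capabilities: set = field(default_factory=set)
    mdm_enrolled: bool = False  # enrolled in the mobile-management tool


@dataclass
class Decision:
    allowed: bool
    vlan: int
    reasons: list


def evaluate(device, required=REQUIRED_CAPABILITIES, exempt_platforms=EXEMPT_PLATFORMS):
    """Decide admission and VLAN for one device; any failure means guest VLAN."""
    reasons = []
    exempt = device.platform.lower() in exempt_platforms
    missing = sorted(required - set(device.capabilities))
    if missing and not exempt:
        reasons.append("missing capabilities: " + ", ".join(missing))
    if not device.mdm_enrolled and not exempt:
        reasons.append("not enrolled in mobile management")
    if device.role not in ROLE_VLANS or device.role == "guest":
        reasons.append(f"no production VLAN for role {device.role!r}")
    allowed = not reasons
    vlan = ROLE_VLANS[device.role] if allowed else GUEST_VLAN
    return Decision(allowed, vlan, reasons)


def audit(devices):
    """Return {owner: Decision} for a fleet, so IT can see who is being held back and why."""
    return {d.owner: evaluate(d) for d in devices}


# Constructed fleet for the worked run.
SAMPLE_DEVICES = [
    Device("prof_a", "faculty", "macbook",
           {"vpn", "wpa2", "remote_kill", "disk_encryption"}, mdm_enrolled=True),
    Device("student_b", "student", "iphone", {"vpn", "wpa2"}, mdm_enrolled=False),
    Device("nurse_c", "staff", "BlackBerry", set(), mdm_enrolled=False),
    Device("visitor_d", "guest", "laptop",
           {"vpn", "wpa2", "remote_kill", "disk_encryption"}, mdm_enrolled=True),
]

if __name__ == "__main__":
    for owner, decision in audit(SAMPLE_DEVICES).items():
        state = "ALLOW" if decision.allowed else "DENY "
        print(f"{state} {owner:10s} vlan={decision.vlan:3d} {'; '.join(decision.reasons)}")
```

The exemption is deliberately a platform allow-list rather than a per-user override, which is what keeps the policy about data protection needs rather than about individual devices; the `reasons` list is what turns a refusal into an actionable ticket for the user.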