5 Essentials to Wireless Security


Of course, both NYK and UPS use access-control techniques (described earlier) for notebooks and handheld scanners that connect to their internal wireless networks, which provide access to data that could be useful to snoopers.

Protect the network itself

The goal: Maintain mission-critical operations.

Ways to achieve it: Intrusion detection, limited authorized access, deploying parallel networks.

In many organizations, the security focus tends to be on protecting the information that travels through the network. But the network itself can be mission-critical, and its availability can be a security issue.

At its sorting facilities, UPS is concerned about roaming users picking up tracking data, even though most won't understand the data. But what worries the company more is "that someone can get in and start sniffing around the network," says Fred Hoit, the shipper's manager of wireless LANs. The network keeps package data current both for customers (who can log on to the Web to check on a parcel's status) and UPS itself (for determining routing schedules and equipment needs as package volume and destinations shift). To prevent unwanted access to this data, the company is installing an intrusion-detection system to identify and lock out unauthorized network users.

UPS is also working to limit the risks posed by too much demand on its wireless networks. Hoit says UPS is testing whether it can let wireless package scanners coexist with white-collar workers' wireless notebooks. One option, he says, is to set up separate wireless LANs, one for package sorters and another for notebook users, using a different radio spectrum for each set so that there is absolutely no possibility of interference with each other.

Secure public wireless access

The goal: Ensure data and access security for users in external networks.

Ways to achieve it: Proprietary networks and devices, isolated connections.

With thousands of public Wi-Fi hot spots, built-in wireless radios on most new laptops and high-speed cellular data services now available in many urban areas, enterprises face the challenge of securing remote access by users who connect wirelessly when outside the building, where IT has no control over the originating network.

For example, consultants at Optimus connect to corporate systems using Verizon Wireless's EVDO broadband service, which Optimus pays for. But the consultants can also use wireless hot spots on the public Internet, such as at hotels, a customer site or at home.

McDonald's security policy is to isolate remote devices when connected to Optimus's servers at headquarters, making them inaccessible to other devices on the network at either end of the connection. Optimus uses Cisco Systems' VPN client software on PDAs and notebooks, coupled with a Cisco firewall on its servers, to isolate the connected devices. Thus, even if someone somehow connects to the consultant's PDA or notebook wirelessly, that intruder can't piggyback on the connection to Optimus's servers. The use of firewalls and VPNs is a standard technique for remote access, whether dial-up or Web-based, wired or wireless, and McDonald says it should be the first line of defense no matter how users connect.

Optimus also gets security without extra effort by using Research In Motion's BlackBerry PDAs. The BlackBerry network funnels all wireless connections to a military-grade server that acts as the way station between the device and the corporate systems. (Competitor Good Technology has a similar approach.) Because the BlackBerry doesn't connect directly to the corporate system, someone else can't piggyback onto the connection, since they would be blocked at the independent BlackBerry server, McDonald says. Also, the BlackBerry service lets only the server initiate communications, so an outsider can't log in to the system using forged credentials; the server will connect only with known devices.

Copyright © 2005 IDG Communications, Inc.
