The first widely available wireless LAN technology, 802.11b, has been available since 1999, yet it's surprising how many companies still don't take appropriate wireless security measures, both on LANs and Wide Area Networks, those inside their walls and those used elsewhere. Today, businesses are seeing a real uptake in mobile devices that adds a whole new set of security concerns. "A lot of organizations still have not done the basics," says Allan Carey, a senor research vice president at the Institute for Applied Network Security, an organization for practicing information security professionals.
Yet the basics of wireless security are not difficult to accomplish, says Eric Maiwald, senior analyst at Burton Group, a research and advisory firm. There are proven, widely deployed security standards for the two main forms of protection in wireless networks, which are authentication and encryption.
Although the first generation of mobile devices often paid scant attention to security issues — Research in Motion's BlackBerry being the notable exception — the new crop of Web-friendly devices such as the Apple, iPhone, Palm, Inc.'s Treo and devices based on Microsoft 's Windows Mobile 6 are increasingly designed with enterprise-class wireless security in mind. Case in point: The first Apple iPhone lacked basic security standards such as VPN, strong passwords, security manageability, encryption and remote-kill capabilities. But as business adoption has grown, Apple has added VPN support and has promised to plug other security gaps, with the possible exception of strong passwords, in June 2008 with a software update.
Each generation of Windows Mobile and Palm Treo devices have likewise improved security features. For example, the forthcoming Version 6.1 Windows Mobile software will let administrators encrypt data stored on memory cards in Windows Mobile devices, as well as control which applications may be installed. Last year, Palm introduced an option based on military requests that uses Bluetooth card readers to swipe second-factor authentication cards, in addition to requiring a password to be entered on the Treos, before the handhelds can be used.
Some organizations in highly security-aware industries have gone beyond wireless security basics, Carey notes. Chief among these are health care organizations, which are bound by HIPAA's stringent data privacy requirements, and universities, which have a large, mobile workforce and a student base working in multiple locations. These organizations were havens for hackers in the early days of wireless networking and so have learned their lessons the hard way, Carey says.
The issue, then, is not technology availability but how businesses prioritize and think of security for their wireless networks and mobile devices. There are still plenty of companies that have not yet formulated a security strategy for wireless networks and mobile devices.
The Basics for Protection
Wireless users face one key threat: having their data, passwords, and so on intercepted during transmission. The venues for such interception can vary, such as from a Wi-Fi eavesdropper or through a rogue access point. Similarly, mobile users face the similar threat: having their devices' data exposed to someone who hacks into them if lost or stolen.
In both cases, encryption of data (both at rest and during transmission) and authentication of user access (to data, devices and networks) are the key security methods. These techniques should be coupled with commonsense security techniques for any network or computer, such as requiring strong passwords, imposing user access control policies, and segregating traffic through techniques such as VPNs and virtual LANs.
The trick is ensuring that these methods are applied throughout the network and the devices using them, so any individual breach has limited impact.
Any wireless network should authenticate users via an encrypted "handshake," 'which means using the WPA protocol or the newer, slightly more secure version called WPA2. Both are based on the 802.11i standard, but WPA was based on a draft version, while WPA2 was based on the final version. WPA and WPA2 also come in two flavors: personal and enterprise. The personal version uses a pre-shared key (PSK), meaning all users are given the same credentials. The enterprise version uses an 802.1x server to create unique credentials for each user, making it more secure, since if one credential is discovered, the others are still secure. But the enterprise version does require more work for IT, notes Paul Kocher, president of the consultancy Cryptography Research. "It's not a great solution for a large company with lots of users," he says.
That's why WPA should be only the first line of defense in a wireless network. The next line of defense should be the use of virtual LANs, to segregate traffic and users from each other. This is the same principle as using subnets in a wired network. By confining users to specific VLANs, you can use access control policies to monitor wireless activity and determine role-based access, Kocher says, even if an unauthorized person gets past the WPA authentication step.
IT should also ensure that wireless users follow the same security approaches as in any remote connection, Maiwald says, including ' using SSL or other forms of encryption for email and server access, as well as VPNs to create secure connection tunnels. This last recommendation is particularly critical when users access the corporate system from public wireless hot spots, adds 'Carey, because their access points tend to not use SSL in the connections to the user's' laptops.
If you're using 3G networks — such as the cellular carriers' EVDO and HSDPA networks — you can relax a little on security, says Maiwald. These networks handle authentication and encryption, so issues such as WPA authentication and SSL encryption for email are essentially handled for you. But as such networks gain in popularity — and new ones such as WiMax and the 700MHz spectrum are deployed — you can expect hackers to start looking for ways in, so it makes sense to apply a consistent security strategy to all connection channels, even if the means to achieve it may vary based on the specific channel, Maiwald says.
Dealing with handhelds
Mobile devices should use the same standards as laptops, .and they should also support data encryption—so that if a device is lost or stolen, it's data can't be easily accessed, Kocher says. This also applies to removable media and laptops. ' Other requirements include strong passwords (not four-digit PINs such as on the iPhone) that can be managed centrally by IT. Strong passwords are particularly important for mobile devices because they can more easily be lost or stolen, and because they tend to use less capable security approaches due to their limited processing power, they are easier to crack, he adds.
For laptops (and home PCs used for work), Kocher recommends whole-disk encryption so there's no question as to what had been encrypted if there is a breach. It doesn't matter whether the encryption is built into the operating system, such as with Windows Vista's BitLocker, or comes from a third party, such as the commercial PGP or open-source TrueCrypt.
The problem is that most mobile devices don't support these various security approaches (encryption, strong passwords, VPNs and more), or at least not all of them. The BlackBerry does, which is one reason it is so popular in the enterprise, says Jon Allen, information security office at Baylor University in Waco, Texas. Apple's promises for the iPhone 2.0 software indicate it may come close, "but the jury's still out," 'Maiwald says. Windows Mobile 6 offers most of these capabilities when managed from Windows Exchange Server 2007, and vendors such as Bluefire Security Technologies in Baltimore, Md., Motorola' Good Technology Group and Sybase, Inc. offer an array of tools to add to many Windows Mobile and Palm devices.
It's also important to consider potential security holes when evaluating specialty mobile devices,—such as wireless meter readers, airport baggage claim scanners, package scanners and retail kiosks—Maiwald warns. At Baylor University, Allen saw this issue surface in its point-of-sale terminals, which "hadn't anticipated wireless" in their original security designs, he says. When the university added wireless connectivity,"we had to button that down," he says.
Set security policy standards, and make the devices comply
Whatever security options are available for various devices, one approach to protect your enterprise data is to mandate that any PCs and handhelds allowed to connect to an organization's network and other systems must support a specified set of security methods, such as VPN, WPA2, remote kill and on-disk encryption. This puts the burden on users and vendors to comply and allows IT to come up with security policies centered around its data protection needs, not on specific technology implementations, Allen advises. '
For example, Allen decided that personal information had to be protected wherever it resided. That meant students could no longer access registration information, even those who worked in the registrar's office. To protect such data that is stored on laptops, such as student grades, Allen' has also begun requiring all 800 faculty laptops to use PGP' encryption. He also requires VPN usage so any personal information is shielded when transmitted.
The Duke University Medical Center in Durham, N.C., took a similar approach in February 2008, after previously being more lenient with its 3,200 staffers, says Gary Harrison, IT application manager for mobile computing. "If a device won't support the [Sybase] Afaria mobile management tool's security requirements, then sorry, you can't connect," he says. Alternatively, staff can use BlackBerrys, since that device has its own security mechanism," he says. The medical centered lowered the boom for two reasons: increased laptop and handheld use increased the risk of HIPAA violations, and more and more devices support the necessary security standards, so it's now possible to enforce them.
Southeastern Polytechnic State University in Marrietta, Ga., also has imposed standards on what devices can access the campus's wireless network. It requires everyone to have EAP-TTLS, a tunneled form of the TLS (Transport Layer Security) authentication protocol that exchanges the public and private keys in the tunnel so they cannot be snooped. Apple's Macintosh devices supports the protocol out of the box, and many PCs that use Intel's wireless drivers do as well, says CIO Bill Gruzka. Other PC and laptop users must install the open source SecureW2 software to gain this capability.
But the iPhone doesn't support EAP-TTLS, even though it is based on Mac OS X, and given its popularity among the roughly 5,000 students and faculty — it's the main handheld in use at campus — Gruzka couldn't enforce this standard on mobile devices. But he relies on other policies, not just EAP-TTLS, to secure data access on campus. For instance, one critical policy is the use of virtual LANs to segregate both traffic and data access based on roles, Gruzka says. Another is to keep data stored on network drives rather than on users' computers, which resolves the issue of — inconsistent encryption capabilities of Macs, Windows, PCs and handhelds, which inhibited him from enforcing a consistent encryption policy. He also uses an SSL-based VPN from Juniper Networks that enforces password policies, looks up ActiveDirectory-stored user privileges and wipes out session data on users' computers. The VPN requires no client software (it uses Java and ActiveX controls instead to manage the client through the browser), so the university can manage everything consistently without worrying about user actions.
Block intruders before they connectrogue access points. The Meru access points "know" each other and can thus identify rogues, Gruzka says, and when they detect one, they use the second radio to send a data pulse that essentially obscures the rogues' spoofed SSID so users can't see it and connect to it. All of this happens in a fraction of a second.
At Southeastern Polytechnic, Gruzka noticed that hackers would spoof the access points' SSIDs — the names that identify them and their VLANs to computers seeking to connect to the right network. The idea was to fool a user into logging onto the hacker's computer and capturing the user's' credentials and data. On a campus, the signals of access points' reach into the open, so there was no physical way to keep hackers out. So Gruzka used dual-radio access points from Meru Networks. One radio handles the connections to users, while the other scans for
IANS's Carey says Southeastern Polytechnic is by no means alone in facing the threat of rogue access points. It's easy to put such an access point in a potted plant or bring one into a lobby, he notes. And because PCs and laptops can be set to operate in ad hoc mode — making one computer a virtual access point — almost anyone with a PC can be a rogue. IT can ensure that its users' computers are set in such a way that they don't connect via ad hoc mode, eliminating this latter threat, he says. But the actual rogue access point that is snuck into the building — or in a location near enough for its signal to penetrate your walls — is harder to deal with. Using wireless sniffers to conduct periodic sweeps is one approach, as is using interconnected access points that can detect rogues.
Despite these threats, the good news is that there are proven techniques to protect your wireless and mobile environments. The bad news is that many organizations haven't done so yet. ##
Galen Gruman, a freelance writer based in San Francisco, can be reached at