The growing popularity of wireless technology and an increasingly mobile workforce should lead to a heightened awareness of WLAN security issues, says Carly Stevenson
One of the hottest topics in networking at the moment is how to secure wireless networks. RSA Security conducts an annual wireless security survey in four cities worldwide, including London. It reported that WLAN technology had been widely adopted in the UK's capital by both corporations and consumers, yet levels of security had failed to improve between 2004 and 2005. The research showed that 36 per cent of London businesses with WLANs were running them insecurely. RSA also indicated that wireless security in London had actually deteriorated over the past year, simply because the number of wireless networks had exploded faster than the skills to secure them.
The popularity of wireless technology and the increasingly mobile nature of the workforce are leading to a new type of network access layer – the 'mobile edge'. At the mobile edge of the network, users can connect over wireless networks wherever they go – the office, home or on the road. Mobility, including wireless technology, has the potential to expose corporate networks to intruders, leak sensitive data and subject the enterprise network to virus and worm outbreaks.
A surprising number of companies have deployed WLANs in ways that defeat the purpose of their perimeter firewalls. A huge number of access points in use today unintentionally advertise a default SSID, bridge directly onto the wired Ethernet with no policy enforcement in between, and use either weak encryption or no encryption whatsoever.
Failing to secure your wireless network is as good as leaving your front door wide open to wardrivers. Wardriving is the practice of searching an area for wireless LANs (802.11); access points are usually located with dedicated wardriving software and a GPS unit, which logs where each one was found. Just a few months ago, the UK police secured their first conviction arising from wardriving: the perpetrator was accessing pornography through a company's Wi-Fi connection, totally unbeknown to the network's owner.
Even at this year's CeBIT, one of the biggest technology shows in the world, the wireless security measures fell short. A series of wardriving experiments was undertaken on two days during the show. The tests located some 300 wireless access points, 56 per cent of which were operating without encryption, so anyone within radio range could potentially capture passwords and other sensitive data sent through them.
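The misconfigurations listed above (default SSIDs, weak or absent encryption) and the CeBIT-style "how many are unencrypted?" count are exactly what a wardriving export lets you audit. The script below is an added example, not code from this article or from RSA, Aruba or Computerlinks; it assumes the airodump-ng CSV layout shown in SAMPLE_SCAN (the rows, addresses and names are constructed) and a hypothetical list of factory-default SSIDs in DEFAULT_SSIDS.

```python
"""Audit a wardriving scan export for default SSIDs and weak or absent encryption.

Added example (not code from the original article or any vendor it names).
Assumption: the export uses the airodump-ng CSV layout shown in SAMPLE_SCAN."""
import csv
import io
from dataclasses import dataclass

# Constructed sample in the airodump-ng CSV layout: a blank line, the AP table,
# a blank line, then the station table. Every address and name is made up.
SAMPLE_SCAN = """
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:01, 2006-03-09 10:00:01, 2006-03-09 10:05:01, 6, 54, WPA2, CCMP, PSK, -45, 120, 0, 0.0.0.0, 7, corpnet,
00:11:22:33:44:02, 2006-03-09 10:00:02, 2006-03-09 10:05:01, 11, 54, OPN, , , -60, 80, 0, 0.0.0.0, 7, linksys,
00:11:22:33:44:03, 2006-03-09 10:00:03, 2006-03-09 10:05:01, 1, 11, WEP, WEP, , -70, 40, 5000, 0.0.0.0, 7, default,
00:11:22:33:44:04, 2006-03-09 10:00:04, 2006-03-09 10:05:01, 6, 54, WPA, TKIP, PSK, -55, 90, 0, 0.0.0.0, 5, guest,
00:11:22:33:44:05, 2006-03-09 10:00:05, 2006-03-09 10:05:01, 36, 54, WPA2, CCMP, MGT, -50, 100, 0, 0.0.0.0, 11, corp-secure,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
aa:bb:cc:dd:ee:01, 2006-03-09 10:01:00, 2006-03-09 10:04:00, -40, 300, 00:11:22:33:44:02, linksys
"""

# Assumption: a short list of SSIDs that consumer kit ships with out of the box.
DEFAULT_SSIDS = {"linksys", "default", "netgear", "dlink", "belkin54g", "wireless"}


@dataclass
class Finding:
    bssid: str
    essid: str
    issue: str


def parse_access_points(text):
    """Return the AP table as dicts; the blank line before the station table ends it."""
    rows = []
    header = None
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        if not row or all(not cell.strip() for cell in row):
            if header is not None:
                break  # end of the AP table
            continue  # leading blank line
        if header is None:
            header = [cell.strip() for cell in row]
            continue
        rows.append({key: value.strip() for key, value in zip(header, row)})
    return rows


def audit(text):
    """Flag weak configurations and report the share of APs with no encryption."""
    aps = parse_access_points(text)
    findings = []
    unencrypted = 0
    for ap in aps:
        bssid, essid = ap["BSSID"], ap["ESSID"]
        privacy, cipher = ap["Privacy"].upper(), ap["Cipher"].upper()
        if privacy == "OPN":
            unencrypted += 1
            findings.append(Finding(bssid, essid, "no encryption: traffic readable by anyone in range"))
        elif "WEP" in privacy:
            findings.append(Finding(bssid, essid, "WEP: key recoverable from captured IVs"))
        elif "TKIP" in cipher and "WPA2" not in privacy:
            findings.append(Finding(bssid, essid, "WPA/TKIP: legacy cipher, move to WPA2/CCMP"))
        if essid.lower() in DEFAULT_SSIDS:
            findings.append(Finding(bssid, essid, "default SSID: AP probably still on factory settings"))
    pct = round(100 * unencrypted / len(aps)) if aps else 0
    return {"access_points": len(aps), "unencrypted_pct": pct, "findings": findings}


if __name__ == "__main__":
    report = audit(SAMPLE_SCAN)
    print(f"{report['access_points']} APs, {report['unencrypted_pct']}% unencrypted")
    for finding in report["findings"]:
        print(f"{finding.bssid}  {finding.essid!r}: {finding.issue}")
```

The parser stops at the blank line so that the station table, which has a different column set, is not misread as access points; on the constructed sample it reports five APs, one of them (20 per cent) open, and five findings across the three badly configured ones.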
This is in sharp contrast to last year's Infosecurity Europe event, where secure wireless connectivity was provided to over 250 exhibitors. This was the first time an open wireless hotspot had been deployed at the Olympia conference centre. During the three days of the show, the Aruba Networks monitoring system registered hundreds of malicious attacks on the open wireless network, including denial of service (DoS), man-in-the-middle and other attacks launched over the three-day conference and exhibition. Centralising the wireless infrastructure enabled network administrators to disable rogue APs, identify and thwart malicious attacks and impersonations, and detect coverage holes and interference, all from a single point, throughout the event.
Some key features to consider when looking at wireless security are as follows:
• WLAN intrusion prevention
• Identity and location-based security
1. WLAN intrusion prevention
Among other tools, an Intrusion Detection System (IDS) can be used to determine whether or not a computer network or server has experienced an unauthorised intrusion. A newer type of system is becoming more and more popular: the Intrusion Prevention System (IPS), which actively monitors a network or host for attacks and blocks them as they happen rather than merely reporting the breach afterwards.
There are two main classes of wireless threat. The first comes from wireless devices themselves: rogue APs, uncontrolled ad hoc wireless networks, wireless bridges, and client devices that bridge traffic between their wired and wireless interfaces and so open a path around the firewall. The second is the threat to wireless networks from attackers and intruders, and includes denial of service, man-in-the-middle, impersonation (false identity) and key-cracking attacks.
2. Identity and location-based security
It is essential to control user access privileges on the network according to a variety of criteria, such as location, authentication method, time of day, device type and application used. An identity-based security solution (such as Aruba's) dramatically improves network security by eliminating excess privilege on the network while also providing identity-based auditing of activity. The solution also includes an ICSA-certified stateful firewall that enforces per-user access rights.
Wireless LANs should not only provide the latest WPA2 (802.11i) encryption to secure the data 'in the air', but also keep that data encrypted as it crosses the wired network until all the security policies have been applied. This means keeping the wireless traffic separate as it traverses the wired network until the policies are enforced at the wireless LAN switch. The answer is a solution that holds the encryption keys on the centrally managed mobility controller rather than on the access points. Traffic is then encrypted from the client all the way to the controller, rather than only between the client and the access point, which removes the exposure of the AP-to-switch leg and also reduces roaming latency, since keys do not have to be re-established at each AP.
Before buying or recommending a wireless solution, consider whether it will protect your network from all of the security risks, not just some of them. For example, is your WLAN solution identity-aware, with a per-user policy enforcement firewall? Does it include integrated wireless intrusion prevention to lock down the air in and around your premises? And does it have centralised encryption to lock the data on your network?
You need to consider that anyone within radio range can attempt to connect to your internal wireless network. Whether that is someone trying to hijack your Internet connection, or a wardriver looking to access and steal company-confidential information, the risk to the business is real.
A guest, or someone outside your building with nothing more than a wireless card, can put up a rogue access point that broadcasts your network's name. If an internal user's device sees that rogue signal as nearer or stronger than the legitimate AP, it will associate with the rogue instead and send its information straight to the attacker. It really is as simple as that.
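The rogue-AP scenario just described, and two of the attacks listed under WLAN intrusion prevention (impersonation of the corporate SSID, and denial of service by deauthentication flooding), can be spotted by inspecting raw 802.11 management frames. The script below is an added example, not code from this article or from Aruba or Computerlinks; it assumes a hypothetical AUTHORISED table of corporate SSIDs and their permitted BSSIDs, a DEAUTH_FLOOD_THRESHOLD chosen for illustration, and constructs its own beacon and deauthentication frames rather than reading a capture.

```python
"""Spot an evil-twin beacon and a deauthentication flood in 802.11 management frames.

Added example (not code from the original article or any vendor it names).
Assumptions: the AUTHORISED table, the flood threshold and every frame are made up."""
import struct
from collections import Counter

# Assumption: corporate SSIDs and the BSSIDs permitted to serve them.
AUTHORISED = {"corpnet": {"00:11:22:33:44:01", "00:11:22:33:44:02"}}
DEAUTH_FLOOD_THRESHOLD = 10  # assumption: deauths from one sender per capture window

MGMT_HEADER = "<HH6s6s6sH"  # frame control, duration, addr1, addr2, addr3, sequence control
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_beacon(bssid, ssid, privacy=True):
    """Beacon (type 0, subtype 8): header, timestamp, interval, capability, SSID IE."""
    header = struct.pack(MGMT_HEADER, 0x0080, 0, mac_bytes(BROADCAST),
                         mac_bytes(bssid), mac_bytes(bssid), 0)
    capability = 0x0001 | (0x0010 if privacy else 0)  # ESS bit, privacy bit
    fixed = struct.pack("<QHH", 0, 100, capability)
    ssid_ie = bytes([0, len(ssid)]) + ssid.encode()
    return header + fixed + ssid_ie


def build_deauth(bssid, client, reason=7):
    """Deauthentication (type 0, subtype 12) claiming to come from bssid."""
    header = struct.pack(MGMT_HEADER, 0x00C0, 0, mac_bytes(client),
                         mac_bytes(bssid), mac_bytes(bssid), 0)
    return header + struct.pack("<H", reason)


def ssid_from_ies(ies):
    """Walk the information elements and return the SSID (element ID 0)."""
    i = 0
    while i + 2 <= len(ies):
        eid, length = ies[i], ies[i + 1]
        if eid == 0:
            return ies[i + 2:i + 2 + length].decode("utf-8", errors="replace")
        i += 2 + length
    return ""


def parse_mgmt(frame):
    """Decode a beacon or deauth frame; return None for anything else."""
    if len(frame) < 24:
        return None
    fc, _dur, addr1, addr2, addr3, _seq = struct.unpack(MGMT_HEADER, frame[:24])
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0:  # not a management frame
        return None
    body = frame[24:]
    if subtype == 8 and len(body) >= 12:
        capability = struct.unpack("<H", body[10:12])[0]
        return {"kind": "beacon", "bssid": mac_str(addr3),
                "ssid": ssid_from_ies(body[12:]), "privacy": bool(capability & 0x0010)}
    if subtype == 12 and len(body) >= 2:
        return {"kind": "deauth", "src": mac_str(addr2), "dst": mac_str(addr1),
                "reason": struct.unpack("<H", body[:2])[0]}
    return None


def detect(frames):
    """Return (alert_type, detail...) tuples for evil twins and deauth floods."""
    alerts = []
    deauths = Counter()
    for frame in frames:
        m = parse_mgmt(frame)
        if m is None:
            continue
        if m["kind"] == "beacon":
            permitted = AUTHORISED.get(m["ssid"])
            if permitted is not None and m["bssid"] not in permitted:
                alerts.append(("evil_twin", m["bssid"], m["ssid"], m["privacy"]))
        else:
            # The sender address is trivially spoofed, so the flood is attributed
            # to the BSSID being impersonated, not to the attacker's real card.
            deauths[m["src"]] += 1
    for src, count in deauths.items():
        if count >= DEAUTH_FLOOD_THRESHOLD:
            alerts.append(("deauth_flood", src, count))
    return alerts


# Constructed capture: one genuine beacon, one neighbour's network, one evil twin
# (left open to make the lure easier) and a burst of spoofed deauths at a client.
SAMPLE_FRAMES = (
    [build_beacon("00:11:22:33:44:01", "corpnet"),
     build_beacon("66:77:88:99:aa:bb", "cafe-wifi", privacy=False),
     build_beacon("de:ad:be:ef:00:01", "corpnet", privacy=False)]
    + [build_deauth("00:11:22:33:44:01", "aa:bb:cc:dd:ee:01") for _ in range(12)]
)

if __name__ == "__main__":
    for alert in detect(SAMPLE_FRAMES):
        print(alert)
```

Only beacons that carry a corporate SSID are judged against the authorised table, so a neighbouring cafe network is not reported, while the neighbour-strength evil twin and the twelve spoofed deauthentications each raise one alert. A real sensor would read frames from a monitor-mode interface and reset the deauth counter every few seconds; both are omitted here to keep the example offline.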
Carly Stevenson is Product Manager at Computerlinks (formerly trading as Unipalm), and can be contacted via tel: +44 1638 569600