
Top 10 tips to spoil a wireless hacker's day


Johannesburg, 03 Sep 2002

Easily deployable without the underlying costs associated with cabling infrastructures, wireless networking is rapidly becoming more accepted within the corporate environment as it is seen as a convenient plug-and-play technology. However, its Achilles heel has been, up to now, its limited security.

In this article, Gary Boniface, CSO manager at 3Com SA, highlights some of the security tools, features and protocols that exist today to offer greater protection to wireless networks.

Security has always been a concern when talking about sensitive corporate data. Security for traditional, wired corporate networks has been based upon the assumption that network traffic stays on the network; therefore, physical security controls have been enough.

However, in terms of wireless networking, data travels over radio frequencies, not cables, and does not respect the physical security and boundaries that so many companies have implemented.

Even Wi-Fi security mechanisms have not proven to be completely resistant to determined hackers, many of whom have been able to access corporate networks from the outside armed with the appropriate wireless equipment.

So how do you minimise or even eliminate the risk of hackers accessing your 802.11 wireless networks?

First, you must control who gains access to the network through the deployment of an in-depth, layered defence approach. You need to implement mechanisms such as user authentication and data encryption - together with features such as dynamic key distribution.

There are more options to spoil a hacker's attempts to exploit holes in your wireless network. My top 10 are:

1. Put the access point in the right place: Start with the basics - within your network configuration, ensure wireless access points are outside the perimeter firewall. This will give you an extra layer of defence to your network, based on the premise that all wireless users are untrusted.

2. Manage your wireless network ID: All wireless LANs come with a default SSID (Service Set Identifier) or network name. Change it - immediately - with an alphanumeric name. If your organisation can handle the administrative work, regularly change the SSID. And don't do the equivalent of walking around with the network name written on your forehead: disable the automatic SSID broadcast feature.

3. WEP is great: Despite the bad press that WEP (Wired Equivalent Privacy) has received, it remains the standard 802.11b wireless security protocol. It's designed to provide wired-like protection by encrypting wireless data as it is transmitted. Simply put, enable it, and then immediately change the WEP key from the default. Ideally, have your WEP keys generated dynamically when a user logs on, making access to wireless data a moving target for hackers. Session-based and user-based WEP keys offer the best protection and add another layer of deterrence.

4. But WEP is not foolproof: Don't put all your encrypted eggs into the WEP basket. WEP is one security layer of many and should not be relied on as the sole security measure, despite its role as the pre-eminent encryption security. Many network administrators have learned this lesson the hard way.

5. Ban rogue networks: WLAN setup is now simple enough that non-technical staff are installing their own wireless bridges or access points in their office departments, with little thought for security. Ensure a policy exists that restricts WLANs from being established without formal systems administration approval and deployment.

6. Add personalised authentication: Using MAC address-based or, better, user name and password (802.1X)-based control lists will allow only registered devices or users to access the network. This ensures only valid users can get a physical connection to the wireless network.

7. Leverage existing RADIUS servers: Remote users of larger companies are often authenticated to use the network through a RADIUS (Remote Authentication Dial-In User Service) server. IT managers can integrate wireless LANs into the existing RADIUS infrastructure to more simply manage users. It not only enables wireless authentication, but also ensures wireless users go through the same authorisation and accounting approvals as remote users.

8. Not all WLANs are created equal: While 802.11b is a standard protocol and all equipment bearing the Wi-Fi trademark will operate with the same base functionality, not all wireless equipment is created equal. While Wi-Fi ensures interoperability, many manufacturers' equipment does not include enhanced security features.

9. Consider using a VPN: Virtual Private Networks have been deployed over the Internet (untrusted media) to allow secure communications for years. The same can be deployed in a wireless environment to add Layer 3 encryption to the wireless (Layer 2) communication. VPNs offer a higher layer of security (in addition to WEP) and allow a secure end-to-end tunnel between user and network.

10. Use a combination of security mechanisms: The ultimate defence from hackers comes in the form of multiple levels of security.

The combination of user name and password authentication, products that employ Dynamic Session keys to encrypt the data, and possibly using VPNs tunnelled through a perimeter firewall, will give you the best level of defence against hackers.
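The checks from tips 2, 3 and 5, applied to a site-survey export and compared against an approved access point inventory. This is an added example, not part of the original article; the row layout, encryption labels, BSSIDs, inventory and default-SSID list are assumptions and constructed sample data.

```python
# Added example: audit observed access points against tips 2, 3 and 5.
# All survey rows, BSSIDs and the inventory below are constructed sample data.

# Assumption: a few widely documented factory SSIDs; extend with your vendors' defaults.
DEFAULT_SSIDS = {"linksys", "default", "tsunami", "netgear"}

# Assumption: BSSIDs of access points deployed by systems administration (tip 5).
APPROVED_BSSIDS = {"00:11:22:33:44:01", "00:11:22:33:44:02"}

# Constructed survey rows: (bssid, ssid, ssid_broadcast, encryption).
# The encryption labels ("none", "wep-static", "wep-dynamic") are hypothetical.
SURVEY = [
    ("00:11:22:33:44:01", "corp-7f3a9", False, "wep-dynamic"),
    ("00:11:22:33:44:02", "linksys", True, "none"),
    ("66:55:44:33:22:11", "sales-floor", True, "wep-static"),
]


def audit_ap(bssid, ssid, ssid_broadcast, encryption):
    """Return the list of findings for one observed access point."""
    findings = []
    if bssid.lower() not in APPROVED_BSSIDS:
        findings.append("rogue: not in approved inventory (tip 5)")
    if ssid.lower() in DEFAULT_SSIDS:
        findings.append("default SSID still in use (tip 2)")
    if ssid_broadcast:
        findings.append("SSID broadcast enabled (tip 2)")
    if encryption == "none":
        findings.append("encryption disabled (tip 3)")
    elif encryption == "wep-static":
        findings.append("static WEP key, not per-session/per-user (tip 3)")
    return findings


def audit_survey(rows):
    """Map each BSSID that has at least one finding to its findings."""
    report = {}
    for bssid, ssid, broadcast, enc in rows:
        findings = audit_ap(bssid, ssid, broadcast, enc)
        if findings:
            report[bssid] = findings
    return report


if __name__ == "__main__":
    for bssid, findings in audit_survey(SURVEY).items():
        print(bssid)
        for finding in findings:
            print("  -", finding)
```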


Editorial contacts

Sarah Dowding
Howard Mellet & Associates
(011) 463 4611
Sarah@hcmom.co.za
Gary Boniface
3Com Corporation
(011) 700 8600
Gary_boniface@3com.com