Enabling wireless security

Wireless technology is increasingly used by companies that want to enhance their agility and increase productivity by enabling mobile, remote and flexible working. However, BT's business continuity, security and governance practice believes that a vast number of organisations and their users do not fully understand the associated security implications and are leaving themselves very vulnerable.

To make matters worse, wireless capability is being added to more and more devices, and the tools to locate and hack wireless networks are easy to find and download from the Internet - so this situation can, and will, only get worse.

The first and most important step to using wireless technology securely is to find out exactly what equipment is in use.  Ian Hughes at BT says: "In our experience companies who believe they have 100 per cent control of all wireless technology always have something unaccounted for.  Even businesses that believe they don't have any wireless connectivity at all are usually wrong. These 'rogue' devices can put the entire network at risk.  It is, therefore, essential they secure the wireless network they know they have - as well as monitor for and identify the one(s) they don't yet know about."

The reason there is often so little knowledge about the actual number of wireless devices in the enterprise is that nearly all new laptops and PDAs come with WiFi, infra-red or Bluetooth capabilities enabled and turned on as standard, which many users are unaware of.  Individuals can also use devices with the wireless capability deliberately turned on, or add wireless connectivity through USB ports, which are relatively cheap, readily available and easy to install, without fully appreciating the risks this entails. 

Ian Hughes says: "Most large organisations find they have a number of unofficially installed pieces of equipment that are outside the control of the IT department, which represents a major security risk.  People like wireless because it is easy - but it's not so easy when a hacker brings down your entire network. We have seen plenty of examples of employees taking company laptops home and connecting to wireless broadband, and then leaving that connection open when they return to the office, or use their laptop or PDA on the train, in a hotel room, and even when parked in a motorway service station.  The device continues to look for a base station or other wireless-enabled appliance to connect to, thus advertising its presence to any scanning apparatus within a fairly wide radius - often many hundreds of metres or more. It's then relatively straightforward for an unscrupulous individual to intercept those connections and hack into the device. Some products can connect directly to others, without needing a base station, so direct device-to-device transfers can occur without either user being aware." 

Hughes continues, "At the very least, organisations have got to run some form of wireless intrusion detection system (WIDS) to identify and locate rogue devices. No security policy can be effective if there are unknown elements on the network, so security teams need to remain on constant look out for new devices, and ensure that users follow policies on how they should, and should not, be used."

Companies also need to ensure that specific measures for wireless networking are included in the wider security policy.  Focussing on protecting the virtual and physical boundaries of an organisation is no longer sufficient. Mobile devices, by their very nature, have effectively broken down these borders and created an open environment that is more vulnerable to attack. The previously accepted "Inside/Outside" (or "Redside/Greenside") model, relying on physical security and firewalls to protect the network, do not work when wireless is added. Everything becomes "Oneside" and is accessible to all within range of the wireless signal.

Authentication and identity management are also essential - from both sides of the connection. Hughes says: "With wired networks the onus is on the user to prove their identity to the server - usually through a username and password.   The physical connection has traditionally been accepted as providing a sufficient guarantee that the network is what it claims to be.  However, in the wireless world, the user and the network now need to prove their mutual identities to each other, without divulging any sensitive credentials in the process."

Ian Hughes concludes: "Establishing connectivity to wireless networks no longer requires a great deal of expertise, but neither does hacking them. It is obvious that wireless security needs to be taken seriously. The technology may be there in terms of data encryption and user authentication, and the development of standards such as IEEE 802.11i.  But for these to be effective, all devices need to be fully identified and must be used in accordance with a policy that is specifically designed for that purpose."

  Report sourced from www.ciol.com