Wireless networks carry risks, but understanding what you need from your network - and what you don't - will help you limit those risks and gain benefits from the popular technology.
Conventional wisdom on wireless networks goes like this: They are inherently dangerous. They can leak your secrets to the outside world, through easily accessible radio waves. You'd be better off carrying around your corporate treasure in a sieve.
That's been the common view among IT and network managers for several years, supported by analysts' reports that warn of vulnerabilities, published exercises in "wardriving" that uncover porous access points and the occasional case bringing criminal charges against a defendant for allegedly swiping corporate data or consumer IDs. The view persists, but it's fading. In late 2004, a survey of more than 400 companies by research firm NOP World showed that security concerns were a "significant barrier" to wireless adoption for 44 percent of respondents and a "moderate barrier" for another 33 percent. Richard March, NOP World Technology senior vice president, says his recent conversations with enterprises show they are now less concerned about the theoretical risks of a wireless deployment and more focused on specific deployment concerns.
The good news for CSOs is that this danger-fraught view is fading, not because the conventional wisdom is wrong - wireless networks do carry risks - but because network implementers are getting more sophisticated and better able to weigh those risks against what they want to accomplish. The security and technology executives in this article, who have overseen implementations in a variety of industries, agree that whatever the environment, securing wireless networks requires five essential tasks: authenticating users so that only authorized people gain access, managing the access privileges of those allowed to connect, limiting network traffic to only what is needed, ensuring that mission-critical traffic is maintained, and enforcing security of end users' resources.
Here, we're laying out the questions to ask and the risks to assess, and how different organizations have addressed them and exploited the benefits of wireless technologies.
Ask the Right Questions
As with other areas of security risk assessment, there is no single way to secure wireless networks. So organizations considering wireless local area network (LAN) deployments need to answer these questions to determine which security strategies and tactics are right for them.
- Where will the wireless network be available? Will its signal extend beyond my control? The issues are different for a business sharing a building than for one with a suburban headquarters surrounded by fenced-in parking lots.
- What data will the network carry? A general-purpose network that carries e-mail, corporate applications and database traffic will require more complex security methods than one carrying snippets of data for specialized devices such as barcode scanners.
- Who should have access to the network? The greater the variety of end users - for example, administrative staff, salespeople, warehouse workers and visitors - the more complex it will be to segment them and manage their access.
- How mission-critical is the wireless LAN? Can you regulate access and bandwidth usage to ensure that essential operations continue if there's an unexpected spike in access demand? Do you have backup connections in case of failure or intrusion?
- Will users access your data remotely from public wireless hot spots? Besides ensuring standard remote-access security, you may need to secure the signal and data at the end user's notebook or PDA.
By working through these issues, organizations with highly sensitive data - such as hospitals and the military - have successfully deployed wireless networks and enabled wireless access via public venues without compromising security. In some cases, having a secure wireless network means deploying additional wireless security tools to regulate user access. More often, it simply means developing and implementing a wireless security strategy that uses existing technologies and policies, both wired and wireless. "If you have a good, solid remote-access policy" applied to all devices and connection paths, "you're fine", says Tamara Schwartz, application manager, business continuity, recovery and access management portfolio for United Parcel Service (UPS).
Such a policy also needs to account for the physical environment. For example, it's easier to secure a facility's wireless network if no intruders can get near enough to pick up the wireless signal, but that luxury doesn't exist if you share a building with another company. It's also easier to secure wireless access when employees use only your equipment in your facility, but many organizations will need to do additional work to secure travelling executives, salespeople and field staff who use public Wi-Fi or cellular networks.
1 Plug the Authentication Hole
The Goal: Approve the right users for network access.
Ways to Achieve It: Use encrypted authentication software and end-user device validation. Deploy hardware tokens where needed.
For several years, enterprises have been rightfully concerned about securing the first line of defence against unauthorized wireless access: user authentication. Authentication is one of the trickier aspects of wireless security. Because the signal is transmitted over radio waves, others can listen in to any transmissions, so the authentication mechanisms are also visible.
The original IEEE 802.11 wireless standard included an encryption method called WEP (Wired Equivalent Privacy) that was meant to secure the authentication process. But because it used unchanging, static encryption keys and a weak RC4-based encryption scheme, it could quickly be broken. That rightfully concerned IT, network and security managers.
After industry analysts and technology publications highlighted WEP's flaws, a series of interim improvements were released, culminating in the 802.11i standard. Since the standard's release in mid-2004, most new wireless network and client hardware has come with it. And most other wireless hardware released since 2003 can be upgraded to support it, often with free firmware downloads. However, a confusing parade of authentication technologies delivered since 2000 - WEP, dynamic WEP, WPA (Wi-Fi Protected Access) and now 802.11i (also called WPA2) - means that many organizations have not upgraded their hardware from the ageing WEP standard because all of their devices must work on the same standard to authenticate each other. And, depending on their risk assessment, these organizations may be vulnerable as long as they use WEP.
The 802.11i standard does meet many organizations' security needs, but stronger authentication technologies are available to raise the bar on intruders. The practices (described below) at UPS, the Columbus Regional Health System in Columbus, Georgia, and in the US military illustrate the point.
Rather than rely on the built-in authentication capabilities of products, Schwartz says, UPS will implement Protected Extensible Authentication Protocol (PEAP), developed by Cisco Systems, Microsoft and RSA Security, to provide stronger user validation on its notebooks. For PDAs, which don't yet support the higher processing requirements of PEAP, the delivery company is still exploring authentication options and for now allows synchronization via cradles only rather than over wireless LANs.
At Columbus Regional Health System, Stephen Lewack, director of technological services and communications, says the hospital uses a two-pronged approach. To authenticate users, he has deployed authentication tools from AirDefense and Fortress Technologies, which use public-key infrastructure (PKI) encryption. To protect data traffic, the hospital uses military-grade Advanced Encryption Standard (AES) encryption. The privacy protections mandated by the federal Health Insurance Portability and Accountability Act (HIPAA) require more than the standard 802.11 and TCP/IP security, says Lewack.
Military networks also use either AES or 3DES (triple Data Encryption Standard) encryption, so the traffic remains secure even if someone breaches the access points, says Ken Wood, president of Capitol IT Solutions, a consultancy that has deployed wireless LANs for the Defence Department's Advanced Research Projects Agency's telematics unit. (The unit works on robotic vehicles for the battlefield.) AES requires fewer computational resources than 3DES, so it's better suited for PDAs and older computers, Wood says.
Hardware tokens are also an option to eliminate log-in forgery. The Columbus hospital's Lewack says he validates users by storing their hardware IDs in the wireless access points so that only specific wireless cards registered by the IT staff can connect to the network. That makes the wireless cards act as physical tokens to ensure that the user is legitimate, providing forgery-proof authentication before users can even be asked to log in.
David Worth had similar concerns at the South Carolina law firm of Nelson Mullins Riley & Scarborough, where he is IT director. In addition to using the standard IEEE 802.1x server-based authentication and virtual LANs (VLANs) to protect the firm's wireless LAN, Worth uses SecurID fobs connected to notebooks via USB connections. These fobs provide two ways to authenticate users granted remote access to the LAN. They generate a new access key every 60 seconds, all but eliminating the chance that someone is using stolen IDs to access the network, whether over wireless or other connections. The fobs are also tied in to a specific user. If someone steals the fob and tries to log in with another person's password, he'll be stopped.
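The fob-plus-password check described above, as an added illustration that is not the firm's setup and not RSA's proprietary SecurID algorithm: it uses a simplified HMAC-based 60-second time step, and the users, seeds and passwords are constructed here for the demo. Its point is that each fob is bound to one account, so a stolen fob presented with another person's password fails.

```python
import hashlib
import hmac
import secrets
import struct

STEP_SECONDS = 60      # the fob shows a fresh code every 60 seconds
CODE_DIGITS = 6
DRIFT_STEPS = 1        # accept the previous/next window to absorb clock drift


def _pw_record(password):
    """Salted PBKDF2 hash of the 'something you know' factor (constructed demo data)."""
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user records: each fob seed is registered to exactly one user.
USERS = {
    "alice": {"seed": b"alice-fob-seed-0001", "pw": _pw_record("correct horse")},
    "bob":   {"seed": b"bob-fob-seed-0002",   "pw": _pw_record("battery staple")},
}


def fob_code(seed, now, step=0):
    """Code the fob would display for the 60-second window containing `now`
    (HOTP-style dynamic truncation over a time counter; illustrative only)."""
    counter = now // STEP_SECONDS + step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"


def _password_ok(user, password):
    salt, stored = user["pw"]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(candidate, stored)


def authenticate(username, password, code, now):
    """Both factors must belong to the same account: the code is checked only
    against the seed registered to `username`, never against any other fob."""
    user = USERS.get(username)
    if user is None:
        return False
    code_ok = any(
        hmac.compare_digest(code, fob_code(user["seed"], now, d))
        for d in range(-DRIFT_STEPS, DRIFT_STEPS + 1)
    )
    # Evaluate both factors (non-short-circuit) so a failure does not reveal
    # which of the two was wrong.
    return _password_ok(user, password) & code_ok
```

A real deployment would also record used codes to reject replays within the same window.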
2 Control Access to Limit Risks
The Goal: Restrict resource access to approved users, keeping data secret.
Ways to Achieve It: Regulate what employees access. Restrict guests. Don't advertise.
When an end user does gain access to a wireless network, the next security step is to control what they access.
There are three ways to go about it. First, you can use standard LAN management techniques to control what applications users can run (through log-in requirements, for example). Second, you can use typical remote-access tools, such as Citrix terminal emulation, so that no data is actually transmitted to the local drives. That's what CIO Worth does at Nelson Mullins. And third, on wireless networks, you can use virtual LANs to control which network resources are available to users connecting through a given access point.
The use of wireless networks typically allows for guest access, such as for consultants, suppliers and auditors. Just like wired networks, wireless networks support VLANs, which let wireless access points and routers separate different kinds of users, giving them different levels of access to network resources.
At software and consulting company Optimus Solutions, CIO Steve McDonald uses one VLAN for guests on the company's wireless network and another VLAN for its employees at its Norcross, Georgia, headquarters.
Of course, it's not just invited guests who pose a risk. It's all but impossible to get full wireless network coverage internally while preventing signal leakage outside your walls. For facilities surrounded by fenced parking lots or greenbelts, there's a natural buffer (with physical security still required). But in most cases, such space is not available.
You can still limit outsiders' access. At consumer electronics maker Logitech, CTO Pierre-Olivier Monnier is evaluating a new capability in Trapeze Networks' wireless LAN management software that automatically shuts off access points at night, depriving hackers of the ability to park outside all night to try to break in. Staff working late inside the office would be able to use access points that don't leak their signals outside, or they could use a wired connection.
Another option is to make the wireless LAN physically separate, says Wood of Capitol IT Solutions. Military deployments require such separation. Many businesses used this technique in their early wireless deployments as well, but it doesn't scale well to cover an entire building or campus. Although the severe separation of a military-grade wireless network requires more resources to manage, "security is more important than cost and ease" for the US Defence Department, Wood notes.
3 Add Security Through Obscurity
The Goal: Keep data secret.
Ways to Achieve It: Transmit data that only the users understand.
A very simple security technique is security through obscurity.
NYK Logistics tags shipping pallets with wireless radio frequency identification, or RFID, transponders that broadcast each pallet's ID every few seconds so that NYK can track the pallets' location inside its huge yards. (The transshipment company unloads pallets from ships, sorts them and loads them onto trains and trucks.) But that ID means nothing to outsiders, so in theory, NYK would not care if anyone intercepts it, says Rick Pople, former general manager at NYK. You would need access to NYK's management software to know what the ID referred to, and to access the pallet's status, and that requires having appropriate log-in credentials and access to computer terminals in NYK's building in Long Beach, California.
UPS uses a similar strategy at its package shipping centres. "We're not concerned that someone can pick up package traffic," says Schwartz. The data has no meaning unless you are using UPS's management software, she says.
Of course, both NYK and UPS use access-control techniques (described earlier) for notebooks and handheld scanners that connect to their internal wireless networks, which provide access to data that could be useful to snoopers.
4 Protect the Network Itself
The Goal: Maintain mission-critical operations.
Ways to Achieve It: Intrusion detection, limited authorized access, deploying parallel networks.
In many organizations, the security focus tends to be on protecting the information that travels through the network. But the network itself can be mission-critical, and its availability can be a security issue.
At its sorting facilities, UPS is concerned about roaming users picking up tracking data, even though most won't understand the data. But what worries the company more is "that someone can get in and start sniffing around the network", says Fred Hoit, the shipper's manager of wireless LANs. The network keeps package data current both for customers (who can log on to the Web to check on a parcel's status) and UPS itself (for determining routing schedules and equipment needs as package volume and destinations shift). To prevent unwanted access to this data, the company is installing an intrusion-detection system to identify and lock out unauthorized network users. (Choosing a wireless intrusion prevention system is not a case of one size fits all. For more, see "Making Sense of Wireless IPSes".)
UPS is also working to limit the risks posed by too much demand on its wireless networks. Hoit says UPS is testing whether it can let wireless package scanners coexist with white-collar workers' wireless notebooks. One option, he says, is to set up separate wireless LANs, one for package sorters and another for notebook users, using a different radio spectrum for each so that the two cannot interfere with each other.
5 Secure Public Wireless Access
The Goal: Ensure data and access security for users in external networks.
Ways to Achieve It: Proprietary networks and devices, isolated connections.
With thousands of public Wi-Fi hot spots, built-in wireless radios on most new laptops and high-speed cellular data services now available in many urban areas, enterprises face the challenge of securing remote access by users who connect wirelessly when outside the building, where IT has no control over the originating network.
For example, consultants at Optimus connect to corporate systems using Verizon Wireless's EVDO broadband service, which Optimus pays for. But the consultants can also use wireless hot spots on the public Internet, such as at hotels, a customer site or at home.
McDonald's security policy is to isolate remote devices when connected to Optimus's servers at headquarters, making them inaccessible to other devices on the network at either end of the connection. Optimus uses Cisco Systems' VPN client software on PDAs and notebooks, coupled with a Cisco firewall on its servers, to isolate the connected devices. Thus, even if someone somehow connects to the consultant's PDA or notebook wirelessly, that intruder can't piggyback on the connection to Optimus's servers. The use of firewalls and VPNs is a standard technique for remote access - whether dial-up or Web-based, wired or wireless - and McDonald says it should be the first line of defence no matter how users connect.
Optimus also gets security without extra effort by using Research In Motion's BlackBerry PDAs. The BlackBerry network funnels all wireless connections to a military-grade server that acts as the way station between the device and the corporate systems. (Competitor Good Technology has a similar approach.) Because the BlackBerry doesn't connect directly to the corporate system, someone else can't piggyback onto the connection, since they would be blocked at the independent BlackBerry server, McDonald says. Also, the BlackBerry service lets only the server initiate communications, so an outsider can't log in to the system using forged credentials; the server will connect only with known devices.
Special Concerns for Voice Over Wireless IP
An emerging use of wireless local area networks (LANs) is to carry voice traffic, letting companies extend phone service to mobile workers inside a building or campus without paying for cellular service. Hospitals have spearheaded adoption, with retailers and facilities managers also using it.
But voice over wireless IP has a security drawback: Any authentication technology more powerful than Wired Equivalent Privacy (WEP) will cause delays of several seconds as users roam from one access point to another. However, WEP is easily hacked and is not considered appropriate for business, education or government deployments.
Fortunately, there are several techniques to get around these limits. The simplest is to use virtual LANs (VLANs), which separate the voice and data traffic. In this case, the voice traffic's VLAN would use WEP encryption, while the data traffic's VLAN would use a better method such as IEEE 802.11i. That's what the HP Pavilion sports arena in San Jose, California, did when it deployed a wireless LAN for its facilities and events staff, notes General Manager Jim Goddard.
Another option would be to build a second wireless LAN using a different radio spectrum, again using WEP for the voice network and a better technology for the data network. This approach allows more network traffic, but it is more costly.