Wireless local area networks are becoming more prevalent and they are leaving security holes in many organisations' networks.
DCA Technologies CEO and managing director Mario Calleja has a problem. People pay his company good money to provide expert, independent consulting on, among other things, implementation and management of communications networks. Yet after months spent working with a number of customers exploring the potential for implementing wireless LANs (WLANs), neither consultancy nor customers have been able to satisfactorily quantify the security risks involved.
"Take-up of wireless infrastructure is a lot slower than we expected, because of the security issue, and because insufficient information is available on how real the scare is," Calleja says. "The corporate standard that's out there seems to think that the security scare is much ado about nothing, but you go to the vendors and you get many different answers."
The issue of wireless LAN security seems to be becoming more, not less, confused as time goes by. Sifting fact from vendor chaff to make their own judgements about security is just one of the problems besetting CIOs looking at the issue of wireless. Some are finding themselves having to scan their own networks to discover just how many wireless LANs are already installed behind their backs before they can even think about wireless security. At least, the canny ones who have woken up to the fact that their company has a problem are doing so.
Ask yourself these questions. If I were to drive past your building with a wireless network interface card (NIC) operating in "promiscuous" mode, could I pick up the signals and Media Access Control (MAC) addresses of all of your organisation's broadcasting devices so I could map your network access points? Could I then impersonate those MAC addresses to saunter through your wired network? If you think the answer is "no" because the IT group has not authorised installation of any wireless LANs, you might want to phone a friend before you answer out loud.
Wireless LANs are just too cheap. Inevitably, the do-it-yourselfers - perhaps the same people who bypassed the IT department to put a PC on their desk before business was ready to endorse them - have been every bit as cavalier about installing wireless base stations and NICs behind their CIOs' backs. "It's essentially a grass roots revolution in which employees are bringing these devices into the organisations," says US-based Evans Data analyst Joe McKendrick. "Employees are still essentially the prime purchasers for these devices."
Wireless appliances are proliferating in Australia too, says DeMorgan managing director and CTO Craig Wright, at a time when CIOs still have relatively little understanding about how wireless works, and even less about wireless security. "Most companies don't have any good policies, so what happens is either IT groups decide to do these things without properly testing them, or end-user groups do," Wright says.
"Now quite often it's because they think they'll save money on cabling or whatever else, especially if they're in an office temporarily. Or if they're moving around in different areas it's quite often simpler to just whack in a box and away you go. But you have to justify the cost of having wireless, and trying to secure it as well. You have got to add up the whole equation, not just what the vendor tells you initially," he says.
Those users buying cheap hardware and hooking it up to networks without informing anyone probably do not realise it, but they are not only opening up huge vulnerabilities in the corporate network, they are also advertising them to the world. "Corporate information is floating through the air, and the company doesn't even realise they're wireless," Ed Skoudis, vice president of security strategy at New York-based IT services firm Predictive Systems recently told US Computerworld. "Of your Fortune 100 companies, the vast majority of them have wireless [networks]; they just don't know it yet."
To make matters worse, an Australian survey by CSC late last year found about 60 per cent of sites deploying wireless LANs across Australia had not enabled encryption. Director, global information security services, Kim Valois says most system owners and users have no idea where their data is going and fail to realise wireless networks are "always on".
Just Not Secure
Surveys show integrating new wireless devices into existing corporate computing systems is far more challenging than it looks. Worse, depending who you listen to, wireless security is either "relatively immature" or non-existent.
"As far as my opinion goes there is no security in wireless networks at the moment," says ITAC security senior security consultant Adam Bernau. "The encryption is 'crackable' reasonably easily and they're prone to eavesdropping, so people can drive down the street with their laptops and listen in to see what companies are doing." ITAC has a large number of customers who have faced this sort of issue in the government, banking and insurance sectors, Bernau says. The company has been involved in penetration tests to detect unauthorised wireless networks, and has been successful in detecting them.
"I guess the simplest thing to say is that wireless security is probably still relatively immature," says AUSCERT coordination centre manager Robert Mead. "Given that wireless uses radio waves and anyone can pick it up and listen, you don't have the luxury of building a relatively insecure network, [believing it's safe because] it is inside the building."
Such concerns stopped the National Electricity Market Management Company (NEMMCO) dead after it evaluated wireless LANs. CIO Ray DeMarco says along with the lack of a proven track record, worries about security were eventually enough to stop NEMMCO deploying wireless until the early adopters have worked the bugs out. "We're extremely conscious about adopting any technology which hasn't been proved security-wise and so we just decided to hold fire on this wireless stuff until the security standards are sorted out and we feel comfortable that it is safe to do it," says DeMarco.
Likewise Ernst & Young has ruled out using wireless at least until 2005, thanks to concerns with Wired Equivalent Privacy (WEP), even though most staff members have laptops. And overseas a US Department of Energy national laboratory has temporarily banned wireless local area networks. Lawrence Livermore National Laboratory (LLNL) acting CIO Ted Michels says the measure is necessary because of security risks created by WLANs.
"Any program or directorate with an existing wireless LAN in the property protection areas must disconnect it from all LLNL institutional networks and obtain an approved exception to this policy before resuming operation of the LAN," Michels says.
There's no doubt companies that unknowingly or carelessly give wireless devices access to corporate networks can open an environment to security breaches. Wireless systems can give hackers access to your e-mail, let them sniff for superuser accounts and passwords, and even allow them to seize root or administrative access to certain machines. Wireless access points can open your networks up to Trojan horses and can even be subverted to launch attacks against other businesses.
And a hacker targeting a wireless network has an advantage over peers who focus on fixed-line networks: he does not even have to be physically connected to the network. They can hack you just by driving by in a car or walking around a building. An intruder can even hide a handheld device somewhere outside your building to record traffic. In the US, David Dziadziola, CEO of San Francisco-based security consulting firm Wholepoint, claims to be aware of wireless security audits that have successfully penetrated military facilities from up to 32 kilometres away. Some of those cases involved military labs that had other LANs attached to the wireless networks.
Considering your corporate directors are now liable under the Privacy Laws and could end up in jail if personal information is improperly exposed, the implications are fairly frightening. It was a major issue for Collaborative Health Informatics Centre (CHIC), a national, independent, not-for-profit organisation whose focus was to facilitate improvements in business processes and patient care in the health sector through the application of appropriate information technology [CHIC ceased providing services on May 31 - ed].
Earlier this year IT manager Brett Silvester led New Zealand and Australian health industry CIOs on a tour of US sites looking at health records and wireless and mobile technologies. He says the dilemma for hospitals is the need to ensure maximum coverage within the hospital walls without making it easy for people in the car park to pick up transmissions. "That's the dilemma: you want less aerials, more coverage, but you don't want to have it going outside of your facility."
So while a lot of health organisations are talking about wireless, few have implementations on the ground, in part because of security concerns, he says. "It's not an environment where you can just throw up antennas and have people off the street basically start being able to plug into your network." On the other hand, he says there are some installations in the US which are doing some very good pilots.
Doubts About Standard
Wireless LANs stormed the market in the fourth quarter of last year when the new IEEE 802.11a standard hit the market (802.11a performs at 54Mbps compared to a maximum of 11Mbps for 802.11b).
The Wireless Ethernet Compatibility Alliance, an industry group representing more than 140 vendors, claims the built-in wireless fidelity (Wi-Fi) Ethernet security standard is a proven technology for most businesses, schools and home users. It claims Wi-Fi gives users the level of privacy usually associated with a traditional wired LAN, so long as the WEP encryption regime is turned on and the default and WEP key are changed daily or weekly. It says drives and folders should be password-protected, and the default SSID (Service Set Identification) should be changed.
But some analysts call WEP encryption a joke, and claim SSID and MAC address authentication provide minimal levels of security that are easily sidestepped using tools available now. In February the US National Infrastructure Protection Centre issued a warning about wireless LAN vulnerabilities, saying computer experts had broken Wi-Fi and hackers were not far behind. And there is a school of thought that says even the foreshadowed Robust Security Network (RSN), which incorporates access control, authentication and key management in the 802.11 protocol, will not be enough.
Dr William Arbaugh, an assistant professor of computer science at the University of Maryland's Department of Computer Science, explores fundamental flaws in that process in a paper released in February. "The current combination of the IEEE 802.1x and 802.11 standards does not provide a sufficient level of security, nor will it ever without significant changes," his paper concludes.
So that leaves individual businesses to balance their own security needs against the convenience of wireless.
Dealing with the Problem
A comprehensive user and wireless security policy will help reduce those risks. Start by scanning your networks to find and map access points, using the software a hacker would. You can use your own wireless device to do this (the NICs ship in promiscuous mode), or you can use freeware and commercial wireless scanning tools. If your organisation has concerns about the level of risk posed by wireless LANs you should first and foremost ensure your security policy denies end users the right to install hardware and software independent of the IT department.
"A lot of it comes down to policy development. Regardless of what technologies are available, or even in place, with management of these devices it all comes down to policy and adherence to policy," says Symantec Asia-Pacific director of system engineering operations Tim Hartman. "Within our own company we have wireless devices and we have policies relating to usage and access points. If people don't adhere to policy and communication of those policies it's all fairly useless. You've got to equate this to parking your car in a supermarket car park. If you leave the doors unlocked you're 100 times more likely to get robbed than if your doors were locked."
If devices are allowed, an important starting point is to set up application security on each device. While that will not give you much protection, says Wright, it is better than nothing. "And some devices do have security built into the wireless application. Look at spending a little bit more money on those if you need to go wireless."
Analysts also recommend security awareness training for end users as to why such practices pose a risk to the business. And since many organisations will find dealing with the issue a balancing act between the competing needs of security and convenience, businesses should first and foremost consider the objectives they have for wireless security, AUSCERT's Mead says.
"For a lot of businesses it's not so much about the security, it's about the freedom of not connecting. So there are two competing things. One is where they want networking that's free and easy but as secure as cable, and the other is where people just want to provide a service out to everyone and they're not really worried about security.
"I think the best perspective to take with any of your communication is similar to that you take to being out on the Internet," says Mead. "If you weren't willing to put all your business files or your business data out on the Internet, then you probably shouldn't be willing to put it over a wireless network, unless you take extra security mechanisms."
Such mechanisms include using firewall-based point-to-point VPN-type technologies with full encryption and enhanced authentication, Mead advises.
"In the same way that you can have a degree of confidence by using VPN technologies over the Internet, you can have exactly the same level of confidence over wireless. In theory, someone might snoop all your traffic going over a wireless network, just as in theory they might snoop it over the Internet. So they're actually very similar, and really that's where people should draw the parallel. Would I happily send this data between these two computers if it had to go halfway across the world over the Internet. Yes or No? You should ask the same question for wireless at this point." vWireless InsecuritiesControl mobile computing vulnerabilities before they get control of youWhere wireless networks are authorised, ITAC security senior security consultant Adam Bernau recommends:
- Having a secure overall network design, isolating critical servers from desktop LANs, and locating wireless access points behind an extra layer of protection, such as a firewall or filtering router.
- Enabling WEP. It is not secure, Bernau says, but does at least provide an extra level of protection.
- Changing all default encryption and identifier keys on opening the box and occasionally thereafter.
- Changing the administration password on the wireless device, and ensuring you never administer the device via wireless.
- Restricting user access to the network via MAC address (the unique identifier on every network card) where possible.
- Running a VPN over the top to the wireless network for additional security of data.
A Simple Plan
Security experts say wireless policies should include the following guidelines:
The IT department must approve all wireless LAN access.
All wireless network cards and base stations must be registered.
Wireless NICs must be secured before they're issued. That includes turning off promiscuous broadcasting of MAC addresses, enabling the Wired Equivalent Privacy (WEP) and dropping the Service Set Identifier (SSID) as the default password (it's easily sniffed from the parking lot).
The corporate IT department should select, standardise and approve wireless security configurations. It should separate wireless traffic from the rest of the network with a firewall, use company-issued virtual private network (VPN) clients, and install desktop firewalls and intrusion-detection systems on wireless computers.
Quarterly audits (scans) for rogue wireless access points must be conducted.
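An added example (not part of the original article): one way to run the audit described above, comparing a wireless survey export against the register of approved base stations and flagging unregistered devices, missing encryption and default SSIDs. The CSV layout, the registry contents, the finding names and the default-SSID list are all constructed assumptions.

```python
import csv
import io
import re

# Constructed register of IT-approved base stations: BSSID -> expected SSID.
REGISTERED = {
    "00:0a:0b:0c:0d:01": "corp-floor1",
    "00:0a:0b:0c:0d:02": "corp-floor2",
    "00:0a:0b:0c:0d:03": "corp-floor3",
}
# Illustrative factory-default SSIDs (assumed list; extend per vendor).
DEFAULT_SSIDS = {"default", "linksys", "tsunami"}

# Constructed survey export with columns bssid,ssid,encryption.
SAMPLE_SCAN = """\
bssid,ssid,encryption
00-0A-0B-0C-0D-01,corp-floor1,wep
00:0a:0b:0c:0d:02,default,none
02:aa:bb:cc:dd:10,linksys,none
02:aa:bb:cc:dd:11,,wep
"""

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")

def normalise_bssid(raw):
    """Lower-case and use ':' separators so register lookups cannot miss."""
    mac = raw.strip().lower().replace("-", ":")
    if not MAC_RE.match(mac):
        raise ValueError(f"malformed BSSID: {raw!r}")
    return mac

def audit(scan_csv, registered=REGISTERED):
    """Return sorted (bssid, finding) pairs for one survey export."""
    findings, seen = set(), set()
    for row in csv.DictReader(io.StringIO(scan_csv)):
        bssid = normalise_bssid(row["bssid"])
        ssid = row["ssid"].strip()  # empty when the SSID is hidden
        seen.add(bssid)
        if bssid not in registered:
            findings.add((bssid, "UNREGISTERED"))
        elif ssid != registered[bssid]:
            # A registered unit with the wrong SSID may have been reset.
            findings.add((bssid, "SSID_MISMATCH"))
        if ssid.lower() in DEFAULT_SSIDS:
            findings.add((bssid, "DEFAULT_SSID"))
        if row["encryption"].strip().lower() in ("", "none", "open"):
            findings.add((bssid, "NO_ENCRYPTION"))
    # Registered hardware that was not heard may have been moved or removed.
    for bssid in registered.keys() - seen:
        findings.add((bssid, "NOT_SEEN"))
    return sorted(findings)

if __name__ == "__main__":
    for bssid, finding in audit(SAMPLE_SCAN):
        print(f"{bssid}  {finding}")
```

A BSSID that matches the register is not proof the device is the approved one, since MAC addresses can be impersonated; treat a clean result as a starting point for the physical check.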
Dos and Don'ts for Your Wireless LAN
Location, location, location
Do perform extensive site surveys before deploying access points.
Don't forget to routinely check access point locations to see if any alteration in the surrounding environment will interrupt connectivity.
Less is more
Do limit the number of protocols used. Sticking to TCP/IP will reduce chances of clogging the wireless LAN.
Don't deploy high-volume, bandwidth-hogging applications.
Keep it simple
Do design an intuitive and simple user interface to help users acclimate.
Don't try to meet all user whims. Keep the wireless LAN as simple as possible.
Do employ user identification/password, encryption, authentication and other security measures. Firewalls and VPNs are options for smaller wireless LANs (see CIO April "Secure Your Wireless Network" for more wireless LAN security tips).
Don't trust the out-of-the-box security vendors offer.
Do standardise access devices to ensure applications will work across laptops, PDAs and other handhelds.
Don't assume users will always respect corporate rules regarding the wireless LAN. Performing constant network discoveries may uncover unauthorised devices.
- Denise Dubie, April Jacobs and Kathleen Ohlson