On Guard!
July 1, 2005
A wireless LAN uses ultra-high frequency (UHF) radio technology to either replace or extend a conventional wired LAN. In a WLAN, data is superimposed onto a “carrier” radio wave using a process called “modulation.” The carrier wave acts as the transmission medium, replacing the cable. Like conventional radio or TV, a WLAN can transmit data through walls and floors, thereby dispensing with the need for workstations and conference rooms to be wired to hubs and switches, and laptop users have the freedom to locate anywhere in an office without first hunting down an available jack. Those using a wireless connection can do everything that a wired user can do, including access the Internet, work on shared documents, send e-mail and the like. Ease of setup and flexibility have contributed to the WLAN’s popularity. Because their transmissions are unrestricted, however, WLANs inherently are insecure, and unless precautions are taken, any suitably equipped person easily can join the party.
Solutions providers have seen an increase in demand for corporate WLANs, placing an added emphasis on providing adequate security for corporate networks. When planning, designing, implementing and managing any type of network infrastructure, security always should be one of the key considerations. Securing and protecting a customer’s computing environment and business is a top priority for any channel partner, and it is key that partners are aware of the risks, challenges and solutions of today’s latest technology. WLANs are no exception.
WHAT ARE THE RISKS AND CHALLENGES?
The security incorporated in WLAN technologies falls short of providing sufficient protection, and nonsecure WLANs can expose an organization’s network traffic and resources to unauthorized outsiders. Unauthorized outsiders that tap into the network can access data and take advantage of network-based resources, including Internet access, disk storage and fax servers. More notably, wireless access to a network can represent the entry point for numerous types of attacks that can leave services unavailable and subject the customer’s organization to possible legal liabilities.
Additionally, radio signals from a WLAN can extend beyond the planned boundary and “leak” through the physical limits of a floor or building. As these signals pass into common, public or private areas, they may fall victim to a “drive-by hacking” attack - the term used for hacking a target’s WLAN while outside of the target’s offices.
Ease of outside access is a challenge customers should be aware of as they consider the implementation of a WLAN. With many of today’s laptops being shipped with embedded Wi-Fi capabilities, hackers can access a device’s data and the organization’s WLAN. Even if that particular device has never been used to send or receive wireless transmissions, a hacker still can gain access.
Also, some employees may not be willing to wait for the solutions provider or IT department to deploy a wireless LAN and simply try to do it themselves. When unapproved technology is plugged into a corporate network, a number of challenges may follow, including end-user and equipment support difficulties.
WHAT CAN BE DONE?
As the world becomes more mobile, it is important to remember that there is no fundamental difference between the wired and wireless world. Vulnerabilities still must be identified, problems remediated and common sense security practices followed, regardless of the environment. Channel partners can help guide organizations in mitigating many of the risks associated with wireless LANs by providing a thorough assessment, solid security solutions and employee education. The following steps will aid solutions providers in this process.
Assess the Environment.
Assessing an organization’s environment is a significant step in deploying a secure, wireless LAN. An evaluation of a business’s computing and working environment gives the solutions provider a starting point and offers guidance and direction in moving forward. The following steps can be used as a guide in the evaluation process.
Elimination of Unneeded Protocols - The possibility of unidentified holes and vulnerabilities can be minimized by eliminating unnecessary or redundant protocols from the LAN segments that connect the APs to the VPN gateway. Retaining the Domain Name System (DNS) and IP Security (IPSec) protocols is recommended to support the VPN.
Limits on AP Connections - The use of authorization tables lets administrators allow LAN connections to those select devices with approved NIC addresses. Each NIC has a distinctive address that can be included in a table of authorized users. Most vendors’ APs support Media Access Control (MAC) restrictions through authorization tables. Therefore, APs can be pointed to a centrally managed database, instead of editing each AP individually.
Division of Internal Networks - The segments of the LAN that connect to wireless APs should link to a corporate VPN gateway, but not directly to the production network. The risk of attack techniques such as packet sniffing can be minimized by eliminating APs from the production network.
Security Design - Wireless coverage should be employed only where needed. Installers should consider signal bleed into uncontrolled areas where transmissions can be intercepted when placing wireless APs for strategic coverage.
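The first three assessment steps above (protocol elimination, AP connection limits and network division) can be checked together against traffic observed on the AP segment. The following is an added example, not part of the original article: the addresses, MAC table and flow records are constructed, and the mapping of "DNS and IPSec" to specific ports and IP protocols is an assumption.

```python
import ipaddress

# Constructed values for illustration; none come from the article.
PRODUCTION_NET = ipaddress.ip_network("10.0.0.0/16")
AUTHORIZED_MACS = {"00:11:22:33:44:55", "00:11:22:33:44:66"}

# Assumed mapping of "DNS and IPSec" to wire protocols:
# DNS = UDP/TCP 53; IPsec = IKE (UDP 500), NAT-T (UDP 4500), ESP, AH.
ALLOWED_SERVICES = {("udp", 53), ("tcp", 53), ("udp", 500), ("udp", 4500),
                    ("esp", None), ("ah", None)}

def normalize_mac(mac):
    """Lower-case and use ':' separators so table lookups are consistent."""
    return mac.strip().lower().replace("-", ":")

def audit_flow(flow):
    """Return the list of policy violations for one observed flow."""
    issues = []
    # Limits on AP connections: source NIC must be in the central table.
    if normalize_mac(flow["src_mac"]) not in AUTHORIZED_MACS:
        issues.append("unauthorized-nic")
    # Elimination of unneeded protocols: only DNS and IPsec are retained.
    if (flow["proto"], flow.get("dport")) not in ALLOWED_SERVICES:
        issues.append("unneeded-protocol")
    # Division of internal networks: nothing goes straight to production.
    if ipaddress.ip_address(flow["dst_ip"]) in PRODUCTION_NET:
        issues.append("reaches-production-directly")
    return issues

def audit(flows):
    """Map flow index -> violations, omitting clean flows."""
    report = {}
    for i, flow in enumerate(flows):
        issues = audit_flow(flow)
        if issues:
            report[i] = issues
    return report

# Constructed flow records as a collector on the AP segment might export them.
SAMPLE_FLOWS = [
    {"src_mac": "00-11-22-33-44-55", "dst_ip": "192.168.50.1", "proto": "udp", "dport": 500},
    {"src_mac": "00:11:22:33:44:66", "dst_ip": "192.168.50.1", "proto": "esp"},
    {"src_mac": "00:11:22:33:44:66", "dst_ip": "10.0.3.20", "proto": "tcp", "dport": 445},
    {"src_mac": "DE:AD:BE:EF:00:01", "dst_ip": "192.168.50.1", "proto": "udp", "dport": 53},
]

if __name__ == "__main__":
    for idx, issues in audit(SAMPLE_FLOWS).items():
        print(idx, SAMPLE_FLOWS[idx]["src_mac"], issues)
```

A MAC match only shows that a frame carried an approved address, so the authorization table is one layer alongside the VPN requirement rather than proof of identity.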
Security Solutions.
Obviously, security solutions play a vital role in the process of securing a WLAN. Today’s technology industry offers numerous products and techniques, and the solutions are seemingly endless. By employing and encouraging the customers’ use of the tactics below, channel partners will be sure to create a protected wireless network for their clients.
VPN Access Only - Requiring customers to connect to the WLAN by way of a VPN is a good recommendation. Authorized users, once authenticated, can communicate using an encrypted tunnel between the connecting device and the LAN. This reduces the risk of a transmission capture.
Protection of Wireless Devices - Personal firewalls are another source of protection. They can shield individual devices from attacks launched via the “air connection” or from the Internet. All unused features of new client devices, like shared drive access, should be disabled. Installers also should reconfigure default settings according to the needs of the client’s organization.
Educate Employees.
In an effort to protect consumers from losing priceless data to today’s ever increasing threats, channel partners sell and implement robust, integrated security systems. However, many organizations still fail to manage a major security hole that exists within all companies - employees. Solutions providers are in an influential position and should encourage clients to develop security practices and educate employees, thus developing a culture that enables security.
The most important part of an effective wireless LAN strategy is the defining, standardizing, documenting, disseminating and enforcing of security policies and practices. While it is true that some of the technologies that secure wireless devices are different from those that protect wired systems, a customer’s corporate security policy does not need to be radically different. Wireless security policies should be integrated into existing IT guidelines - not developed separately.
By identifying the make, model, configuration and settings of the wireless LAN equipment authorized for use, a solutions provider can assist its clients in developing a solid security policy. The access points and connected network infrastructure should also be documented and managed.
Once the policies and practices of a client’s organization are established, employees need to be educated concerning them. The security policies of an organization are valid only if employees abide by them.
A WLAN can be a powerful complement to an organization’s networking capabilities - possibly increasing employee productivity while reducing overall IT costs. However, with the potential benefits also come some risks, such as leaky buildings, unauthorized deployments, signal interference and other potential security breaches. Solutions providers must be aware of both the benefits and the risks associated with establishing a WLAN. They have the responsibility of aiding customers in finding that delicate balance between opportunity and risk - all the while confidently implementing a secure, effective WLAN.
Walter Kendrick is a Symantec Specialist for En Pointe Technologies, an El Segundo, Calif., provider of IT hardware, software and services. He can be reached at [email protected].
Links
En Pointe Technologies www.enpointe.com