Wireless Networks at Risk

Why is this so easy? Several reasons. First, corporations haven't paid much attention to securing their wireless networks, either because users outside the IT department have installed them or because the IT department is unaware of how insecure they really are. Second, most wireless networks bypass firewalls and other checks and balances that are placed at the edge of the wired networks, allowing intruders easy access to file servers and other corporate data. Third, most wireless access points don't enable encryption by default. While all products include techniques that make it harder for drive-by hackers to gain entry, most corporations don't bother to turn on these features when they install wireless networks inside their buildings. Finally, even when encryption is running, a determined hacker can easily break it, as there have been several reported cases of vulnerabilities with the weak wireless encryption protocol called wired equivalent privacy (WEP).

The data is alarming. Dan Park, wireless product manager for Intermec Technologies, based in the Seattle area, estimates that less than one-fourth of his customers are using encryption. "We do not have a substantial base of clients who have taken wireless security seriously," adds Norbert Sluzewski, president of New York-based DataVox Technologies. Both companies are wireless integrators with a wide variety of experience in setting up corporate networks, big and small.

"We did a survey of our customers and found that of more than 250 access points in the metro Detroit region, less than 16 percent had turned on encryption, and more than 50 percent hadn't even changed the default parameters of their access points," says Caston Thomas of Interworks Technology, a wireless VAR based in Auburn Hills, Mich.

All this presents plenty of opportunity for drive-by hackers to practice what is called "war driving." Anyone can just pull into your parking lot or sit at a coffee bar across the street from your office building and gain access to your corporate network. All it takes is a laptop with a wireless network card and some software from NetStumbler.com that can display the ID of your wireless access points that are in range. While some war drivers make use of higher-gain antennas and other specialized equipment, others just use the standard PC card wireless network adapters and a Windows laptop.

NetStumbler can let the user know several things: whether the access point has encryption turned on, what its media access control address is, the name of the network or vendor, and signal strength and other parameters. What it won't tell you is the packet stream coming from that access point,but that is easily accomplished with other "sniffing" tools you can also load on a laptop. And such tools aren't all that hard to use.

"Wireless security is like the early days of backup where people talked about it but didn't do it until the first disaster struck," says independent industry consultant Bobby Orbach. "They have to see the downside before they implement it."

The problem is compounded by two factors. First is Windows XP. "Windows XP is the first Microsoft OS that is wireless-aware and the first to implement 802.1x as part of its security solution," Intermec's Park says. That makes it both easier to implement wireless networks with XP, and it also creates more opportunities for XP users to break into networks they aren't authorized to access.

A second issue is securing the actual applications themselves across the wireless network. "For instance, many companies have data-collection and shop-floor handhelds on wireless networks," says Interworks Thomas. Those more often than not are connected to Unix/Linux hosts or log in to a database server directly and never see any Windows file servers. Thus, the business applications are what become the vulnerability point, not the network OS."

Tracking down what is needed to secure those applications can be difficult unless a VAR has specialized knowledge about the inner workings and protocols used. The problem is that wireless networks are designed to provide open access and connectivity, according to Adam Ruef, former technical director for wireless vendor MobileStar, who was part of the team behind deploying wireless networks in Starbucks and hotels across the country. "But what is needed by most enterprises is 180 degrees from providing connectivity in public spaces," he says.

Security Approaches

Given all of those challenges and how few wireless networks are properly secured, what can a VAR do? Several approaches are fairly simple to deploy and can provide huge security benefits to wireless networking customers.

First, make sure that you design in security from the beginning of any wireless network deployment. "Project management, coordination of wireless networking equipment and a complete site survey are recommended to ensure that the investment in wireless technologies meets expectations," Mobility Concepts' Loane says. That includes where the access points will be placed around a corporation's buildings. Sluzewski suggests conducting a good "air survey," making sure that the radio signals can reach places that are occupied by the corporation's employees and not extend very far into public spaces, such as common corridors, lobbies or parking lots.

Next, turn on the built-in++

encryption for the wireless access point and choose the strongest 128-bit keys possible for the product. Almost all products have a range of key strengths for encrypting their data. The larger the key, the more difficult it is to break. Ruef takes this a step further: "In addition to implementing 128-bit encryption on their networks, I recommend that corporations also reconfigure their public keys on a 90-day cycle to provide maximum protection, as much of a nuisance as that would be," he says.

In addition to encryption, change the default service set ID (SSID) on all wireless access points to something that doesn't contain the corporate name, address or anything that can easily identify the source or location of the network. NetStumbler and other tools can easily detect those SSIDs and [they can be an invitation for hackers and war drivers to penetrate the network.

Another step is to secure your wireless networks by using a combination of authentication and firewall services. Both are needed for different reasons, according to Sluzewski. "In one case, you are securing and authenticating access to wireless systems, while with the other you are securing the data content during wireless transmissions," he says.

Resellers recommend a variety of strategies for both operations, ranging from using and extending existing authentication and firewall services to wireless users to more extensive and expensive options, such as purchasing specialized appliances that can provide both from a single integrated solution. A number of these integrated solutions vendors have begun shipping products, including the BlueSocket WG-1000 Wireless Gateway, ReefEdge's Connect System and Vernier Networks' IS 5000 Integrated System.

"These integrated systems provide for access security, content encryption and wireless quality-of-service traffic shaping, including bandwidth management on a user-by-user or per-application basis," Sluzewski says.

Integrated systems offer several advantages. First, they provide for a wide range of security services, including support for several industry-standard encryption protocols, such as IPsec, PPTP and L2TP. Second, they can be more readily set up and managed because they are oriented toward wireless users rather than all general LAN users. Finally, they can be tuned for individual user's access rights, depending on the location and wireless network gear installed in each user's workstation, something that would be difficult to accomplish with general access control and VPN software.

"Yes, you could piece together equivalent functionality with other products," Thomas says. "We could do it all with just Microsoft products and drivers, but the costs in time to implement and support such a solution far exceed the cost of integrated appliances such as BlueSocket."

Regarding costs, expect to shell out $10,000 to $30,000 for these appliances. While that is many times over what wireless access points and network adapters cost, the cost is on par with a corporate firewall and other enterprise-level devices.

One of the biggest challenges for any wireless network architect is supporting users who roam across the corporation's campus. Roaming users present a challenge because they need to connect to several different wireless access points and make use of different IP addresses on different subnets as they move.

Sluzewski talks about understanding the placement of access points as part of the design process. "A key requirement is for network roaming or subnet hopping," he says. Depending on where the wireless access points are attached, a wireless network can be rendered useless if users can't walk between different floors in their buildings without having to reboot their wireless laptops."

Finally, once a wireless solution is deployed, the VAR should also perform a security audit of the enterprise.

"We typically use several tools in parallel when we conduct our security audits," Sluzewski says. "We make use of Cisco's NetScanner, various Linux-based utilities and port scanners, as well as some targeted tools for the wireless networks, such as AirSnort. All of those can very effectively decode most wireless security access controls."