A sense of security

Is the teenager in the car park with the laptop and the empty Pringles tin: (a) addicted to snack foods; (b) strange but probably harmless; or (c) a real threat to the security of your corporate data?

Think (c), if you want to protect your network. A Pringles tin is a tool chosen by hackers to boost the WiFi antennae on a laptop or handheld computer.


In practice: Vodafone UK

As a mobile network operator, Vodafone UK has hundreds of staff in the field at any one time. But the company’s mobile working strategy extends beyond simply engineering and sales personnel. Mobile working techniques are even used on site at Vodafone’s UK campus in Newbury, Berkshire.

GPRS (general packet radio services) is the most common way for Vodafone staff to access the company network on the move but, according to Lee Power, networks and information security manager at Vodafone UK, there is also demand for WiFi connections and broadband access from home.

“We use a number of security techniques, depending on the user’s circumstances and the hardware they have access to,” he says. “Our policy is also based around the type of information they handle. It is inappropriate for someone dealing with sensitive data to use a device that cannot be [adequately] secured, such as a PDA.”

The cornerstone of Vodafone’s set-up is virtual private network (VPN) access over GPRS. Access to corporate email is secured by using RSA’s SecureID tokens. This, Power says, works well in a relatively low bandwidth environment.

For employees with access to broadband connections, mostly when working from home, Vodafone has a suite of security applications, based around digital certificates. This provides high levels of security and is also easy to use but, Power says, is less appropriate to low-power devices such as PDAs. Instead, Vodafone has a small security client based around Microsoft’s ActiveSync technology.

When it comes to WiFi, Vodafone UK operates two policies: one for on-campus access, and one for WiFi users on the road. “We have specific minimum levels of security for access points, including acceptable MAC [media access control] addresses and dynamic key rotation [for encryption].” For users on the move, the trusted VPN is the key once again, so that data is secure across the whole network.

And Power says that demand for remote access continues to grow. “Even 12 months ago it would have been quite unusual for staff outside sales and distribution to want to work from home or access the network remotely. But we are seeing some very pronounced changes in the way people operate.”



Some may only want a free ride on someone’s bandwidth – so-called ‘war driving’ – but others may have more sinister intentions. And businesses often make it all too easy for others to gain access to their networks.

“The transmitters for wireless networks have a range of about 100 yards, so they can easily reach outside a building,” cautions Graham Titterington, principal analyst at research house Ovum. “Hacking is so commonplace and we have seen surveys saying that as many as 70% of institutions in some large cities have open wireless LANs [local area networks].”

According to Titterington, unscrambling data carried over a wireless network is well within the capabilities of most hackers, should they want to do it. Instructions are readily available on the web. But this ease of intrusion is hampering adoption of wireless communications in the business community.

Remote efficiency

Businesses want to move to wireless networking for greater flexibility and productivity both on their premises and for staff on the road. Applications for wireless networking range from sales force, maintenance and engineering automation, to warehouse and production data collection, telemetry security, and remote working.

“The driver is remote workforce efficiency,” says Andy Thompson, security specialist within the IT infrastructure division at Cap Gemini Ernst &Young (CGEY), the consultancy group. “Extending the network through wireless is relevant to anyone with a mobile workforce.”

Within the office, adding wireless connections in conference rooms, reception areas and canteens adds to productivity by giving staff access to data when and where they need it.

Some companies have even moved away from wired connections altogether. At IBM’s microprocessor manufacturing plant in Fishkills, New York, there are no wired network connections on the production floor. Instead, staff use the wireless network and laptops to communicate with their peers and call for assistance. “A major concern is ensuring security from unwanted communications within the facility,” says Perry Hartswick, the facility’s senior program manager. “We established an isolation strategy by creating a security checkpoint for all communications, including wireless.”

IBM, however, does not use its wireless connections ‘out of the box’; it is the poor out of the box security of the 802.11b WiFi standard that causes concern among IT security experts.

Microsoft’s chief security strategist, Steve Charney, says that the earliest versions of the WiFi standard were short on security features but the standards bodies are now “addressing this issue.” Later versions will contain better features, but for now at least WiFi has some shortcomings, he admits. “Wireless will become more secure. We just need to do a better job of securing the communications mechanism to make sure data is robustly encrypted and that authentication is also robust,” he says.

Companies deploying wireless networks face two challenges: securing data in transit, and securing the wireless access points. But security on wireless networks is a more complex proposition than security on a wired LAN.

“The real issue with wireless, especially as we go forward to mesh computing, is authenticating users on the network and protecting the confidentiality of data,” says Charney. “We are talking to large enterprise customers about the security features they need so that they can ensure robust protection as more and more people carry sensitive data on mobile devices.”

With wireless, IT technicians may not even be able to tell if someone is accessing the network without permission. “Anybody can potentially listen in and you won’t know,” says Mike Lee, security specialist at BT Global Services. “With a wired network, at least you can see who is plugged in.”

Knowledge and segregation

Fortunately it takes just minutes to restrict access to a wireless LAN to known computers, via their MAC [media access control] addresses, although there is a management overhead in maintaining lists of authorised computers and handhelds.

Businesses might also want to segregate their wireless networks from other IT infrastructure, only allowing users back in to the corporate network over a virtual private network. “The best approach is certainly to have wireless as a separate network,” says Anders Huge, co-director of Intel’s wireless competency centre in Stockholm. “Then if hackers do break in, there is nothing they can do on the network.”

However, deploying a virtual private network (VPN) is the technique of choice to protect information, as this encrypts data in transit.

The basic 802.11b standard for WiFi supports Wireless Encryption Protocol (WEP) for data in transit, but security keys for WEP have been hacked.

“People think that WEP is secure, but it is not,” warns Andre Lamme, wireless and security product manager at networking vendor 3Com. “We have to show them how easy it is to crack a WEP key. There is still a lot of education to be done in the market.”

A new, more secure standard (802.11i), based around the internationally-accepted Advanced Encryption Standard (AES), is in the wings, awaiting ratification by the IEEE standards body. Some manufacturers, such as Cisco and 3Com, are already selling wireless hardware with support for AES.

The hope is that a simple firmware or software upgrade will be enough to make this newer hardware 802.11i compatible, but until then CGEY’s Thompson advises businesses to


Best practices for securing wireless LANs

  • Change the default wireless network IDs (SSIDs) immediately after installing access points, disable automatic SSID broadcasting, and change SSIDs regularly, if possible.

  • Enable (but don’t depend only on) the WEP (wired equivalent privacy) protocol on your 802.11b system. Give it your own WEP key instead of the default, and set up WEP keys to generate by session or by user.

  • Authenticate wireless users by employing the same Radius (remote authentication dial-in user service) servers you used to authenticate remote users.

  • Install virtual private networking (VPN) for a secure end-to-end tunnel between user and network.

  • Combine wireless and wired security policies to simplify implementation and maintenance (such as assigning an employee the same user ID and password for access to the WLAN or LAN).

  • Pay attention to the product feature details of the 802.11b equipment you choose for your WLAN. Security capabilities may vary, even if a device carries the WiFi label.

  • Regularly scan your WLAN for rogue networks set up by non-technical staff, and establish formal policies for approved installations.

    Source: Intel



    choose vendors that support open standards, and to scrutinise their product road map with care. “The standards are in flux, so you have to make sure you choose a manufacturer with a product road map you understand,” he says.

    Businesses that opt for a VPN, however, will be less concerned about wireless standards, as VPNs do not depend on the choice of wireless hardware or network. This brings another advantage: mobile workers can use the same client software at home, on the road or on a device running on GPRS.

    At BT, employees use a VPN to connect to wireless LAN access points as well as from home and over mobile connections. Security is reinforced by BT’s use of secure token identification for its staff, making password theft almost impossible.

    “Security over wireless is just a question of how long it takes, how much it costs and, sometimes, the power of the user’s device,” says Mike Lee, security specialist at BT Global Services.

    Virtual security

    But the power issue is the Achilles heel of the VPN approach to wireless security.

    VPN software brings a performance penalty. The 802.11b WiFi standard, with a nominal 11Mbit/s speed but a real world speed that can be just as half as fast, is often sluggish with a VPN connection on top. Newer, faster standards such as 802.11g, with speeds up to 54Mbit/s, will help.

    But faster wireless networks will do less to help users of lower-powered devices such as PDAs or smart phones. Not all of these machines have the capacity to run VPN software; if they do, performance may be unacceptably slow.

    Pocket PC-based handhelds are easiest to secure, as there is a wider range of VPN software available. They may have the power to run SSL [secure sockets layer] VPNs, which use the secure connection functions of the web browser. Securing a Palm OS computer, a Symbian-based phone or even a phone using the Windows phone operating system is harder, because of still-emerging software standards and low storage and processing capabilities.

    Nonetheless, securing these lower-end devices is critical if they are not to become another weak link in the security chain. It is not just about securing data moving between a handheld or cellphone and the network; cellular networks, such as GSM, are in fact inherently secure. But protecting information stored in the device itself is critical, if lost or stolen devices are not to become a security threat.

    “It is possible to protect data on most devices, but the advice has to be that if you have sensitive data and a device you cannot secure, you do not use that device,” says BT’s Lee.

    Avatar photo

    Ben Rossi

    Ben was Vitesse Media's editorial director, leading content creation and editorial strategy across all Vitesse products, including its market-leading B2B and consumer magazines, websites, research and...

    Related Topics