Is the teenager in the car park with the laptop and the empty Pringles tin: (a) addicted to snack foods; (b) strange but probably harmless; or (c) a real threat to the security of your corporate data?
Think (c), if you want to protect your network. A Pringles tin is a tool chosen by hackers to boost the WiFi antennae on a laptop or handheld computer.
Some may only want a free ride on someone’s bandwidth – so-called ‘war driving’ – but others may have more sinister intentions. And businesses often make it all too easy for others to gain access to their networks.
“The transmitters for wireless networks have a range of about 100 yards, so they can easily reach outside a building,” cautions Graham Titterington, principal analyst at research house Ovum. “Hacking is so commonplace and we have seen surveys saying that as many as 70% of institutions in some large cities have open wireless LANs [local area networks].”
According to Titterington, unscrambling data carried over a wireless network is well within the capabilities of most hackers, should they want to do it. Instructions are readily available on the web. But this ease of intrusion is hampering adoption of wireless communications in the business community.
Businesses want to move to wireless networking for greater flexibility and productivity both on their premises and for staff on the road. Applications for wireless networking range from sales force, maintenance and engineering automation, to warehouse and production data collection, telemetry security, and remote working.
“The driver is remote workforce efficiency,” says Andy Thompson, security specialist within the IT infrastructure division at Cap Gemini Ernst & Young (CGEY), the consultancy group. “Extending the network through wireless is relevant to anyone with a mobile workforce.”
Within the office, adding wireless connections in conference rooms, reception areas and canteens adds to productivity by giving staff access to data when and where they need it.
Some companies have even moved away from wired connections altogether. At IBM’s microprocessor manufacturing plant in Fishkill, New York, there are no wired network connections on the production floor. Instead, staff use the wireless network and laptops to communicate with their peers and call for assistance. “A major concern is ensuring security from unwanted communications within the facility,” says Perry Hartswick, the facility’s senior program manager. “We established an isolation strategy by creating a security checkpoint for all communications, including wireless.”
IBM, however, does not use its wireless connections ‘out of the box’; it is the poor out-of-the-box security of the 802.11b WiFi standard that causes concern among IT security experts.
Microsoft’s chief security strategist, Steve Charney, says that the earliest versions of the WiFi standard were short on security features but the standards bodies are now “addressing this issue.” Later versions will contain better features, but for now at least WiFi has some shortcomings, he admits. “Wireless will become more secure. We just need to do a better job of securing the communications mechanism to make sure data is robustly encrypted and that authentication is also robust,” he says.
Companies deploying wireless networks face two challenges: securing data in transit, and securing the wireless access points. But security on wireless networks is a more complex proposition than security on a wired LAN.
“The real issue with wireless, especially as we go forward to mesh computing, is authenticating users on the network and protecting the confidentiality of data,” says Charney. “We are talking to large enterprise customers about the security features they need so that they can ensure robust protection as more and more people carry sensitive data on mobile devices.”
With wireless, IT technicians may not even be able to tell if someone is accessing the network without permission. “Anybody can potentially listen in and you won’t know,” says Mike Lee, security specialist at BT Global Services. “With a wired network, at least you can see who is plugged in.”
Knowledge and segregation
Fortunately, it takes just minutes to restrict access to a wireless LAN to known computers, via their MAC [media access control] addresses, although there is a management overhead in maintaining lists of authorised computers and handhelds.
Businesses might also want to segregate their wireless networks from other IT infrastructure, only allowing users back in to the corporate network over a virtual private network. “The best approach is certainly to have wireless as a separate network,” says Anders Huge, co-director of Intel’s wireless competency centre in Stockholm. “Then if hackers do break in, there is nothing they can do on the network.”
However, deploying a virtual private network (VPN) is the technique of choice to protect information, as this encrypts data in transit.
The basic 802.11b standard for WiFi supports Wired Equivalent Privacy (WEP) encryption for data in transit, but WEP keys have been cracked.
“People think that WEP is secure, but it is not,” warns Andre Lamme, wireless and security product manager at networking vendor 3Com. “We have to show them how easy it is to crack a WEP key. There is still a lot of education to be done in the market.”
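Why a WEP key on its own buys so little, as an added illustration that is not from the article or from any of the vendors quoted in it: WEP builds each frame’s RC4 key by prepending a 24-bit initialisation vector (IV) to the shared key, so a busy access point repeats an IV within a few thousand frames, and two frames sent under the same IV are encrypted with the same keystream. The shared key, the two frame bodies and the simplified frame layout (no CRC-32 integrity value) are constructed for the demonstration.

```python
import math
from typing import Optional

IV_SPACE = 2 ** 24  # WEP prepends a 24-bit per-frame IV to the shared key

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key scheduling, then `length` bytes of keystream."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def wep_encrypt(shared_key: bytes, iv: bytes, body: bytes) -> bytes:
    """Simplified WEP frame: clear IV, then body XOR RC4(IV || key); CRC-32 ICV omitted."""
    ks = rc4_keystream(iv + shared_key, len(body))
    return iv + bytes(p ^ k for p, k in zip(body, ks))

def iv_collision_probability(frames: int) -> float:
    """Birthday bound: chance that `frames` random IVs contain at least one repeat."""
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * IV_SPACE))

def expected_frames_to_first_repeat() -> int:
    """Mean number of random IVs issued before one repeats: about sqrt(pi/2 * 2^24)."""
    return round(math.sqrt(math.pi / 2 * IV_SPACE))

def leaked_plaintext_xor(frame_a: bytes, frame_b: bytes) -> Optional[bytes]:
    """Same IV means same keystream: XOR of the two bodies cancels it and exposes
    body_a XOR body_b, which is why WEP gives no real confidentiality on its own."""
    if frame_a[:3] != frame_b[:3]:
        return None  # different IVs, different keystreams: nothing cancels
    return bytes(a ^ b for a, b in zip(frame_a[3:], frame_b[3:]))

if __name__ == "__main__":
    key = b"\x13\x37\xab\xcd\xef"  # constructed 40-bit shared key
    iv = b"\x00\x00\x01"           # the same IV reused on two frames
    f1 = wep_encrypt(key, iv, b"GET /payroll.csv")
    f2 = wep_encrypt(key, iv, b"GET /index.html ")
    print("frames until first IV repeat (mean):", expected_frames_to_first_repeat())
    print("P(repeat) after 10,000 frames:", round(iv_collision_probability(10_000), 3))
    print("leaked XOR of the two bodies:", leaked_plaintext_xor(f1, f2).hex())
```

The numbers are the point for a defender: a 24-bit IV space is exhausted on the order of hours on a busy LAN, which is why the article’s advice is to treat WEP as no protection and tunnel traffic over a VPN instead.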
A new, more secure standard (802.11i), based around the internationally accepted Advanced Encryption Standard (AES), is in the wings, awaiting ratification by the IEEE standards body. Some manufacturers, such as Cisco and 3Com, are already selling wireless hardware with support for AES.
The hope is that a simple firmware or software upgrade will be enough to make this newer hardware 802.11i compatible, but until then CGEY’s Thompson advises businesses to choose vendors that support open standards, and to scrutinise their product road map with care. “The standards are in flux, so you have to make sure you choose a manufacturer with a product road map you understand,” he says.
Businesses that opt for a VPN, however, will be less concerned about wireless standards, as VPNs do not depend on the choice of wireless hardware or network. This brings another advantage: mobile workers can use the same client software at home, on the road or on a device running on GPRS.
At BT, employees use a VPN to connect to wireless LAN access points as well as from home and over mobile connections. Security is reinforced by BT’s use of secure token identification for its staff, making password theft almost impossible.
“Security over wireless is just a question of how long it takes, how much it costs and, sometimes, the power of the user’s device,” says BT’s Mike Lee.
But the power issue is the Achilles heel of the VPN approach to wireless security.
VPN software brings a performance penalty. The 802.11b WiFi standard, with a nominal 11Mbit/s speed but a real-world throughput that can be as little as half that, is often sluggish with a VPN connection on top. Newer, faster standards such as 802.11g, with speeds up to 54Mbit/s, will help.
But faster wireless networks will do less to help users of lower-powered devices such as PDAs or smart phones. Not all of these machines have the capacity to run VPN software; if they do, performance may be unacceptably slow.
Pocket PC-based handhelds are easiest to secure, as there is a wider range of VPN software available. They may have the power to run SSL [secure sockets layer] VPNs, which use the secure connection functions of the web browser. Securing a Palm OS computer, a Symbian-based phone or even a phone using the Windows phone operating system is harder, because of still-emerging software standards and low storage and processing capabilities.
Nonetheless, securing these lower-end devices is critical if they are not to become another weak link in the security chain. It is not just about securing data moving between a handheld or cellphone and the network; cellular networks, such as GSM, are in fact inherently secure. But protecting information stored in the device itself is critical, if lost or stolen devices are not to become a security threat.
“It is possible to protect data on most devices, but the advice has to be that if you have sensitive data and a device you cannot secure, you do not use that device,” says BT’s Lee.