Building a WLAN? Information Security Threat Is Overblown
A variety of measures are available that can help ensure networks are kept safe, starting with a firm company policy. But WLANs are not for everyone, and nothing is entirely safe.
Editor’s note: This is the second of a three-part series about Wireless Local Area Networks. Matt Gunter, a radio frequency engineer, founded Goose Creek Technologies.Information security is probably the biggest holdup for deploying a WLAN in the enterprise. It has been the whipping boy for too long and has constantly been overblown by hardware vendors and their media pawns.
The hardware/software vendors love it because they can sell you even more hardware and software to cover up their ‘security holes’. With all the security hype that has gone on, it is time to get real and examine the problem logically. As with any information system, even a wired one, nothing is ever completely secure. There will always be a crack for any security measure that is devised. With that in mind, you have to make smart decisions on how your network will be used. You cannot keep throwing away resources to keep up with the next ‘fix’.
Before your enterprise implements a WLAN, someone needs to carefully examine which applications and what type of information will be allowed over the network. A good system integrator will help you do a feasibility study to examine how and if a WLAN will make your core practices more efficient. The answer may surprise you because WLAN is notfor everyone.
The WLAN should not be used for every computer throughout the enterprise. It has its place and purpose and is far from being a panacea of network connectivity.
Set a policy
First and foremost, your employees need to be reminded of your security policies and proper network use. A revision of you usage policy may need to be made. The human factor, not the technology factor, is you most powerful weapon in the security of a WLAN. In fact, your own employees cause most security breaches in an enterprise.
Going ahead and implementing a WLAN can actually be a good security measure. By providing the wireless connectivity your employees want, you may prevent them from bringing unauthorized wireless devices to the workplace. Employees often bring a residential grade WLAN access point to the office. This unregulated device opens your network up to crackers and rogue use. If you had a WLAN in place you would probably have noticed the new device and been able to nip that problem in the bud.
It is a good idea to have some centralized wireless network monitoring appliance. These appliances actively log all wireless traffic and can help pinpoint problems. They can even be configured to show real time alarms of intrusion detection. Because there is truly no way to prevent a break in, you will at least have a log of what was done during the attack or break-in, thus minimizing the damages. These monitoring devices can be expensive, but they will earn their keep when properly deployed and actively monitored.
By having a RF Engineer design your WLAN, you also will be getting more physical security. The RF Engineer will design your WLAN to have adequate coverage throughout your floor plan while minimizing the spillage to the outdoors. Simply put, if the coverage is not spilling into the adjacent parking lot, it is much less likely a cracker will see the wireless signal and then hack into your network.
For the most part, the security features that come default with your WLAN devices will minimize your vulnerability. For ease of installation and configuration, many people do not even bother to turn these features on in the first place. Although each of these features can be cracked, turning them on will usually discourage a cracker from invading your WLAN. The cracker will probably not waste time on your system and move on to a more vulnerable target.
Using a wired equivalent privacy (WEP) key is still a very effective measure to encrypt the data traveling over the WLAN. A while back there was a fuss that the WEP key could be broken. Although this is true, breaking the WEP key is not an easy task. At least 500 megabytes to several gigabytes of data would have to be collected to crack the key. Before 2001 this was easier when ‘Weak IV’ frames were broadcasted, but now those frames are not broadcasted in most new WLAN firmware releases. Another encryption method available is Wi-Fi Protected Access (WPA), which is intended to be a stronger encryption replacement for WEP.
Another effective method is MAC address filtering. This authentication method allows only the MAC addresses of the wireless devices you specify to gain access to the WLAN. A cracker can gain access by ‘spoofing’ a MAC address, but that requires a little bit of effort. MAC authentication only provides access security for the hardware being used and not the user’s identity.
Each WLAN access point has an SSID, which is a name identifying itself. As a general rule, don’t name the SSID to something specific, like ‘Accounting’. Give it a silly name so as not to reveal where the access point is operating. Contrary to popular belief, hiding the SSID name is pointless and is a waste of system performance. It is easily found by sniffing data frames.
There are plenty of other security methods that can be implemented on a WLAN such as 802.1x, RADIUS, and some proprietary schemes. Again, with any security enhancement, there will always be someone who can break it, so you have to find that happy medium where you are comfortable enough with your information security yet you have not wasted enormous sums of money or reduced user efficiency. This is why you should do a thorough analysis of what applications you will use over the WLAN before it is implemented.
As a final note on security, in this standards-based age of networking, do not get trapped with a proprietary vendor-specific security solution. It might not migrate well into the future.
Part Three: WLAN Performance.
Part One of series: www.localtechwire.com/article.cfm?u=9124
LTW interview with Matt Gunter: www.localtechwire.com/article.cfm?u=9106
Goose Creek: www.goosecreekcom.com