CHICAGO -- According to a top Gartner analyst, when companies are developing their wireless security strategies,...
they need to consider far more than whether to deploy Wi-Fi Protected Access (WPA) or other out-of-the-box security fixes.
Speaking at the Gartner Wireless and Mobile Summit 2004, John Pescatore, a vice president at the Stamford, Conn.-based research firm, urged businesses to consider security ramifications from the time they begin a wireless project with a site survey, to the way they manage a system once it is deployed.
Pescatore said the improved encryption that WPA offers over its predecessor, Wired Equivalent Privacy (WEP) is helpful, but there are many more factors for businesses to consider. For example, it may be easy for network managers to assume that a wireless signal radiates from an access point for the same distance in all directions -- but that is rarely the case.
Also, many believe that 802.11b signals peter out after 300 feet, but Pescatore said they often continue at very low levels for many times that distance. In fact, it is nearly inevitable that there will be some signal outside company property for a hacker to pick up on, Pescatore said.
Pescatore recommended a number of approaches to protect against unauthorized network access and the proliferation of rogue access points. After shedding VPNs for less cumbersome technology, many companies are returning to them, he said. From a security perspective, some firms are smartly beginning to view a Wi-Fi network as a kind of remote access, rather than simply an extension of the wired network, he said.
"You should treat a wireless LAN like an untrusted network outside of the firewall," Pescatore said.
However, one attendee, Fred Wittenberg, the senior network engineer at the Fox Chase Cancer Center in Philadelphia, said that users found the VPNs he deployed for use with his organization's Wi-Fi network to be cumbersome.
As a result, the organization is switching to an 802.1x standard authentication system and Cisco Systems Inc.'s wireless LAN Solutions Engine. This system uses both access points and devices to monitor the network for irregularities, such as rogue access points and unauthorized users.
Such systems help secure the network because they give a more consistent view of network activity, as opposed to other systems that use only access points to monitor radio waves, Pescatore said. He also recommended that businesses set up separate intrusion-detection systems and that IT security professionals walk through the Wi-Fi-enabled areas with a laptop that can sniff the airwaves to search out irregularities at least once a quarter.
Policies have also been an effective means of curbing rogue access points. Leonard Hermens, an attendee and manager of information systems security for Potlatch Corp., a Lewiston, Idaho, paper products company, said that his company had problems with rogue access points for a number of years before it officially deployed a wireless network.
Today, the company has stringent policies when it comes to rogue access points. Employees who install an access point -- or who are even aware of one and fail to report it -- will face disciplinary action, he said. That has helped curb the problem, Hermens said.
As much of a problem as rogue access points are, neighboring external wireless networks can be a concern as well, Pescatore said. With the growing popularity of corporate Wi-Fi networks, they are likely to begin intruding on one another.
Windows XP, for example, is configured by default to log into the first network it finds. That means that an employee may be logging his computer onto another company's unsecured network, rather than his own firm's network. Businesses need to make sure that laptops are properly configured to find the correct wireless connection, Pescatore said.
Even though wireless network security is more complicated than it once was, it is finally at the point where many companies are willing to trust it. The Fox Chase Cancer Center is expanding its network from 20 to 200 access points.
Hermens said Potlatch sat on the Wi-Fi fence for two years. But now, he said, the organization feels confident that it is not taking any unnecessary risk by deploying Wi-Fi.
"I feel good about where we're heading," Hermens said.