Company tackles wireless network security risks

By Edward Hurley, News Writer 15 Nov 2002 | SearchSecurity.com

Digg This!     StumbleUpon     Del.icio.us

When Charles Hudson of Wilmington Trust was asked about wireless network access, he said no.

"It's like having LAN jacks for your intranet on the sidewalk," he said at the time. Within a year, Hudson, senior security officer and infrastructure security manager for the Wilmington, Del.-based trust company, relented -- but he made sure the wireless access was secure.

FOR MORE INFORMATION: SearchSecurity.com news exclusive: "Wireless LANs are inevitable, security measures a must" SearchSecurity.com news exclusive: "Wireless insecurity: It's all in the device" SearchSecurity.com technical tip: "Appliances, standards boost WLAN security" Feedback on this story? Send your comments to News Writer Edward Hurley

Alas, not all companies are as forward thinking as Wilmington Trust. Often times, employees decide wireless access would be cool, so they go out and buy access points. "Some don't care if the company pays for it or not," Hudson said. "For $89, they'll give it a shot."

Whether security pros want to admit it or not, wireless "is here now, and they have to deal with it," said Michael Disabato, an analyst with the Midvale, Utah-based Burton Group. Security can be a primary consideration when wireless access is installed centrally. On the other hand, it's usually a retrofit for points slapped into place by employees, Disabato said.

The technology is past the toy or gadget phase. "It starts out as convenient, then it becomes critical to businesses," he said.

Employees may initially find it convenient to get network access from conference rooms without having to worry about tripping over cords. Over time, however, they begin to see how wireless access at airports and other public places helps make them more productive, Disabato said.

There are security threats posed by wireless networks ranging from nuisances to disasters. The most severe threat is someone sniffing and hijacking sensitive business or personal data in transit. Lesser risks include people using your bandwidth for free Internet access. This could eat up bandwidth but it could pose a darker issue as virus writers can use the access to anonymously send viruses out.

The risks associated with such access can't be ignored. "You can spend millions on firewalls, but a $500 [access point] can cut right through it," Disabato said.

There are ways to mitigate the risks posed from wireless access. The access points should be placed outside the firewall, and users should access them through VPNs. Wireless Encyption Protocol (WEP), though it has been cracked, should also be turned on for good measure.

A flaw in the WEP encryption algorithm makes it fairly simple to guess the encryption keys. Static keys are used so an intruder can sniff as little of 100MB of data to determine the key.

Next year, Wi-Fi Protected Access will be available. "It essentially fixes the holes in WEP," Disabato said.

Hudson has taken a pretty comprehensive approach at Wilmington Trust. He created a wireless security policy, which spells out what employees can and can't do. For example, employees must use company access points only. All access is through a VPN client and users must use password and SecurID authentication.

Lunch-time training sessions were also held to educate employees about wireless access at home. The sessions included topics such as changing default features and limiting connections to the access point. Many access points allow 50 connections by default.

To monitor for rogue points and other security problems, Hudson has a central scanner running. For remote locations, he has people walk around with scanner-enabled PDAs looking for remote points.

Additionally, Hudson installed some wireless honey pots that aren't connected to the network and can't be administered remotely. This allows the company to analyze the types of threats posed from outside.

So far, Hudson hasn't found any rogue access points. "There really isn't a need for rogue access points, as we've given them what they want," he said.

Tags: Mobile Device Security,  Managing Mobile Users,  Mobile Policies and Procedures,  Mobile Management Tools,  Mobile Technologies and Trends,  Mobile Security,  Mobile Management,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Mobile Device Security Fingerprint recognition and mobile security Traditional security threats coming soon to mobile device near you Securing your Windows Mobile devices Mobile security: Protecting your data, not just your devices Prevent mobile malware: Learn how to protect your enterprise and devices Podcast: The truth about network security and mobile device access Protecting data on your BlackBerry Going green: Recycling and energy saving tips for mobile devices -- podcast New challenges in mobile device discovery Quiz: Mobile Device Security -- Who else can hear me now? Mobile Device Security Research Managing Mobile Users Mobile device management strategy for diverse mobile devices Employees using their own mobile devices are a growing challenge Hospital chain boosts indoor cellular with distributed antenna system DiVitas adds mobile unified communications to its FMC client iPhone Help: Troubleshooting the top five enterprise problems Mobility support and strategy are finally priorities in 2008 User experience, not hardware, is the problem Latest Zenprise offering helps automate BlackBerry support Managing mobile workers Mobile worker strategies Mobile Policies and Procedures Securing corporate data on your laptops Podcast: FAQs on mobile policies Developing and instituting corporate mobile device policies Mobile security: Asserting control over mobile devices Mobile security culture starts at the top Detecting rogue mobile devices on your network Mobile security policies Defining your mobile security policy Government regulations and mobile security policies Mobile security policies: Why a policy is important

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary mobile VPN  (SearchMobileComputing.com) real-time location system (RTLS)  (SearchMobileComputing.com) screaming cell phone  (SearchMobileComputing.com) SMiShing  (SearchMobileComputing.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary