When Charles Hudson of Wilmington Trust was asked about wireless network access, he said no.
"It's like having LAN jacks for your intranet on the sidewalk," he said at the time. Within a year, Hudson, senior security officer and infrastructure security manager for the Wilmington, Del.-based trust company, relented -- but he made sure the wireless access was secure.
Alas, not all companies are as forward-thinking as Wilmington Trust. Oftentimes, employees decide wireless access would be cool, so they go out and buy access points. "Some don't care if the company pays for it or not," Hudson said. "For $89, they'll give it a shot."
Whether security pros want to admit it or not, wireless "is here now, and they have to deal with it," said Michael Disabato, an analyst with the Midvale, Utah-based Burton Group. Security can be a primary consideration when wireless access is installed centrally. On the other hand, it's usually a retrofit for points slapped into place by employees, Disabato said.
The technology is past the toy or gadget phase. "It starts out as convenient, then it becomes critical to businesses," he said.
Employees may initially find it convenient to get network access from conference rooms without having to worry about tripping over cords. Over time, however, they begin to see how wireless access at airports and other public places helps make them more productive, Disabato said.
Wireless networks pose security threats ranging from nuisances to disasters. The most severe threat is someone sniffing and hijacking sensitive business or personal data in transit. Lesser risks include people using your bandwidth for free Internet access. This could eat up bandwidth, but it could also pose a darker issue, as virus writers can use the access to send out viruses anonymously.
The risks associated with such access can't be ignored. "You can spend millions on firewalls, but a $500 [access point] can cut right through it," Disabato said.
There are ways to mitigate the risks posed by wireless access. The access points should be placed outside the firewall, and users should access them through VPNs. Wireless Encryption Protocol (WEP), though it has been cracked, should also be turned on for good measure.
A flaw in the WEP encryption algorithm makes it fairly simple to guess the encryption keys. Because static keys are used, an intruder can sniff as little as 100MB of data to determine the key.
Next year, Wi-Fi Protected Access will be available. "It essentially fixes the holes in WEP," Disabato said.
Hudson has taken a pretty comprehensive approach at Wilmington Trust. He created a wireless security policy, which spells out what employees can and can't do. For example, employees must use company access points only. All access is through a VPN client and users must use password and SecurID authentication.
Lunch-time training sessions were also held to educate employees about wireless access at home. The sessions included topics such as changing default features and limiting connections to the access point. Many access points allow 50 connections by default.
To monitor for rogue points and other security problems, Hudson has a central scanner running. For remote locations, he has people walk around with scanner-enabled PDAs looking for remote points.
Additionally, Hudson installed some wireless honey pots that aren't connected to the network and can't be administered remotely. This allows the company to analyze the types of threats posed from outside.
So far, Hudson hasn't found any rogue access points. "There really isn't a need for rogue access points, as we've given them what they want," he said.