Saturday 19 Jul, 2008
Securing the Airways
Secrets to making your mobile environment safer.
Posted by : Mary E. Shacklett

Mobile and home-based workers comprise a growing percentage of the corporate workforce, making the implementation of wireless technology an important initiative for corporate IT. However, even as wireless solutions and Wi-Fi hotspots are growing in their numbers and distribution points, so are the security concerns that come with wireless technology.

Let's take a detailed look at these wireless security threats and the methods IT can use to combat them as it installs and supports wireless technology.

Wireless security in 2005

Companies are moving ahead with wireless technology. Some have formal planning strategies and projects in place, while others are adopting wireless technology informally at the end user level. In the latter case, this informal adoption can be as simple as a corporate executive purchasing a wireless PDA (personal digital assistant) or a laptop to use at home or on travel. Informal adoption of wireless technology is risky when devices are placed into operation before security is addressed.

Even with a plan, there are those in the wireless industry who maintain cautionary stances when it comes to wireless security. One industry executive recently observed that companies were using wireless technology at various levels of standard 802.11b-g. 802.11 uses WEP (Wired Equivalent Privacy), which has tried to address security shortcomings in the 802.11 standard, and newly evolving standards like WPA (Wi-Fi Protected Access) and WPA2 are even more promising and will probably replace WEP.

Nevertheless, there is still wariness when it comes to implementing wireless networks. Standards continue to evolve, and encryption and authorization algorithms can be implemented incorrectly in both software and hardware, which is where the vector for security attacks resides.

John Isaac, vice president of sales and program manager for Clare Computer Solutions, a network designer and installer, says: "Despite security risks, wireless security can be capably addressed if IT focuses on exceptional LAN security. When an individual connects with a network, whether that network is wireless or wired, there must be strong security policies and methodologies on the network."

Wireless information travels across the airways, and can be sniffed or captured by anyone monitoring those airways. To help mitigate this, sites can implement sophisticated user ID/password authentication, along with data encryption. This complicates the job of the hacker, because user IDs and passwords are harder to decipher, and without them, the hacker can't associate his device with a wireless access point.

To foil hackers, industry vendors also use data encryption algorithms (most commonly, 128-bit encryption). Most vendors additionally employ WEP, and are moving into WPA2 and other protocols for both wired and wireless networks.

"In combination, all of these security measures are there to prevent unauthorized use," says Isaac. "In addition, there are techniques like MAC level authorization, where a network card is associated with a specific device. There are pros and cons to the MAC strategy. If a laptop with a MAC identifier gets stolen, the thief has ready access to the network."

How easy is it?

Because wireless technology is being widely deployed in homes and public places, industrial-strength IT security, with regular security audits and strict security regulations, is not consistently planned for. It is no surprise that hacking into a wireless network can be easy and straightforward. Here are two examples:

Let's say you're at an airport with your laptop, and you want to connect into the office network to check e-mail. The airport has a Wi-Fi hotspot and your wireless laptop connects into the Wi-Fi access point. Anyone sitting nearby with the right set of tools can try to hack into your communications, which are even more vulnerable if you have an easily decipherable password.

Public disregard for security in a wireless setting, combined with malicious attempts at obtaining information and compromising networks, gives IT managers considering widespread wireless deployment a lot to think about.

Most experts agree there are seven major threats to wireless security. Let's look at each in turn.

* Insertion attacks: Hackers can "insert" devices on your network, and can even create new wireless networks while bypassing security. Frequently, this is accomplished by connecting a wireless client like a laptop or a PDA to an access point without security authorization. This is where a sophisticated password scheme that is hard to decipher can become invaluable as a preventive measure. Other password protection techniques include password "timeouts" if login doesn't occur within a prescribed number of seconds, and a policy and process that assures the frequent reissuance of passwords.

A second type of insertion attack is more inadvertent. This attack occurs when employees of the company have personal wireless devices that they want to connect to corporate information in order to do work from home or offsite. The move might be innocent enough, but it is still unauthorized and potentially threatening. Regular network scans for authorized devices help to keep this in check.

* Interception and unauthorized monitoring of wireless traffic: Network traffic can be monitored and intercepted across a wireless LAN. For 802.11 standard wireless networks, the attacker needs to be within 300 feet of an access point, but in practice, this distance can even be greater, depending on the device reception and transmission ranges. Wireless intrusion is easier than its wired counterpart, because all a wireless intruder needs is access to the network data stream. In contrast, a wired attack minimally requires placement of a monitoring agent on a compromised system.

Wireless and wired network intrusions operate on the same principles. The intruder uses tools that capture the first part of a connection session, which typically includes the username and password. With these, the intruder can then appear to the network as an authorized user.

Wireless intruders can also monitor network broadcasts if your wireless network access point is connected to a hub instead of a switch. This is because Ethernet hubs broadcast all data packets to the wireless access point.

A third wireless network data interception approach occurs when the intruder creates his own wireless network, and broadcasts a signal that is stronger than the corporate network's signal. Wireless clients detect the stronger signal, and unknowingly give away passwords and sensitive information.

* Jamming: Denial of service (DoS) attacks victimize both wireless and wired networks. In a wireless network scenario, any attacker with the proper equipment and tools can easily flood the 2.4GHz wireless frequency, corrupting the wireless network signal to where it ceases to function. Wireless network transmissions can also be compromised with other proximate wireless devices like cordless phones and baby monitors, since all of these devices operate in the 2.4GHz frequency band.

* Client-to-client attacks: Two wireless clients can talk to each other, bypassing the wireless access point. In these communications, attacks can occur in two major areas: file sharing and TCP/IP abuse; and denial of service, where one wireless device floods others with bogus data packets. Peer to peer attacks will potentially become a greater issue with the promulgation of more peer to peer technologies in wireless and in VoIP.

* Brute force attacks against access point passwords: Many access points use a single key or password that is shared with all wireless clients. An attacker resorts to a brute force dictionary attack, trying every imaginable password combination until he "cracks" the password of the wireless access point. Failure to frequently change access point passwords increases network vulnerability.

* Encryption attacks: WEP has had some exploitable security weaknesses, and is being enhanced by new protocols like WPA and WPA2. The same applies to Triple DES (data encryption standard) encryption, which is moving to AES (advanced encryption standard). The key is balancing a strong encryption formula against the extension in transaction time that more robust encryption creates.

* Misconfigurations: Many routers and hubs deployed as wireless access points come preset from the factory to allow for easy configuration and installation at the site. These device presets are unsecured. It is critical for IT to have security configuration of these incoming devices on an installation checklist before the devices are placed into service. For sites subject to annual security examinations and audits, access point security is one of the first items reviewed by auditors.

Playing it safe

Regardless of where your organization is on the wireless adoption spectrum, here are nine best practices for wireless security that address the most frequent security threats.

* Adopt strong user ID, password and login policies: Passwords should be used at both the wireless network access and application access points, and policies should dictate that they are changed regularly. The passwords should mix lower and upper cases and alphas and numerics.

"Don't use your dog's name, or anything else that is straightforward to decipher," says Isaac. "And try to avoid using words that can be found in a common dictionary, because hackers have software that performs dictionary attacks--the hacker software literally runs a massive dictionary against your computer to figure out the password."

Login times can also be limited to 30 seconds on both remote user devices and the validating corporate servers. This limits the window for password interception.

* Distribute authorization to wireless access on a need-to-know basis:

"A lot of small and medium-sized businesses set up security, but they trust everyone by not restricting access," says Isaac. "Another common information access strategy is to leave everything open to everyone except for accounting and HR."

An alternative strategy is to give workers access only to the information they require to perform their jobs. In a wireless scenario, this strategy also reduces corporate exposure when there is an information or access breach.

* Use security certificates: This is one more piece of software on your laptop that has to match the corresponding software on the server. It is relatively inexpensive, and it is very difficult to hack into.

* Deploy VPNs and heavy-duty data encryption: Many companies use virtual private networks to shield their network and their corporate users. They combine this with 128-bit data encryption, and some even use Triple DES or AES encryption.

* Buy security-enabling network components and make sure they're correctly configured for strong security: Some providers offer access control servers (ACS), which are built specifically for tamper-proof security authentication. Others provide routers and hubs where security levels can be set to meet the corporate security standards identified in your policies. The latter devices ship from the factory with security defaulted to a wide-open status. You can lock down your network by pre-configuring these devices for the security called for in your corporate policies before they are installed on your network.

* Constantly monitor wireless network devices and activity: Commercially available network monitoring software monitors wireless devices and networks, access points and bridges 24 hours a day for performance, availability and possible security breaches.

* Create security policies and procedures for your network and wireless technology, and have an independent party review them: Security policies and procedures are an absolute requirement for both networks and wireless technology. Because internal staff is so closely engaged with the technology, it is a good idea to either obtain some upfront consulting from an outside source when you are developing your policies and procedures, or to have an outside source periodically review the policies and procedures to ensure that there are no security holes, and that new technology developments are adequately covered in the existing set of policies and procedures.

* Have a proactive approach to disaster recovery: If someone breaks into your system and destroys or compromises data, nightly backups to tape or disc can save a lot of headaches and get the enterprise up and running again quickly. Nightly backups, regular media rotations, and offsite media storage should be integral parts of daily operations on your wireless network.
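As an added illustration of the device scanning and monitoring practices described above (not code from the article), the Python sketch below compares one wireless scan against an inventory of approved access points and flags unlisted devices, look-alike networks with a stronger signal, and weak or factory-preset settings. The inventory, SSIDs, MAC addresses and the list of factory-preset names are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str        # MAC address of the access point radio
    security: str     # "OPEN", "WEP", "WPA" or "WPA2"
    signal_dbm: int   # received signal strength; closer to 0 is stronger

# Constructed inventory: approved access points and the SSID each should announce.
AUTHORIZED = {
    "00:11:22:33:44:01": "CorpNet",
    "00:11:22:33:44:02": "CorpNet",
}
WEAK_SECURITY = {"OPEN", "WEP"}
FACTORY_SSIDS = {"default", "linksys", "netgear"}  # sample factory-preset names

def audit(beacons):
    """Return (bssid, finding) pairs for one scan, in scan order."""
    findings = []
    corp_ssids = set(AUTHORIZED.values())
    # Strongest signal seen from any approved access point in this scan.
    strongest = max((b.signal_dbm for b in beacons
                     if b.bssid.lower() in AUTHORIZED), default=None)
    for b in beacons:
        bssid = b.bssid.lower()
        if bssid in AUTHORIZED:
            # Approved hardware: check that it is still configured to policy.
            if b.ssid != AUTHORIZED[bssid]:
                findings.append((bssid, "ssid-differs-from-inventory"))
            if b.ssid.lower() in FACTORY_SSIDS:
                findings.append((bssid, "factory-preset-ssid"))
            if b.security.upper() in WEAK_SECURITY:
                findings.append((bssid, "weak-or-no-encryption"))
        elif b.ssid in corp_ssids:
            # Unknown radio announcing the corporate network name.
            findings.append((bssid, "unapproved-ap-using-corporate-ssid"))
            if strongest is not None and b.signal_dbm > strongest:
                findings.append((bssid, "stronger-than-approved-aps"))
        else:
            findings.append((bssid, "unlisted-access-point"))
    return findings

# Constructed scan results, not captured from a real network.
SAMPLE_SCAN = [
    Beacon("CorpNet", "00:11:22:33:44:01", "WPA2", -55),
    Beacon("CorpNet", "00:11:22:33:44:02", "WEP", -60),
    Beacon("CorpNet", "66:77:88:99:AA:BB", "OPEN", -40),
    Beacon("linksys", "02:00:00:00:00:10", "OPEN", -70),
]

if __name__ == "__main__":
    for bssid, finding in audit(SAMPLE_SCAN):
        print(f"{bssid}  {finding}")
```

An unlisted access point is not necessarily hostile (it may belong to a neighbor), so that finding is a prompt for review rather than an alarm.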

The cost of freedom

Wireless networks, standards and security measures are still evolving, but that's not preventing some organizations from aggressively pursuing wireless as part of their IT architecture. In many cases, the same security issues that confront wireless can also be found in wired environments. In both cases, careful planning; the development and enforcement of policies and procedures; and the adoption of the right tools and security measures create sound insulation for corporate data and communications.

Finally, wireless is unique because of its mobility as a solution, and its ability to travel in airways, where it is vulnerable to interception. However, even these unwired transmissions have to connect with access points, which in turn must connect to network resources and applications. Bullet-proofing these access points and interfaces goes a long way in securing a wireless network.

Mary E. Shacklett is president of Transworld Data, a marketing and technology practice for technology companies and organizations.

 
 
Copyright © 2001-2008 ComputerUser, Inc., All Rights Reserved