WLAN: Cheap, Cool and Dangerous
The tools that hackers or curious interlopers use to look for WLAN traffic can help with defense as well. By using tools such as NetStumbler, a Windows utility, or IBM’s Wireless Security Auditor, CIOs can find out whether there are any rogue wireless LANs at the office.
They might be surprised, says Meta Group Senior Research Analyst Chris Kozup in Burlingame, Calif. "I’ve had customers who’ve done this, and one CIO found 27 rogue access points. That’s just one example," he says. And that’s just access points, each of which typically has 10 users.
Not only can an audit for WLANs help locate rogue installations, it can determine how far the WLAN signal is transmitting. Into the hallways? Out in the parking lot? Down the street? If the signal is stronger than it needs to be, the amplification level often can be turned down, or the device can at least be placed away from a window (which doesn’t block a wireless signal as well as a wall).
Beyond that, CIOs have five main options in deciding what to do about these WLANs, depending on the sensitivity of the data and how the wireless devices are used.
Make the best of what’s there.
Even though the security built into 802.11b devices is flawed, it’s better than nothing. Simply enabling WEP can go a long way toward improving security. Companies that are relying on WEP for keeping out snoopers will also need strict policies to make sure the key gets changed daily, at the minimum.
A couple of other built-in features can help with authentication too. One is the media access control (MAC) address. This is a unique address written into the firmware of a network card. An administrator can configure the network so that only certain MAC addresses can log on. (The weak link? A hacker can watch the airwaves for a successful log-on, change his own MAC address on his computer or laptop and then gain network access.) The second is the service set identifier (SSID), an alphanumeric ID hard-coded into a wireless device. If the client doesn’t have the same SSID as the server, access is denied. Most users leave the SSID at its default settings, which can be looked up online, so administrators should be sure to change the default.
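As an added illustration (not part of the original article, and not the output format of NetStumbler or any other tool), the sketch below runs the checks described above over a walk-around survey: access points missing from the inventory, default SSIDs, WEP switched off, and signal reaching places it shouldn't. The inventory, the CSV layout, the short default-SSID list and the -75 dBm threshold are all constructed assumptions.

```python
import csv
import io

# Constructed inventory of sanctioned access points (BSSID -> SSID).
# A MAC address can be spoofed, so a match here is a hint, not proof.
AUTHORIZED = {
    "00:11:22:33:44:01": "corp-floor1",
    "00:11:22:33:44:02": "corp-floor2",
}

# Illustrative vendor-default SSIDs; extend from your own vendors' manuals.
DEFAULT_SSIDS = {"linksys", "default", "tsunami", "netgear"}

# Constructed survey: one row per access point heard at each location.
# The column layout is hypothetical.
SURVEY_CSV = """bssid,ssid,wep,location,signal_dbm
00:11:22:33:44:01,corp-floor1,on,office,-48
00:11:22:33:44:01,corp-floor1,on,parking_lot,-71
00:11:22:33:44:02,corp-floor2,off,office,-55
00:AA:BB:CC:DD:10,linksys,off,office,-60
00:AA:BB:CC:DD:11,marketing,on,hallway,-66
"""

INSIDE = {"office", "hallway"}  # locations where coverage is intended
LEAK_DBM = -75                  # assumed: stronger than this is usable signal


def audit(survey_text):
    """Return a sorted list of (bssid, finding) tuples for the survey."""
    findings = set()
    for row in csv.DictReader(io.StringIO(survey_text)):
        bssid = row["bssid"].upper()
        if bssid not in AUTHORIZED:
            findings.add((bssid, "rogue: not in inventory"))
        if row["ssid"].lower() in DEFAULT_SSIDS:
            findings.add((bssid, "default SSID"))
        if row["wep"] != "on":
            findings.add((bssid, "WEP disabled"))
        outside = row["location"] not in INSIDE
        if outside and int(row["signal_dbm"]) > LEAK_DBM:
            findings.add((bssid, "signal reaches " + row["location"]))
    return sorted(findings)


if __name__ == "__main__":
    for bssid, finding in audit(SURVEY_CSV):
        print(bssid, "-", finding)
```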
Segment the WLAN from the rest of the network.
If the data passing through the wireless LAN isn’t sensitive, it may be enough to separate the traffic from the rest of the network. That can be done with firewalls, treating the wireless access point like any other router.