by Thomas Wailgum

Wireless Security – The Security Plan for Your Wireless LAN

Jun 15, 2006 · 13 mins

Oliver Tsai sees it every quarter. Fresh-faced medical students, new to Sunnybrook and Women’s College Health Sciences Centre and armed with the latest Wi-Fi-enabled laptops, see no reason why they shouldn’t be able to hop right onto Sunnybrook’s wireless network with those shiny new laptops they just bought.

The same scenario plays out with doctors and office managers and anyone else whose new gadget automatically sniffs the airwaves and picks up signals from Tsai’s wireless LAN, or WLAN. “They can see what’s available, but because of the security, they can’t access the network until the device is properly configured,” says Tsai, the director of IT at the academic health sciences center in Toronto. It’s a look-but-don’t-touch situation that can frustrate users—but, Tsai says, it’s a necessary, if temporary, frustration.

Whether they’re medical students, CEOs or cube dwellers, today’s mobile phone and BlackBerry-equipped workers are clamoring for even greater wireless access while on the job. It’s nearly certain that their company-issued laptop has a Wi-Fi chip built-in, and they see no reason to be shackled to their desks anymore.

Yet IT executives are still distrustful of wireless LANs because of perceived security nightmares such as wireless denial-of-service attacks and network breaches. “They are scared,” says Nick Selby, an enterprise security analyst at The 451 Group. A December 2005 Forrester Research report echoes Selby’s take: Security is the number-one obstacle when acquiring wireless technologies, regardless of industry.

But some of those fears may be based on old news. “Most of the security problems that have scared away early adopters have been solved,” says Selby. New authentication and encryption schemes (such as 802.1x for user access and 802.11i advanced encryption standard, or AES) are more vigorous. And vendors now offer intrusion-detection products and architectural schemes that make enterprise wireless networks just as safe as wired ones.

“Most of the things you’ll need to do [for security] will come from the vendor. It’s just a question of turning it on,” adds Selby. Last year, Gartner went so far as to say that Wi-Fi was one of the most overhyped IT security threats.

So for 2006 and beyond, here are the five security areas that will help you and your users get the most from a wireless LAN—without all the nightmares.

Start Planning

First questions first: Why do you need a WLAN? Who’s going to use it and for what purpose? And what are the necessary internal and external safeguards? By answering those questions early, CIOs can also determine just how much security their WLAN will need.

IS Director Bill Tomcsanyi’s initial plan last year was to implement a wireless network beginning in the emergency department at Torrance Memorial Medical Center. The more he looked at then-current security safeguards, the efficiencies his clinicians and administrators could realize, and the relatively low cost to install the network, the more he thought of enveloping the entire hospital and other buildings on campus, which is what he did. “[Wireless] is absolutely an integral part of our five-year information technology plan,” says Tomcsanyi. “In the end we’re providing faster patient care and eliminating all of the things that could lead to errors.”

Once CIOs have an idea of what they want, the next challenge is to quantify the capital outlay and the expected benefits—but don’t expect to produce hard numbers. “We haven’t been able to quantify why these networks are worth making the investment,” says Joel Conover, a research director with research firm Current Analysis. Instead, the benefits are mostly soft, such as increased productivity and efficiency because users can go anywhere (conference rooms, outdoor patios, the cafeteria) and tap into the network if there’s a wireless access point (AP) in range. And even without hard ROI, some CIOs find adequate value. “[Our users] can stay connected to Lotus Notes and the CRM and ERP packages, and can cleanly and easily move and stay connected consistently,” says Steve McDonald, VP of IT of Optimus Solutions, a $92 million integrator and reseller of software and hardware. McDonald has covered some 25,000 square feet of space with nine APs using 802.11b/g networking capabilities.

But Ellen Daley, principal analyst with Forrester Research, sums up the consensus of today’s WLAN deployments: “For primary data access to every network in the enterprise, [Wi-Fi] is really an additive—not a replacement [for the wired network]. And it’s an additive cost.” Payback figures from WLAN vendors are a bit rosier. On a typical installation using 802.11a, b or g, for example, Nortel claims that organizations can realize a 2 percent to 3 percent productivity improvement for users and a payback on the WLAN investment in a year’s time.

Write the Book

The industrious cube dweller or visiting contractor who plugs his wireless router into an Ethernet port probably doesn’t have evil intentions. But it’s up to you to make it clear to every user how bad such behavior can be: This rogue access point now sits behind the outward-facing protection of the firewall and can’t be detected by most intrusion-detection systems, and somebody sniffing the air with a simple, inexpensive handheld device or wireless-enabled notebook could lock on to the signal and have full access to the corporate network. “You have to define the policy for your wireless LAN: when people can use it, the restrictions on use, or guest-access use for consultants and partners,” says Daley.

CIOs cannot overestimate the amount of user education needed for a wireless LAN policy. Users don’t need to know how to tell a MAC address from an SSID, but they do need to know right from wrong. For example, they need to know about being tricked into accessing a wrong (and potentially malicious) access point that doesn’t belong to their organization. “It really requires that awareness of a new set of risks that this freedom permits,” Selby says.

Next, CIOs all agree that any new wireless policy must dovetail with the existing wired policy. “You have to follow the same rules of the road for wireless that we follow in the wired environment,” says Bryon Fessler, CIO and VP of IS for the University of Portland in Oregon. Since last year, Fessler has rolled out 50 access points in three buildings on campus, with plans for at least 25 more in the future. He takes every opportunity (face-to-face discussions, e-mails and other get-togethers) to ensure that the 4,500 students, faculty and university members understand the reasons behind his wireless LAN policies—why, for example, student laptops have to be quarantined, inspected for viruses and credentialed before they can connect to the WLAN.

Always Authenticate

Where wireless education ends, authentication and encryption technologies step in as the enforcers of policy—they’re the teeth when all the talking stops.

Authentication is one of CIOs’ first lines of defense. Boiled down, it is the ability to ensure that the client (laptop or other device) asking to latch on to the network signal is both what it claims to be and has been given permission to use the WLAN.

Right now, the 802.1x standard for port-based authentication, which originated in the wired networking world and has been retrofitted for WLANs because of the deficiencies of the wired equivalency protocol (WEP), is one of the top tools for credentialing users. The protocol behind 802.1x is called EAP, for extensible authentication protocol, and it uses encrypted tunnels to exchange information (user names and passwords) between device and network. According to WLAN vendor Aruba, although an intruder can monitor the exchange over the air, data inside the encrypted tunnel cannot be intercepted. Because EAP is used on wired networks, it’s attractive to CIOs pushing a unified network strategy. Its mutual authentication ability gives users the added protection that the network they’re seeing is actually legit—and not a hacker’s fake access point (referred to as an “evil twin”). Client-based software from vendors such as AirDefense and AirMagnet can help as well.

Tsai of Sunnybrook and Women’s uses protected EAP for his authentication to access the corporate wireless data network. Since he’s a Microsoft shop on the systems side, Tsai is able to take advantage of the controls in Windows XP, which supports EAP.

Another authentication scheme that bridges the wired and wireless worlds is called NAC, or network admission control. This Cisco-led initiative is a network-based policy that ensures that devices looking to hop onto a WLAN are both trusted and free of worms, viruses and spyware. At the University of Portland, Fessler uses NAC to quarantine new devices, run diagnostics and then allow users onto both the wired and wireless LAN; his system also uses an Active Directory database to verify users in the system and grant them access to an ERP system or student database, for example. “It applies the trust-and-verify” line of thinking, he says, that works very well in an open university environment, where students have a notion of many technological freedoms.

Encrypt Well

Authentication and encryption go hand-in-hand, and in March, both received a much-needed boost when the Wi-Fi Alliance announced that WPA2—the strongest encryption specification for 802.11—was now mandatory on all Wi-Fi products. WPA2 stands for Wi-Fi Protected Access 2 and is the long-awaited successor to WPA (which itself supplanted the earlier WEP standard). “WPA has some questions, but WPA2 is pretty darn good,” says The 451 Group’s Selby.

Whereas authentication is about ensuring mutual trust between device and network, encryption is about making sure the connection and data transfer is safe, “so that someone with malice couldn’t start looking at the packets,” says Tomcsanyi. Laptops and access points with WPA2 inside use the advanced encryption standard to provide the top level of security.

If CIOs want to dive deep into the technical schematics of WLANs and access points, they certainly can. But thanks to the maturing vendor technologies, the encryption plan is fairly straightforward: Just turn WPA2 on. “It sounds like a very complex situation, but it’s not,” says Optimus Solutions’ McDonald.

Of course, the base elements of authentication and encryption require industrial-strength user names and passwords—ones that attackers cannot easily guess (such as eight or more characters and a mix of alphanumeric and other characters). That concept should “almost go without saying” in this day and age, but according to Daley, “you’d be surprised at how many companies don’t do that.” That sentiment is backed up by security vendor Kaspersky Labs, which estimates that about 70 percent of Wi-Fi networks do not use any type of data encryption.

Sniff Out Bad Guys

A significant security mindshift during the past several years has been the change from a defensive WLAN posture to one that is more offensive. CIOs shouldn’t sit back and wait to be attacked; new technologies can detect, locate and shut down attacks before they do damage. “It’s critical that enterprise environments have the tools that allow them to police their own networks,” Tsai says.

And for those CIOs who still say no to WLANs, they’d better make certain that’s really the case by monitoring their airwaves. “It’s strange: Let’s deploy Wi-Fi sensors in an environment where you have not deployed Wi-Fi,” says The 451 Group’s Selby. “But having a way to search for rogue networks is a must.”

Sunnybrook and Women’s Tsai has spread out 300 APs over three distinct campus environments in the Toronto area—two urban and one suburban campus. He uses an AP detection-scanning technology that’s built into Symbol’s WLAN products, and his experience verifies the notion that dense, urban areas are much more dangerous than suburban locales. “There’s a significant number of rogue detections in the hospitals downtown surrounded by offices and apartments,” Tsai says. At the suburban campus, “we pick up very few.”

While intrusion-detection systems, or IDSs, aren’t all that new, it’s the new prevention part of the IDS equation that is helping to cut off threats before they can manifest. At Torrance Memorial Medical Center, Tomcsanyi has a detection system in place and is rolling out a new prevention element by the third quarter of this year. “This takes more of a proactive approach,” he says. Using new technology from vendors such as Aruba, the access points act as both radio frequency connectors and wireless sensors for intrusion prevention, which can save on costs from having to install both the APs and a separate IDS. (Tomcsanyi, however, says he plans to continue using multiple security systems—such as a new intrusion-prevention system from Cisco to be installed later this year—in concert with each other.)

“Anyone who doesn’t monitor their WLAN is looking for future problems,” says Fessler, who uses a detection and prevention product from AirSpace (which was recently acquired by Cisco) inside his Cisco infrastructure. “At a centralized level, we can see the rogues and shut them off.”
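The rogue sweep described in this section comes down to comparing what sensors hear against an inventory of sanctioned access points. The sketch below is an added example, not code from the article or from any vendor named in it; the SSIDs, BSSIDs, signal threshold and scan records are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed inventory of sanctioned access points: BSSID -> expected SSID.
AUTHORIZED = {
    "00:11:22:33:44:01": "CORP-WLAN",
    "00:11:22:33:44:02": "CORP-WLAN",
    "00:11:22:33:44:10": "GUEST",
}
SECURE_SSIDS = {"CORP-WLAN"}  # SSIDs that must run WPA2; GUEST is open by design
ONSITE_RSSI_DBM = -65         # assumed cut-off: stronger signals are probably on site

@dataclass(frozen=True)
class Observation:
    bssid: str
    ssid: str
    encryption: str  # "WPA2", "WPA", "WEP" or "OPEN"
    rssi_dbm: int

def classify(obs: Observation) -> str:
    expected = AUTHORIZED.get(obs.bssid.lower())
    if expected is not None:
        if obs.ssid != expected:
            return "misconfigured"
        if obs.ssid in SECURE_SSIDS and obs.encryption != "WPA2":
            return "misconfigured"
        return "authorized"
    if obs.ssid in AUTHORIZED.values():
        # Unknown radio advertising one of our network names.
        return "evil_twin_suspect"
    if obs.rssi_dbm >= ONSITE_RSSI_DBM:
        return "rogue_suspect"  # unknown name, strong signal: likely in the building
    return "neighbor"  # weak, unrelated signal, e.g. nearby offices or apartments

def audit(observations):
    """Group observed BSSIDs by finding so on-site suspects can be chased first."""
    findings = {}
    for obs in observations:
        findings.setdefault(classify(obs), []).append(obs.bssid.lower())
    return findings

# Constructed scan records, not real captures.
SAMPLE_SCAN = [
    Observation("00:11:22:33:44:01", "CORP-WLAN", "WPA2", -48),
    Observation("00:11:22:33:44:02", "CORP-WLAN", "WEP", -55),
    Observation("00:11:22:33:44:10", "GUEST", "OPEN", -60),
    Observation("02:AA:BB:CC:DD:01", "CORP-WLAN", "OPEN", -50),
    Observation("02:aa:bb:cc:dd:02", "linksys", "OPEN", -52),
    Observation("02:aa:bb:cc:dd:03", "CoffeeShop", "WPA2", -82),
]
```

Calling `audit(SAMPLE_SCAN)` separates the weak neighbouring networks that dominate a dense urban site from the on-site suspects that need a visit, and it also flags a sanctioned AP that has fallen back to WEP.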

Segregate Traffic

Though it may seem like an insane idea to some security-minded CIOs, many IT execs are opening their wireless networks to the public: guests and business partners who want to surf the Web and check e-mail while in the buildings. Tomcsanyi says that his ability to give patients and other visitors wireless access is a valuable asset in the health-care field.

Torrance Memorial Medical Center has 211 APs throughout its five-building campus that provide 100 percent wireless coverage, Tomcsanyi says. He is able to offer public Wi-Fi because he has the ability to segregate traffic within the network architecture. There’s an open network just for patients and guests, and a secure corporate network that provides the encrypted connections for employees. The two networks stay separate, he says.

According to Cisco, a wireless guest network is an easy way to allow access while eliminating the need for IT personnel to authorize each user. Guest networks use an open security method segregated on a specific SSID (a unique name for each WLAN) that routes traffic to a network that accesses the public Internet only. Tomcsanyi cites increased patient satisfaction levels because of the WLAN access.

While wireless networking has come far in a short time, CIOs now need to realize that the security mechanisms have finally caught up with much of wireless’s blistering hype. “It used to be that you’re going to have to sacrifice some security policies and procedures because you want to have that wireless connectivity,” Fessler says. “Now I’m not having to sacrifice that.”