'

Advice on wireless security policy

One of our readers who works in an American Government State agency named Dawn asks about the relationship between SSL and Wireless LAN security.

One of our readers named Dawn works in a State government agency and asks the following question:

Hello, I am working on a project that is having some debate on developing a usage policy for wireless Internet usage.  We are in the process of implementing a web app that collects sensitive and confidential client information.  The application does require digital certificates for authentication and uses SSL.  My concern is that we have no way to ensure that wireless networks are appropriately secured with current encryption (WPA), SSID broadcast disabled, etc. and that allowing users to use wireless is not a wise idea with this data.

The argument I'm frequently facing is that it's still encrypted with SSL and that the method of transport (wired vs. wireless) is not the issue.  I am just not comfortable with this, and something deep in my gut tells me there is still reason to be concerned.  Can you provide me with any sources of information that can clarify this for me, or should I be satisfied that the data is adequately protected by SSL alone?  Any help would be most appreciated!

Dawn, that's a great question.  But before I answer that, I want to put to rest the myth that SSID broadcast disabled is a security feature.  I want you to strike the words "SSID broadcast disable" and "MAC filtering" from your vocabulary.  I wrote this wildly popular blog "The six dumbest ways to secure a Wireless LAN" early last year and it is still very relevant today.  Many people still believe these urban legends or that they still have some kind of deterrence value, but I put that to rest here.

Now you want to know if SSL security is good enough for sensitive data and if it negates the need for Wireless LAN security.  The truth of the matter is an SSL tunnel when implemented properly with two-way authentication is good enough to secure online banking.  If you were hosting the server to be available to the general Internet, then be exposing TCP ports 80 and 443 to the entire World Wide Web and the clients are coming from an insecure source to begin with.

I'm not sure what your fear with Wireless LANs are because they can actually be more secure than your wired network when properly implemented.  This is because your wired network properly has zero authentication and encryption requirements and anyone with physical access to the cable is on the network.  Any enterprise implementation of a Wireless LAN should use strong authentication with a minimum of PEAP or EAP-TTLS and use strong encryption with a minimum of TKIP or preferably AES.

The bottom line is that you need both SSL and Wireless LAN security for different purposes.  SSL secures your Application Server to Client communications end-to-end at the transport layer, while Wireless LAN security protects the Data Link Layer of your internal network.  The need for a secured Wireless LAN has nothing to do with whether SSL is good enough and it has everything to do with your private network's defensive perimeter.  You don't ever want foreign bodies to be able to invade your private network via your Wireless LAN and be in the soft underbelly of your network.  Conversely, having good Wireless LAN security does not negate the need for end-to-end SSL encryption even if it is on an internal LAN or WAN network because you can't assume there will never be any malicious parties at work on an internal network.