...and 9 other security do's and don'ts when setting up a wireless LAN.
Most IT managers should have got their heads around the
obvious security issues thrown up by the Internet but now there's a new
challenge: wireless. Wire-free networking offers a lot of flexibility but
without proper handling there's a very real chance that company secrets can
literally disappear out of the nearest window.
WLANs are spreading fast, starting with booming sales in the consumer and
small-business sectors and now edging into even the most conservative of
enterprises. This is partly because WLAN equipment and services based on the
Wi-Fi standard are cheap and increasingly ubiquitous outside the workplace.
Research firm IDC says 55,000 new Wi-Fi hot spots, or public access points, will
be installed in the next five years in the US alone. More than half of business
notebook PCs are expected to arrive Wi-Fi-ready by the end of this year,
according to Gartner. Intel has announced it will integrate Wi-Fi into PC
chipsets, potentially turning any desktop machine into an unsecured access point.
In this climate, it is becoming ever more likely that some careless employee
will set up a wireless access point in the office, most likely without switching
on any sort of security. Far from ignoring wireless,
most UK firms are actively investigating it, with half of the respondents to a
recent survey saying they planned to invest in wireless equipment in the next 12
months. But only 21 percent said they had a strategy for deploying wireless -- a
key error. Industry analyst Gartner has noticed the same trend. "In our
conversations with enterprise clients, a big problem has been they didn't have a
strategy on WLAN," Gartner analyst Ian Keene says. "That's leaving them open to
all sorts of security breaches."
The resulting situation, to go by security experts' accounts, is more than a
little chaotic. Last autumn a wireless LAN security software vendor called
AirDefense drove around in Atlanta, Chicago and San Francisco, finding that 57
percent of the access points they stumbled across weren't using any form of data
encryption, not an atypical experience. "If you drive down a major street in a
major city like London with an AirMagnet (WLAN sniffer) turned on in your car,
you'll come across an unsecured access point three or four times in every
block," says AirMagnet vice president of marketing Richard Mironov.
On the other hand, this isn't bad news for enterprises just getting to grips
with wireless: it means a few basic measures will probably be enough to
discourage all but the most persistent attackers. "If you turn on security,
someone who's not specifically targeting your company can find other places to
break into," Mironov says.
The following are some of the most important and practical steps in setting
up a well-run, secure wireless network -- and some of the most common mistakes.
DO: Take control of your airspace.
Before you even start to hook
up access points, it might be a good idea to do a site survey, even if that is
just taking a walk around the office. Wi-Fi uses unlicensed spectrum, meaning
you don't need special permission to turn it on. The downside is neither does
anyone else, and the 2.4GHz spectrum is already starting to get crowded.
Interference can come from cordless phones, not to mention the Bluetooth radios
built into more and more mobiles.
If you're in a building with several tenants crammed together, you may need
to have a quiet word with your neighbours about who's going to use which Wi-Fi
channel. If you notice they haven't got security turned on, well, that might
also be worth mentioning to them -- if nothing else, security will stop your
employees from accidentally logging onto their network. Access points on your
own network shouldn't use adjoining channels: 2.4GHz channel centres are only
5MHz apart but each transmission occupies roughly 22MHz, so only channels at
least five numbers apart avoid overlapping. That means 1, 6 and 11 where 11
channels are allowed, or 1, 7 and 13 in regions such as the UK that allow 13.
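The channel rule above can be checked mechanically. The following is an added example, not code from the article or from any vendor: it derives channel overlap from the 2.4GHz centre frequencies and then colours the survey graph (pairs of access points that can hear each other, which is assumed to come from your walk-around) so that no two audible neighbours share overlapping channels. The AP names and the survey data are made up for the example.

```python
"""Check and build a 2.4GHz channel plan with non-overlapping cells.

Added example, not code from the article. 2.4GHz channel centres are 5MHz
apart (channel n sits at 2407 + 5n MHz; channel 14, Japan only, at 2484),
but an 802.11b/g transmission occupies roughly 22MHz, so neighbouring access
points need channels at least five numbers apart. The "neighbours" input is
assumed to come from your walk-around survey: pairs of APs that can hear
each other. The AP names below are made up.
"""
CHANNEL_WIDTH_MHZ = 22

def centre_mhz(channel: int) -> int:
    if channel == 14:
        return 2484
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    raise ValueError(f"not a 2.4GHz channel: {channel}")

def channels_overlap(a: int, b: int) -> bool:
    """Two cells interfere if their centres are closer than one channel width."""
    return abs(centre_mhz(a) - centre_mhz(b)) < CHANNEL_WIDTH_MHZ

def non_overlapping_channels(max_channel: int = 11) -> list:
    """Greedily pick mutually non-overlapping channels from 1..max_channel."""
    chosen = []
    for ch in range(1, max_channel + 1):
        if all(not channels_overlap(ch, c) for c in chosen):
            chosen.append(ch)
    return chosen

def find_conflicts(plan: dict, neighbours: list) -> list:
    """plan maps AP name -> channel. Returns (a, b, ch_a, ch_b) for every pair
    of mutually audible APs whose channels overlap."""
    return [(a, b, plan[a], plan[b]) for a, b in neighbours
            if channels_overlap(plan[a], plan[b])]

def assign_channels(aps: list, neighbours: list, allowed=(1, 6, 11)):
    """Greedy graph colouring: highest-degree AP first, each gets the first
    allowed channel that overlaps none of its already-assigned neighbours.
    Returns None when the survey graph needs more channels than are allowed."""
    adjacent = {ap: set() for ap in aps}
    for a, b in neighbours:
        adjacent[a].add(b)
        adjacent[b].add(a)
    plan = {}
    for ap in sorted(aps, key=lambda x: -len(adjacent[x])):
        used = {plan[n] for n in adjacent[ap] if n in plan}
        free = [c for c in allowed if all(not channels_overlap(c, u) for u in used)]
        if not free:
            return None
        plan[ap] = free[0]
    return plan

# Constructed survey: four APs on two floors, each hearing two of the others.
SURVEY_APS = ["floor1-east", "floor1-west", "floor2-east", "floor2-west"]
SURVEY_NEIGHBOURS = [("floor1-east", "floor1-west"), ("floor1-east", "floor2-east"),
                     ("floor1-west", "floor2-west"), ("floor2-east", "floor2-west")]

if __name__ == "__main__":
    bad_plan = {"floor1-east": 1, "floor1-west": 3, "floor2-east": 6, "floor2-west": 9}
    print("conflicts in ad-hoc plan:", find_conflicts(bad_plan, SURVEY_NEIGHBOURS))
    print("assigned plan:", assign_channels(SURVEY_APS, SURVEY_NEIGHBOURS))
```

If `assign_channels` returns None, the survey has more mutually audible access points than there are non-overlapping channels, and the fix is the one the article suggests next: turn down transmit power or use directional antennas so fewer cells overlap, rather than squeezing in an adjoining channel.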
Some companies may find it useful to shape their airwaves. A directional
antenna will provide access exactly where it's wanted, without spilling over
into the street; turning down the power on some access points will also reduce
the airspace where access is available.
DO: Choose and implement a security model
This may sound obvious,
but consider that every Centrino laptop arrives in your company ready to connect
to the nearest access point with zero security. Just as with wired networks,
keeping equipment in line with whatever security model you choose is an ongoing
process. Even turning on WEP (Wired Equivalent Privacy), the now-discredited
basic Wi-Fi encryption standard, will put you miles ahead of the pack. "WEP is
better than nothing -- at least with that, it takes five to ten minutes to crack
in," Mironov says.
For a step up, use NICs (network interface cards) and access points that
support Wi-Fi Protected Access (WPA), which fixes many of WEP's problems with
per-packet keys and a cryptographic message integrity check, although it still
runs on the same RC4 stream cipher. If you use WPA with a pre-shared key rather
than 802.1X authentication, pick a long random passphrase: the key is only as
strong as the passphrase it is derived from. WPA is a stopgap drawn from a
draft of the upcoming IEEE 802.11i standard, which will add encryption based on
the Advanced Encryption Standard (AES), a block cipher, in place of the RC4
stream cipher used by WEP and WPA.
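To make concrete why a stream cipher with a 24-bit per-frame IV is the weak point, here is an added illustration (not code from the article, nor any vendor's): a textbook RC4, WEP-style framing with the IV prepended to the shared key and sent in the clear, and the two-time-pad recovery that becomes possible as soon as an IV repeats. The key and the sample frames are constructed; the real frame also carries a CRC-32 integrity value, omitted here, and the best-known WEP attacks additionally exploit weak IVs in RC4's key schedule, which this does not show.

```python
"""Why the stream cipher is WEP's weak point: keystream reuse.

Added illustration, not code from the article or from any vendor. WEP
encrypts every frame with RC4 keyed by a 24-bit per-frame IV prepended to
the shared key, and sends the IV in the clear. Two frames encrypted under
the same IV share a keystream, so XORing their ciphertexts cancels it and
leaves the XOR of the two plaintexts, with no knowledge of the key.
"""
import math

def rc4_keystream(key: bytes, length: int) -> bytes:
    # Key-scheduling algorithm (KSA): permute the state array using the key.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation algorithm (PRGA): emit keystream bytes.
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(iv: bytes, key: bytes, plaintext: bytes) -> bytes:
    """WEP-style framing: per-frame key = IV || shared key; IV travels in clear.
    (The real frame also carries a CRC-32 ICV, omitted here.)"""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    keystream = rc4_keystream(iv + key, len(plaintext))
    return iv + xor_bytes(plaintext, keystream)

def plaintext_xor_from_iv_collision(frame1: bytes, frame2: bytes):
    """If two captured frames share an IV, c1 XOR c2 == p1 XOR p2."""
    if frame1[:3] != frame2[:3]:
        return None                      # different IV, different keystream
    return xor_bytes(frame1[3:], frame2[3:])

def recover_plaintext(frame_unknown: bytes, frame_known: bytes, known_plaintext: bytes):
    """Two-time-pad recovery: one predictable frame (an ARP request, a DHCP
    exchange, an HTTP GET) hands the attacker the other frame's contents."""
    pxor = plaintext_xor_from_iv_collision(frame_unknown, frame_known)
    return None if pxor is None else xor_bytes(pxor, known_plaintext)

def expected_frames_until_iv_repeat(iv_bits: int = 24) -> float:
    """Birthday bound: about sqrt(pi/2 * 2^n) random IVs before the first repeat.
    A busy AP sends that many frames in seconds; sequential IVs wrap at 2^24."""
    return math.sqrt(math.pi / 2 * (1 << iv_bits))

if __name__ == "__main__":
    key = b"wepkey1234567"                       # constructed 104-bit WEP key
    iv = b"\x00\x00\x01"
    secret = b"GET /payroll.xls HTTP/1.1"        # constructed sample frames
    guessable = b"GET /index.html  HTTP/1.1"
    f_secret = wep_encrypt(iv, key, secret)
    f_guess = wep_encrypt(iv, key, guessable)    # same IV reused by the sender
    print(recover_plaintext(f_secret, f_guess, guessable))
    print(f"IV repeat expected after ~{expected_frames_until_iv_repeat():.0f} frames")
```

The point of `expected_frames_until_iv_repeat` is that the IV space is tiny: a few thousand frames of random IVs, or one wrap of a sequential counter, and the keystream is being reused, which is the structural problem that no key length fixes and that AES-CCMP in 802.11i is designed to avoid.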
If you're already running a virtual private network (VPN) for remote workers,
and want another layer of security in the office, you might consider extending
the VPN for workers in the building, though this requires considerable
processing power for each user added to the VPN. Another alternative is to
put a firewall between the wired and wireless networks, or to choose access
points that can place wireless clients in their own virtual LAN (VLAN), keeping
them segmented off from the rest of your network.
DO: Prepare for upgrades
As noted above, security standards for
WLAN are constantly evolving -- and this isn't likely to level off. Look at
access points with flash memory, allowing them to accept security patches and
encryption standard upgrades, and work out a strategy for blocking equipment
that doesn't have up-to-date security. Keep in mind that when 802.11i arrives it
is likely to require new equipment to handle the extra processing overhead.
DO: Consider using third-party security apparatus
It is worth scanning your airwaves regularly with a sniffer, to keep track of
exactly what is connected to the network. Besides monitoring for, and in some
cases even retaliating against, attacks, these tools let you examine wireless
traffic, disconnect or block clients and locate rogue access points.
Wireless security controllers can simplify administration of your chosen
security model, particularly if you feel you need a firewall or VPN. These
devices often incorporate firewall and VPN, while centralising administration.
DO: Integrate wireless and wired security
Ultimately, you will not
want to manage your wireless and wired networks separately, but much of the
security gear available won't necessarily integrate with your administration
systems. Make sure whatever you invest in uses standard protocols such as SNMP
(Simple Network Management Protocol), preferably SNMPv3, since versions 1 and
2c send their community strings in the clear. "Newer products enable network managers to
integrate WLAN management with the wired LAN," says Gartner's Keene. "If you're
managing them as completely separate functions, you're going to be doubling the
tasks you have to perform."
DON'T: Declare a WLAN-free zone
"Wireless LANs are attractive to
home users, and they make it easy for mobile workers to be more productive,
downloading the latest client information or catching up with email in their
down-time," says Keene. "It's going to be increasingly difficult to ban WLAN
use. And even if you do make it clear to users it's against company policy, it's
going to be difficult to enforce."
Ignoring WLANs might not make financial sense, either. "You've got to
consider the cost of retrofitting your notebooks if, in two years' time, you
decide WLAN is a good idea after all," Keene points out. At the very least, he
argues companies should be carrying out controlled trials to examine the
benefits of WLAN.
DON'T: Keep the default SSID and password
When you plug in a new access point, change the default Service Set
Identifier (SSID) and, more importantly, the default administrator password.
The SSID is a network name rather than a credential, but a factory default
tells an outsider exactly what kit you are running: Cisco access points, for
example, arrive with the SSID "tsunami". The administrator password is what
protects the device itself; once someone logs on with the factory default they
can change your security settings or deny you access to your own equipment. You
should also change the device's default IP address.
DON'T: Broadcast your SSID
It's common for businesses to forget to turn off SSID broadcasting. This
feature is necessary for public hot spots, but otherwise it is an open
invitation for someone in the parking lot to try and break into your network.
Treat it as a small hurdle rather than a security control, though: the SSID
still goes out in the clear in probe responses and in every client's
association request, so anyone with a sniffer learns it the moment a
legitimate user connects. Encryption, not obscurity, is what keeps them out.
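The sniffer-based checks recommended under "Consider using third-party security apparatus" and the SSID caveat just above can both be shown with a small parser. What follows is an added example, not code from the article or from AirMagnet, AirDefense or any other vendor: it decodes the parts of an 802.11 management frame that matter here (frame control, addresses, the capability field's privacy bit and the tagged information elements), then audits what was heard against an authorised BSSID list, flagging rogue access points, an evil twin advertising a corporate SSID from an unknown BSSID, open and WEP-only networks, and "hidden" SSIDs recovered from probe responses. The frames, MAC addresses and SSIDs are constructed inline; the RSN element is reduced to its version field because the audit only checks for its presence.

```python
"""Audit 802.11 management frames for rogue, open and "hidden" access points.

Added example, not the article's code or any vendor's. Parses the minimal
parts of a management frame (frame control, addresses, capability field,
tagged information elements) and compares what was heard against an
authorised BSSID list. Sample frames are constructed inline.
"""
import struct

SSID_TAG, DS_PARAM_TAG, RSN_TAG, VENDOR_TAG = 0, 3, 48, 221
WPA_OUI_TYPE = bytes.fromhex("0050f201")    # Microsoft OUI + type 1 = WPA IE
PRIVACY_BIT = 0x0010                         # capability field bit 4
BEACON, PROBE_RESP, ASSOC_REQ = 0x8, 0x5, 0x0

def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))

def parse_ies(body: bytes) -> list:
    """Walk the tag/length/value list; stop cleanly on a truncated element."""
    ies, i = [], 0
    while i + 2 <= len(body):
        tag, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) < length:
            break
        ies.append((tag, value))
        i += 2 + length
    return ies

def parse_mgmt_frame(frame: bytes) -> dict:
    if len(frame) < 24 or (frame[0] >> 2) & 0x3 != 0:
        raise ValueError("not an 802.11 management frame")
    subtype, body = frame[0] >> 4, frame[24:]
    if subtype in (BEACON, PROBE_RESP):      # timestamp(8) interval(2) capability(2)
        cap, ies = struct.unpack_from("<H", body, 10)[0], parse_ies(body[12:])
    elif subtype == ASSOC_REQ:               # capability(2) listen interval(2)
        cap, ies = struct.unpack_from("<H", body, 0)[0], parse_ies(body[4:])
    else:
        raise ValueError(f"unsupported subtype {subtype:#x}")
    info = {"subtype": subtype, "sa": mac_str(frame[10:16]), "bssid": mac_str(frame[16:22]),
            "privacy": bool(cap & PRIVACY_BIT), "ssid": None, "channel": None,
            "rsn": False, "wpa": False}
    for tag, value in ies:
        if tag == SSID_TAG:   # zero-length or all-NUL SSID is how APs "hide" the name
            info["ssid"] = value.decode("utf-8", "replace") if value.strip(b"\x00") else None
        elif tag == DS_PARAM_TAG and value:
            info["channel"] = value[0]
        elif tag == RSN_TAG:
            info["rsn"] = True
        elif tag == VENDOR_TAG and value[:4] == WPA_OUI_TYPE:
            info["wpa"] = True
    return info

def audit(frames: list, authorised_bssids: set, corporate_ssids: set) -> list:
    """Return (bssid, finding) pairs. Probe responses and association requests
    carry the SSID in the clear even when the beacon omits it."""
    beacons, revealed = {}, {}
    for frame in frames:
        info = parse_mgmt_frame(frame)
        if info["subtype"] == BEACON:
            beacons[info["bssid"]] = info
        elif info["ssid"]:
            revealed[info["bssid"]] = info["ssid"]
    findings = []
    for bssid, info in beacons.items():
        ssid = info["ssid"] or revealed.get(bssid)
        if bssid not in authorised_bssids:
            kind = "evil twin (corporate SSID on unknown BSSID)" if ssid in corporate_ssids else "rogue AP"
            findings.append((bssid, kind))
        if not info["privacy"]:
            findings.append((bssid, "open: privacy bit clear, no WEP/WPA"))
        elif not (info["rsn"] or info["wpa"]):
            findings.append((bssid, "WEP only: privacy set but no WPA/RSN element"))
        if info["ssid"] is None:
            findings.append((bssid, f"hidden SSID, recovered as {ssid!r}" if ssid else "hidden SSID"))
    return findings

def build_frame(subtype, sa, bssid, ssid: bytes, channel, privacy, rsn=False) -> bytes:
    """Constructed test frame (addr1 = broadcast, zero duration and sequence)."""
    hdr = bytes([subtype << 4, 0, 0, 0]) + b"\xff" * 6 + mac_bytes(sa) + mac_bytes(bssid) + b"\x00\x00"
    ies = bytes([SSID_TAG, len(ssid)]) + ssid + bytes([DS_PARAM_TAG, 1, channel])
    if rsn:
        ies += bytes([RSN_TAG, 2, 1, 0])            # RSN IE reduced to its version field
    cap = struct.pack("<H", PRIVACY_BIT if privacy else 0)
    if subtype == ASSOC_REQ:
        return hdr + cap + struct.pack("<H", 10) + ies
    return hdr + b"\x00" * 8 + struct.pack("<H", 100) + cap + ies

CORP_AP, CORP_HIDDEN = "00:11:22:33:44:55", "00:11:22:33:44:66"
SAMPLE_CAPTURE = [  # constructed, not a real capture
    build_frame(BEACON, CORP_AP, CORP_AP, b"corp-wlan", 6, True, rsn=True),
    build_frame(BEACON, "de:ad:be:ef:00:01", "de:ad:be:ef:00:01", b"linksys", 6, False),
    build_frame(BEACON, CORP_HIDDEN, CORP_HIDDEN, b"", 11, True, rsn=True),
    build_frame(PROBE_RESP, CORP_HIDDEN, CORP_HIDDEN, b"corp-mgmt", 11, True, rsn=True),
    build_frame(BEACON, "ca:fe:00:00:00:01", "ca:fe:00:00:00:01", b"corp-wlan", 1, True),
]

if __name__ == "__main__":
    for bssid, finding in audit(SAMPLE_CAPTURE, {CORP_AP, CORP_HIDDEN}, {"corp-wlan", "corp-mgmt"}):
        print(bssid, finding)
```

Run against a real capture, the same logic is what a wireless IDS does continuously; the point of the hidden-SSID branch is that one probe response from the access point, or one association request from a legitimate laptop, is enough to undo SSID hiding.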
DON'T: Mix 802.11b and 802.11g
It's very kind of wireless gear makers to come out with dual-mode equipment, as
it means companies can move from the older b standard to the faster, better g
standard whenever they're ready. The downside: a g access point can serve b
clients at the same time, but only by falling back to protection mechanisms so
that b cards, which cannot hear g's OFDM transmissions, don't talk over them,
and the slower b rates take a disproportionate share of airtime. So as soon as
someone on the access point fires up a b-only laptop, the bandwidth for
everyone else plummets. If you want full 802.11g performance, you will need to
ensure all the NICs are also g-compatible.
DON'T: Enable ad-hoc mode
Ad-hoc mode allows a Wi-Fi client to form a direct peer-to-peer link with
another laptop nearby, with no access point in between. Left switched on, it
lets anyone in range associate with the laptop directly; combined with open
file shares and no host firewall, that exposes the laptop's hard drive, and if
the machine is plugged into the corporate LAN at the same time it may act as an
unsecured bridge into the network. "I've been in airport lounges and noticed people who didn't remember
they had ad hoc mode turned on," says AirMagnet's Mironov. "You could read
everything on their laptop. If that isn't chilling, it should be."