Manage your company wireless network hardware to prevent security breaches

Adding wireless components to an established local area network can cause confusion and declining confidence in security. Here's how to manage expansion without compromising network integrity.

Wireless networking is unstoppable. It's growing faster than almost any IT technology ever has, and the lure is irresistible to professionals and consumers alike. With this unbridled expansion comes a pocketful of new security concerns. Can your company maintain security as your conventional network is hybridized with wireless components?

There's a natural impulse, given the ethereal qualities of wireless networking, to view the extension of a conventional network into a somewhat intangible hybrid network as two separate networks: the tried-and-true secure network you spent so much time locking down, and the breezy interloper that is now poking holes in it. But Mistake Number One is failing to keep the whole thing under one roof. It's all one network, and viewing it this way will help you get your arms around it.

Network management pros and cons

Network management encompasses a number of key functions: monitoring the network's activity; dynamically evaluating its availability; measuring its performance; and logging its errors. These functions are more important, not less, where the wireless portions of your network are concerned. Since the wireless zones are more portable, more variable in usage, and subject to greater interference than the conventional ones, performance tracking and error logging are more important than ever if you hope to optimize the network's efficiency.

It's not just about efficiency, of course. By doing this sort of management, you're monitoring what happens at your wireless access points, and you can spot attempts at network intrusion. So implementing network management of your wireless network zones is, in general, a wise move.

Now comes the tough call, however. There is plenty of network management software out there that performs the functions above for you (HP OpenView, Tivoli NetView), and if your wireless hardware supports SNMP, then it can be managed in the same way as any other network components. But you now run a new risk: If an SNMP-supporting access point is hacked, then the intruder has access to information about your network, through SNMP. (There's a distributed management information base at the heart of SNMP-based network management, which SNMP devices read from and write to, and this is what the network management software uses to do its job.)

Is this a risk you want to take?

It's a kind of catch-22. If you have the means to button up your access points, then you can and should safely use SNMP-based network management; but if you're buttoned up well enough to do this, then by definition, you need it less. It's a trade-off, and you'll have to give it some thought.

You can audit, so audit regularly

Wireless components in your LAN do not affect your ability to audit the network as a whole; there is nothing intrinsic to wireless workstations or access points that affects an audit per se. You can and should continue to audit the network as you normally do, and do so frequently.

An additional consideration in the audit process, where wireless access points are concerned, is that the access points themselves can generate logs. These logs record the activity of stations connecting to them to gain network access. These logs need to be integrated into your audit process and regularly reviewed.

Control rogue APs

Rogue access points are one of the biggest headaches in wireless network security. Often deployed by employees informally for personal use, they exist beyond the perimeter of your formal procedures and deployment protocols and therefore pose a huge security risk, often representing as much as a third of your wireless network.

That's a great deal of vulnerability, and it tells us that rogue APs alone are justification for implementing stringent network management procedures. With SNMP-based network management software in place, the network can rapidly identify any rogue APs that employees have deployed (unless the SNMP support in the device has been disabled, which is beyond the knowledge of most employees).

Another way to detect rogue APs is the way hackers do it—i.e., with a WLAN scanner. A laptop with a wireless network card and WLAN-detection software such as NetStumbler, Air Magnet, or Wave Runner can sniff out all your APs, rogue or otherwise, which leads us to the next and final point of discussion.
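Whichever way you collect the list of access points, the detection step is the same: reconcile what was seen against the inventory of APs you actually approved. The script below is an added example, not code from the article or from any of the products it names; the inventory, the scan-row format and the sample rows are all constructed, standing in for the export of whatever scanner or SNMP poller a site really uses.

```python
"""Reconcile a WLAN scan against the inventory of approved access points.
Added example: inventory and scan rows are constructed sample data, not
the output of any real scanner or management product."""

# Constructed inventory of approved radios: BSSID -> (SSID it should announce, channel).
AUTHORIZED_APS = {
    "00:11:22:33:44:01": ("CorpWLAN", 1),
    "00:11:22:33:44:02": ("CorpWLAN", 6),
    "00:11:22:33:44:03": ("CorpWLAN", 11),
}

def normalize_bssid(bssid):
    """Accept 'AA-BB-CC-DD-EE-FF' or 'aa:bb:cc:dd:ee:ff'; return one canonical form."""
    return bssid.strip().replace("-", ":").lower()

def parse_scan(lines):
    """Parse 'BSSID,SSID,channel' rows (constructed format) into (bssid, ssid, channel)."""
    aps = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue                      # skip blanks and header comments
        bssid, ssid, channel = (f.strip() for f in line.split(",", 2))
        aps.append((normalize_bssid(bssid), ssid, int(channel)))
    return aps

def classify(aps):
    """Map each BSSID to 'rogue' (radio absent from the inventory, the case the article
    warns about), 'misconfigured' (approved radio on an unexpected SSID/channel) or 'authorized'."""
    findings = {}
    for bssid, ssid, channel in aps:
        expected = AUTHORIZED_APS.get(bssid)
        if expected is None:
            findings[bssid] = "rogue"
        elif expected != (ssid, channel):
            findings[bssid] = "misconfigured"
        else:
            findings[bssid] = "authorized"
    return findings

# Constructed scan export: two approved APs, one approved AP on the wrong SSID, one rogue.
SAMPLE_SCAN = """\
# bssid,ssid,channel
00-11-22-33-44-01,CorpWLAN,1
00:11:22:33:44:02,CorpWLAN,6
00:11:22:33:44:03,Guest-Free,11
0A:BB:CC:DD:EE:FF,linksys,6
"""

if __name__ == "__main__":
    for bssid, verdict in sorted(classify(parse_scan(SAMPLE_SCAN.splitlines())).items()):
        print(bssid, verdict)
```

Any BSSID reported as "rogue" is a device to locate and either inventory or remove; a "misconfigured" verdict on an approved radio deserves a look too, since it can mean a changed configuration on an AP nobody meant to touch.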

Test your fences

The best way to feel good about your company's wireless perimeter security is to test it yourself. Anyone with a laptop, a wireless network card, and NetStumbler can cruise the streets around your headquarters and map your network. WLAN intruders use these tools and various nefarious means of entry to get into the network. (See the article "Top five don'ts in wireless network security" for more information.)

Have some fun with this project. Put your in-house people to work poking holes. Many are sure to have laptops with wireless network cards, and they can easily obtain LAN-detection software. Make it a contest, offering some incentive for anyone who can penetrate the wireless network and write a detailed report on how they did it.

And if it sounds like such a "contest" is throwing the door open to anarchy, then you have just the beginning of an idea of what the world of WLAN intruders is like: You can bet that several dozen of them started sniffing at your borders from the street outside as soon as your WLAN went up. The fences will be tested, whether you're out there among the testers or not. Doesn't it make sense to go with that reality and use it to make your fences stronger?

More WLAN management options

Since the security and hardware challenges of your WLAN differ from your conventional components, you may wish to look into some wireless-specific network management utilities. Here are a few to consider:


Scott Robinson is a 20-year IT veteran with extensive experience in business intelligence and systems integration. An enterprise architect with a background in social psychology, he frequently consults and lectures on analytics, business intelligence...