SMBs need different security strategies for wireless

Wireless networking can make it easier for you to do business, but it also makes it easier for intruders to do their own dirty business. Small or large, all companies that decide to deploy a wireless LAN need to first design a security strategy and reevaluate and add to their wireless security mechanisms as the organization grows.

Wireless networking technology has made it possible for companies to greatly extend the usability of computers by their workers--especially highly mobile employees such as those in the health care industry, on sales and manufacturing floors, and so forth. In fact, in the past this column has addressed how to implement a scalable wireless local area network (WLAN) that can be accessed by laptops, handheld computers, and computers that need to be placed in locations where it's difficult to run cable.

But the major obstacle to implementing wireless, particularly for organizations that deal with a lot of sensitive information or belong to regulated industries where laws such as HIPAA and the GLB Act mandate confidentiality of certain types of data, is the security question.

It’s essential that you have a security strategy in place before deploying a WLAN, but the security measures that are adequate for a small company may not work so well in the enterprise. You need to develop your security plan with the unique needs of your organization in mind.

The wireless security problem

Because wireless transmissions travel over the open airwaves, they’re even more vulnerable to interception or disruption than data on a wired network. And if your WLAN isn’t properly protected, unauthorized "war drivers" or others within range may be able to:

  • Steal your Internet bandwidth, getting free access while contributing to congestion that slows down your legitimate users
  • Use your network as a launching point for attacks on others or illegal acts such as downloading or distributing pirated software and music or child pornography
  • View, copy, change or delete files on the computers on both your wireless network and your wired network
  • Infect your systems with viruses, Trojans, worms, spyware, and other malicious software
  • Cause a denial of service by crashing workstations and/or servers on your network or overloading the network so that it can’t be used by authorized users

Wireless security for small companies (and small budgets)

Small companies often have small budgets, which in many cases means no full time IT staff and no money to hire a security consultant to set up your wireless LAN properly. The good news is that you don’t have to spend big bucks to make your WLAN a lot more secure than it is "out of the box." Proper configuration is the key.

The goal of any security plan is to deter potential intruders or attackers by slowing them down, making it more difficult for them, and/or increasing the chances they’ll get caught. By putting up perimeter fences, locking gates, letting a pit bull loose in the yard, installing deadbolts on the doors and windows, and putting in an alarm system at your home or business, you don’t guarantee that a burglar won’t get in--in fact, a determined professional almost certainly can circumvent all of these measures--but you do make it a lot of trouble. That means the casual intruder is more likely to pass your place by and move on to one that’s easier.

In general, Internet hackers like to take the easier way just as much as old-fashioned thieves. So every obstacle that you place in an intruder’s way makes it more likely he’ll give up and move on to an easier-to-crack network. That’s especially true when there are so many wireless networks out there operating without even minimal security in place.

Some security experts will tell you that oft-recommended measures such as changing the default SSID, turning off SSID broadcasting, and enabling MAC filtering are worthless, because there are ways around each. That’s a bit like saying if your door only has a cheap lock that’s easy to pick, you should just not bother locking it at all. By no means should these methods be depended on as your entire security strategy, but each one slows down intruders a little and makes it a little more difficult for them, so they should be part of your security strategy.

Other low or no-cost security measures a small business can implement with a low-cost wireless access point (WAP) include:

  • Using static IP addresses and turning off DHCP on the router or WAP so an unauthorized person can’t easily get a valid IP address assigned
  • Positioning the access point to minimize its range so that an intruder will have to go to the trouble of using a high gain antenna to pick up the signal
  • Turning the WAP off if you don’t need to use wireless for a while. Some small companies may need the wireless network only occasionally, such as when partners or traveling employees are at the office with their laptops

Of course, encryption is the best no-cost security measure you can take. Be sure to use Wi-Fi Protected Access (WPA) rather than Wired Equivalent Privacy (WEP) encryption, as the latter is much weaker and easier to defeat. You may need to upgrade your WAP and/or wireless NICs to use WPA, but it’s worth the expense. You may also need to install the WPA client if you haven’t kept your operating systems up to date, but installing the latest Windows XP service pack or switching to Windows Vista (both of which have many other security benefits) will get you the WPA support.

Wireless security for larger organizations

As your organization grows, it becomes more important that you restrict the use of wireless. It’s essential to establish policies prohibiting rogue access points, and to monitor for them regularly. But good policies aren’t enough; you’ll also need to expend some funds to enforce those policies.
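One way to make the regular rogue access point check concrete, as an added example that is not from the original article: compare each wireless scan result against an inventory of sanctioned access points. The inventory, SSIDs, BSSIDs, the -65 dBm "nearby" threshold and the scan results below are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed inventory of sanctioned access points: BSSID -> (SSID, encryption)
AUTHORIZED = {
    "00:11:22:33:44:01": ("CorpWLAN", "WPA"),
    "00:11:22:33:44:02": ("CorpWLAN", "WPA"),
}
CORP_SSIDS = {ssid for ssid, _ in AUTHORIZED.values()}

@dataclass
class Sighting:
    bssid: str
    ssid: str
    encryption: str   # "OPEN", "WEP" or "WPA" as reported by the scanner
    signal_dbm: int

def classify(s, near_dbm=-65):
    """Return the policy findings for one scan result; an empty list means none."""
    findings = []
    known = AUTHORIZED.get(s.bssid.lower())
    if known is None:
        if s.ssid in CORP_SSIDS:
            findings.append("unlisted BSSID advertising a corporate SSID")
        elif s.signal_dbm >= near_dbm:
            findings.append("unlisted AP with strong signal, likely on premises")
    else:
        ssid, enc = known
        if s.ssid != ssid:
            findings.append(f"authorized AP advertises {s.ssid!r}, expected {ssid!r}")
        if s.encryption != enc:
            findings.append(f"authorized AP uses {s.encryption}, expected {enc}")
    return findings

def audit(scan):
    """Map BSSID -> findings for every sighting that violates policy."""
    report = {}
    for s in scan:
        findings = classify(s)
        if findings:
            report[s.bssid] = findings
    return report

# Constructed scan results (not real captures)
SCAN = [
    Sighting("00:11:22:33:44:01", "CorpWLAN", "WPA", -48),    # sanctioned, as configured
    Sighting("00:11:22:33:44:02", "CorpWLAN", "WEP", -55),    # sanctioned, downgraded
    Sighting("de:ad:be:ef:00:01", "CorpWLAN", "OPEN", -60),   # corporate SSID, unknown radio
    Sighting("de:ad:be:ef:00:02", "linksys", "OPEN", -50),    # unlisted AP close by
    Sighting("de:ad:be:ef:00:03", "CoffeeShop", "WPA", -85),  # distant neighbour
]

if __name__ == "__main__":
    for bssid, findings in audit(SCAN).items():
        print(bssid, "->", "; ".join(findings))
```
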

Isolate your WLAN(s) with firewalls; consider placing wireless connections in a DMZ or perimeter network so if the wireless clients are compromised, intruders can’t attack the wired network. Require users on the WLAN to use a VPN if they want to connect to the wired network.

Use IDS and response sensors to monitor all traffic on the wireless network. Use network access protection to manage the wireless clients and ensure that they are properly configured before they’re allowed on the network.

Do penetration testing of your wireless network to identify security threats and address them.

Summary

Wireless networking can make it easier for you to do business, but it can also make it easier for intruders to do their own dirty business. It’s important to create a wireless security strategy that addresses the needs of your organization, and as the company and the budget grow, to fund the addition of more sophisticated security mechanisms.

About

Debra Littlejohn Shinder, MCSE, MVP is a technology consultant, trainer, and writer who has authored a number of books on computer operating systems, networking, and security. Deb is a tech editor, developmental editor, and contributor to over 20 add...

10 comments
naveen.rangarajan

Why not go for the RSN solution proposed by IEEE for security in large corporations?

georgeou

Small businesses can use a more robust multi-SSID multi-VLAN solution like a Cisco 851W wireless router. Here's a full tutorial of how that's done. http://articles.techrepublic.com.com/5100-1035-6112367.html Here's an even better solution for enterprise Wireless LAN security. http://blogs.techrepublic.com.com/Ou/?p=404 Guide to enterprise wireless LAN security (free e-book)!

darinhamer

George, I think it is unprofessional to contradict a fellow TechRepublic writer as blatantly as you have. Clearly you have some differences of opinion with Deb Shinder on some things. I believe she acknowledges this when she wrote "Some security experts will tell you that oft-recommended measures such as changing the default SSID, turning off SSID broadcasting, and enabling MAC filtering are worthless, because there are ways around each. That's a bit like saying if your door only has a cheap lock that's easy to pick, you should just not bother locking it at all." But you reference your article where you call the methods she is espousing "dumb." That is unprofessional. You make some good points in your article and they are valuable options for SMBs. But if, as Deb says, small businesses don't have much IT money and they are trying to have a wireless network that they configure themselves until they can afford professional IT services, then AT A MINIMUM they can employ the methods she is talking about to HELP secure their network. That seems pretty reasonable to me.

georgeou

My point was that it DOES NOT take good IT resources to secure your wireless network. All it takes is a simple 10 alpha-numeric RANDOM key for WPA-PSK and you've got wireless security that even the top security researchers in the world can't crack. I've been trying to beat down these myths for so long that I'm getting tired of it. I don't care how many so-called wireless experts push these myths, it's still worthless advice. These myths have been told for so long by so many people that many people are starting to believe that they might have some deterrence value. But that's not true and I've explained it over and over again including this blog why they have ZERO deterrence value and REQUIRE MORE IT RESOURCES. http://blogs.zdnet.com/askbloggie/?p=23 So if you follow these wireless myths, you will waste time, money, and resources to get ZERO benefits. But if you follow my advice to simply use 10 random alpha-numeric characters with WPA-PSK you'll have security that even the top researchers in the world can't break and it's so simple that a computer beginner can implement. "George, I think it is unprofessional to contradict a fellow TechRepublic writer as blatantly as you have." TechRepublic is a very diverse group of people and that's a good thing. But in this case, it's my job to point out any issues. I know Deb Shinder and she's a fine technical writer and does a lot of nice work; but everyone makes mistakes in articles (including me) and this is one case where I have to point out some problems. It is SPECIFICALLY my job as the Technical Director of TechRepublic to point these issues out. If there is a problem in an article, would you rather not hear about it? Would that really serve our TechRepublic audience well?

OKDOKI

No offense to any of you, but seeing this from an outside view as a customer/client, this debate/fighting, call it what you want to call it, doesn't need to happen on the forum. Rather take it via email, as it looks very unprofessional for company employees/management to "fight" so in the open.

darinhamer

I get your point and I think you make a good one. And, yes, I think you need to point out if there are errors. But try to do it professionally, without making it look to the rest of the world (TechRepublic customers) that you are battling with one of the other TR writers (again, the article you reference says that the very advice she is giving is "dumb." Wouldn't there be a more respectful way of putting this?). Give some professional deference to your colleague and, while gently pointing out that there is a better way, allow her to save some face.

Jaqui

Why not use the Linux OS functionality and go for the max, 255 characters? And yes, the wireless networking routers are powered by Linux. :D

georgeou

Take a look at this blog where I explain how many years it takes to crack 10 alpha-numeric random characters with 1000 PCs at your disposal. http://blogs.techrepublic.com.com/Ou/?p=127 I calculated that it takes 1000 PCs about half a millennium!
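Added example, not part of the comment above or of the original article: generating a random alphanumeric WPA-PSK passphrase from the operating system's CSPRNG, deriving the 256-bit key the way WPA-PSK does (PBKDF2-HMAC-SHA1 salted with the SSID, 4096 iterations), and estimating worst-case exhaustive-search time. The SSID "CorpWLAN" and the rate of 300 guesses per second per machine are assumptions chosen for illustration; the 1000 machines and 10-character length come from the discussion above.

```python
import hashlib
import math
import secrets
import string

ALPHANUMERIC = string.ascii_letters + string.digits  # 62 symbols, case-sensitive

def random_passphrase(length=10, alphabet=ALPHANUMERIC):
    """Draw each character independently from the OS CSPRNG."""
    if not 8 <= length <= 63:
        raise ValueError("WPA-PSK passphrases are 8 to 63 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))

def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random passphrase, in bits."""
    return length * math.log2(alphabet_size)

def wpa_psk(passphrase, ssid):
    """256-bit pre-shared key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def years_to_exhaust(length, alphabet_size, guesses_per_sec, machines):
    """Worst-case time to try every candidate at an assumed per-machine rate."""
    keyspace = alphabet_size ** length
    seconds = keyspace / (guesses_per_sec * machines)
    return seconds / (365.25 * 24 * 3600)

if __name__ == "__main__":
    phrase = random_passphrase()
    print("passphrase:", phrase)
    print("PSK for SSID 'CorpWLAN' (assumed):", wpa_psk(phrase, "CorpWLAN").hex())
    for size, label in ((36, "single-case + digits"), (62, "mixed-case + digits")):
        bits = entropy_bits(10, size)
        years = years_to_exhaust(10, size, guesses_per_sec=300, machines=1000)
        print(f"{label}: {bits:.1f} bits, about {years:,.0f} years at the assumed rate")
```

Because the SSID is the salt, the same passphrase yields a different key on every network name, and each guess costs the attacker the full 4096-iteration derivation.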

