When Intel introduced the Centrino chip in early 2003, laptop users cheered that they'd no longer be scanning the shelves of Best Buy in search of separate wireless cards for their new mobile computers. In contrast, IT staff cringed with the knowledge that built-in wireless cards in the hands of users who weren't technically savvy could wreak havoc on efforts to keep their companies' wireless networks secure.
"Wireless networks are particularly vulnerable to security breaches and attacks because the signal is wide open," explained Chuck Conley, VP of Marketing for Boston-based Newbury Networks. The executive for the wireless security provider noted that, "For the first time in computing history, you don't know where your device or your user is. And because you don't know where that user is, you also sometimes don't know who that user is."
Conley pointed out that because wireless networks typically cover a 300-foot radius, signals can bleed out through brick and glass to the hallway, the sidewalk, and maybe even the parking lot across the street. He cautioned, "Anyone who might not be in line of sight can hop onto that signal with relative ease, hack into the network from behind the scenes, and create a major security breach of the network and the data behind it."
Beware the war driver
With the built-in Centrino chip, when a user turns on a new-model laptop it automatically creates a wireless LAN, instantly emitting an 802.11 signal. If it's running Microsoft XP, the laptop will automatically seek a network connection. With the growing ubiquity of wireless network devices used by mobile employees, Conley recommended educating wireless users in some fundamental practices to safeguard their transmissions from a growing band of hi-tech thieves known as war drivers.
According to a January 19, 2004 article in The Herald, experts said that using a laptop and a modified wireless access card, anyone with the technical knowledge of an average university student can trawl through the computer records of a company that hasn't properly secured its wireless network. With more companies opting for wireless networks in place of expensive cabling throughout their offices, the opportunity for taking advantage of this unwitting "open door" policy is growing.
A 2002 survey conducted by business advisers at KPMG International found that of those companies that had fully implemented a wireless LAN, some 38 percent had failed to use any type of encryption technology to protect the information flowing over their networks. Such lax security left them vulnerable to serious breaches.
Ways to thwart hackers and attackers
Alan Greig, a registered e-security consultant with Ogilvie Communications, a telecommunications company based in the United Kingdom, suggested some basic precautions to make it more difficult for war drivers:
- Change your standard factory settings.
- Conceal your IP addresses.
- Deploy encryption to conceal the content of e-mail and other documents.
Although, like any computer system, wireless can't be made 100-percent secure, Greig claimed that the only way to make a WLAN relatively secure is to "treat it as a hostile connection and place [your access points] outside the firewall."
Jon Edney, author of Real 802.11 Security, agrees with Greig. "The simplest solution for business use is to keep the access points on separate wire lines and run the connection through a firewall to a VPN server." But, he admitted, it's a pain. He's looking forward to the new WPA (Wi-Fi Protected Access) security standard to address some of the fundamental issues of wireless vulnerability.
Like Chuck Conley, Edney recommends employee education as a front-line defense. "Employees can drive a dump truck through the protections [implemented by the IT staff] by installing an unauthorized wireless LAN," said Edney. For companies with lots of small branches and offices, this can be a particular problem. "All it takes is a proactive manager to go and buy an access point at the local computer store and connect it where his PC used to plug in, and you have a breach," he pointed out.
Chuck Conley likened it to "taking a cable and throwing it out the window to the sidewalk so that people can plug in." Because it's something that is almost impossible for IT departments to detect, the solution is to educate employees to the potential problem, rather than simply enforce rules.
"People tend to ignore rules because they think the IT departments are control freaks," Jon Edney observed. "But if they understand the dangers, they will cooperate."
Avoid risky wireless practices
Besides introducing unauthorized wireless technology into the corporate environment, Chuck Conley noted a couple of other highly risky business activities that catch employees unaware:
- Going into ad hoc mode automatically
- Forgetting to change network configurations when working from home and office
- Docking onto a wired LAN while the laptop's wireless card is on
The perils of ad hoc mode
According to Conley, ad hoc mode might seem a pretty innocuous and productive way for people to share from one laptop to another on a peer-to-peer network using their wireless cards outside a wireless network. While there are great advantages to sharing information without having to move a disk or a CD from machine to machine, ad hoc networks create an open port to your machines because they're emitting a signal. As he was quick to acknowledge, "That wireless card emits a signal not only to the person trying to share the information, but also to somebody who might be outside who can actually very easily hop onto that signal. The real danger is that this unauthorized user can not only get into your machine, but if you're still connected to your wired-side network, he can use your machine as a gateway to get into that wired-side network."
The danger of switching home/office network configurations
Another harmful oversight is failing to reset network configurations when making the transition from a home office to the workplace and back. Conley warned that mobile workers should make sure when they come back into the office from home that their cards aren't still seeking that home Linksys network. It's important to educate employees in the proper procedures for shutting down their machines when they leave their homes so that when they return to the office, their laptops are using the right network configuration and are looking for the right access point within the confines of the office.
The harm in simultaneously tethering and beaconing
Another example of bad business practice is one that happens on such a regular basis that even Conley catches himself doing it: docking a laptop into the wired-side Ethernet cable to get Internet access while the wireless card is still on. He feels it's imperative to teach your employees to shut off their wireless cards every time they dock their laptops. If they don't, they're creating an open port for outside people to get into the corporate network. As he explained, "When your wireless network card is on, its beaconing signal can very easily be hopped onto by a hijacker or hacker, somebody who is trying to maliciously invade that network. Like when you're inadvertently in the ad hoc mode, they not only can hop onto your signal that's being emitted from your card to get into your machine, but also use your machine as an open gateway to the wired-side network that you're ultimately connected to." Conley's advice? Make sure that when you dock your laptop, your wireless network card is shut off. Either you're on a wireless network or a wired network. You should never be on both.
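The three risky practices above can be checked mechanically once interface state is collected from each laptop. The following is an added example, not part of the original article or any vendor's product: the record schema, finding codes, hostnames and SSIDs are all hypothetical, and the sample fleet is constructed.

```python
from dataclasses import dataclass

@dataclass
class Interface:
    name: str
    kind: str         # "wired" or "wireless"
    active: bool      # wired: link is up; wireless: radio is switched on
    mode: str = ""    # wireless only: "infrastructure" or "adhoc"
    ssid: str = ""    # wireless only: network the card is joined to or seeking

# Assumption: the SSIDs IT sanctions inside the office.
CORPORATE_SSIDS = {"corp-wlan"}

def audit(interfaces, in_office=True):
    """Return the sorted finding codes for one laptop's interfaces."""
    findings = set()
    wired_up = any(i.kind == "wired" and i.active for i in interfaces)
    for i in interfaces:
        if i.kind != "wireless" or not i.active:
            continue  # a switched-off radio emits nothing to hop onto
        if i.mode == "adhoc":
            findings.add("ADHOC_MODE")
        if in_office and i.ssid and i.ssid not in CORPORATE_SSIDS:
            findings.add("SEEKING_NON_OFFICE_NETWORK")
        if wired_up:
            # Radio on while docked: the laptop can act as a gateway
            # from the air to the wired-side network.
            findings.add("WIRED_AND_WIRELESS")
    return sorted(findings)

# Constructed sample fleet (hostnames, SSIDs and interface names are made up).
FLEET = {
    "laptop-a": [Interface("eth0", "wired", True),
                 Interface("wlan0", "wireless", False)],
    "laptop-b": [Interface("eth0", "wired", True),
                 Interface("wlan0", "wireless", True, "infrastructure", "corp-wlan")],
    "laptop-c": [Interface("eth0", "wired", False),
                 Interface("wlan0", "wireless", True, "adhoc", "share")],
    "laptop-d": [Interface("eth0", "wired", True),
                 Interface("wlan0", "wireless", True, "infrastructure", "home-net")],
}

def audit_fleet(fleet):
    """Map hostname -> findings, omitting laptops with nothing to report."""
    report = {host: audit(ifaces) for host, ifaces in fleet.items()}
    return {host: f for host, f in report.items() if f}

if __name__ == "__main__":
    for host, found in audit_fleet(FLEET).items():
        print(host, ", ".join(found))
```

Note that laptop-b is flagged even though it is on the sanctioned SSID: the finding follows Conley's rule that a docked laptop should have its radio off entirely.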
Wi-Fi security tools to augment safe practices
While Conley senses companies are becoming more educated about the vulnerability of wireless technology, in the last 12 months a number of tools have come onto the market to help enterprises better secure their wireless networks.
Scoping out your airspace
Traditional wireless "sniffers" can help you monitor and test your network airspace. The more you know about your layout—inside your offices, across the hallway, on the floors above and below you, as well as outside your brick and mortar—the better idea you'll have about where security breaches might occur. Then you can implement intrusion prevention measures.
Distinguishing between legitimate and rogue users
One rather maintenance-intensive way to distinguish between the good guys and the bad is to have an inventory of wireless card addresses associated with particular users. The problem arises when you have a visitor coming into your office who just wants to get onto your network to check his e-mail. If his wireless card address isn't in your system, he'll be denied access. The other way to make the distinction is through monitoring the WLAN by location and using authentication tools to determine who is operating the device and if they are doing so from an IT-sanctioned location. With today's technology, such as Newbury Networks' WiFi Watchdog product, you can actually get as tight as three to 10 feet in your location restrictions. This selective detection helps IT security staff distinguish a rogue device from a device that's simply outside the perimeter causing no harm to users or the network.
Implementing location-based perimeter security
Conley describes it as "outside in and inside out": the process of denying access to anybody from the outside trying to get in, as well as anyone from the inside who might be associating with an outside network or a device that they shouldn't. The Air Force is currently using this technology to protect aircraft on the runways—be they stationary or taxiing—from allowing their wireless networks to be compromised. For corporations, it's an important safeguard to prevent the employees in the company a few floors above you from reading your signal and popping onto your network, or disgruntled ex-employees sitting out in the parking lot from hijacking your signal and wreaking havoc on your network.
"Products like our WiFi Watchdog," said Conley, "create a virtual location-based firewall around facilities and prevent unauthorized access from any 802.11 source attempting to hop onto the network." What makes products like this especially attractive is that they provide IT security personnel with actionable location information and the origin of attempted intrusions—everything from connection hijacking and man-in-the-middle attacks to MAC spoofing, MAC storms, and denial of service attacks.
Stay proactively cautious
It's evident that wireless technology can improve the productivity and efficiency of your organization. But vigilance is necessary to maintain the security of your network. Conley advises:
- Keep abreast of the newest WLAN technology and security tools.
- Educate yourself on WLAN vulnerabilities.
- Leverage the knowledge of experts to support your WLAN networks securely.
- Communicate with your employees. Make sure they understand how to use the wireless environment effectively without compromising security.
"If you put the right practices in place, get the right tools, and solicit advice and expertise from people who have a very good understanding of these products and standards," Conley said, "you'll be able to implement a far more secure WLAN environment."