Wireless networking is unstoppable. It’s growing faster than
almost any IT technology ever has, and the lure is irresistible to
professionals and consumers alike. With this unbridled expansion comes a
pocketful of new security concerns. Can your company maintain security as your
conventional network is hybridized with wireless components?

There’s a natural impulse, given the ethereal qualities of
wireless networking, to view the extension of a conventional network into a
somewhat intangible hybrid network as two separate networks: the tried-and-true
secure network you spent so much time locking down, and the breezy interloper
that is now poking holes in it. But Mistake Number One is failing to keep the
whole thing under one roof. It’s all one network, and viewing it this way will
help you get your arms around it.

Network management pros and cons

Network management
encompasses a number of key functions: monitoring the network’s activity;
dynamically evaluating its availability; measuring its performance; and logging
its errors. These functions are more important, not less, where the wireless
portions of your network are concerned. Since the wireless zones are more
portable, more variable in usage, and subject to greater interference than the
conventional ones, performance tracking and error logging are more important
than ever if you hope to optimize the network’s efficiency.

It’s not just about
efficiency, of course. By doing this sort of management, you’re monitoring what
happens at your wireless access points, and you can spot attempts at network
intrusion. So implementing network management of your wireless network zones
is, in general, a wise move.

Now comes the tough call, however. There is plenty of network
management software out there that performs the functions above for you (HP OpenView,
Tivoli NetView), and if your wireless
hardware supports SNMP, then it can be managed in the same way as any other
network components. But you now run a new risk: if an SNMP-enabled access
point is compromised, the intruder gains access to information about your
network through SNMP. (At the heart of SNMP-based network management is a
management information base, distributed across the SNMP-enabled devices, which
the management software reads from and writes to in order to do its job; a
compromised device exposes that data.)

Is this a risk you want to take?

It’s a kind of
catch-22. If you have the means to button up your access points, then you can
and should safely use SNMP-based network management; but if you’re buttoned up
well enough to do this, then by definition, you need it less. It’s a trade-off,
and you’ll have to give it some thought.

You can audit, so audit regularly

Wireless components
in your LAN do not affect your ability to audit the network as a whole; there
is nothing intrinsic to wireless workstations or access points that affects an
audit per se. You can and should continue to audit the network as you normally
do, and do so frequently.

An additional
consideration in the audit process, where wireless access points are concerned,
is that the access points themselves can generate logs. They record the
stations that connect to each access point to gain network access. Integrate
these logs into your audit process and review them regularly.
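As an added illustration (not code from the original article), here is a Python script that parses constructed access-point association logs in an assumed format and flags what an auditor reviewing such logs would want to see: stations not in the authorized inventory, associations outside business hours, and repeated authentication failures. The log format, MAC addresses, business hours, and failure threshold are all assumptions.

```python
import re
from datetime import datetime

# Constructed sample AP association/auth log (format is an assumption, not any vendor's).
SAMPLE_AP_LOG = """\
2003-04-02 08:15:02 ap-lobby assoc sta=00:0c:41:aa:bb:01 ssid=CORP result=ok
2003-04-02 08:16:44 ap-lobby assoc sta=00:0c:41:aa:bb:02 ssid=CORP result=ok
2003-04-02 12:30:10 ap-lobby assoc sta=00:02:2d:77:88:99 ssid=CORP result=ok
2003-04-02 23:41:07 ap-lobby auth sta=00:0c:41:aa:bb:01 ssid=CORP result=fail
2003-04-02 23:41:09 ap-lobby auth sta=00:0c:41:aa:bb:01 ssid=CORP result=fail
2003-04-02 23:41:12 ap-lobby auth sta=00:0c:41:aa:bb:01 ssid=CORP result=fail
2003-04-03 02:05:33 ap-lobby assoc sta=00:0c:41:aa:bb:02 ssid=CORP result=ok
"""

# Hypothetical inventory of company-issued wireless cards (assumed, not from the article).
AUTHORIZED_STATIONS = {"00:0c:41:aa:bb:01", "00:0c:41:aa:bb:02"}
BUSINESS_HOURS = range(7, 20)      # 07:00-19:59 local time; assumption
FAIL_THRESHOLD = 3                 # auth failures per station before flagging

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<ap>\S+) (?P<event>assoc|auth) sta=(?P<sta>\S+) "
    r"ssid=(?P<ssid>\S+) result=(?P<result>\S+)$"
)

def parse_ap_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
            rec["sta"] = rec["sta"].lower()
            records.append(rec)
    return records

def review_ap_log(text, authorized=AUTHORIZED_STATIONS):
    """Return audit findings as (kind, station MAC, timestamp) tuples, in log order."""
    findings = []
    failures = {}
    for rec in parse_ap_log(text):
        if rec["sta"] not in authorized:
            findings.append(("unknown-station", rec["sta"], rec["ts"]))
        if rec["event"] == "assoc" and rec["result"] == "ok" and rec["ts"].hour not in BUSINESS_HOURS:
            findings.append(("off-hours-assoc", rec["sta"], rec["ts"]))
        if rec["event"] == "auth" and rec["result"] == "fail":
            failures[rec["sta"]] = failures.get(rec["sta"], 0) + 1
            if failures[rec["sta"]] == FAIL_THRESHOLD:   # flag once, when the threshold is hit
                findings.append(("repeated-auth-fail", rec["sta"], rec["ts"]))
    return findings
```

Calling `review_ap_log(SAMPLE_AP_LOG)` on the sample yields one unknown station, one repeated-failure finding, and one off-hours association.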

Control rogue APs

Rogue access points
are one of the biggest headaches in wireless network security. Often deployed
by employees informally for personal use, they exist beyond the perimeter of
your formal procedures and deployment protocols and therefore pose a huge
security risk, often representing as much as a third of your wireless network.

That’s a great deal
of vulnerability, and it tells us that rogue APs alone are justification for
implementing stringent network management procedures. With SNMP-based network
management software in place, the management software can rapidly identify any
rogue APs that employees have deployed (unless SNMP support in the device has
been disabled, which is beyond the knowledge of most employees).

Another way to
detect rogue APs is the way hackers do it: with a WLAN scanner. A laptop
with a wireless network card and WLAN-detection software such as NetStumbler,
AirMagnet, or Wave Runner can sniff out all your APs, rogue or otherwise, which
leads us to the next and final point of discussion.
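An added example, not from the original article, that automates the rogue-AP check described above in Python: it normalizes BSSIDs as reported by different scanners or SNMP agents (dashes, colons, mixed case), compares them against an assumed authorized inventory, and separates plain rogues from unknown radios advertising the corporate SSID, which deserve the fastest follow-up. The discovery data, inventory, and SSID names are constructed assumptions.

```python
import re

# Constructed discovery results, as a scanner or SNMP sweep might report them
# (sample data for this example, not output from any real tool or network).
DISCOVERED_APS = [
    {"bssid": "00-0C-41-10-20-01", "ssid": "CORP",       "channel": 1},
    {"bssid": "00:0c:41:10:20:02", "ssid": "CORP",       "channel": 6},
    {"bssid": "00:0c:41:10:20:03", "ssid": "corp-guest", "channel": 11},
    {"bssid": "00:40:96:de:ad:01", "ssid": "linksys",    "channel": 6},
    {"bssid": "00:40:96:de:ad:02", "ssid": "CORP",       "channel": 1},
    {"bssid": "00:40:96:de:ad:01", "ssid": "linksys",    "channel": 6},  # seen twice
]

# Hypothetical authorized inventory: BSSID -> SSID it is supposed to broadcast.
AUTHORIZED_APS = {
    "00:0c:41:10:20:01": "CORP",
    "00:0c:41:10:20:02": "CORP",
    "00:0c:41:10:20:03": "CORP",
}
CORPORATE_SSIDS = {"CORP"}

def normalize_mac(mac):
    """Canonical lowercase colon form; scanners and SNMP agents format MACs differently."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))

def classify_aps(discovered, authorized=AUTHORIZED_APS, corp_ssids=CORPORATE_SSIDS):
    """Map each distinct BSSID to authorized / misconfigured / evil-twin / rogue."""
    result = {}
    for ap in discovered:
        bssid = normalize_mac(ap["bssid"])
        if bssid in result:            # same AP reported again (e.g. a second scan pass)
            continue
        expected = authorized.get(bssid)
        if expected is None:
            # An unknown radio advertising our own SSID is the most dangerous case.
            result[bssid] = "evil-twin" if ap["ssid"] in corp_ssids else "rogue"
        elif ap["ssid"] != expected:
            result[bssid] = "misconfigured"
        else:
            result[bssid] = "authorized"
    return result

def rogue_report(discovered):
    """Return (bssid, verdict) pairs that need follow-up, most urgent first."""
    order = {"evil-twin": 0, "rogue": 1, "misconfigured": 2}
    flagged = [(b, v) for b, v in classify_aps(discovered).items() if v != "authorized"]
    return sorted(flagged, key=lambda bv: (order[bv[1]], bv[0]))
```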

Test your fences

The best way to
feel good about your company’s wireless perimeter security is to test it
yourself. Anyone with a laptop, a wireless network card, and NetStumbler can
cruise the streets around your headquarters and map your network. WLAN
intruders use these tools and various nefarious means of entry to get into the
network. (See the article “Top five don’ts in wireless network security”
for more information.)

Have some fun with
this project. Put your in-house people to work poking holes. Many are sure to
have laptops with wireless network cards, and they can easily obtain WLAN-detection
software. Make it a contest, offering some incentive for anyone who can
penetrate the wireless network and write a detailed report on how they did it.

And if it sounds
like such a “contest” is throwing the door open to anarchy, then you
have just the beginning of an idea of what the world of WLAN intruders is like:
You can bet that several dozen of them started sniffing at your borders from
the street outside as soon as your WLAN went up. The fences will be tested,
whether you’re out there among the testers or not. Doesn’t it make sense to go
with that reality and use it to make your fences stronger?

More WLAN management options

Since the security
and hardware challenges of your WLAN differ from your conventional components,
you may wish to look into some wireless-specific network management utilities.
Here are a few to consider: