Wireless networking technology has made it possible for companies to greatly extend the usability of computers by their workers—especially highly mobile employees such as those in the health care industry, on sales and manufacturing floors, and so forth. In fact, in the past this column has addressed how to implement a scalable wireless local area network (WLAN) that can be accessed by laptops, handheld computers, and computers that need to be placed in locations where it's difficult to run cable.
But the major obstacle to implementing wireless, particularly for organizations that deal with a lot of sensitive information or belong to regulated industries where laws such as HIPAA and the GLB Act mandate confidentiality of certain types of data, is the security question.
It's essential that you have a security strategy in place before deploying a WLAN, but the security measures that are adequate for a small company may not work so well in the enterprise. You need to develop your security plan with the unique needs of your organization in mind.
The wireless security problem
Because wireless transmissions travel over the open airwaves, they're even more vulnerable to interception or disruption than data on a wired network. And if your WLAN isn't properly protected, unauthorized "war drivers" or others within range may be able to:
- Steal your Internet bandwidth, getting free access while contributing to congestion that slows down your legitimate users
- Use your network as a launching point for attacks on others or illegal acts such as downloading or distributing pirated software and music or child pornography
- View, copy, change or delete files on the computers on both your wireless network and your wired network
- Infect your systems with viruses, Trojans, worms, spyware, and other malicious software
- Cause a denial of service by crashing workstations and/or servers on your network or overloading the network so that it can't be used by authorized users
Wireless security for small companies (and small budgets)
Small companies often have small budgets, which in many cases means no full-time IT staff and no money to hire a security consultant to set up your wireless LAN properly. The good news is that you don't have to spend big bucks to make your WLAN a lot more secure than it is "out of the box." Proper configuration is the key.
The goal of any security plan is to deter potential intruders or attackers by slowing them down, making it more difficult for them, and/or increasing the chances they'll get caught. By putting up perimeter fences, locking gates, letting a pit bull loose in the yard, installing deadbolts on the doors and windows, and putting in an alarm system at your home or business, you don't guarantee that a burglar won't get in—in fact, a determined professional almost certainly can circumvent all of these measures—but you do make it a lot of trouble. That means the casual intruder is more likely to pass your place by and move on to one that's easier.
In general, Internet hackers like to take the easier way just as much as old-fashioned thieves. So every obstacle that you place in an intruder's way makes it more likely he'll give up and move on to an easier-to-crack network. That's especially true when there are so many wireless networks out there operating without even minimal security in place.
Some security experts will tell you that oft-recommended measures such as changing the default SSID, turning off SSID broadcasting, and enabling MAC filtering are worthless, because there are ways around each. That's a bit like saying if your door only has a cheap lock that's easy to pick, you should just not bother locking it at all. By no means should these methods be depended on as your entire security strategy, but each one slows down intruders a little and makes it a little more difficult for them, so they should be part of your security strategy.
Other low- or no-cost security measures a small business can implement with a low-cost wireless access point (WAP) include:
- Using static IP addresses and turning off DHCP on the router or WAP so an unauthorized person can't easily get a valid IP address assigned
- Positioning the access point to minimize its range so that an intruder will have to go to the trouble of using a high gain antenna to pick up the signal
- Turning the WAP off if you don't need to use wireless for a while. Some small companies may need the wireless network only occasionally, such as when partners or traveling employees are at the office with their laptops
Of course, encryption is the best no-cost security measure you can take. Be sure to use Wi-Fi Protected Access (WPA) rather than Wired Equivalent Privacy (WEP) encryption, as the latter is much weaker and easier to defeat. You may need to upgrade your WAP and/or wireless NICs to use WPA, but it's worth the expense. You may also need to install the WPA client if you haven't kept your operating systems up to date, but installing the latest Windows XP service pack or switching to Windows Vista (both of which have many other security benefits) will get you the WPA support.
Wireless security for larger organizations
As your organization grows, it becomes more important that you restrict the use of wireless. It's essential to establish policies prohibiting rogue access points, and to monitor for them regularly. But good policies aren't enough; you'll also need to expend some funds to enforce those policies.
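One way to carry out the regular monitoring for rogue access points, as an added example that is not part of the original column: a Python script that compares a site-survey export against the inventory of sanctioned access points and flags unknown radios and encryption downgrades. The CSV columns, the inventory, the MAC addresses and the -70 dBm "on premises" threshold are constructed assumptions.

```python
import csv
import io

# Constructed inventory of sanctioned APs (assumed format): BSSID -> (SSID, encryption)
AUTHORIZED = {
    "00:11:22:33:44:01": ("CorpNet", "WPA"),
    "00:11:22:33:44:02": ("CorpNet", "WPA"),
}
CORPORATE_SSIDS = {ssid for ssid, _ in AUTHORIZED.values()}
WEAK_ENCRYPTION = {"OPEN", "WEP"}

# Constructed site-survey export (assumed columns): bssid,ssid,encryption,signal_dbm
SAMPLE_SURVEY = """bssid,ssid,encryption,signal_dbm
00:11:22:33:44:01,CorpNet,WPA,-48
00:11:22:33:44:02,CorpNet,WEP,-55
66:77:88:99:AA:01,CorpNet,OPEN,-60
66:77:88:99:AA:02,linksys,OPEN,-42
66:77:88:99:AA:03,CoffeeShop,WPA,-88
"""

def audit_survey(survey_csv, near_dbm=-70):
    """Return sorted (bssid, finding) pairs for APs that violate the wireless policy."""
    findings = []
    for row in csv.DictReader(io.StringIO(survey_csv)):
        bssid = row["bssid"].strip().upper()
        ssid = row["ssid"].strip()
        enc = row["encryption"].strip().upper()
        signal = int(row["signal_dbm"])
        if bssid in AUTHORIZED:
            want_ssid, want_enc = AUTHORIZED[bssid]
            if ssid != want_ssid:
                findings.append((bssid, "authorized AP advertising unexpected SSID"))
            if enc != want_enc:
                findings.append((bssid, f"authorized AP downgraded to {enc}"))
        elif ssid in CORPORATE_SSIDS:
            # Unknown radio using the company SSID: the highest-priority finding
            findings.append((bssid, "unknown AP advertising corporate SSID"))
        elif signal >= near_dbm:
            # A strong signal suggests the device is on the premises, not a neighbour's
            detail = "weak or no encryption" if enc in WEAK_ENCRYPTION else enc
            findings.append((bssid, f"unknown AP on premises ({detail})"))
    return sorted(findings)

if __name__ == "__main__":
    for bssid, finding in audit_survey(SAMPLE_SURVEY):
        print(f"{bssid}  {finding}")
```

Weak neighbouring networks fall below the signal threshold and are ignored, which keeps the report limited to devices that are likely inside the building.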
Isolate your WLAN(s) with firewalls; consider placing wireless connections in a DMZ or perimeter network so if the wireless clients are compromised, intruders can't attack the wired network. Require users on the WLAN to use a VPN if they want to connect to the wired network.
Use IDS and response sensors to monitor all traffic on the wireless network. Use network access protection to manage the wireless clients and ensure that they are properly configured before they're allowed on the network.
Do penetration testing of your wireless network to identify security threats and address them.
Wireless networking can make it easier for you to do business, but it can also make it easier for intruders to do their own dirty business. It's important to create a wireless security strategy that addresses the needs of your organization, and as the company and the budget grow, to fund the addition of more sophisticated security mechanisms.
Debra Littlejohn Shinder, MCSE, MVP is a technology consultant, trainer, and writer who has authored a number of books on computer operating systems, networking, and security. Deb is a tech editor, developmental editor, and contributor to over 20 additional books on subjects such as the Windows 2000 and Windows 2003 MCSE exams, CompTIA Security+ exam, and TruSecure's ICSA certification.