Is network security at risk with wireless access points?

By CompHelpNJ
I want to install wireless 802.11g access points in our warehouse to upgrade the RF scanning equipment. Management has expressed concerns that this wireless equipment could be a dangerous weak link in our network security. As long as the access points are properly configured, is this truly a legitimate concern? If so, what can be done to calm the fears of management?

Very valid concern

by jmgarvin In reply to Is network security at ri ...

The problem with wireless is that it allows man-in-the-middle and insertion attacks quite easily.

Now with the advent of WPA (which is a build off WEP and has carried over some of the same flaws) and cool ways to authenticate, wireless is MORE secure, but it just isn't secure at all.

Wireless is like an Internet connection

by stress junkie In reply to Is network security at ri ...

Unfortunately wireless LANs are here to stay. I would say that you should avoid wireless LANs whenever possible. Any wired LAN solution is more secure than a wireless LAN. Here's why.

The range of the wireless LAN is difficult or impossible to control. You cannot reach all parts of a building with the wireless signal and still keep the wireless LAN inside the building. The wireless equipment will send and receive through most walls. Therefore having a wireless LAN is like putting a wired network connection outside your building that anyone can connect to.

As jmgarvin pointed out the encryption used by wireless access points is easy to decrypt. The new encryption is better than the older encryption but it is still not secure. This means that anyone with a notebook computer could sit in the parking lot of your building and record the encrypted packets. Then they can take that recorded network traffic home and spend whatever amount of time is required to crack the encryption. They end up with the data that was transmitted over your wireless LAN.

You should think of a wireless LAN in the same way that you think of the Internet. Here is how I would recommend setting up a wireless LAN.

First, make sure that you change the name of the service being offered by the wireless access point.

Second, make sure that the wireless access point does not broadcast the name of the service that it offers.

Third, use the best encryption available with the equipment that you purchase.

Fourth, make sure that your wireless access point will not provide DHCP addresses to any machine that requests it. Configure the wireless access point to only provide DHCP addresses to MAC addresses that you know belong to the business.

Fifth, create a firewall between your wireless access point and your wired LAN. This step is just like putting a firewall between your local LAN and your Internet gateway. Same principle. Same methods.

Sixth, create a VPN between the approved notebook computers and your wireless LAN firewall. Again, this should work just like a VPN that you have between your local wired LAN and your Internet accessed machines such as people who work from home or from hotel rooms. Same thing.

That is probably a minimum configuration to provide the illusion of security.

One point about your post. You said that if security is a legitimate concern how can you calm the fears of management. I would say that since security is a valid concern I would not try to calm management's fears. They are correct in being concerned. I'll repeat myself here by saying that I would avoid using wireless networking if it is at all possible.

Excellent advice.

by sleepin'dawg In reply to Wireless is like an Inter ...

You might consider that if there is the slightest possibility that it can be done, then rest assured someone is going to try, especially if there is the remotest possibility of reward, financial or otherwise. Think about risk/reward ratios. The added security of hard-wired connections should not be overlooked even though the running of wire is not always the most convenient. Remember this: if the system becomes compromised, it will be your neck on the block.

Dawg ]:)

Almost every warehouse uses wireless

by CompHelpNJ In reply to Excellent advice.

Nearly every warehouse that uses RF technology is using wireless RF technology. Is this just accepted as a "standard" risk of doing business in a warehouse if wireless technology is considered so insecure?

Why so popular? It may be due to ignorance.

by stress junkie In reply to Almost every warehouse us ...

It's my opinion that there are a lot of incompetent technical support people. Even in cases where the technical support people are knowledgeable and highly skilled I find that managers override "best practices" and other good ideas.

jmgarvin and I already explained why wireless is bad. It's not like we made unsubstantiated accusations. Either you understand or you don't.

Wireless security has come a long way...

by goliath In reply to Wireless is like an Inter ...

I would have to agree with many of the points stress junkie makes except for the general comment to avoid using WLAN. WLAN services will eventually trump wired services, just do your research appropriately and of course if you want it secure, you can get it - you just have to pay for it.

If you put the proper effort into systems and training, the wireless network can be MORE secure than your wired LAN. I say that because if your firewalls and access security systems to your wired network are not locked down and patched regularly then there are potentials for hacks from the internet.

When considering a WLAN really plan a few things:
-Spend time with the Wireless site survey
Enterprise wireless solutions have the ability to vary the power output to ensure you get the appropriate coverage in all areas, add/subtract APs in areas to fine tune coverage, withhold certain rates that are supported and determine where the "slop" occurs so that you can determine the risk associated.

Remember newer is better - inventory the devices you want to support and make sure they support your security policies you have planned for. Latest hardware and wireless cards will support the latest encryption algorithms and security measures.

Use 802.11i (WPA2) for security which uses 802.1x for Authentication which uses AES for key management. For authentication you should use x509 certificates such as Radius, 802.1x or EAP-TLS - it does require work but is more secure than standard username and password management authentication which you have to factor in social engineering risks.

You should also concern yourself and have plans or technology to combat threats such as rogue APs, ad hoc connections, unauthorized client associations, misconfigured APs, MAC spoofing, Honeypot APs, DOS attacks and flood attacks. Some vendor products have rogue AP detection - some better than others.

All of the above threats can be common in wired networks as well. In fact if you have installed a wireless network you will typically have the ability to detect these threats (especially rogue APs) within your network/building. However, administrators of pure wired networks seldom have deployed measures to mitigate these threats or detect rogue wireless APs that are walked into their network - a huge risk to their private information and security of their network.
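An added example, not part of goliath's post or of any vendor product: a sketch of the detection logic behind the threat list above, classifying scan results as misconfigured, spoofed, rogue, honeypot or ad hoc. The AP inventory, the wired MAC list, the static channel plan and every name and address are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed inventory from the site survey: BSSID -> (SSID, security, channel).
AUTHORIZED = {
    "00:11:22:33:44:01": ("WH-SCAN", "WPA2-Enterprise", 1),
    "00:11:22:33:44:02": ("WH-SCAN", "WPA2-Enterprise", 6),
}
# Constructed: MACs learned on wired switch ports (e.g. a MAC-table export).
WIRED_MACS = {"00:11:22:33:44:01", "00:11:22:33:44:02", "02:aa:bb:cc:dd:10"}

@dataclass(frozen=True)
class Beacon:
    bssid: str
    ssid: str
    security: str
    channel: int
    mode: str = "infrastructure"  # or "adhoc"

def classify(b: Beacon) -> str:
    bssid = b.bssid.lower()
    corp_ssids = {ssid for ssid, _, _ in AUTHORIZED.values()}
    if bssid in AUTHORIZED:
        ssid, security, channel = AUTHORIZED[bssid]
        if (b.ssid, b.security) != (ssid, security):
            return "misconfigured-ap"
        # Assumes a static channel plan; a known BSSID elsewhere suggests a clone.
        return "ok" if b.channel == channel else "possible-mac-spoof"
    if b.mode == "adhoc":
        return "adhoc-network"
    if b.ssid in corp_ssids:
        return "honeypot-ap"      # our SSID announced by a radio we do not own
    if bssid in WIRED_MACS:
        return "rogue-ap"         # unknown radio that is also on our wired LAN
    return "neighbor"             # someone else's network bleeding into the site

# Everything that needs follow-up, as (bssid, ssid, finding) tuples.
def audit(scan):
    found = [(b.bssid.lower(), b.ssid, classify(b)) for b in scan]
    return [f for f in found if f[2] not in ("ok", "neighbor")]

# Constructed scan results, as a sensor or laptop survey might report them.
SCAN = [
    Beacon("00:11:22:33:44:01", "WH-SCAN", "WPA2-Enterprise", 1),
    Beacon("00:11:22:33:44:02", "WH-SCAN", "WEP", 6),
    Beacon("00:11:22:33:44:01", "WH-SCAN", "WPA2-Enterprise", 11),
    Beacon("02:AA:BB:CC:DD:10", "linksys", "Open", 6),
    Beacon("02:aa:bb:cc:dd:99", "WH-SCAN", "Open", 1),
    Beacon("02:aa:bb:cc:dd:77", "forklift-laptop", "Open", 11, mode="adhoc"),
    Beacon("02:aa:bb:cc:dd:55", "CoffeeShop", "WPA2-Personal", 3),
]
```

Calling `audit(SCAN)` returns five findings. Matching a BSSID against wired MACs is a simplification, since an AP's wired and radio addresses often differ.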

Wireless Network Security

by sharon In reply to Is network security at ri ...

I am not a technical person but I provide wireless network security solutions for my clients in the SE. There are two (2) players out there that I see quite often...Network Chemistry and AirDefense. AirDefense has been around longer than Network Chemistry but when demonstrating the security features of both I have found that Network Chemistry has more to offer. Especially with regard to picking up European rogue devices that have found their way into the corporate environment. The reporting functionality (for management especially) that comes out of the box with Network Chemistry seems to be more robust, as well. Check them out and feel free to contact me if you would like more information and/or client references.
