Wireless security: Placing it to work (Part 2)
Managing access
The idea of managing wireless access points wirelessly is attractive, but this facility should never be enabled. Management should be by cable, to avoid handing control over routers or switches to a successful attacker.
The typical figure given for 802.11b/g range is 100 meters (around 60 meters for 802.11a), but in practice this range varies enormously and attackers may well track signals from a mile or more.
Access points should be sited towards the centre of buildings, away from windows, and where appropriate should use focusing antennae rather than omnidirectional ones. In particularly critical situations RF shielding could be used.
“Something which particularly concerns me is the threat from user-installed equipment: buying something from a local computer store, plugging it into the network and making you completely insecure”, says Grey.
“We’ve addressed that in terms of policy by saying that you cannot connect anything not approved by GNER but we also check for rogue access points as part of our regular audits.”
Many wireless gateways already have status screens showing identified connections, and others provide additional tools, but Carrier would like to see this become more general, saying: “It would be good if vendors integrated such facilities.”
A number of programs can find wireless access points within range, and the results can be mapped against what is known to be authorized. Periodic physical checks of network points are also desirable.
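The mapping step described above, as an added example that is not from the original article: a Python sketch that compares a site-survey export against the inventory of authorized access points. The CSV column layout, the MAC addresses, the SSIDs and the -70 dBm "nearby" threshold are all constructed assumptions; adapt them to whatever your survey tool exports.

```python
import csv
import io

# Authorised inventory (constructed sample): BSSID -> (SSID, channel)
AUTHORISED = {
    "00:11:22:33:44:01": ("CORP-WLAN", 1),
    "00:11:22:33:44:02": ("CORP-WLAN", 6),
    "00:11:22:33:44:03": ("CORP-GUEST", 11),
}

# Constructed survey export; the column names are an assumption.
SURVEY_CSV = """bssid,ssid,channel,signal_dbm
00:11:22:33:44:01,CORP-WLAN,1,-48
00-11-22-33-44-02,CORP-WLAN,6,-55
02:AA:BB:CC:DD:10,CORP-WLAN,6,-40
02:AA:BB:CC:DD:20,linksys,11,-35
02:AA:BB:CC:DD:30,CoffeeShop,3,-88
00:11:22:33:44:03,CORP-GUEST,4,-60
"""

def normalise(bssid):
    """Tools print MACs differently; compare lower-case, colon-separated."""
    return bssid.strip().lower().replace("-", ":")

def audit(survey_text, authorised, near_dbm=-70):
    """Return (bssid, ssid, finding) for every AP that is not a clean match."""
    known = {normalise(b): v for b, v in authorised.items()}
    corp_ssids = {ssid for ssid, _ in known.values()}
    findings = []
    for row in csv.DictReader(io.StringIO(survey_text)):
        bssid = normalise(row["bssid"])
        ssid, channel = row["ssid"], int(row["channel"])
        if bssid in known:
            # Approved hardware, but not configured as the inventory says.
            if (ssid, channel) != known[bssid]:
                findings.append((bssid, ssid, "config-drift"))
        elif ssid in corp_ssids:
            # Unknown radio advertising a corporate network name.
            findings.append((bssid, ssid, "impersonates-corporate-ssid"))
        elif int(row["signal_dbm"]) >= near_dbm:
            # Strong signal: likely on the premises, so go and look for it.
            findings.append((bssid, ssid, "unknown-ap-on-premises"))
        else:
            findings.append((bssid, ssid, "neighbour-weak-signal"))
    return findings

if __name__ == "__main__":
    for finding in audit(SURVEY_CSV, AUTHORISED):
        print(*finding, sep="  ")
```

Signal strength is only a rough proxy for location, so the "on-premises" findings are candidates for the physical check rather than proof of a rogue device.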
Hidden Threats
And remember that even the company which resists wireless may be at risk. An Intel laptop with Windows Vista will by default connect to any wireless network it can find, perhaps across the street.
And if the user has authenticated LAN access but no restriction on wireless connectivity, then the network is immediately opened. This will allow data to flow out unhindered and, equally, allow malware to flow in, both unnoticed by any perimeter defenses.
For users working remotely, additional considerations apply. Public hotspots are necessarily unsecured and are used by a wide range of unknown computers, so it is essential that laptops and the like use properly hardened operating systems and configurations and deploy personal firewalls and up-to-date anti-virus protection.
Insecure remote wireless devices can easily allow attackers access through to secure and trusted paths.
It may sound obvious, but companies should ensure they are connected to a legitimate access point rather than what has come up automatically nearby.
TNT’s IT manager, Jim Flood, explains that although TNT uses remote working sparingly at the management level, “I could plug in my laptop after it’s gone through a security check and the local IT people are happy with it.”
McDonald’s, with 100 per cent of corporate sites wireless enabled, is well ahead in using wi-fi but is still careful about allowing home workers access. “It’s an opportunity for us but not something that we’ve yet fully investigated”, says Griffin.
“GNER’s not a big adopter”, says Grey, “and we’re still assessing the business benefits, the risks, the costs. But it’s the same approach we take for any new piece of technology and we’re not treating wireless LANs any differently. Provided the benefits outweigh the risks you do it.”
Key advantage
“The key corporate benefit for McDonald’s”, explains Griffin, “is greater productivity and less support time. Users aren’t tied to their desks, and it facilitates collaborative working.”
And although TNT’s Carrier is aware of the security issues, he takes a pragmatic approach.
“Wireless goes hand in hand with security,” he says. “It’s about following best practice and suitable guidelines, about managing the risks and ensuring that you have control over the technology.”