It may sound strange, but it is true that several organisations that have adopted wireless networking are open to severe security breaches. Mostly the reason is that organisations simply plug in the access points and go live without bothering to change the default factory settings. Wireless local area networks are open to risk not because the systems are incapable but due to incorrect usage. The biggest problem lies with inadequate security standards and with poorly configured devices. For a start, most of the wireless base stations sold by suppliers come with the in-built security protocol, Wired Equivalent Privacy (WEP), turned off. This means that unless you manually reconfigure your wireless access points, your networks will be broadcasting data that is unencrypted.

In the old world of wired local area networks, the architecture provides some inherent security. Typically there is a network server and multiple devices with an Ethernet protocol adapter that connect to each other physically via a LAN backbone. If you are not physically connected, you have no access to the LAN.

Compare it with the new wireless LAN architecture. The LAN backbone of the wired world is replaced with radio access points. The Ethernet adapters in devices are replaced with a radio card. There are no physical connections - anyone with a radio capable of sniffing can connect to the network.

What can go wrong?

Unlike the wired network, the intruder does not need physical access in order to pose the following security threats:

Eavesdropping. This involves attacks against the confidentiality of the data that is being transmitted across the network. In the wireless network, eavesdropping is the most significant threat because the attacker can intercept the transmission over the air from a distance away from the premises of the company.

Tampering. The attacker can modify the content of the intercepted packets from the wireless network, and this results in a loss of data integrity.

Unauthorized access. The attacker could gain access to privileged data and resources in the network by assuming the identity of a valid user. This kind of attack is known as spoofing. To overcome this attack, proper authentication and access control mechanisms need to be put in place in the wireless network.

Denial of Service. In this attack, the intruder floods the network with either valid or invalid messages, affecting the availability of the network resources.

How to protect?

There are 3 types of security options - basic, active and hardened. Depending upon your organisation's needs, you can adopt any of the above.

Basic

You can achieve basic security by implementing Wired Equivalent Standard 128 or WEP 128. The IEEE 802.11 task group has established this standard. WEP specifies generation of encryption keys. The information source and the information target use these keys to prevent any eavesdroppers (who do not have these keys) from getting access to the data.

Network access control is implemented by using a Service Set Identifier (SSID - a 32 character unique identifier) associated with an access point or a group of access points. The SSID acts as a password for network access.

An additional type of security is the Access Control List (ACL). Each wireless device has a unique identifier called the Media Access Control (MAC) address. A MAC list can be maintained at an access point or at a server for all access points. Only those devices that have their MAC address specified are allowed access to the network.

The above implementations are open to attack. Even when you do turn on WEP, there are still problems inherent within it. The problem lies in the protocol's encryption key mechanism, which is implemented in such a way that the key can be recovered by analysing the data flow across the network over a period of time. This has been estimated at between 15 minutes and several days. The SSID, attached to the header of packets sent over a wireless LAN, is sent as unencrypted text and is vulnerable to being sniffed by third parties. Unfortunately most supplier equipment is configured to broadcast the SSID automatically, essentially giving new devices a ticket to join the network. While this is useful for public wireless networks in places such as airports and retail establishments - in the US for example, Starbucks is offering 802.11b access in some of its stores - it represents another security loophole for corporates that do not switch it off. Finally, any MAC address can be changed to another (spoofed), so the use of an ACL is not foolproof either.

Active

To implement an Active type of security, you need to implement the IEEE 802.1x security standard. This covers two areas - network access restriction through mutual authentication and data integration through WEP key rotation. Mutual authentication between the client station and the access points helps ensure that clients are communicating with known networks, and dynamic key rotation reduces exposure to key attacks.

Due to weaknesses in WEP, some standard alternatives to WEP have emerged. Most of the Wi-Fi manufacturers have agreed to use a temporary standard for enhanced security called Wi-Fi Protected Access (WPA).

In WPA, the encryption key is changed after every frame using Temporary Key Integrity Protocol (TKIP). This protocol allows key changes to occur on a frame-by-frame basis and to be automatically synchronized between the access point and the wireless client. TKIP is really the heart and soul of WPA security. TKIP replaces WEP encryption. And although WEP is optional in standard Wi-Fi, TKIP is required in WPA. The TKIP encryption algorithm is stronger than the one used by WEP but works by using the same hardware-based calculation mechanisms WEP uses.

Hardened

There are organisations, like banks, which have very stringent security requirements. They need to implement the hardened type of security systems. These are solutions certified in accordance with the Federal Information Protection Standard (FIPS 1.40). Products in this category offer point-to-point security for wireless information communication and include offerings such as AirFortress and IPSec Virtual Private Networks (VPNs). A VPN will increase the cost of your network, but you can base your decision on whether to implement it by using the same course of action that you should be taking with all other parts of your infrastructure. Map the risks against the business data that you will be passing over radio, and assess the financial impact of a breach. If the data is too critical, reassess what should be passed over the network, or use a VPN to enhance your protection.

Summary

The vendors are working towards implementing newer standards, and this year we should see products implementing IEEE 802.11i that will further the authentication and encryption gains implemented by WPA. Most notably, it will add a ground-up encryption standard known as Advanced Encryption Standard (AES) as well as various other enhancements.

Newer standards apart, organisations must understand that achieving wireless security is essential, and the good part is that it is easy. An organisation must define its security needs and use the features available in the systems accordingly. Choose a good vendor who can help you implement your requirements through standards-based solutions. A good implementation must be supported by a security policy which is well understood by everyone in the organisation. Make your employees aware that they all are responsible for security and share the cost of security breaches. Assign authority and ownership to a few employees for the various parts in the security policy and make periodic reviews of their performance. Most important is to monitor your systems for any possible breaches and adapt if necessary. Never sleep well.
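The configuration weaknesses and the basic / active / hardened options described in this article can be checked mechanically against an access point inventory. The following is an added example, not part of the original article; the field names, the factory SSID list and the sample inventory are constructed assumptions rather than any vendor's schema.

```python
from dataclasses import dataclass

# Constructed placeholder values, not a real vendor default list.
FACTORY_SSIDS = {"default", "wireless", "wlan"}

@dataclass
class AccessPoint:             # field names are assumptions, not a vendor schema
    name: str
    ssid: str
    encryption: str            # "none", "wep128" or "wpa-tkip"
    ssid_broadcast: bool
    mac_acl: bool = False
    dot1x: bool = False        # IEEE 802.1x mutual authentication + key rotation
    vpn_overlay: bool = False  # e.g. an IPSec VPN carried over the radio link
    public_hotspot: bool = False

def tier(ap):
    """Map an AP onto the article's basic / active / hardened options."""
    if ap.vpn_overlay:
        return "hardened"
    if ap.dot1x or ap.encryption == "wpa-tkip":
        return "active"
    return "basic" if ap.encryption == "wep128" else "unprotected"

def findings(ap):
    """Return the weaknesses named in the article that apply to this AP."""
    out = []
    if ap.encryption == "none" and not ap.vpn_overlay:
        out.append("encryption off: data is broadcast unencrypted")
    if ap.encryption == "wep128" and not ap.dot1x:
        out.append("static WEP key: recoverable by analysing traffic over time")
    if ap.ssid_broadcast and not ap.public_hotspot:
        out.append("SSID broadcast enabled on a non-public network")
    if ap.ssid.lower() in FACTORY_SSIDS:
        out.append("factory-default SSID still in use")
    if ap.mac_acl and not ap.dot1x:
        out.append("MAC ACL without 802.1x: MAC addresses can be spoofed")
    return out

def audit(inventory):
    """Return {ap name: (tier, list of findings)} for the whole inventory."""
    return {ap.name: (tier(ap), findings(ap)) for ap in inventory}

# Constructed sample inventory.
INVENTORY = [
    AccessPoint("lobby-ap", "default", "none", ssid_broadcast=True),
    AccessPoint("floor2-ap", "corp-f2", "wep128", ssid_broadcast=False, mac_acl=True),
    AccessPoint("hq-ap", "corp-hq", "wpa-tkip", ssid_broadcast=False, dot1x=True),
]

if __name__ == "__main__":
    for name, (level, issues) in audit(INVENTORY).items():
        print(f"{name}: {level}", *issues, sep="\n  - ")
```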