There has been considerable reporting and interest around the topic of wireless networks and the need to secure them. While there is reason to be concerned, it is also important to keep things in perspective. Of course, there have been some spectacular breaches of wireless networks. In every case, the root cause was demonstrated to be incomplete or inadequate wireless security implementations.
Consider this: wired networks and the Internet have been around for more than twenty years, and every day we learn more about securing them. Wireless networks have been mainstream for about five to seven years, and we know a lot more about how to secure them. In fact, there has probably been more effort placed towards securing wireless in the last few years than wired.
One factor that has led to such rapid advances in wireless network security is the openness with which the Wi-Fi community has approached the challenges. With each vulnerability identified, Wi-Fi standards forums and equipment providers quickly responded with improvements to close the holes. For example, when Wired Equivalent Privacy (WEP) was proven to be easily cracked, solutions evolved including Wi-Fi Protected Access (WPA), first released as early "patches" and later standardized by 802.11i. In fact, hacking wireless networks, or at least understanding how it may be done, is almost encouraged by the Wi-Fi community as a kind of continual self-improvement plan.
One thing that is widely overlooked when discussing wireless network security is the need for proximity. Corporate networks are regularly connected to the Internet: an always-on source of security attacks...from anywhere on the planet...at any time...by anyone. The anonymity that the Internet provides offers an incredible Petri dish of potential launch points for attacks on corporate networks, and the nature of the Internet allows for attacks to be orchestrated from thousands of miles away. In contrast, wireless networks can only be hacked from within their direct proximity. A bank's Wi-Fi network in Kansas is not going to be hacked from Kenya, period.
So why do there continue to be reports of wireless network security breaches? Quite simply, the hacks occur on networks that have not implemented the already known best security practices. For example, a very large U.S. retailer recently had a breach of its network at its retail locations that resulted in the theft of several million credit card numbers and information. The root cause? The in-store Wi-Fi networks were secured only with WEP, a practice known to be vulnerable since 2001.
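An access point announces its protection mode in every beacon, so a WEP-only network like the one in the retailer example can be found in a routine survey of your own sites. The following is an added example, not part of the original article: it classifies beacon frame bodies from the capability privacy bit and the RSN (802.11i) and WPA elements. The function names, SSIDs and sample beacons are constructed for illustration.

```python
import struct

WPA_OUI_TYPE = bytes.fromhex("0050f201")  # vendor IE prefix that marks a WPA element

def parse_ies(data):
    """Yield (tag, value) pairs from a beacon's tagged parameters."""
    i = 0
    while i + 2 <= len(data):
        tag, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) < length:  # truncated element, stop parsing
            return
        yield tag, value
        i += 2 + length

def classify(body):
    """Return (ssid, mode) for a beacon frame body (fixed fields + elements)."""
    if len(body) < 12:
        raise ValueError("beacon body shorter than its 12 fixed bytes")
    (capability,) = struct.unpack_from("<H", body, 10)  # after timestamp + interval
    ssid, rsn, wpa = "", False, False
    for tag, value in parse_ies(body[12:]):
        if tag == 0:  # SSID element
            ssid = value.decode("utf-8", "replace")
        elif tag == 48:  # RSN element, introduced by 802.11i
            rsn = True
        elif tag == 221 and value.startswith(WPA_OUI_TYPE):
            wpa = True
    if rsn or wpa:
        return ssid, "RSN" if rsn else "WPA"
    # Privacy bit set with no WPA/RSN element means WEP is the only protection.
    return ssid, "WEP" if capability & 0x0010 else "open"

def audit(bodies):
    """List SSIDs whose beacons advertise WEP or no encryption."""
    return [s for s, mode in map(classify, bodies) if mode in ("WEP", "open")]

def make_beacon(ssid, capability, extra=b""):
    """Build a constructed beacon body for the demo (not captured traffic)."""
    fixed = bytes(8) + struct.pack("<HH", 100, capability)
    return fixed + bytes([0, len(ssid)]) + ssid.encode() + extra

# Constructed sample data: SSIDs and element bodies are made up for illustration.
RSN_IE = bytes([48, 2]) + b"\x01\x00"
WPA_IE = bytes([221, 6]) + WPA_OUI_TYPE + b"\x01\x00"
SAMPLES = [make_beacon("corp", 0x0011, RSN_IE), make_beacon("store-pos", 0x0011),
           make_beacon("legacy", 0x0011, WPA_IE), make_beacon("guest", 0x0001)]
print(audit(SAMPLES))  # ['store-pos', 'guest']
```

The "RSN" result only means an RSN element is present; it does not check which cipher or key management suites the element lists.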
So, how do we prevent security breaches from occurring on wireless networks? It is helpful to look at wireless security from three perspectives or three vulnerability points: the client accessing the network (such as a laptop), the wireless access (essentially the over-the-air radio waves), and the wireless network itself. Following the best practices in each of these "layers" of the wireless network is essential for implementing comprehensive security measures. We will look at all three in the following sections.
An essential step in wireless security is locking down the client device used to access the wireless network. If a laptop or other endpoint is compromised, then the device can be used to gain entry into the network, regardless of other wireless security measures that may be in place. By the way, this is true whether a client is used to access the network over wireless or wired. Mobile clients, like laptops, are inherently used in some unfriendly places outside the corporate network, and can become infected with malicious software.
One way hackers have gained access to corporate wireless networks is to hack the laptop of an employee while they are sitting in an airport or coffee shop. There are a couple of well-known attacks that can be launched at a wireless NIC, which can result in learning the corporate wireless security key.
Whether accessing a wired or wireless network, it is a best practice to implement host-based security on clients, including anti-virus and host intrusion protection such as Cisco Security Agent (CSA). With CSA, attempts to install software or execute harmful calls in the operating system can be intercepted and prevented.
Another important measure is to ensure that clients accessing the network are "healthy," meaning that they have not been compromised, have the correct anti-virus software running, and are otherwise compliant with the company's security policy. Enforcement of all these measures can be difficult, but with the Cisco Clean Access (CCA) solution, the wireless network can challenge endpoints to prove compliance and "health" before being permitted on the network.
Tune in this week for parts 2 and 3...