Debunking wireless security-isms

What's a threat and what's not?

Industry analysis by expert Joanie Wexler, plus links to the day's wireless news headlines

This week's RSA 2010 security conference is a reminder that tackling the many dimensions of information security can feel like a never-ending game of Whac-a-Mole. One ongoing debate is about whether completely nailing security in the wired network eliminates the need to scan the Wi-Fi networks that attach to it for unauthorized activity.

Top 10 RSA Conference security innovators

Over the years, I've heard a number of comments to this effect. I'll address three briefly here:

To continue reading, register here and become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

This week's RSA 2010 security conference is a reminder that tackling the many dimensions of information security can feel like a never-ending game of Whac-a-Mole. One ongoing debate is about whether completely nailing security in the wired network eliminates the need to scan the Wi-Fi networks that attach to it for unauthorized activity.

Top 10 RSA Conference security innovators

Over the years, I've heard a number of comments to this effect. I'll address three briefly here:

1. "If my wired network is battened down tight, wireless intruders can't get into it."

It might seem logical that wired security done right should be enough to protect your wired data center resources. However, there are some holes in this philosophy.

First, it is fairly simple for a hacker to lure your Wi-Fi users to associate with his own unauthorized AP, scrape that user's credentials and log into your wired network later without ever first touching that wired network.

Second, most laptops and smartphones have Wi-Fi connections and hard disk storage. Confidential information is transmitted to and from these devices and is stored in them. So there are data in the Wi-Fi airspace and in Wi-Fi devices -- not on your wired network at all -- also beckoning to intruders.

Finally, addressing only wired network security doesn't account for threats from internal employees and contractors. The easiest way to bypass traditional wired firewalls, AAA servers and security gateways is to connect to a neighboring Wi-Fi hotspot and send unauthorized information via that connection.

2. "Not that many people are likely to bring their own Wi-Fi access points to work to cause a risk."

This seems like wishful thinking. The increasing consumerization of IT implies the contrary. Users -- particularly the younger users accustomed to using IT in everyday life since babyhood -- will do what it takes to make their work lives simpler. You can have a "no wireless" policy in your organization, but anyone can plug a low-end AP into the Ethernet jack at his/her desk and, voila! You won't know about the connection unless you scan the airwaves and find the AP.

3. "The concept of 'rogue' Wi-Fi devices has been dreamed up by the Wi-Fi security companies just to get us to buy products we don't need."

Methinks thou doth protest too much with this one. It's true that now, as always, every organization must balance its security investments and efforts with the potential costs, hard and soft, of a data breach. But unauthorized devices that become connected to your wired network or information in your wireless network are, indeed, rogues (risks, "bad seeds," dangers, whatever you want to call them) that probably shouldn't fall under the "it couldn't happen to me" category.

Feel like debating these issues further? Continue the discussion with several wireless security experts and me here. 

Read more about wireless & mobile in Network World's Wireless & Mobile section.

Joanie Wexler is an independent networking technology writer/editor in Silicon Valley.