Going Wireless Without Broadcasting Your Secrets
February 2003
Unsecured wireless networks expose an organisation's internal networks and data to anyone from bandwidth freeloaders looking for free, high-speed internet access, to potentially malicious hackers.Each week vnunet.com asks a different expert from the antivirus world to give their views on recent virus and security issues, with advice, warnings and information on the latest threats. This week Richard Kinsella, solutions marketing manager at Baltimore Technologies, warns of the inherent security dangers in wireless LANs.
Wireless local area networks (LANs), thanks to their low cost and ease of deployment, are one of the fastest growing networking technologies around.
The technology offers the ability to save money by extending networks without costly rewiring, and allowing employees to move around a building without being bound by the wires traditionally associated with Ethernet networks.
But organisations are rapidly deploying wireless LANs without taking the associated security risks into consideration.
The convenience of a wireless LAN set-up is also its biggest security weakness. Most commercial products are being shipped without the default security features enabled.
And Wired Equivalent Privacy (WEP), the default security protocol shipped with wireless LAN products, has been proven to be vulnerable to simple attacks.
A recent survey in a City of London street showed that, of the 128 wireless LANs detected, 67 per cent used no encryption at all.
Unsecured wireless networks expose an organisation's internal networks and data to anyone from bandwidth freeloaders looking for free, high-speed internet access, to potentially malicious hackers.
And while any unauthorised use of valuable bandwidth is not to be condoned, the most worrying abuse is that of hackers who can use a wireless LAN to attack a company's own, or a third-party's, networks.
An unsecured network grants easy access to valuable corporate information such as financial data, details of confidential business plans, customer data, board minutes and more.
On top of this, hackers could launch attacks from the business network, potentially leaving the host company liable for any damage caused. This would put their reputation at risk and leave a company wide open to litigation.
So how can organisations secure their wireless LANs? Although WEP is insecure, it is still better than nothing and should be enabled.
Additionally any default factory security settings should be changed to ensure that they are not common across any equipment.
But these are only precautionary measures and do not address the most critical issue for network administrators: people, systems and processes can be strongly authenticated, and communications, data and transactions can be secured.
Virtual private networks (VPNs), built using public key cryptography, secure data over insecure networks such as the internet or a wireless LAN while ensuring that network elements can be positively identified.
Through the use of integrity and encryption services, it is possible to guarantee the security of systems and information by ensuring that data is not viewed, manipulated, or redirected while it is in transit.
VPNs which use passwords for authentication require significant help-desk support, are easily compromised and do not scale easily.
Maintaining shared secrets for more than a few VPN devices will become increasingly difficult to manage, as shared secrets are typically distributed manually.
Digital certificates provide VPNs with good security in addition to providing the most cost effective means to scale.
A simple and trustworthy mechanism to deploy and manage digital certificates for its employees and authorised network users, will help an organisation overcome the security problems associated with remote access and wireless LAN deployment through a single, centrally managed solution.
Source...
