This article can also be found in the Premium Editorial Download "Information Security magazine: Security Products Readers' Choice Awards 2007."
In the trenches
Policy, education combat rogue APs
A comprehensive wireless policy is likely to sway users from installing unauthorized access points, experts say.
Few environments lend themselves to objectionable over-the-air activity like a sprawling college campus. At the University of New Hampshire's campus in Durham, striking a balance between security and usability for the faculty and staff who use its WiFi network each day, especially at peak times, is a difficult proposition.
Doug Green, network manager at UNH, says even though the network provides a VPN for user authentication and data encryption, it does provide some basic services without the VPN.
"Because we do not have ubiquitous WiFi deployment, users do connect rogue access points, and therefore lower the security standard we have established," Green says. "These users are then exposed to all manner of security problems, including eavesdropping--passwords can be grabbed--man-in-the-middle, hacking, etc."
It's not uncommon for Green and the networking team to discover unauthorized APs. Rather than coming down hard on the offenders, the team emphasizes education and a willingness to meet users' needs.
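Detection logic of the kind a networking team would run to spot the unauthorized APs described above, as an added example that is not part of the article: a wireless survey is compared against an inventory of managed APs, and any radio that is unknown, or that advertises a campus SSID without being a campus AP, is flagged. The inventory, SSIDs, BSSIDs and scan lines are all constructed for the example.

```python
from dataclasses import dataclass

# Constructed inventory of campus-managed APs, keyed by lower-case BSSID.
AUTHORIZED_APS = {
    "00:1a:2b:3c:4d:01": {"ssid": "UNH-Secure", "security": "WPA2-Enterprise"},
    "00:1a:2b:3c:4d:02": {"ssid": "UNH-Secure", "security": "WPA2-Enterprise"},
    "00:1a:2b:3c:4d:03": {"ssid": "UNH-Guest", "security": "Open"},
}

# Constructed survey output, one "bssid,ssid,security" record per line.
SAMPLE_SCAN = """
# bssid,ssid,security
00:1A:2B:3C:4D:01,UNH-Secure,WPA2-Enterprise
00:1a:2b:3c:4d:03,UNH-Guest,Open
aa:bb:cc:dd:ee:01,linksys,Open
aa:bb:cc:dd:ee:02,UNH-Secure,WEP
00:1a:2b:3c:4d:02,UNH-Secure,WPA2-PSK
"""

@dataclass(frozen=True)
class Observation:
    bssid: str
    ssid: str
    security: str

def parse_scan(text):
    """Parse survey lines; blank lines and '#' comments are skipped, BSSIDs normalised."""
    observations = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        bssid, ssid, security = (field.strip() for field in line.split(",", 2))
        observations.append(Observation(bssid.lower(), ssid, security))
    return observations

def classify(obs, inventory=AUTHORIZED_APS):
    """Return 'authorized', 'misconfigured', 'unauthorized-official-ssid' or 'rogue'."""
    official_ssids = {entry["ssid"] for entry in inventory.values()}
    entry = inventory.get(obs.bssid)
    if entry is not None:
        if entry["ssid"] == obs.ssid and entry["security"] == obs.security:
            return "authorized"
        return "misconfigured"  # managed AP has drifted from its inventory record
    if obs.ssid in official_ssids:
        return "unauthorized-official-ssid"  # unknown radio advertising a campus SSID
    return "rogue"  # unknown radio, unknown SSID: the classic user-installed AP

def audit(scan_text, inventory=AUTHORIZED_APS):
    """Group the BSSIDs in a survey by verdict so the team can follow up on each class."""
    report = {}
    for obs in parse_scan(scan_text):
        report.setdefault(classify(obs, inventory), []).append(obs.bssid)
    return report

if __name__ == "__main__":
    for verdict, bssids in audit(SAMPLE_SCAN).items():
        print(f"{verdict}: {', '.join(bssids)}")
```

The "unauthorized-official-ssid" class is the one that most directly lowers an established security standard, since clients may join it believing it is the campus network.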
"We work with clients to understand their needs and develop a reasonable, legitimate service solution," Green says. "Often, users think they are saving money by using rogue equipment. Over time, many have come to understand that the service
That pragmatic approach, combining firm policy with practical methods for helping WiFi users meet their goals, is one that's achieving results for practitioners. Lisa Phifer, vice president with network security consultancy Core Competence, says the key goal of any network security strategy is typically to safeguard the wired network and its data, and WiFi introduces a number of different ways in which the network can be penetrated.
Phifer says establishing and maintaining a WiFi security policy is essential, but so is meeting the needs of employees so they aren't compelled to search for their own connectivity solutions outside that policy.
"Users will be less likely to rig their own unsafe wireless solutions," Phifer says, "and you can take steps to provide and enforce the use of secure wireless connections for all business activity."
David Fournier, senior information security analyst for a large New England grocery chain, is charged with securing a wireless network utilized by several thousand devices. When those clients range from wireless PCs to handheld scanning devices and transmit everything from mission-critical inventory data to day-to-day Web traffic, keeping business needs aligned with the wireless security policy isn't easy.
"It's a constant battle between availability and security," Fournier says. "It's about providing the availability and convenience of a wireless network, but in a secure manner."
Fournier says that in addition to an authentication system based on Cisco Systems' proprietary LEAP protocol, his company has a policy that relies on virtual LANs and SSIDs to segment guest wireless users.
This was first published in April 2007