The first step to securing wireless local area networks (WLANs) is creating an effective policy for wireless devices and then testing the policy for infractions.
Now, this isn't anything new. Effective policy construction is the first step in securing any new technology, and wireless local area networks are no exception.
To many security professionals, wireless is one word they don't want to hear. Securing wireless access points can be difficult, and some pros find it easier to deny them until technology has improved.
Wireless, however, is a reality. Everyone from CEOs to lower-level professionals loves the ease and flexibility of the technology. For just that reason, proper policy planning is important.
Ignoring the technology could be unwise as it can save companies money. Additionally, a lot of laptops are coming with wireless cards so employees will be tempted to try them.
By saying "no" to wireless technology, IT departments may force people to be sneaky, said Dave Juitt, CTO and the chief security architect of Burlington, Mass.-based Bluesocket, which specializes in securing wireless local area networks.
"An employee may have one at home and decide to swing by Wal-Mart to buy one for work," Juitt said.
In developing a wireless policy, companies need to regard their WLAN the same way they do their wired network.
"Companies need to think of wireless networks as hostile networks, much like they think of the Internet," said Dave Pollino of consultancy AtStake.
As with wired networks, enterprises need to employ similar strategies with WLANs, namely, using virtual private networks (VPNs) or other methods to encrypt the data being transmitted and to have controls in place for authentication.
Many of these issues aren't alien to companies that have remote workers or branch offices.
"There's no need to reinvent the wheel. Often similar security policies are already in place," Pollino said.
Wireless networks, however, do require a slight change of thinking. Traditional wired networks can be physically secured. For example, locked doors would keep many from accessing the network.
Wireless networks, however, don't respect the boundaries of an office. Often, someone can walk up to a building and access an unsecured wireless network. An analogous situation would be slapping an Ethernet plug on the side of your building, said Amer Deeba, vice president of marketing for Qualys, a company offering a scanning tool for finding network vulnerabilities, including wireless ones.
What are you protecting against?
A host of bad things can happen if a wireless network isn't secured. Some are similar to what can happen in traditional networks that aren't secure. Others are unique to the wireless world.
"The biggest threat is someone can sniff your data. With wireless networks, one couldn't tell if such data is being intercepted," Pollino said. "People don't realize the personal information that is transmitted."
Other threats include the possibility of people stealing bandwidth on the network. With this type of threat, the least damaging result is someone eating up bandwidth while surfing the Web. At worst, a virus writer could introduce malicious code to the network. From the outside, it would appear the virus came from inside the company.
One of the problems is that wireless devices come with a lot of default settings that allow people to access them. These settings make them easier to use but hurt security significantly.
Currently, wireless systems authenticate based on the connecting system, not the actual user, Deeba said.
"The standards need to progress so such devices will have the ability to do user-based authentication," he said.
Testing, testing, testing
The key to any security policy is making sure it's enforced. In the case of wireless security, testing is imperative.
Searching for "rogue" or unapproved wireless access points is a major component of safe wireless networking. Unknown points are often insecure. The next step is checking access points to see if they're properly configured.
The most obvious way to check for rogue or insecure access points is by walking around the perimeter with a wireless sniffer device. For larger companies, such an approach may be difficult. Network-based scanners (such as the one produced by Qualys) can centrally search networks for such devices.
Pollino recommends doing a walk-through with a sniffer device on a quarterly basis. The first search may take a while, but such searches become easier over time.
"You can even have an intern walk or drive around with a laptop and GPS device; then you can go through the data," he added.
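One way to "go through the data" from such a walk-around is sketched below as an added example, not code from the article or from any vendor it mentions. The CSV layout, the approved inventory, the default-SSID list and every sample value are constructed assumptions; the script flags access points missing from the inventory and ones that are unencrypted or still on a default SSID, and reports the GPS fix where each was heard loudest.

```python
import csv
import io

# Assumption: approved inventory kept by IT, BSSID -> SSID it should advertise.
APPROVED = {
    "00:11:22:33:44:55": "corp-wlan",
    "00:11:22:33:44:66": "corp-wlan",
}
# Assumption: illustrative list of out-of-the-box SSIDs to treat as "default".
DEFAULT_SSIDS = {"linksys", "default"}

# Constructed survey log: one row per sighting from the laptop + GPS walk.
SURVEY_CSV = """bssid,ssid,encryption,lat,lon,signal_dbm
00:11:22:33:44:55,corp-wlan,enabled,42.5047,-71.1956,-48
00:11:22:33:44:66,corp-wlan,none,42.5049,-71.1951,-60
02:AA:BB:CC:DD:01,linksys,none,42.5050,-71.1949,-75
02:AA:BB:CC:DD:01,linksys,none,42.5052,-71.1944,-41
"""

def audit_survey(csv_text, approved=APPROVED):
    """Return {bssid: finding} for every access point that breaks policy."""
    best = {}  # BSSID -> strongest sighting, used as the location estimate
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["bssid"] = row["bssid"].strip().lower()
        row["signal_dbm"] = int(row["signal_dbm"])
        seen = best.get(row["bssid"])
        if seen is None or row["signal_dbm"] > seen["signal_dbm"]:
            best[row["bssid"]] = row
    findings = {}
    for bssid, s in sorted(best.items()):
        issues = []
        if bssid not in approved:
            issues.append("rogue: not in approved inventory")
        elif s["ssid"] != approved[bssid]:
            issues.append("approved AP advertising unexpected SSID")
        if s["encryption"].lower() == "none":
            issues.append("no encryption")
        if s["ssid"].lower() in DEFAULT_SSIDS:
            issues.append("default SSID")
        if issues:
            findings[bssid] = {"ssid": s["ssid"], "issues": issues,
                               "near": (float(s["lat"]), float(s["lon"]))}
    return findings

if __name__ == "__main__":
    for bssid, f in audit_survey(SURVEY_CSV).items():
        print(bssid, f["ssid"], f["near"], "; ".join(f["issues"]))
```

Keeping the findings from each quarterly run makes the next one a comparison against a known baseline rather than a fresh search.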