Limiting Risks in Corporate Wireless Networks
With wireless hubs an entry point for enterprise security risks, it's imperative to adopt policies and security measures that limit the chances your network will be compromised.
Many experts think that wireless policies should start with a logical separation between the wired enterprise network and 802.11 links.
"Employees using the wireless network should then be required to use a VPN to gain access to the production network. That way, users will be authenticated, so you'll know who is connecting. Also, in-the-air connection to the internal network, packets will be encrypted without relying on WEP (Wireless Encryption Protocol)," says Jason Conyard, director for wireless product management at Symantec.
"You need to protect all points of egress, or entry, on to the network," suggests Gregor Freund, CEO and co-founder of Zone Labs.
|WLANs Embraced, But Security Concerns Dominate: Survey of IT executives shows fear, uncertainty when it comes to wireless network security. Wireless LANs: Assessing Costs and More: Reports on figuring TCO, simplifying deployments and WLAN trends. Return on Investment for Office WLANs: Learn whether wireless LANs can provide decent ROI when used for common desktop PCs. Case Study: Home-Grown Corporate WLAN Breeds Success: How one business built its own 2.4 GHz wireless network from scratch.|
"Companies are already protecting entry points such as e-mail and floppy disks. Now, wireless hubs are also becoming an entry point," agrees Bob Hansmann, enterprise product manager for Trend Micro.
Moreover, unless network managers take the right steps, laptops connected to wireless LANs are much more vulnerable than PCs attached to wired nets.
If companies decide they don't want to risk wireless VPN access to the production network, they can set up wireless proxy servers just for e-mail and Web services, according to Hansmann.
Companies should also keep protocols on wireless LANs down to a bare minimum, Conyard says. "You don't want to be introducing any features that you're not going to be using. IPsec and DNS ought to be enough."
In setting up wireless access points, network administrators should enter the addresses of approved NIC cards. "The access point has a central database. This will tell the access point which devices are allowed to connect," he adds.
Viruses can raise problems on wireless LANs, too. According to Hansmann, wireless hubs should be protected behind a "virus wall," along with a firewall.
"A LAN connection is a LAN connection, whether it's wired or not. The operating system is what's important. There are more than 50,000 viruses out there (that runs on Windows OS), and laptops are just as prone to them as desktop PCs," Conyard says.
Some think that, at a certain point, companies will need to extend policies to Palm and Windows CE devices, as well as to other types of wireless nets, such as Bluetooth.
"There's been a lot of hype about PDA viruses," Conyard admits. "Wireless connectivity does exist for PDAs, but it's always done as an add-on, and it's still pretty much a gimmick today. Most use of 802.11 LANs today is still on laptops. I believe though, that real threats will start to emerge in the future, after (Palm and Windows CE) OS become more commonplace. It's just a matter of time."
Late in the year 2000, virus writers released two trojan horses for the Palm OS - Liberty and Vapor - plus a virus, Phage. The Palm viruses didn't do much damage, and viral outbreaks have yet to occur on the Windows CE side. Microsoft, though, is reportedly considering including macro functionality in the next edition of the OS.
Meanwhile, though, at least six anti-virus software makers have released products for various PDA platforms, including Symantec, McAfee, Trend Micro, F-Secure, and Computer Associates. Also, Symantec's desktop anti-virus package scans for nine different Palm viruses when a Palm device is syncing up with a PC. Some other desktop anti-virus products have introduced similar features.
"As true virus threats emerge, Symantec will also look to develop software for other PDA platforms. I think it's also reasonable to assume that, as organizations begin to manage devices, we'll start to provide management from a single platform, the same way we already do for desktop PCs," says Symanetec's Conyard.
Right now, though, purchase of wireless equipment is still being done on an ad hoc basis in many companies. Software purchases are even more random.
"Lots of companies have just a hodgepodge of products. They're actually paying a lot for them already, though. Employees are buying Palms, and then expensing them, for example. Few companies, however, have given much thought to the business reasons behind these expenses. They've given even less thought to what applications will be run," according to Conyard.
Beyond establishing wireless policies, detection and user education are also key. In many cases, companies may not even know that wireless networks are up and running on their premises.
"If you're operating a 'rogue' wireless LAN, it's quite feasible for someone to either stand outside your door with a laptop PC, or use rented office space in your building, to tap right into your corporate network. If confidential information does leak out, the company might not ever find out what happened," Conyard contends.
Network managers can use sniffer technology to determine the existence of unauthorized wireless LANs. "You also need to educate employees that they're not going to get the same level of security with an (unprotected) wireless network," he adds.
Meanwhile, it can also be a good idea to standardize on a single vendor for wireless LAN purchases, for financial clout as well as greater compatibility. "First, this will give you more purchasing power. Second, there are subtle differences in wireless LAN equipment. Although nearly everything wireless today is 802.11-compliant, vendors are interpreting 802.11 in slightly different ways," Conyard notes.
Editor's note: This story first appeared on Crossnodes, an internet.com site.