Lock up your LAN: wirelessly and securely

Best practices need to be followed

Oliver Tsai sees it every quarter. Fresh-faced medical students, new to Sunnybrook and Women’s College Health Sciences Centre, and armed with the latest wi-fi-enabled laptops, who see no reason why they shouldn’t be able to hop right onto Sunnybrook’s wireless network.

The same scenario plays out with doctors and office managers, and anyone else whose new gadget automatically sniffs the airwaves and picks up signals from Tsai’s wireless LAN. “They can see what’s available but, because of the security, they can’t access the network until the device is properly configured,” says Tsai, the director of IT at the academic health sciences centre in Toronto. It’s a look-but-don’t-touch situation that can frustrate users — but, Tsai says, it’s a necessary, if temporary, frustration.

Yet IT executives are still distrustful of wireless LANs because of perceived security nightmares, such as wireless denial-of-service attacks and network breaches.

“They are scared,” says Nick Selby, an enterprise security analyst at The 451 Group.

A Forrester Research report echoes Selby’s take: security is the number-one obstacle when acquiring wireless technologies, regardless of industry.

But some of those fears may be based on old news. “Most of the security problems that have scared away early adopters have been solved,” says Selby. New authentication and encryption schemes (such as 802.1x for user access and 802.11i, which uses the Advanced Encryption Standard, or AES) are more robust. And vendors now offer intrusion-detection products and architectural schemes that make enterprise wireless networks just as safe as wired ones.

“Most of the things you’ll need to do [for security] will come from the vendor. It’s just a question of turning it on,” adds Selby. Last year, Gartner went so far as to say that wi-fi was one of the most overhyped IT security threats.

Start planning

First questions first: why do you need a WLAN? Who’s going to use it and for what purpose? And what are the necessary internal and external safeguards? By answering those questions early, CIOs can also determine just how much security their WLAN will need.

Once CIOs have an idea of what they want, the next challenge is to quantify the capital outlay and the expected benefits — but don’t expect to produce hard numbers. “We haven’t been able to quantify why these networks are worth making the investment,” says Joel Conover, a director with research firm Current Analysis. Instead, the benefits are mostly soft, such as increased productivity and efficiency because users can go anywhere (conference rooms, outdoor patios, the cafeteria) and tap into the network if there’s a wireless access point (AP) in range. And, even without hard ROI, some CIOs find adequate value. “[Our users] can stay connected to Lotus Notes and the CRM and ERP packages, and can cleanly and easily move and stay connected consistently,” says Steve McDonald, VP of IT of Optimus Solutions, a US$92 million integrator and reseller of software and hardware. McDonald has covered some 25,000 square feet of space with nine APs, using 802.11b/g networking capabilities.

But Ellen Daley, principal analyst with Forrester Research, sums up the consensus of today’s WLAN deployments. “For primary data access to every network in the enterprise, [wi-fi] is really an additive — not a replacement [for the wired network]. And it’s an additive cost.” Payback figures from WLAN vendors are a bit rosier. On a typical installation, using 802.11a, b or g, for example, Nortel claims that organisations can realise a 2% to 3% productivity improvement for users and a payback on the WLAN investment in a year’s time.

Write the book

The industrious cube dweller or visiting contractor who plugs his wireless router into an Ethernet port probably doesn’t have evil intentions. But it’s up to you to make it clear to every user how bad such behaviour is: this rogue access point now sits behind the outward-facing protection of the firewall and can’t be detected by most intrusion-detection systems, and somebody sniffing the air with a simple, inexpensive handheld device or wireless-enabled notebook could lock on to the signal and have full access to the corporate network. “You have to define the policy for your wireless LAN: when people can use it, the restrictions on use, or guest-access use for consultants and partners,” says Daley.

Next, CIOs all agree that any new wireless policy must dovetail with the existing wired policy. “You have to follow the same rules of the road for wireless that we follow in the wired environment,” says Bryon Fessler, CIO and VP of IS for the University of Portland, in Oregon. Since last year, Fessler has rolled out 50 access points in three buildings on campus, with plans for at least 25 more in the future. He takes every opportunity (face-to-face discussions, emails and other get-togethers) to ensure that the 4,500 students, faculty and university members understand the reasons behind his wireless LAN policies — why, for example, student laptops have to be quarantined, inspected for viruses and approved for use before they can connect to the WLAN.

Always authenticate

Where wireless education ends, authentication and encryption technologies step in as the enforcers of policy — they’re the teeth when all the talking stops.

Authentication is one of CIOs’ first lines of defence. Boiled down, it is the ability to ensure that the client (laptop or other device) asking to latch on to the network signal is both what it claims to be and has been given permission to use the WLAN.

Right now, the 802.1x standard for port-based authentication, which originated in the wired networking world and has been retrofitted for WLANs because of the deficiencies of the wired equivalency protocol (WEP), is one of the top tools for approving users’ credentials. The protocol behind 802.1x is called EAP (extensible authentication protocol) and it uses encrypted tunnels to exchange information (user names and passwords) between device and network. According to WLAN vendor Aruba, although an intruder can monitor the exchange over the air, data inside the encrypted tunnel cannot be intercepted. Because EAP is used on wired networks, it’s attractive to CIOs pushing a unified network strategy. Its mutual authentication ability gives users the added protection that the network they’re seeing is actually legit — and not a hacker’s fake access point (referred to as an “evil twin”). Client-based software, from vendors such as AirDefense and AirMagnet, can help as well.

Another authentication scheme that bridges the wired and wireless worlds is called NAC, or network admission control. This Cisco-led initiative is a network-based policy that ensures that devices looking to hop onto a WLAN are both trusted and free of worms, viruses and spyware. At the University of Portland, Fessler uses NAC to quarantine new devices, run diagnostics and then allow users onto both the wired and wireless LAN. His system also uses an Active Directory database to verify users in the system and grant them access to an ERP system or student database, for example.

“It applies the trust-and-verify” line of thinking, he says. This works very well in an open university environment, where students have a notion of many technological freedoms.

Encrypt well

Authentication and encryption go hand-in-hand, and both received a much-needed boost when the Wi-fi Alliance announced that WPA2 — the strongest encryption specification for 802.11 — was now mandatory on all wi-fi products. WPA2 stands for Wi-fi Protected Access 2 and is the long-awaited successor to WPA (which itself supplanted the earlier WEP standard). “WPA has some questions, but WPA2 is pretty darn good,” says The 451 Group’s Selby.

If CIOs want to dive deep into the technical schematics of WLANs and access points, they certainly can. But, thanks to the maturing vendor technologies, the encryption plan is fairly straightforward: just turn WPA2 on.

“It sounds like a very complex situation, but it’s not,” says Optimus Solutions’ McDonald.

Sniff out bad guys

A significant security mindshift during the past several years has been the change from a defensive WLAN posture to one that is more offensive. CIOs shouldn’t sit back and wait to be attacked; new technologies can detect, locate and shut down attacks before they do damage. “It’s critical that enterprise environments have the tools that allow them to police their own networks,” Tsai says.

Tsai has spread out 300 APs over three distinct campus environments in the Toronto area — two urban and one suburban campus. He uses an AP detection-scanning technology that’s built into Symbol’s WLAN products, and his experience verifies the notion that dense, urban areas are much more dangerous than suburban areas.

“There are a significant number of rogue detections in the hospitals downtown [which are] surrounded by offices and apartments,” Tsai says. At the suburban campus, “we pick up very few.”
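The triage behind that difference, as an added example (not code from the article or from any vendor's product): scan results are checked against an inventory of authorised APs so that an evil twin, a rogue AP plugged into the LAN and a harmless neighbouring network are told apart. All SSIDs, MAC addresses and the signal threshold are constructed, and the MAC-adjacency test for "plugged into our LAN" is a heuristic assumed here for illustration.

```python
# Added example: classify Wi-Fi scan results against an AP inventory.
# All SSIDs, MACs and thresholds below are constructed sample values.
AUTHORIZED = {  # BSSID -> (SSID, expected security)
    "00:11:22:aa:00:01": ("CORP-WLAN", "WPA2-EAP"),
    "00:11:22:aa:00:02": ("CORP-WLAN", "WPA2-EAP"),
}
WIRED_MACS = {"00:de:ad:00:10:3f"}  # MACs learned on LAN switch ports
STRONG_DBM = -65                    # assumed "inside the building" level

def mac_int(mac):
    return int(mac.replace(":", ""), 16)

def on_our_wire(bssid, wired=WIRED_MACS, window=2):
    # Heuristic (assumption): a small router's radio MAC usually sits
    # within a few addresses of its Ethernet MAC, so adjacency to a MAC
    # seen on a switch port suggests the AP is bridged onto the LAN.
    b = mac_int(bssid)
    return any(abs(b - mac_int(m)) <= window for m in wired)

def classify(obs):
    bssid, ssid = obs["bssid"].lower(), obs["ssid"]
    corp_ssids = {s for s, _ in AUTHORIZED.values()}
    if bssid in AUTHORIZED:
        exp_ssid, exp_sec = AUTHORIZED[bssid]
        if ssid != exp_ssid or obs["security"] != exp_sec:
            return "spoofed-or-misconfigured"  # known BSSID, wrong profile
        return "authorized"
    if ssid in corp_ssids:
        return "evil-twin-suspect"             # our SSID, unknown radio
    if on_our_wire(bssid):
        return "rogue-on-lan"                  # unknown AP behind the firewall
    if obs["rssi"] >= STRONG_DBM:
        return "unknown-nearby"                # strong signal: check on site
    return "neighbor"                          # weak signal: next-door network

SCAN = [  # constructed observations from one sensor sweep
    {"bssid": "00:11:22:AA:00:01", "ssid": "CORP-WLAN", "security": "WPA2-EAP", "rssi": -48},
    {"bssid": "00:11:22:aa:00:02", "ssid": "CORP-WLAN", "security": "OPEN", "rssi": -50},
    {"bssid": "66:55:44:33:22:11", "ssid": "CORP-WLAN", "security": "OPEN", "rssi": -40},
    {"bssid": "00:de:ad:00:10:40", "ssid": "linksys", "security": "OPEN", "rssi": -55},
    {"bssid": "00:be:ef:00:00:09", "ssid": "CafeGuest", "security": "WPA2-PSK", "rssi": -60},
    {"bssid": "00:be:ef:00:00:0a", "ssid": "Apt-4B", "security": "WPA2-PSK", "rssi": -88},
]

def triage(scan=SCAN):
    return [(o["bssid"].lower(), classify(o)) for o in scan]

if __name__ == "__main__":
    for bssid, verdict in triage():
        print(f"{bssid}  {verdict}")
```

In a dense urban sweep most entries land in the last two classes, so ordering the checks this way keeps attention on the first three.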

While wireless networking has come far in a short time, CIOs now need to realise that the security mechanisms have finally caught up with much of wireless’s blistering hype. “It used to be that ... [you had] to have to sacrifice some security policies and procedures to have that wireless connectivity,” Fessler says.
