Print Icon  Printable Page
Print Icon  Web Page

August 2002

The Real Deal on Wireless

Sure, WLANs are scary. But since you're stuck with them, you might as well try to secure them.

BY Fred Avolio

You've heard about the problems with wireless networks (WLANs). You've read about how the main security protocol--Wired Equivalent Privacy (WEP)--is flawed. You know that the best thing is never allowing WLANs on your network.

But WLANs remain tempting. For less than $200, you get to carry your computer around the building while remaining connected to the network or the Internet. Security always loses to cool, desirable technology. Given these realities, there are some practical measures to take to permit wireless usage while providing "better than nothing" security. Some of us might even achieve "good enough" security.

When deploying a WLAN, the first thing you should do is identify probable threats. Who is most likely to attack your enterprise? If you have a proper security policy, you've already accomplished this. If you're concerned about attacks from business competitors looking for trade secrets, or agents of foreign governments looking for defense secrets, consider your task completed: There is no way you should allow WLANs.

Those who don't fall in these two categories should add a "WLAN Acceptable Use Policy" to your security policy, only allowing wireless usage under certain conditions.

These may include:

  • All wireless access points (APs) must be under control of IT or the security department. As you do in other security policies, state the penalty for violations.
  • Each AP must be outside a firewall. Since we can't keep the WLAN perimeter within our physical spaces (well, not easily anyway), we must treat all WLAN connections as outside connections. This isn't that hard. Don't think in terms of moving all the APs to the network control room. Put a firewall between each AP and the trusted network. These don't have to be heavyweight-type firewalls, like the ones guarding your Internet gateway. Because they're guarding against fewer threats, AP firewalls can be smaller, cheaper and handle fewer connections. Products in this space include small- to medium-sized office firewalls in WatchGuard's SOHO line, low-end NetScreen and SonicWall firewalls, Global Technology Associates' Gnat Box, Novell's Border-Manager and SnapGear's SOHO+.
  • If you already use VPN clients for remote access, by all means require them here for locally connected WLAN connections.

    As with every network firewall, it's important to configure each WLAN-related firewall to allow only required network services. That may mean, for example, permitting access to e-mail and the Web only.

    Next, configure the AP itself. You should never trust default settings on your systems, right? So, change the defaults as follows:

  • Change each AP's administrator password.
  • Enable WEP, using 128-bit keys. WEP doesn't have standard key management, but some proprietary solutions provide this function. If you have it, use it.
  • Change the Service Set Identifier (SSID) of each AP. Use a name that doesn't identify your organization or the AP type you're using, which will make it less likely that unauthorized parties will be automatically connected to your network. If your AP allows, simply turn off SSID broadcasting.
  • Set your AP's MAC address filters to either allow or deny certain addresses. This requires users to register to use wireless in your organization.

Finally, you need to verify these security measures. Plug in a wireless card and use the utility that came with it to search for APs. Or use products such as AirMagnet on a PocketPC, Network Associates' Sniffer Wireless, NetStumbler or WildPackets' AiroPeek to locate and catalog APs on your network.

Yes, wireless networks are difficult to secure. They're also very enticing to the end user. Since you probably can't prevent them from appearing on your network, take control of them, imposing the best possible service while protecting the network. Put the APs outside the firewall; allow only "VPN'd" packets through. Secure the APs as best you can: disable broadcast probe responses, change default values, giving the APs non-descriptive names, and only talk to registered MAC addresses. And make sure that as the security options for WLAN improve, you upgrade.

Columnist FRED AVOLIO (fred@avolio.com) is president and founder of Avolio Consulting, a Maryland-based computer and network security consulting firm.

Copyright 2002 TechTarget