It may sound strange, but it is true that several organisations that have adopted wireless networking are open to severe security breaches. Mostly the reason is that organisations simply plug in the access points and go live without bothering to change the default factory settings. Wireless local area networks are open to risk not because the systems are incapable but due to incorrect usage. The biggest problem lies with inadequate security standards and with poorly configured devices. For a start, most of the wireless base stations sold by suppliers come with the in-built security Wired Equivalent Privacy (WEP) protocol turned off. This means that unless you manually reconfigure your wireless access points, your networks will be broadcasting data that is unencrypted.

In the old world of wired local area networks, the architecture provides some inherent security. Typically there is a network server and multiple devices with an Ethernet protocol adapter that connect to each other physically via a LAN backbone. If you are not physically connected, you have no access to the LAN.

Compare it with the new wireless LAN architecture. The LAN backbone of the wired world is replaced with radio access points. The Ethernet adapters in devices are replaced with a radio card. There are no physical connections - anyone with a radio capable of sniffing can connect to the network.

What can go wrong?

Unlike the wired network, the intruder does not need physical access in order to pose the following security threats:

Eavesdropping. This involves attacks against the confidentiality of the data that is being transmitted across the network. In the wireless network, eavesdropping is the most significant threat because the attacker can intercept the transmission over the air from a distance away from the premises of the company.

Tampering. The attacker can modify the content of the intercepted packets from the wireless network, and this results in a loss of data integrity.

Unauthorized access. The attacker could gain access to privileged data and resources in the network by assuming the identity of a valid user. This kind of attack is known as spoofing. To overcome this attack, proper authentication and access control mechanisms need to be put in place in the wireless network.

Denial of Service. In this attack, the intruder floods the network with either valid or invalid messages, affecting the availability of the network resources.

How to protect?

There are 3 types of security options - basic, active and hardened. Depending upon your organisation's needs, you can adopt any of the above.

Basic

You can achieve basic security by implementing Wired Equivalent Standard 128 or WEP 128. The IEEE 802.11 task group has established this standard. WEP specifies generation of encryption keys. The information source and information target use these keys to prevent any eavesdroppers (who do not have these keys) from getting access to the data.

Network access control is implemented by using a Service Set Identifier (SSID - a 32 character unique identifier) associated with an access point or a group of access points. The SSID acts as a password for network access.

An additional type of security is the Access Control List (ACL). Each wireless device has a unique identifier called the Media Access Control (MAC) address. A MAC list can be maintained at an access point or at a server for all access points. Only those devices whose MAC address is specified in the list are allowed access to the network.

The above implementations are open to attack. Even when you do turn on WEP, there are still problems inherent within it. The problem lies in the protocol's encryption key mechanism, which is implemented in such a way that the key can be recovered by analysing the data flow across the network over a period of time. This has been estimated at between 15 minutes and several days. The SSID, attached to the header of packets sent over a wireless LAN, is sent as unencrypted text and is vulnerable to being sniffed by third parties. Unfortunately most supplier equipment is configured to broadcast the SSID automatically, essentially giving new devices a ticket to join the network. While this is useful for public wireless networks in places such as airports and retail establishments - in the US for example, Starbucks is offering 802.11b access in some of its stores - it represents another security loophole for corporates that do not switch it off. Finally, any MAC address can be changed to another (spoofed), so the use of an ACL is not foolproof either.

Active

To implement an Active type of security, you need to implement the IEEE 802.1x security standard. This covers two areas - network access restriction through mutual authentication and data integration through WEP key rotation. Mutual authentication between the client station and the access points helps ensure that clients are communicating with known networks, and dynamic key rotation reduces exposure to key attacks.

Due to weaknesses in WEP, some standard alternatives to WEP have emerged. Most of the Wi-Fi manufacturers have agreed to use a temporary standard for enhanced security called Wi-Fi Protected Access (WPA).

In WPA, the encryption key is changed after every frame using Temporary Key Integrity Protocol (TKIP). This protocol allows key changes to occur on a frame-by-frame basis and to be automatically synchronized between the access point and the wireless client. TKIP is really the heart and soul of WPA security. TKIP replaces WEP encryption, and although WEP is optional in standard Wi-Fi, TKIP is required in WPA. The TKIP encryption algorithm is stronger than the one used by WEP but works by using the same hardware-based calculation mechanisms WEP uses.

Hardened

There are organisations, like banks, which have very stringent security requirements. They need to implement the hardened type of security systems. These are solutions certified in accordance with the Federal Information Protection Standard (FIPS 1.40). Products in this category offer point-to-point security for wireless information communication and include offerings such as AirFortress and IPSec Virtual Private Networks (VPNs). A VPN will increase the cost of your network, but you can base your decision on whether to implement it by using the same course of action that you should be taking with all other parts of your infrastructure. Map the risks against the business data that you will be passing over radio, and assess the financial impact of a breach. If the data is too critical, reassess what should be passed over the network, or use a VPN to enhance your protection.

Summary

The vendors are working towards implementing newer standards, and this year we should see products implementing IEEE 802.11i that will further the authentication and encryption gains implemented by WPA. Most notably, it will add a ground-up encryption standard known as Advanced Encryption Standard (AES) as well as various other enhancements.

Newer standards apart, organisations must understand that achieving wireless security is essential, and the good part is that it is easy. An organisation must define its security needs and use the features available in the systems accordingly. Choose a good vendor who can help you implement your requirements through standards-based solutions. A good implementation must be supported by a security policy which is well understood by everyone in the organisation. Make your employees aware that they all are responsible for security and share the cost of security breaches. Assign authority and ownership to a few employees for the various parts of the security policy and make periodic reviews of their performance. Most important is to monitor your systems for any possible breaches and adapt if necessary. Never sleep well.
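
The basic, active and hardened options described under "How to protect?" can be checked mechanically against an access point inventory. The following Python code is an added example, not part of the original article; the field names, the tier ordering and the sample inventory are constructed for illustration.

```python
# Added example: field names, tier ordering and sample inventory are constructed.
from dataclasses import dataclass

TIERS = ["unprotected", "basic", "active", "hardened"]

@dataclass
class AccessPoint:
    name: str
    encryption: str          # "none", "wep" or "wpa-tkip"
    ssid_broadcast: bool
    mac_acl: bool
    dot1x_mutual_auth: bool  # IEEE 802.1x mutual authentication
    key_rotation: bool       # dynamic WEP key rotation
    vpn_overlay: bool        # e.g. IPSec VPN on top of the radio link

def classify(ap):
    """Map one access point to the article's basic/active/hardened tiers."""
    if ap.vpn_overlay:
        return "hardened"
    rotating_wep = ap.encryption == "wep" and ap.dot1x_mutual_auth and ap.key_rotation
    if ap.encryption == "wpa-tkip" or rotating_wep:
        return "active"
    return "basic" if ap.encryption == "wep" else "unprotected"

def findings(ap):
    """List the weaknesses the article names that apply to this configuration."""
    tier, out = classify(ap), []
    if tier == "unprotected":
        out.append("encryption off: data is broadcast unencrypted")
    if ap.encryption == "wep" and not ap.key_rotation:
        out.append("static WEP key: recoverable by analysing traffic over time")
    if ap.ssid_broadcast:
        out.append("SSID broadcast on: switch it off on a corporate network")
    if ap.mac_acl and not ap.dot1x_mutual_auth and tier in ("unprotected", "basic"):
        out.append("MAC ACL is the only access control: MAC addresses can be spoofed")
    return out

def audit(inventory, required):
    """Report tier, policy compliance and findings for every access point."""
    return {ap.name: {"tier": classify(ap),
                      "meets_policy": TIERS.index(classify(ap)) >= TIERS.index(required),
                      "findings": findings(ap)} for ap in inventory}

INVENTORY = [  # constructed sample data
    AccessPoint("lobby-ap", "none", True, False, False, False, False),
    AccessPoint("floor2-ap", "wep", True, True, False, False, False),
    AccessPoint("floor3-ap", "wep", False, True, True, True, False),
    AccessPoint("treasury-ap", "wpa-tkip", False, False, True, False, True),
]
```

Calling `audit(INVENTORY, "active")` returns one entry per access point; an access point left on factory defaults, such as the constructed `lobby-ap`, comes back as `unprotected` with its findings listed.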