Alas, there is a downside; risks are inherent in any wireless technology. Some risks are the same as or similar to those of conventional wired networks, while others are exacerbated by the nature of wireless connectivity. The most notable difference between wired and wireless networks is the communications medium and the risks associated with that medium. Communications transmitted through the airwaves are open to interception. Attackers have the ability to locate and communicate with wireless networks with much less effort than invading wired ones.
Loss of confidentiality, integrity, and availability is a risk associated with wired networks, and it is more easily realized in wireless networks. Malicious users may gain access to company systems and information and compromise critical asset confidentiality, integrity, and availability. Following are some examples of risks associated with wireless networks:
- All vulnerabilities existing in wired networks also apply to wireless technologies.
- It is possible that unauthorized intruders may gain access to an organization's wireless network, bypassing firewall safeguards.
- Sensitive information not encrypted before transmission is subject to being intercepted and disclosed by third parties.
- Malicious entities may steal the identities of legitimate users and use them.
- Malware, including viruses, Trojan horses, and backdoor programs, permits damage and continuing unauthorized network access, reducing availability and potentially disrupting business operations.
Organizations should not deploy wireless technologies unless they thoroughly understand and manage the accompanying risks. In light of current wireless communications protocols, most commercial products provide inadequate protection and present significant unacceptable risks to business operations. Senior managers must proactively address these risks, protecting their critical assets before wireless network deployment. Often due to apathy or a lack of understanding or education, many organizations poorly administer their wireless networks, relying on "default" installation settings, failing to control access to their access points, failing to implement factory-provided security configurations, and not developing a security policy suitable to the wireless environment. Appropriate wireless safeguards include firewalls between wired and wireless systems, packet screens that block unneeded services and ports, and strong encryption, such as a Virtual Private Network (VPN) or file encryption technologies, applied before data is transmitted.
Organizations must understand the technical and security ramifications of wireless technologies. While wireless connectivity seems like the best solution to connection-without-cables, it is an immature technology coupled with relatively poor security, potential for lax administration, and limited user awareness. In wireless environments, data is transmitted through the air without any control over the geographical limits of these broadcasts. Organizations are unable to exercise the typical physical and logical controls that are employed in wired networks. In short, data transmitted over a wireless network can be captured and transactions begun by unauthorized third parties. Because of radio wave attenuation, building construction, and the capabilities of high-gain antennas, the distance over which wireless transmissions can be received, and therefore eavesdropped on, can be extremely difficult to control.
Following are some suggested best practices to help address wireless network risk issues:
- Organizations must formulate and enforce compliance with applicable policies addressing the use of IEEE wireless standards of 802.11 (a, b, g, and others), Bluetooth, and other wireless technologies. These policies must be implemented before the deployment of wireless connectivity.
- Configuration management and strict change controls must be adopted to ensure that equipment has the latest software patches, including security features addressing vulnerabilities.
- Organizations will adopt configuration standards for all wireless network hardware and software, ensuring consistency of operation. These configurations will reflect steps to proactively address risks. It is noteworthy that many wireless technologies have weak user authentication. Wireless systems using Wired Equivalent Privacy (WEP) have been demonstrated as being subject to unauthorized transmission capture and intrusion, leaving this encryption method of somewhat questionable value.
However, regardless of whether WEP's protection is considered strong, medium, or weak, it is certainly better than open transmissions without encryption. If a wireless system uses 64-bit encryption, by all means use it; and if your wireless system supports 128-bit encryption, better still. In most systems, WEP is disabled at the default installation, so you must manually enable it before thinking your system is protected.
If your system allows the option of setting authentication to Shared Key, it is a wise idea to enable this feature. Change WEP keys on a regular basis, even as often as daily or weekly to help avoid data capture and network intrusions.
Service Set Identifier (SSID)
SSID is essentially the wireless network's identification. SSID helps to secure the network by ensuring the proper clients can access the system's access point. In the wireless platform, the access point is essentially a small transceiver operating on the designated frequency. For example, in an 802.11b system, the AP operates on the 2.4-GHz band with a few hundred feet of range, and in certain circumstances this can be extended to more than 500 feet. The AP is the location where the Internet and the internal network are connected, with the access point then broadcasting to any receiver capable of processing its traffic. This broadcast is received by wireless transceivers known as clients. Because the transmissions travel in all directions, they may possibly be received by intended and unintended recipients.
If WEP is disabled and the SSID is broadcast, it may be captured by anyone. Attackers may begin by compromising the network's access password. In order for clients to gain system access, they must have the SSID and the system password. If passwords are transmitted in the clear, they might be intercepted by any suitable client.
Wireless systems manufacturers usually install default SSIDs. Intruders are well aware of these default SSIDs; consequently, changing the default SSID makes your network more difficult to access by someone who is not authorized.
Disabling any options for broadcasting the SSIDs is a good idea. This ensures the client SSID matches the access point SSID before any access is permitted. There is a secondary benefit of concealing the SSIDs: it hides the existence of your wireless network from the world.
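An added example (not part of the original article): a short Python audit that checks access point settings against the WEP and SSID recommendations above. The `APConfig` record, the default-SSID list, and the sample inventory are constructed assumptions, not taken from any vendor export.

```python
from dataclasses import dataclass
from datetime import date

# Illustrative sample of factory-default SSIDs (assumption; extend from your own inventory).
DEFAULT_SSIDS = {"linksys", "default", "netgear", "tsunami", "wireless"}
MAX_KEY_AGE_DAYS = 7  # the text suggests changing WEP keys daily to weekly

@dataclass
class APConfig:  # hypothetical record exported from an access point inventory
    name: str
    ssid: str
    ssid_broadcast: bool
    wep_enabled: bool
    wep_key_bits: int   # 64 or 128; ignored when WEP is off
    auth_mode: str      # "open" or "shared"
    key_changed: date   # date the WEP key was last rotated

def audit(ap: APConfig, today: date) -> list[str]:
    """Return the findings for one access point (empty list = compliant)."""
    findings = []
    if ap.ssid.strip().lower() in DEFAULT_SSIDS:
        findings.append("default SSID still in use")
    if ap.ssid_broadcast:
        findings.append("SSID broadcast enabled")
    if not ap.wep_enabled:
        findings.append("WEP disabled (traffic sent unencrypted)")
        return findings  # key length, auth mode and key age are moot without WEP
    if ap.wep_key_bits < 128:
        findings.append(f"{ap.wep_key_bits}-bit WEP key; 128-bit preferred if supported")
    if ap.auth_mode != "shared":
        findings.append("authentication not set to Shared Key")
    age = (today - ap.key_changed).days
    if age > MAX_KEY_AGE_DAYS:
        findings.append(f"WEP key unchanged for {age} days")
    return findings

# Constructed sample inventory and audit date.
TODAY = date(2024, 1, 15)
INVENTORY = [
    APConfig("lobby", "linksys", True, False, 0, "open", date(2023, 6, 1)),
    APConfig("floor2", "corp-f2", False, True, 64, "open", date(2024, 1, 1)),
    APConfig("lab", "corp-lab", False, True, 128, "shared", date(2024, 1, 12)),
]

def audit_all(inventory, today):
    return {ap.name: audit(ap, today) for ap in inventory}

if __name__ == "__main__":
    for name, findings in audit_all(INVENTORY, TODAY).items():
        print(name, "OK" if not findings else "; ".join(findings))
```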
Virtual Private Network (VPN)
Use of VPN technology between networks and clients assures strong user authentication and message privacy. VPNs are basically closed networks implemented through open-ended networks, including wireless. They allow for secure, authenticated transmissions to take place between designated points. If unauthorized persons intercept VPN-protected traffic, it is encrypted so there is little that can be done with it. Without the correct VPN technology, keys and passwords can be read. Such technology is very cost effective and secure, allowing confidentiality and message integrity over wireless networks.
Secure Sockets Layer (SSL)
Another technology worth considering in a wireless environment is the deployment of SSL technology. Simply stated, SSL provides a secure connection between a workstation's Web browser and a specific Web server. Data transmitted between the server and client is encrypted using technology called public key encryption, ensuring only the intended recipient can decrypt and read the information. In order to secure SSL, each Web site has its own unique digital certificate that defines the public and private encryption keys used during secure communications. If you leave the secure site and browse to another, the original SSL connection is closed. If you return to the SSL secured site or another SSL secured site, a new secure connection is made using a different set of encryption keys. By de facto standard, SSL is the most popular Web-based message security protocol with practically all online purchases and monetary transactions using it.
SSL effectively permits secure transmissions to take place between intended points and stifles intruder attempts to read them. SSL coupled with WEP provides an effective means to pass information over a wireless network with little fear of some unauthorized person reading your traffic.
Wireless Policies
Following are some examples of wireless network policy considerations:
- Organizations will actively sponsor administrator and user security awareness training to raise consciousness about the risks associated with wireless technologies.
- Organizations must have policies specifically addressing employees who are permitted to install wireless equipment and software.
- Organizations must have policies that describe the type of information that can be transmitted over a wireless network.
- Organizations must have policies requiring the reporting of the loss of wireless devices, fixed and mobile.
- Organizations must have policies requiring the reporting of security incidents.
- Organizations must have policies requiring network user IP addresses to be assigned dynamically via DHCP (Dynamic Host Configuration Protocol).
- Organizations must have policies regarding use of wireless VPN technology.
- Organizations must have policies regarding the use of SSL technology on Web sites.
- Organizations must have configuration policies regarding wireless equipment.
- Organizations must have policies regarding the implementation of WEP.
- Organizations must have policies requiring firewalls to be installed, configured properly, and maintained on all wireless network equipment.
- Organizations must have policies prohibiting the use of equipment or software that would extend the useable range of wireless network equipment.
- Organizations must have policies requiring all wireless equipment to be audited for legal, regulatory, and policy compliance.