What is your plan for dealing with threats to your wireless network? You’re just about to get to it, right? Better hurry.
Experts on best practices for wireless and mobile security are urging corporate managers to develop and implement plans for strong authentication, encryption and firewalls to protect wireless access points and, above all, formulate a plan to deal with threats. In other words—secure your wireless systems the same way you would any other network.
While this advice might seem like common sense, Bill Niester, director of security and networking consulting for VeriSign, says many companies leave themselves vulnerable because they don’t take the elementary step of formulating a security policy with respect to wireless communications.
“If you haven’t set forth what people can do with wireless, in terms of rogue access points, or what sort of data they are allowed to transmit over wireless,” notes Niester, “your employees and your partners are not going to know what is appropriate.”
Niester was joined on a recent Webinar by Michael Raggo, VeriSign’s senior security consultant. A few weeks later, XcelleNet hosted John Girard, a Gartner research VP, on a similar Webcast. All three speakers stressed the need for vigilance and planning. Warning that access points are a company’s most vulnerable portals, Girard cautions there are “barbarians” at your gates, “and personal IT devices are the gates.”
Girard adds: “Don’t assume your devices, or their operating systems, are trustworthy. Verify devices upon access and use.” He adds that the security mandate for 2004 must be device-centric. “Know what the inherent weaknesses of your devices are and how device configuration can be monitored or controlled to reduce your company’s exposure.”
Niester says that 802.11 designs have several known problems, including poor default configurations, poor network design and vulnerability to rogue access points. He termed the latter a “huge problem,” because they are difficult and time-consuming to identify and eradicate.
For general 802.11 security, Niester recommends disabling SSID broadcasting and enabling encryption and strong authentication. “Make sure devices are strongly authenticated to the network, and users are strongly authenticated to the application, before allowing these devices on your network.”
VeriSign’s Raggo discussed protection strategies for Bluetooth and GSM wide-area networks. He says Bluetooth vulnerabilities begin because only device authentication is available—no user authentication exists. This is an exploitable gap, because device PINs are only four digits and can easily be guessed.
“Change default PIN codes and communicate the information,” Raggo says. He also recommends avoiding unit keys and tracking access by logging Bluetooth hardware addresses.
Vulnerabilities also exist on GPRS equipment that allows Internet access via GSM. “Password protect and/or memory lock your handheld devices. Use SIM modules whenever possible,” recommends Raggo, as well as a firewall that has been created specifically to protect GPRS networks. He advised locating your WAP gateway within a secure border, and employing strong authentication, encryption, auditing and active intrusion detection and prevention.