Better than 60 percent of all wireless networks for small businesses have no security controls whatsoever, according to a Small Business Technology Institute security survey released in July 2005. Ninety to 95 percent of business owners don’t understand the security risks that exist for untethered networks and the data they carry. At the same time, enterprises spend $8.3 billion annually on computer network security, according to IDC research. Is there something wrong with this picture?
While not all security incidents involve intrusions and data theft on wireless LANs, the soaring growth of mobile devices is raising new questions about wireless security and the integrity of corporate firewalls.
“Over half of the cyber crimes today are being committed over wireless networks, and most entrepreneurs aren’t aware of this danger,” says Mike Klein, CEO of Ann Arbor, Mich.–based Interlink Networks, a producer of Wi-Fi security solutions, including LucidLink, a low-cost business solution based on IEEE wireless security standards. “The Feds are getting very concerned about cyber crime over Wi-Fi, because it’s so hard to ascertain the cyber criminal’s identity,” he continues. “For example, a hacker equipped with the right programs can ‘sniff’ your media access control (MAC) ID [over the airwaves], then become that MAC ID, join the network and launch any number of cyber crimes. If federal agents come looking for someone, the investigation [generally points to an innocent user’s] PC or someone in your network and the trail stops there. So many networks aren’t secured that it’s easy for someone to launch any number of attacks.”
The nature of those attacks can be complex. Klein breaks down wireless network assault into three major components: passive attack, active attack and cyber crime. “A passive attack is just in ‘listening’ mode; from a mile away I can listen to your wireless network, I can see all your e-mail, I can see all the instant messages, and if you’re using a POP3 e-mail account, which sends user name and password, I can then sniff your e-mails and accounts and you’ll never see me.
“In active attack, [the culprit] joins your network, accessing anything that isn’t protected,” installing, for example, a rogue AP on the Wi-Fi network. In the case of true cyber theft, however, hackers can steal data using any combination of techniques, from launching Trojans, worms and viruses to practicing air snarfing, in which the culprit creates a faux Web site to which unwitting wireless users connect within an “open” or unsecured wireless LAN. In this scenario, users believe they are securely connecting to an authentic site because the “evil twin” appears virtually identical in look and feel to the real site.
Experts are divided about the degree of escalation of serious crimes, including air snarfing. According to Paul Stamp, an analyst on the security team with Forrester Research, “the fear of wireless breaches is greater than the actual execution at the moment. But there has been a shift from attacks on the wireless infrastructure to the actual wireless clients participating in [unsecured and open] wireless networks,” he said. “Many experts report an increasing number of attacks are coming from organized gangs.”
Moreover, the number of unsecured networks is astonishing. According to InterLink’s Klein, there are 3.3 million available wireless networks in the United States today. “We did war driving with reporters last year and found that in a five-mile area in three cities—Detroit, Ann Arbor and Philadelphia—a user can access over 1,000 networks and more than 60 percent have no security whatsoever,” Klein said. While some rudimentary enterprise and home office WLANs carry a low level of protection known as WEP (Wireless Equivalency Protocol), “the code is easy to crack [by monitoring] 15 minutes’ worth of network traffic,” he asserts. “It’s not a very strong protocol.”
Extending the Castle Moat
To prevent network intrusions, many experts say a paradigm shift must take place. No longer is the enterprise or home network a “castle and moat,” complete with impenetrable firewalls. Instead, WLANs are pliable and far-flung, defined by an ethereal perimeter whose endpoints (laptops, PDAs, smartphones) move and rove constantly. Consequently, WLAN security must be directed in several ways: 1) by controlling access to the computing resources of the network through tougher authentication and tunneling protocols for endpoint computers; 2) by implementing automated (not voluntary) security policies and procedures enterprise-wide that protect mobile clients, corporate assets and users; and 3) by securing the data on mobile devices themselves to prevent theft.
“Organizations typically aren’t securing data on the move—that means the PC that’s in the office in the morning, on the road during the day and at home at night,” said Kip Meacham, director of product management at Utah-based Senforce. “These organizations have to figure out how to extend their network perimeter beyond the castle moat. This is where the biggest problem lies,” he asserts. “With mobile devices, the perimeter has to be extended around endpoint PCs.”
Senforce, among other security companies, offers software solutions to enforce strict enterprise RF LAN security. “We use a self-defending agent technology that enforces security policies, which are centrally created and distributed in an automated fashion,” Meacham says. “So what we can do is prevent endpoints from connecting to rogue access points, to stop ad hoc connections or unauthorized peer-to-peer
For example, an end user with a notebook PC on a business trip may be at an airport trying to access the corporate network; however, the public Wi-Fi hotspot in the network is unsecured. “With our Wi-Fi adapter on and our security program installed, the agent can enforce a security policy, which means you can only connect to access points using specific security encryption,” Meacham says. Senforce employs security protocols, among them the National Institute of Standards and Technology (NIST) Advanced Encryption System (AES). The software automatically enforces the use of a virtual private network (VPN) tunneling protocol to protect enterprise users “even when you’re at a naked access point at an airport with unmanaged infrastructure,” he continued. “Even though the access point is not secure, VPNs keep the pipe secure.”
Is Wi-Fi Protected Access Enough?
Many of the other advanced security solutions for WLANs on the market today use Wi-Fi Protected Access 2 (WPA2), an encryption/access control method for Wi-Fi networks based on the IEEE 802.11i standard ratified in 2004. WPA2 is considered state-of-the-art protection, asserts Frank Hanszlik, managing director of the Wi-Fi Alliance. WPA2 comes in both enterprise (with a dynamic key) and consumer versions. However, WPA2 installation is not enough to ensure air-tight security. In some cases, IT managers fail to manage the complexities of wireless security infrastructure or to plug the leaks in wireless to wireline connections with a top-down approach. For example, a wireless network may access a wired and open connection to the Internet, leaving corporate computers vulnerable.
“Our biggest focus relative to security today is getting people to implement the current generation of security technology,” Hanszlik said. “Although the WPA technology is very robust, and we see a lot of folks seeking out WPA2 for home and small business applications, we still routinely find that the latest Wi-Fi technology supports WEP, and we’re two generations past that.”
Forrester’s Stamp insists, “The issues with WPA aren’t around security. You need a lot of prerequisites, like management technologies and implementing the 802.1x protocol, which is the authentication piece of WPA. That’s more difficult than it sounds because it’s a matter of managing identities and putting in place the software and hardware infrastructure throughout the enterprise. It’s another piece of complexity in which people need to invest.”
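The endpoint-agent behaviour described above (join only access points with approved encryption, refuse WEP and ad hoc peer-to-peer networks, and fall back to a VPN tunnel on an open hotspot) can be modelled as a small policy check over scan results. This is an added example, not Senforce’s or any vendor’s code; the security ranking, the policy values, the `ScannedAP`/`Policy` types and the airport scan records are all constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum

class Decision(Enum):
    ALLOW = "allow"             # approved encryption, connect normally
    ALLOW_WITH_VPN = "vpn"      # open hotspot: not secure itself, so tunnel everything
    DENY = "deny"               # WEP, ad hoc/peer-to-peer, rogue or unknown network

# Security generations named in the article, weakest to strongest (assumed ranking; "wpa2-enterprise" = WPA2 with 802.1X and dynamic keys).
GENERATION_RANK = {"open": 0, "wep": 1, "wpa": 2, "wpa2": 3, "wpa2-enterprise": 4}

@dataclass(frozen=True)
class ScannedAP:
    ssid: str
    bssid: str              # AP MAC address; two APs may share an SSID (evil twin)
    security: str           # one of the GENERATION_RANK keys as reported by the scan
    ad_hoc: bool = False    # IBSS / peer-to-peer network rather than an access point

@dataclass(frozen=True)
class Policy:
    minimum_security: str       # weakest generation the agent will join without a VPN
    managed_ssids: frozenset    # corporate SSIDs that must always meet the minimum
    vpn_on_open: bool = True    # tunnel on open hotspots instead of blocking them
    allow_ad_hoc: bool = False

def evaluate(ap: ScannedAP, policy: Policy) -> Decision:
    if ap.ad_hoc and not policy.allow_ad_hoc:
        return Decision.DENY        # ad hoc / unauthorized peer-to-peer connection
    rank = GENERATION_RANK.get(ap.security.lower())
    if rank is None:
        return Decision.DENY        # unknown or malformed security string: refuse, don't guess
    if rank >= GENERATION_RANK[policy.minimum_security]:
        return Decision.ALLOW
    if ap.ssid in policy.managed_ssids:
        return Decision.DENY        # corporate SSID advertising weak security: likely rogue/evil twin
    if rank == GENERATION_RANK["open"] and policy.vpn_on_open:
        return Decision.ALLOW_WITH_VPN
    return Decision.DENY            # WEP or anything else below the minimum

def triage(scan, policy: Policy) -> dict:
    # Map each scanned BSSID to its decision, e.g. for logging or a connection filter.
    return {ap.bssid: evaluate(ap, policy) for ap in scan}

CORP_POLICY = Policy(minimum_security="wpa2", managed_ssids=frozenset({"corp-wlan"}))  # constructed policy
AIRPORT_SCAN = [                                                                          # constructed scan
    ScannedAP("airport-free", "02:00:00:00:00:01", "open"),
    ScannedAP("corp-wlan", "02:00:00:00:00:02", "wpa2-enterprise"),
    ScannedAP("corp-wlan", "02:00:00:00:00:03", "open"),       # evil twin of the corporate SSID
    ScannedAP("legacy-printer", "02:00:00:00:00:04", "wep"),
    ScannedAP("free-share", "02:00:00:00:00:05", "wpa2", ad_hoc=True),
]
```

Running `triage(AIRPORT_SCAN, CORP_POLICY)` yields a VPN-required connection for the open hotspot, a normal connection for the WPA2-Enterprise corporate AP, and denials for the evil twin, the WEP network and the ad hoc share.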
Plugging Holes in the Corporate Firewall
The other big challenge comes with simplicity: Many security solutions are too complex for most IT managers to implement conveniently, so they don’t use them. Further, mobile devices themselves present an ongoing intrusion headache, says Jason Jaynes, director of product management for Credant Technologies in Dallas, Texas. Aside from protecting data in transit over the air, “how do you protect that data once it becomes resident on the user’s [mobile] device?” he asks. “All these holes are being poked in corporate firewalls to make end users more productive, but companies haven’t thought about how they’ll protect the data on the devices if they’re stolen or lost.”
Credant’s solution to the problem, Mobile Guardian, implements a series of lock-down controls on wireless devices that enterprise IT managers can configure according to centralized security policies. The Guardian tool, which includes an enterprise server enabling administrators to set default security protocols and lock down procedures across the organization, also provides data encryption, authentication and access control, Jaynes says. For example, a company may determine that employees can’t use digital cameras or Bluetooth connectivity features on their mobile devices. “We call this a defense-in-depth approach,” said Mary Van Zandt, Credant’s director of strategic marketing.
“We have an agent that detects mobile devices as they come onto the network. Based on the most prevalent mobile devices, IT can then make decisions on shield components that force the security local to each device. Users have to abide by the security settings, and they can’t easily remove the security application. That’s where the data encryption takes place.”
Credant reports it has just reached 1.2 million licenses for mobile devices and desktops now protected with the Guardian solution. One user, Randy Maib, senior IP consultant at Integris Health in Oklahoma City, Okla., a healthcare network consisting of 12 hospitals, 160 clinics and over 5,000 computers, is now deploying the Credant Mobile Guardian software solution to help beef-up security among the hospital’s roving wireless clients. “Our network used to be scattered in pockets of wireless and there was no standard for security,” he said. “But then we moved to standards requiring Cisco devices [for both wireless and wireline connectivity]. However, the sticking point wasn’t so much securing the wireless components to the network today but securing the data on the devices that go home with the doctors,” Maib said. “Credant came about because we had no idea what mobile devices were in our network. We didn’t have a good picture of how our PDAs were being utilized, so once we deployed [Mobile Guardian] and looked for what devices and synchronization software were out there, we discovered we had 120 different types of devices synchronizing on our network.”
The Credant security not only allowed Maib to take accurate inventories of all the Dells, HPs and other wireless devices but to implement a server-based security hosting policy, as well as software-based shields on each physician’s PDA to protect sensitive patient information. “We wanted to enforce authentication and encryption of data in case a PDA was lost or stolen,” he said. “We’ve had great success; it has become a part of the infrastructure, and we have not had any data stolen from the hospital.”
Many security vendors believe Maib’s experience suggests a future path. “Companies are appreciating the extent of how vulnerable they are,” said Credant’s Jaynes. “The dilemma is how do you get your arms around the mobile workforce and the data that goes mobile.” Simplicity is paramount—most network managers, whether from small or large enterprises, need better, more intuitive security tools with faster set-up. Moreover, “you need to learn when to ‘turn down’ the level of security to suit the user’s comfort level,” Jaynes observed. “Between phone calls and user complaints, it’s a balancing act between security and accessibility.”