Wireless security is an increasing problem for network
managers. With wireless security protocols still weak, one common tactic is to
attach wired and wireless devices alike to a VPN. For an extra dash of
security, though, you’re well advised to add application-level proxy
servers, experts say. Other administrative issues revolve around finding
and eliminating unauthorized “rogue” 802.11 LANs.
“WEP is a flawed protocol,” pointed out Ron Wilson, senior enterprise
architect, World Wide Security, for IBM’s Tivoli Software, during a
standing room-only session at this week’s InfoSecurity Show in New York
City. “That’s one of the reasons why we layer.”
IPsec lets administrators “treat the Internet, wireless LANs, and (even)
cellular phones” as a single wide area network, maintained Steve Schall,
network and security architect for Nokia Internet Communications.
Also during the 90-minute session — entitled “Wired vs. Wireless Security”
— Wilson and Schall answered a number of questions from administrators
alarmed over the ongoing eruption of rogues in their midst.
One attendee reported that end users in his company are paying only about
$14 apiece for rogue APs (access points) at Radio Shack. “That’s what’s
keeping me up at night. Short of walking the building, how do you defeat
Echoed a colleague in the audience: “We do a perimeter scan. We get rid of
access points (we don’t want). A lot of people are not installing (APs)
Another audience member said he’s worried over how to give cell phone users
secure access to Lotus iNotes, some time down the road.
Wilson said that, for most types of devices, it’s best to create a VPN
using SSL tunneling over IPsec. With IPsec, “You don’t have to worry about
your different platforms.” He admitted cell phones can’t yet be supported through SSL, but some
phones can be used on VPNs via WTOS tunneling instead.
“SSL isn’t a piece of cake to manage,” conceded Nokia’s Schall. “But it is
WEP’s “shared secret” encryption method is easy for a determined interloper
to break, the speakers concurred. Wilson estimated that, “It takes about a
week, at most, for (WEP) to crack.”
When WEP does get compromised, administrators should distribute new keys to
all end users immediately, according to Schall. Otherwise, you’re likely to
get a rash of irate phone calls to the help desk, complaining, “What can’t
I get on the net?”
Wilson predicted that future protocols such as TKIP will work better than
WEP. “They’re a central piece of the entire puzzle,” he acknowledged.
Still, though, wireless encryption addresses only a small percentage of an
organization’s security exposure, according to Wilson. “Are (better
protocols) needed? Yes. Do they add a large value? No,” he elaborated.
Meanwhile, despite WEP’s weaknesses, WEP should be turned on anyway,
because “It’s better than nothing,” the audience was told.
“No security method is foolproof,” Wilson observed. For extra security
behind the firewall, Wilson recommended the use of proxy servers to
authenticate access to application servers.
According to Wilson, organizations today are becoming more and more
concerned over fine-grained access rights for specific applications. “You’re
hearing less and less about single sign-on.”
No company wants to authorize all users to “wire money to the Cayman
Islands any time they want,” for instance.
For rooting out rogue LANs, Schall prescribed the use of packet sniffer
software, downloadable from a variety of sources on the Web.
For its part, according to Wilson, IBM has developed special in-house
software for “outlawing non-IBM access points” on its internal nets.
Another administrator told the group that several hundred 802.11 LANs are
already up and running at his company – some of them “rogue,” and some of
them authorized. “The problem is density,” he said. “How do we determine
which are ours?”
Schall suggested the use of naming conventions to help prove which of the
wireless LANs are out there with IT’s approval.
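The two suggestions above, a sniffer sweep and an SSID naming convention, combine naturally into one check: parse the scan, compare each access point against IT’s inventory, and flag anything that does not fit. The script below is an added example, not code from the session or from IBM or Nokia. It assumes scan rows in the CSV-like shape airodump-ng writes (BSSID, channel, privacy, ESSID), an assumed naming convention of the form CORP-WLAN-<building>-F<floor>, and a constructed inventory of authorized BSSIDs; the sample scan is constructed too. Because an SSID is trivially copied, a name that follows the convention is only trusted when the radio’s BSSID is also in inventory.

```python
"""Flag candidate rogue 802.11 access points from a wireless scan.

Added example (not from the conference session or the article). Assumes
airodump-ng style CSV rows (BSSID, channel, Privacy, ESSID) and an
IT-maintained inventory of authorized BSSIDs. The inventory, naming
convention and scan output below are constructed for illustration.
"""
import csv
import io
import re

# Constructed IT inventory: radio MAC addresses of approved access points.
AUTHORIZED_BSSIDS = {
    "00:0d:9d:aa:10:01",
    "00:0d:9d:aa:10:02",
    "00:0d:9d:aa:10:03",
}

# Assumed naming convention for approved SSIDs, e.g. CORP-WLAN-BLDG3-F2.
APPROVED_SSID_RE = re.compile(r"^CORP-WLAN-[A-Z0-9]+-F\d+$")

# Constructed scan output in airodump-ng style.
SAMPLE_SCAN = """\
BSSID, channel, Privacy, ESSID
00:0d:9d:aa:10:01, 1, WEP, CORP-WLAN-BLDG3-F1
00:0d:9d:aa:10:02, 6, WEP, CORP-WLAN-BLDG3-F2
00:40:96:5f:01:23, 11, OPN, linksys
00:0d:9d:aa:10:99, 6, WEP, CORP-WLAN-BLDG3-F2
00:02:2d:1c:44:55, 1, WEP, CORP-WLAN-BLDG3-F3
"""


def parse_scan(text):
    """Parse CSV rows into dicts keyed by lower-cased header names."""
    rows = []
    reader = csv.reader(io.StringIO(text))
    header = [h.strip().lower() for h in next(reader)]
    for row in reader:
        if not row or not row[0].strip():
            continue  # skip blank lines between airodump sections
        fields = dict(zip(header, (c.strip() for c in row)))
        fields["bssid"] = fields["bssid"].lower()
        rows.append(fields)
    return rows


def classify(ap):
    """Return the reasons an AP looks rogue; an empty list means authorized."""
    reasons = []
    known_radio = ap["bssid"] in AUTHORIZED_BSSIDS
    if not known_radio:
        reasons.append("bssid not in inventory")
    if not APPROVED_SSID_RE.match(ap["essid"]):
        reasons.append("ssid violates naming convention")
    elif not known_radio:
        # Approved-looking name on an unknown radio: a cloned or spoofed SSID.
        reasons.append("approved ssid on unknown bssid")
    if ap["privacy"].upper() == "OPN":
        reasons.append("open network (no encryption)")
    return reasons


def find_rogues(scan_text):
    """Map BSSID -> reasons for every AP that is not cleanly authorized."""
    rogues = {}
    for ap in parse_scan(scan_text):
        reasons = classify(ap)
        if reasons:
            rogues[ap["bssid"]] = reasons
    return rogues


if __name__ == "__main__":
    for bssid, reasons in find_rogues(SAMPLE_SCAN).items():
        print(f"{bssid}: {'; '.join(reasons)}")
```

Run against the constructed scan, the two inventoried radios pass, the open “linksys” box is flagged on every count, and the two radios advertising a convention-conforming name are still flagged because their BSSIDs are not in inventory, which is exactly the case a naming convention alone cannot catch.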
Technology alone may not be enough, though, according to the speakers.
Policies need to spell out tough sanctions against all those who violate