
The risks associated with wireless networks are diverse. And whether you’ve prohibited wireless access at your company, or have chosen to enable encrypted wireless access, you still have a significant wireless security problem. How so? Just about every portable device shipped in the past few years comes with wireless access enabled – smart phones, PDAs, notebooks, MP3 players, portable storage devices and even printers – while WiFi access points the size of a USB thumb drive are coming to market in increasing numbers. Also, financial institutions, and all enterprises for that matter, that believe they can avoid the risks associated with wireless networks through encryption or policy alone are mistaken – and they’re placing their wired LANs at significant risk as a result.
While the enterprise has made significant strides in network security, there’s been no shortage of security troubles, from lax security policies at leading brokerage houses to lost or stolen laptops containing millions of customer records to hackers gaining access to financial networks for identity theft. Not all these breaches are wireless of course, but wireless is fast becoming the vector of choice for criminals. Wireless access, if not handled properly, makes it all that much easier for these types of criminal attacks as well as the careless loss of data.
Consider the highly publicized breach of a retailer’s network whose systems were accessed for somewhere between 18 months and two years, as a result of an unsecured wireless access point. The breach resulted in the compromise of at least 45 million credit and debit cards, and reportedly will cost more than $1 billion by the time the incident is fully resolved. Such attacks are made possible because, until recently, there’s been a general lack of understanding, or in some cases outright denial, when it comes to wireless security. Many organizations felt that if they waited long enough, and forbade wireless connections on their networks, most wireless security risks would remedy themselves. Such a lackadaisical attitude is risky enough for any company, but especially so for financial institutions that hold so much sensitive information about their customers. Too much is at risk to let the perils associated with wireless access slip down the TO DO list on the security plan.
Encryption and wireless security policy are not enough: even when you don’t have a wireless LAN
The challenge is that wireless access has become as ubiquitous as the number of wireless devices available. And the clear reality is that many of these connections remain unencrypted and fully accessible. So, what does this have to do with the security of financial networks? Plenty! All it takes is a single wireless-enabled device within your office to connect (either initiated by the end user, or by default because of the settings of the device) with any nearby wireless networks while it’s connected, or is about to connect, to your wired network – and now you have a gaping security hole that jeopardizes all of the security precautions you’ve taken to keep your network safe.
That’s why encryption and policy are not enough. Institutions need to be just as proactive when it comes to layers 1 and 2 of wireless networks as they are with their wired networks. And this includes wireless networks whose signal extends from surrounding buildings and offices to your office. But what we, at AirTight, see when we visit most organizations is that they’re totally, or significantly, exposed, and don’t even realize it.
The real risks associated with wireless connectivity
One of the biggest hurdles to ensuring that such incidents don’t happen to your company is the sheer convenience and ease of wireless access. There are dozens of reasons why a department or individual may want to set up an ad hoc (read: rogue) wireless access point. And there are even more reasons why someone would want to connect a cell phone to a notebook (which just so happens to be connected to your wired network). Many notebooks today come shipped from the manufacturer with the default set to connect automatically to wireless networks, so it’s very easy for these devices to instantly and accidentally connect to what just happens to be the wireless network across the street run by the local coffee shop. Most end users don’t think about, or even realize, how this setup could possibly jeopardize the security of the network.
But what if it is not accidental?
So far we’ve discussed the risks caused by accidental, unintentional wireless connections made without any malicious intent. But the reality is that such connections can be set up through malicious APs, such as those employed for Evil Twin attacks; or an insider easily could establish a wireless connection accessible from the parking lot, transfer data in a matter of minutes, and promptly shut it down. Such attacks could prove forensically difficult to identify.
What is needed is a way to automatically and persistently identify what wireless networks are accessible within your offices, and enforce what connections – if any – can be made. In some areas, the financial sector has done a better job than other private sector verticals at recognizing wireless security risks – perhaps because when it comes to protecting sensitive customer information and financial data you can’t leave any connection uncontrolled. After all, trust is the first commandment for a bank.
There’s no reason, except in the most extreme cases, to deny wireless access to employees and even guests – but you must have a wireless policy and be able to enforce such a policy and make sure that no networked and/or wireless-enabled devices are connecting to nearby, and uncontrolled, networks.
Many organizations have made the mistake of trying to ferret out ad hoc internal networks and identify local foreign networks by conducting periodic walk-throughs with tools such as NetStumbler. While this may identify the occasional rogue AP established in the office, it doesn’t help protect your clients from connecting to nearby unauthorized access points, and it doesn’t do anything to spot ad hoc networks established nearby. The handheld audit gives you nothing but a moment in time. What’s happening with all of those wireless-enabled devices and networks the other 99.99 percent of the time, when they’re going unmonitored? This approach is akin to running intrusion detection systems on Friday afternoons, and turning the sensors off for the rest of the week.
The need for wireless intrusion prevention systems
The tribulations associated with securing WiFi networks, while they’ve been known for years, are continuing to grow ever more challenging. More organizations are turning to wireless intrusion prevention systems, or WIPS, to keep their office campuses secured. And WIPS are proving to be a powerful ally in the defense of wireless and wired-line networks alike. These systems work by continuously monitoring the surrounding wireless spectrum through carefully placed wireless sensors. These sensors monitor all 2.4 and 5 GHz channels to identify all nearby wireless traffic. The results are transmitted to a server where they’re correlated and analyzed. Some products will pinpoint the location of wireless devices, as well as what networks they access and what actions they take. Not only does this alert you to potential wireless threats, it also itemizes inventories of surrounding WiFi networks along with location maps and an historical report for in-house and regulatory auditing.
Most importantly, these systems provide you with very granular control over all wireless activity within your offices. They can control what access points client systems can access (if any), and even prevent the access to surrounding wireless networks not under your direct control. And the technology makes it possible to identify new access points as they surface, quarantine rogue APs, and immediately block WiFi transmissions. When examining WIPS, it’s important to find systems that do this automatically and continuously, so that all unauthorized wireless connections are stopped and all legitimate and potentially unauthorized access is logged and auditable.
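The correlation step described above can be sketched in a few lines. This Python example is added here and is not AirTight's or any WIPS product's code; the inventory, MAC addresses, SSIDs and field names are constructed, and matching a BSSID against the wired-side MAC table is a simplifying assumption for how an AP is judged to be on the LAN.

```python
from dataclasses import dataclass

# Constructed inventory; every MAC, SSID and field name here is an assumption.
AUTHORIZED_APS = {("00:11:22:aa:00:01", "CorpNet")}       # approved (BSSID, SSID)
CORP_SSIDS = {ssid for _, ssid in AUTHORIZED_APS}
WIRED_MACS = {"00:11:22:aa:00:01", "66:55:44:bb:00:02"}   # MACs seen on LAN switch ports
MANAGED_CLIENTS = {"00:11:22:cc:00:10", "00:11:22:cc:00:11"}

@dataclass(frozen=True)
class Sighting:
    """One correlated sensor report: a radio, its SSID, and associated clients."""
    bssid: str
    ssid: str
    clients: tuple = ()
    adhoc: bool = False

def classify(s):
    if s.adhoc:
        return "adhoc"               # peer-to-peer network, never an approved AP
    if (s.bssid, s.ssid) in AUTHORIZED_APS:
        return "authorized"
    if s.bssid in WIRED_MACS:
        return "rogue"               # unapproved radio bridged onto the wired LAN
    if s.ssid in CORP_SSIDS:
        return "evil-twin-suspect"   # corporate SSID from a radio not in inventory
    return "external"                # neighbour network, off-limits to managed clients

def evaluate(sightings):
    """Return (alert, device, ssid) tuples for everything the policy forbids."""
    alerts = []
    for s in sightings:
        kind = classify(s)
        if kind in ("rogue", "evil-twin-suspect"):
            alerts.append((kind, s.bssid, s.ssid))
        for client in s.clients:
            # A managed device may only associate with an authorized AP.
            if client in MANAGED_CLIENTS and kind != "authorized":
                alerts.append(("client-misassociation", client, s.ssid))
    return alerts

SAMPLE = [  # constructed sightings
    Sighting("00:11:22:aa:00:01", "CorpNet", ("00:11:22:cc:00:10",)),
    Sighting("66:55:44:bb:00:02", "linksys"),
    Sighting("de:ad:be:ef:00:03", "CorpNet", ("00:11:22:cc:00:10",)),
    Sighting("aa:bb:cc:dd:00:04", "CoffeeShop", ("99:88:77:66:00:05", "00:11:22:cc:00:11")),
    Sighting("02:00:00:00:00:06", "hpsetup", ("00:11:22:cc:00:11",), adhoc=True),
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE):
        print(alert)
```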
And the time is now to put in place the proper policies, automatically and technologically enforced. The trends are clear: Wireless has become a business utility and the question is not ‘How do I keep wireless out?’ but ‘How do I reap its benefits and efficiencies while managing wireless vulnerabilities?’ In upcoming years, more devices will be wireless-enabled. There will be more wireless ad hoc connections and standards that will provide for even more ubiquitous high-speed wireless access, which means it’ll never be easier than the present to get enforceable policies in place. These policies need to be technologically enforceable, automated, and provide for an audit trail and address networks located on, and off, your office campus. In short, you have to treat wireless security – whether you have wireless installed or not – as an integral component of your wired network security.
About David King, Chairman and CEO, AirTight Networks
David was formerly the Chairman, President and CEO of Proxim, Inc. He joined Proxim in December 1992 as VP of Marketing, was appointed President and CEO in July 1993 and took the company public in December 1993, making Proxim the first publicly traded WLAN company. He grew Proxim from $4 million to over $100 million in annual revenues.
Before Proxim, David was VP of Marketing and Customer Services at Vitalink Communications Corporation, a pioneer in wide area data networking, where he served in various executive capacities from 1990 to 1992. From 1985 to 1990, he was a senior manager in the San Francisco office of McKinsey, where he was a leader in the firm's high technology and health care practices.
David holds an A.B. in Economics, as well as J.D. and M.B.A. degrees, all from Harvard University.