The appearance of wireless hotspots in Australian airports and other business traffic hubs has been a sign of a sea change in wireless networking.
While the number of “road warriors” already using hotspots may still be fairly low, the advertising dollars being spent by hotspot service providers are raising awareness of wireless networking and the business benefits it can provide.
The flipside of the highly publicised wireless boom has come in the form of equally publicised breaches of wireless security. These included the infamous chalk-marked “W” symbols which appeared on footpaths outside insecure buildings to indicate that unauthorised users could piggyback on their network.
But as wireless has taken off, vendors and their partners have been moving to implement tougher security, as well as complementary functionality such as access control and management.
The uptake of WLAN beyond early adopters is well and truly happening, according to Ross Chiswell, CEO of distributor Integrity Data Systems.
“We’re now seeing mainstream systems integrators [SIs] coming out with specific wireless offerings,” Chiswell said. “Some SIs have added analysis or consulting to their data security team.”
As with Internet access, any activity which allows outside access will be a source of security concern. WLAN security issues still at the forefront of people’s minds include the unauthorised use of mobile devices, denial of service (DoS), eavesdropping, and impersonators.
Of course, the old bugbear about products only being as secure as the people using them still holds true. A number of WiFi security issues arise simply because the network’s security settings are not activated during implementation and the user is not instructed on how to turn on the settings.
Furthermore, many users are not aware of the risks they are exposed to even when using secure products in a mixed-mode network.
Current wireless deployments tend to feature 802.11a, 802.11b and the latest 802.11g compliant products. 802.11g offers both speed and security advantages over 802.11b, while still providing backwards compatibility.
Most 802.11g solutions have adopted Wi-Fi Protected Access (WPA) to secure wireless traffic. WPA is an improvement on the older Wired Equivalency Protocol (WEP), which was found to be susceptible to eavesdropping and cracking. WPA closes the eavesdropping loophole through the use of a temporal key, which gives it resistance to interception and decryption of wireless traffic.
There had been a massive push by the industry to see organisations replace or strengthen the security of networks still using WEP, Netgear national ISP account manager, Ryan Parker, said.
“The Wi-Fi Alliance is trying everything to push WEP out,” he said. “Pretty much every product coming out, especially those targeting the business space, will have implementations of WPA.”
The ability to upgrade existing infrastructure is an issue that needs to be handled with care. One other thing to bear in mind about WPA as a solution for legacy equipment is that, while it is forward compatible with the 802.11i standard, the upgrade will probably require hardware replacement.
802.11i will include Advanced Encryption Standard (AES) as an option, which is stronger than its predecessor RC4. But AES will probably require the replacement of legacy access points due to its need for higher performing processors.
While WPA represents a significant advance in wireless security, the security it offers is obviously still far from failsafe.
“WPA certified products allow dual-mode use so they could be used on the same network as WEP-only products which would mean the temporal key integrity protocol (TKIP) used in WPA products for additional data protection would be rendered ineffective,” senior security analyst for security services company TruSecure, Stuart Johnstone, said. “The network would only be protected at the level offered by WEP products.”
Another significant security loophole that WPA has failed to sew up is protecting the network from denial of service (DoS) attacks. A more rounded security solution would be a virtual private network (VPN) solution with WPA.
Netgear has released a new FWAG ProSafe Tri-band Wireless VPN firewall product which can support 802.11a, b and g standards. It includes DoS protection and intrusion detection using Stateful Packet Inspection, URL access and content filtering, logging, reporting and real-time alerts. The FWAG114 also features IPSec-based VPN end-point support, reducing access costs by providing two 3DES-encrypted tunnels for secure WAN connections.
Organisations whose employees are using wireless hotspots to connect back to their work network need to take further steps to secure their network against the vulnerabilities they create.
“Usually hotspots are only concerned about security for the billing process that goes over wired lines. The primary concern of a hotspot is functional delivery to the customer, security typically is not addressed. So security is left to the user, such as the use of a VPN through a hotspot connection,” Johnstone said.
Nortel recently launched a WLAN Security Switch 2250 which is aimed at providing centralised security and seamless, secure roaming across public and private networks, as well as hotspot environments.
D-Link had addressed concerns about authentication and authorisation of users with its new wireless service gateway product, the DSA-3100, marketing director for D-Link Australia/NZ, Maurice Famularo, said.
The recently launched DSA-3100 is a network access control system which manages authentication, authorisation and accounting for wired and wireless users. Co-ordinating ISO Layer 2, 3 and 4 operations, it provides features such as IP plug and play, station isolation, traffic management and accounting and network policy enforcement.
“The DSA-3100 enables organisations to authenticate each user and authorise which part of the network they are allowed to access through policy enforcement,” Famularo said.
The DSA-3100 also has an accounting facility which is useful in commercial networks or public hotspots. It collects resource consumption data for the purpose of trend analysis, capacity planning, billing, auditing and cost allocation.
Apart from addressing security concerns, another focal point for new wireless products has been management.
Chiswell said that often the discussion of wireless networking was too focused on security — to the detriment of other user issues such as management.
For example universities which have a diverse range of network users — from undergraduate students to faculty staff — are now adopting access management tools, such as the new Bluesocket wireless gateway.
These gateway devices enable universities to lock down student access on weekends or at other times when students are not supposed to have access, and give organisations the ability to “turn the lights off and go home”, Chiswell said.
The Bluesocket WG-2100 wireless gateway is primarily aimed at medium-to-large organisations of up to 400 users. It operates with 802.11b and 802.11g access points and features hardware-based encryption acceleration.
As it is independent of the access point, the Bluesocket WG-2100 is vendor-independent and can interact with a range of security standard products, including 802.11a/b/g and Bluetooth.
Therefore, while many are looking to take advantage of the flexibility and portability which wireless networking offers, they also need to remain abreast of the security risks associated with it.