Net Admins Play Wireless Whack-a-Mole
At this week's InfoSecurity Show, experts discussed wireless weakness, from poor (but improving) security protocols to $14 rogue access points popping up like mushrooms. Jacqueline Emigh reports.
Wireless security is an increasing problem for network managers. With wireless security protocols still weak, one common tactic is to attach wired and wireless devices alike to a VPN. For an extra dash of security, though, you're well advised to add application-level proxy servers, experts say. Other administrative issues revolve around finding and eliminating unauthorized "rogue" 802.11 LANs.
"WEP is a flawed protocol," pointed out Ron Wilson, senior enterprise architect, World Wide Security, for IBM's Tivoli Software, during a standing room-only session at this week's InfoSecurity Show in New York City. "That's one of the reasons why we layer."
IPsec lets administrators "treat the Internet, wireless LANs, and (even) cellular phones" as a single wide area network, maintained Steve Schall, network and security architect for Nokia Internet Communications.
Also during the 90-minute session -- entitled "Wired vs. Wireless Security" -- Wilson and Schall answered a number of questions from administrators alarmed over the ongoing eruption of rogues in their midst. One attendee reported that end users in his company are paying only about $14 apiece for rogue APs (access points) at Radio Shack. "That's what's keeping me up at night. Short of walking the building, how do you defeat that?"
Echoed a colleague in the audience: "We do a perimeter scan. We get rid of access points (we don't want). A lot of people are not installing (APs) through us."
Another audience member said he's worried over how to give cell phone users secure access to Lotus iNotes, some time down the road.
Wilson said that, for most types of devices, it's best to create a VPN using SSL tunneling over IPsec. With IPsec, "You don't have to worry about your different platforms." He admitted cell phones can't yet be supported through SSL, but some phones can be used on VPNs via WTOS tunneling instead.
"SSL isn't a piece of cake to manage," conceded Nokia's Schall. "But it is the safest."
WEP's "shared secret" encryption method is easy for a determined interloper to break, the speakers concurred. Wilson estimated that, "It takes about a week, at most, for (WEP) to crack."
When WEP does get compromised, administrators should distribute new keys to all end users immediately, according to Schall. Otherwise, you're likely to get a rash of irate phone calls to the help desk, complaining, "Why can't I get on the net?"
Wilson predicted that future protocols such as TKIP will work better than WEP. "They're a central piece of the entire puzzle," he acknowledged.
Still, though, wireless encryption addresses only a small percentage of an organization's security exposure, according to Wilson. "Are (better protocols) needed? Yes. Do they add a large value? No," he elaborated.
Meanwhile, despite WEP's weaknesses, WEP should be turned on anyway, because "It's better than nothing," the audience was told.
"No security method is foolproof," Wilson observed. For extra security behind the firewall, Wilson recommended the use of proxy servers to authenticate access to application servers. According to Wilson, organizations today are becoming more and more concerned over fine-grained access rights for specific applications. "You're hearing less and less about single sign-on."
No company wants to authorize all users to "wire money to the Cayman Islands any time they want," for instance.
For rooting out rogue LANs, Schall prescribed the use of packet sniffer software, downloadable from a variety of sources on the Web. For its part, according to Wilson, IBM has developed special in-house software for "outlawing non-IBM access points" on its internal nets. Another administrator told the group that several hundred 802.11 LANs are already up and running at his company - some of them "rogue," and some of them authorized. "The problem is density," he said. "How do we determine which are ours?"
Schall suggested the use of naming conventions to help identify which of the wireless LANs out there have IT's approval.
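The two suggestions above (sniff for access points, then sort authorized from rogue by naming convention) combine naturally into a small triage script. The following is an added example, not code from the article, IBM, or Nokia: it assumes a constructed scan listing (BSSID, SSID, channel) of the kind a sniffer or site-survey tool produces, a hypothetical inventory of authorized APs keyed by radio MAC, and a hypothetical naming convention CORP-<site>-<nn>. It also handles the case the naming convention alone cannot: a $14 rogue can be given an SSID that follows the convention, so an AP whose name looks official but whose BSSID is not in inventory is flagged separately rather than trusted.

```python
"""Rogue access point triage from a wireless scan.

Added example, not from the article or its speakers. All BSSIDs, SSIDs,
the inventory and the naming convention below are constructed for
illustration.
"""
import re
from typing import Dict, List, Tuple

# Hypothetical naming convention for IT-approved wireless LANs: CORP-<site>-<nn>.
SSID_CONVENTION = re.compile(r"^CORP-[A-Z]{3}-\d{2}$")

# Hypothetical inventory of authorized APs: BSSID (radio MAC) -> expected SSID.
# The BSSID, not the SSID, is what ties a beacon to hardware IT actually owns.
AUTHORIZED_APS: Dict[str, str] = {
    "00:0d:93:aa:bb:01": "CORP-NYC-01",
    "00:0d:93:aa:bb:02": "CORP-NYC-02",
    "00:0d:93:aa:bb:03": "CORP-BOS-01",
}

# Constructed scan output, one AP per line: BSSID, SSID, channel.
# A packet sniffer or site-survey tool would emit something similar.
SAMPLE_SCAN = """\
00:0D:93:AA:BB:01  CORP-NYC-01  6
00:0d:93:aa:bb:02  CORP-NYC-02  11
00:0d:93:aa:bb:03  corp-guest   1
00:40:96:12:34:56  CORP-NYC-03  6
00:c0:49:de:ad:01  linksys      6
00:c0:49:de:ad:02  Bob's AP     11
"""


def parse_scan(text: str) -> List[Tuple[str, str, int]]:
    """Parse 'BSSID SSID channel' lines; SSIDs may contain spaces, channel is last."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        bssid, rest = line.split(None, 1)
        ssid, channel = rest.rsplit(None, 1)
        # Normalize MAC case so inventory lookups are not fooled by formatting.
        entries.append((bssid.lower(), ssid, int(channel)))
    return entries


def classify(bssid: str, ssid: str) -> str:
    """Decide what a beaconing AP is, trusting inventory over the name.

    authorized    - known BSSID, beaconing the SSID we expect for it
    misconfigured - known BSSID, but the SSID does not match our records
    spoofed       - unknown BSSID whose SSID imitates the approved convention
    rogue         - unknown BSSID with an arbitrary SSID (the $14 special)
    """
    expected = AUTHORIZED_APS.get(bssid.lower())
    if expected is not None:
        return "authorized" if ssid == expected else "misconfigured"
    if SSID_CONVENTION.match(ssid):
        return "spoofed"
    return "rogue"


def triage(scan_text: str) -> Dict[str, str]:
    """Map each scanned BSSID to its verdict."""
    return {bssid: classify(bssid, ssid) for bssid, ssid, _ in parse_scan(scan_text)}


def rogue_report(scan_text: str) -> List[str]:
    """One line per AP that needs a visit, channel included so someone can find it."""
    lines = []
    for bssid, ssid, channel in parse_scan(scan_text):
        verdict = classify(bssid, ssid)
        if verdict != "authorized":
            lines.append(f"{verdict:<13} {bssid}  ch {channel:>2}  {ssid!r}")
    return lines


if __name__ == "__main__":
    for line in rogue_report(SAMPLE_SCAN):
        print(line)
```

The verdict order matters: the inventory lookup comes first, so a naming convention is only ever used to grade unknown hardware, never to admit it. In practice the inventory would be pulled from the wireless controller or asset database, and the scan from whichever sniffer the site uses; the parser here only expects the simple three-column layout of the constructed sample.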
Technology alone may not be enough, though, according to the speakers. Policies need to spell out tough sanctions against all those who violate wireless security.