No stopping wireless
Integrators to plan for secure access as demand grows
Like other types of IT, wireless networks offer a mix of benefits and security threats. The potential threats are enough to make security officers and their contractors cringe. But the user benefits: those are enough to make users lay out their own cash to set up access.
Like it or not, integrators must be prepared to install and secure a wireless LAN for their customers, or people will start looking to deploy one of their own.
"You are battling the fact that people can purchase and deploy a wireless network easily," said Stan Gatewood, information security officer for the University of Georgia at Athens. "They can go downtown and buy an access point for under $50."
Then there is the matter of securing mobile devices that access a wireless LAN. Don Rhodes, a civilian IT specialist at Fort Dix, N.J., said that soldiers coming to the base for training before deploying to the Middle East expect to use their PCs for both work and e-mailing home. The choices come down either to strictly policing users' computer habits or, as Rhodes is doing, making the wireless LAN itself secure.
"Even if you tell them not to, users are going to use their personal PCs to conduct government business," Rhodes said. "We would rather have a network that has some security on it than a wide-open system like we had before."
Earlier this year, the Agriculture and Defense departments released directives on securing wireless LANs. Both documents have a good overview of the steps an integrator should take in proposing and deploying a secure wireless network.
Common components
Securing a wired or wireless network involves a mix of hardware, software, policies and training. In setting up a system, however, an agency needs to consider the end-to-end network and ensure that all pieces work together.
For example, if different parts of the wireless LAN are operating on disparate encryption schemes, the network will default to the lowest standard.
If you're using an older security standard such as Wireless Protected Access or multimode security, "you are only as secure as your weakest link," said Peter Firstbrook, research director in information security and privacy for Gartner Inc. of Stamford, Conn.
Similarly, unless an agency offers client hardware to all potential users, the wireless LAN must accommodate a wide variety of connecting devices without compromising security.
"Many solutions are vendor-specific to the client device and, therefore, are not protecting everything over a wide range of clients," said Sonny Gutierrez, LAN/WAN security specialist for CDW Government in Herndon, Va.
The wireless policies from the Agriculture and Defense departments take an end-to-end view of wireless networks. While the directives differ in specifics, they also address certain common areas that are applicable to securing any wireless network. These include:
Wireless intrusion detection
"The largest threat is misconfiguration, or taking an access point out of the box and leaving the default settings in place," said Alex Zaltsman, managing partner of Exigent Technologies LLC of Morristown, N.J. "Default administrator passwords can be obtained easily by downloading a user manual, and access points come with encryption disabled."
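As an added example (not code from the article or from any vendor it names), a small audit that applies these points to a constructed site survey: it flags access points that are not in the agency's inventory, flags inventoried ones still on out-of-the-box settings (encryption off, default administrator password), and reports the weakest encryption scheme in use, which under the lowest-common-denominator point above is what the network effectively offers. The survey format, the SSID and the inventory are assumptions.

```python
# Added example: audits a constructed Wi-Fi survey for the problems named above
# (unknown APs, encryption left off, default admin password, weakest scheme).
# Survey format is assumed: one AP per line as BSSID,SSID,encryption,admin-pw-state.

# Weakest to strongest; a mixed network is only as strong as its weakest AP.
ENCRYPTION_RANK = {"OPEN": 0, "WEP": 1, "WPA": 2, "WPA2": 3}

OFFICIAL_SSID = "AGENCY-LAN"  # assumed network name
AUTHORIZED = {"00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"}

# Constructed sample survey, not output of a real scan.
SURVEY = """\
00:11:22:33:44:01,AGENCY-LAN,WPA2,changed
00:11:22:33:44:02,AGENCY-LAN,WPA,changed
00:11:22:33:44:03,AGENCY-LAN,OPEN,default
aa:bb:cc:dd:ee:ff,linksys,OPEN,default
de:ad:be:ef:00:01,AGENCY-LAN,WPA2,changed
"""

def parse_survey(text):
    """Parse survey lines into dicts; BSSIDs and scheme names are normalized."""
    aps = []
    for line in text.strip().splitlines():
        bssid, ssid, enc, admin_pw = line.split(",")
        aps.append({"bssid": bssid.lower(), "ssid": ssid,
                    "enc": enc.upper(), "admin_pw": admin_pw})
    return aps

def audit(aps, authorized=AUTHORIZED, official_ssid=OFFICIAL_SSID):
    """Return (bssid, issue) findings: unknown APs, plus out-of-the-box settings."""
    findings = []
    for ap in aps:
        if ap["bssid"] not in authorized:
            # Not in inventory: a neighbor's signal or a $50 AP someone plugged in.
            issue = "unknown access point"
            if ap["ssid"] == official_ssid:
                issue += " advertising the official SSID"
            findings.append((ap["bssid"], issue))
            continue
        if ap["enc"] == "OPEN":
            findings.append((ap["bssid"], "encryption disabled"))
        if ap["admin_pw"] == "default":
            findings.append((ap["bssid"], "default administrator password"))
    return findings

def effective_encryption(aps, authorized=AUTHORIZED):
    """Weakest scheme on the authorized APs, i.e. the level the network falls to."""
    names = [ap["enc"] for ap in aps if ap["bssid"] in authorized]
    return min(names, key=ENCRYPTION_RANK.__getitem__) if names else None
```

Run against real survey output, the inventory check is what a wireless IDS does continuously; the settings checks are what an integrator should run before an access point leaves the bench.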
The client devices also must be configured to access only the official network, not some other signal that might bleed over into the office from a neighbor.
"You don't want people jumping from wireless LAN to wireless LAN. You want them to be stuck to the wireless LAN you want them to use," Gartner's Firstbrook said. "Unfortunately, most of the wireless LAN drivers are very promiscuous. Microsoft will join any wireless LAN that is available."
Security principles
Although there are general guidelines to setting up a secure wireless LAN, each system must be designed to meet the business and security needs of the particular organization.
Just as in the wired world, networks vary in their degree of openness, flexibility and secrecy. When it's time for an agency to build out its wireless LAN, consider the following examples to see which most closely match the agency's requirements.
Wireless LAN 1
Maximum security. The Joint Forces Command's Joint Futures Lab in Suffolk, Va., set up a wireless LAN for mobile workers and guests in the three buildings on its campus. Users can access voice, video, data, Web sites and e-mail.
The network has 130 access points and a 2-gigabit backbone supporting 802.11 a/b/g devices, and uses an 802.16d wireless metropolitan area network between buildings. The network uses a five-layer, defense-in-depth architecture and an array of security technologies, including Air Fortress encryption gateways from Fortress Technologies Inc.; Bluesocket Inc. wireless gateways and firewalls; AirDefense Inc. wireless IDS; virtual private networking over IPSec from Cisco Systems Inc.; and a wireless management platform from Airwave Wireless Inc.
Planned enhancements include full disk encryption, a Layer 2 VPN, policy enforcement agents and end-point management.
One of the biggest challenges, said Jared Judy, wireless network engineer, is "getting vendors to play together for integration purposes, so administrators don't have to bounce between three, four or five different console screens to be able to monitor and manage the system."
Wireless LAN 2
Public access network. Burbank, Calif., last year set up a metropolitan wireless network covering its downtown. The square-mile hot spot uses ruggedized 802.11b/g access points from M-Gravity LLC of Torrance, Calif., which connect to a Proxim Inc. MP.11a system.
A Bluesocket WG1100 wireless gateway controls bandwidth, session time limits and authentication. Internal security is tighter than with wireless LAN 1.
"Burbank uses wireless capabilities to extend the reach of the LAN to buildings not connected via fiber optics," said Perry Jarvis, the city's chief information security officer. "We run many mission-critical applications over our citywide wireless bridge network and offer free WiFi in many locations."
To protect the network, the city has multiple firewalls and intrusion detection and prevention appliances at key points.
"The city uses many common security practices, such as Media Access Control filtering, encryption, hidden service set identifiers and strong passwords to secure our wireless network," Jarvis said.
Wireless LAN 3
For work and play. Don Rhodes is setting up a dual-purpose wireless network at Fort Dix. Troops training there will be able to use personal PCs for public Internet access, and base staff will be able to use it for official business.
"We are approaching the project from a security perspective as well as a business perspective, and I believe we have balanced both," Rhodes said.
The system is undergoing evaluation, testing and certification, so no official business is being conducted over it.
In the meantime, however, there are hundreds of morale, welfare and recreation users.
Both categories of users share the same access points, which cover dormitory day rooms and outside spaces and provide network access to devices in buildings not connected to the fiber network. The wireless traffic goes through an Aruba 5000 controller, where it's then routed to separate virtual LANs.
"If you don't have Federal Information Processing Standard encryption, the Common Access Card and proper authentication, it won't let you onto the government network; it will send you to the Internet," Rhodes said.
Although the system has not yet been approved, Rhodes said it should meet the base's security needs. "The Aruba controller gives us confidence that the traffic coming across our wired network is secure," he said.
However a customer chooses to approach a wireless LAN, deploying the network involves balancing usability with the need to enforce security standards. It requires a complete analysis of the business needs and budget, as well as the technology to be used. With some homework and adherence to government policy, it's possible to create a wireless network that is as secure as a wired LAN.
Drew Robb is a freelance technology writer in Los Angeles.