Beware the devil on your desktop


For John Smith, it was like any other Monday morning. He walked into the office of the international drinks company where he worked as IT manager. He sat down at his desk and pulled out his laptop to check his emails.

But it was at this point that he noticed something was not quite right. Instead of the laptop connecting to his company's wireless network, it was connecting to another with a name he did not recognize.

His curiosity suitably aroused, John set off in search of this rogue access point, armed with his laptop and a copy of NetStumbler. Five minutes later, he popped his head round the door of Bob Jones, finance director. Bob was not in the room, but he was at work. Sitting on Bob's desk was a silver box with green flashing lights that John immediately recognized as the wireless access point Bob had bought recently from the local computer store.

So he unplugged the access point and left Bob a note explaining why he had disconnected his new toy. As John returned to his desk, he made a mental note to update his security policy and restrict the MAC addresses able to connect to the firm's wireless switch.

This story is true; only the names have been changed. It shows the problem now facing organizations. Wireless networking is a runaway success. The Dell'Oro group says wireless LAN market growth reached 26 percent in 2004.

Virtually every new laptop sold today has some form of wireless connectivity built in, and wireless cards are cheap enough to buy for those without.

The price of a decent wireless access point (AP) is now so low, and its installation so easy, that almost anyone can buy one and set it up in a matter of minutes. The major problem for organizations has become how low-cost, highly unofficial APs are now creating a security headache for the IT department.

These cheap APs have many security drawbacks, the most important being their lack of management functionality. Companies that implement wireless networks usually go for APs that can be managed centrally and secured in accordance with policy. They are placed in areas where employees can have access, but outsiders cannot. A rogue AP can destroy that policy and leave a company open to attack in minutes.

But, like instant messaging, wireless networks are becoming ubiquitous, and simply having a policy of not allowing wireless networking within an organization is not going to work. This "no wireless" policy is no longer viable, according to AirMagnet vice-president Richard Mironov. He urges IT departments to "create a policy that makes sense."

Rolf Leukel, product manager of Funkwerk Enterprise Communications, agrees. "If you find a rogue network and you don't have a policy, then it is time to make a policy and roll out a wireless service," he says.

But given that users are going to install non-spec APs, creating rogue networks, what can be done about the problem?

Mironov proposes that when a rogue network is found, it should be taken off the network and a managed, secure access point put in its place quickly, especially if the person who installed it is the finance director or another high-level employee. He recommends that a couple of such APs should be held in reserve for just such a scenario.

There are many ways to spot rogue access points. One solution, mentioned earlier, is to pull out a laptop or PDA and install NetStumbler or MiniStumbler, and walk round the building looking for access points you know you have not put in yourself. This is probably the easiest to get one's head around but there is a cost, both in time and shoe leather. Not only that – it has to be done on a regular basis. A sweep of the building can be made, but there are no guarantees that someone has not switched on an AP two minutes after you declare an area rogue-free.
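
The comparison behind such a sweep, as an added example that is not part of the original article: each access point seen is checked against an inventory of authorized BSSIDs, and anything unknown is ranked by signal strength. The CSV layout, the inventory, the SSID `CorpWLAN` and the -70 dBm threshold are constructed assumptions, not NetStumbler's export format.

```python
import csv
import io

# Constructed inventory of authorized APs (BSSID -> location); values are invented.
AUTHORIZED = {
    "00:11:22:33:44:01": "Floor 1 lobby",
    "00:11:22:33:44:02": "Floor 2 canteen",
}
CORPORATE_SSIDS = {"CorpWLAN"}  # assumed name of the official network

# Constructed survey export: one row per AP seen during a walk-round sweep.
SWEEP_CSV = """ssid,bssid,channel,signal_dbm
CorpWLAN,00:11:22:33:44:01,1,-52
CorpWLAN,00-11-22-33-44-02,6,-61
linksys,00:AA:BB:CC:DD:10,11,-40
CorpWLAN,00:aa:bb:cc:dd:11,6,-47
CoffeeShop,00:AA:BB:CC:DD:12,1,-88
"""

def normalize_bssid(raw):
    """Canonical upper-case, colon-separated form so differing formats compare equal."""
    digits = "".join(c for c in raw if c.isalnum()).upper()
    if len(digits) != 12 or any(c not in "0123456789ABCDEF" for c in digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def classify_sweep(csv_text, near_dbm=-70):
    """Return a finding for every AP that is not in the authorized inventory."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        bssid = normalize_bssid(row["bssid"])
        if bssid in AUTHORIZED:
            continue
        signal = int(row["signal_dbm"])
        if row["ssid"] in CORPORATE_SSIDS:
            # Official network name on a radio IT did not install.
            verdict = "unknown-ap-using-corporate-ssid"
        elif signal >= near_dbm:
            verdict = "unknown-ap-nearby"
        else:
            verdict = "unknown-ap-weak-signal"
        findings.append((verdict, row["ssid"], bssid, signal))
    # Strongest signal first: those are the most likely to be inside the building.
    return sorted(findings, key=lambda f: f[3], reverse=True)

if __name__ == "__main__":
    for finding in classify_sweep(SWEEP_CSV):
        print(*finding)
```

A BSSID match only shows that a radio claims an authorized address, so the comparison is repeated on every sweep and strong unknown signals are confirmed by physically locating the device.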

Another way to deal with this is placing wireless sensors around the building that pick up rogue access points. Arthur Barnes, security consultant at Diagonal Security, says what is needed is something that can detect endpoints connected through these rogue devices and disconnect that part of the network.

"The smarter ones detect both rogue networks and hacking attempts," he says. "With such a system not only can you detect problems such as rogue networks and unauthorized access, but also it can help in planning the wireless network."

These sensors can work alongside authorized APs and build up a picture of what is happening in the wireless network. "You can identify performance problems. People will congregate around one access point, say in the canteen, and that information allows you to decide whether more access points are needed in that area," says Barnes.

Mironov says that having sensors on the network which can counteract rogue networks and data passing through them by temporarily jamming the radio frequency of the wireless network would enable the IT department to "stop it on the wire, stop it in the air or find out where it is and turn it off." The sensors send a request to the switch, quarantining the AP from the main network.

Bob Honour, systems marketing manager at 3Com, believes there is a cheaper alternative: use what already exists in the infrastructure, namely managed switches.

"Everything has a MAC address, and switches have a facility to remember these MAC addresses. These managed switches have the ability to lock MAC addresses in a table," he says. Should the finance director, or anyone else, plug an unofficial AP into the network without permission, it won't connect to the network. Their next step would be to call the helpdesk. This, says Honour, "will act as an early warning system."

He contends that this could be used as a practical first-line defense and is a good example he would recommend to anyone. "If we make it difficult to plug an access point into the network, it starts to safeguard the corporate network. If anyone can plug anything into the corporate network in the first place, then that's where the security risk starts," he comments.

Locking down a network is one part of ensuring wireless security. Gernot Radl, practice director at Unisys, believes that any internal wireless network has to be considered a hostile environment, regardless of whether this was unofficial or planned. And it is with this in mind that he stresses the importance of keeping data as safe as possible.

"You have to design a network where sensitive data is not stored on the endpoint, transmit only the data you need to send, and make sure it is all encrypted."

Encryption and authentication are the two most important aspects of wireless security. Data has to traverse a network without being snooped by outsiders, and it has to arrive at an endpoint that has been authenticated by the organization.

The widely derided Wired Equivalent Privacy (WEP) has, by and large, been replaced by standards such as Wi-Fi Protected Access (WPA), which has a method of authentication and encrypts data, and 802.11i.

Michael Coci, director of corporate product marketing at Trapeze Networks, says the 802.11i standard is a suitable framework for wireless security that can be used by any organization.

"It is like a recipe – it gives guidelines, but you can change these to suit the organization," he says.

The framework allows for a wide range of authentication methods, from username/password combinations to digital certificates and two-factor authentication. Many enterprise APs from mid-2003 onwards have been capable of running within the 802.11i framework.

Coci says this standard takes all the work done in security over the past few years and applies it as a standard. He adds that this should ensure a high level of security on the wireless network. Once security on wireless elements has been achieved, this extra facility can become a driver for increased wired network security. "You can have a more secure network than a typical wired network," he explains.

The gains of these standards do not only apply to mobile workers in the enterprise. Funkwerk's Leukel sees these standards, using security outlines such as 802.1x and EAP, reaching out to new audiences. "The benefits of this can be extended to all users, wired or wireless," he says.

Most people still maintain that security is a problem in wireless, but "these problems were solved two years ago," continues Leukel.

"IT either doesn't realize or doesn't recognize it. A manageable and secure wireless network is possible."
