The stupidity of companies when it comes to securing their networks seems to know no bounds.
A decade ago, when SC Magazine was just a sparkle in the publisher’s eye, remote access via modem was seen as a major problem, with many companies inadvertently allowing ‘back-door’ access to their networks via this method. A decade down the line (no pun intended) and we have the Internet, and a wealth of software to protect company IP packets from unauthorized incursions. And we also have the new century’s equivalent to a modem – Wi-Fi access to the network.
Although still in its infancy in Europe, the 802.11b wireless LAN standard has been around for several years in the U.S., mainly thanks to the ease with which W-LAN devices have received approval from the Federal Communications Commission (FCC). But, just as the first modems slipped through the standards hoop with no integrated security mechanisms, so the first 802.11b devices have also passed muster by the FCC without such technology.
Critics might say that it is not the FCC’s position to account for users’ stupidity, but it took the Clinton administration to realize that a teamwork approach was required for IT matters, as witnessed by Al Gore’s initiatives on several IT and Internet-related issues. Many of the former vice president’s teamwork approaches to IT issues have found their way into the present U.S. administration’s ideas, as well as being copied by several European governments.
But has the concept percolated through to the FCC’s hallowed walls? Not from this observation position, it hasn’t.
Although this writer has been aware of the potential of the 802.11b security loophole since late 2000, when the first W-LAN devices went on sale in Europe, it took an IT security event in London around six months ago to make the full potential of the technology hit home.
In the offices at the ISSE 2001 show just across the road from the House of Commons, the seat of the British government, several U.S. IT veterans flipped open their laptops and started accessing the Internet within seconds. There was no modem in sight, nor was there an official ‘show’ W-LAN access point. There were no less than six 802.11b networks available at the event, four of which were located on the show floor itself.
The other two? Well, I’ll leave the location of the QEII Conference Center in London’s Westminster district to speak for itself.
The problem of ‘drive-by’ hacking using 802.11b technology is a major one in the U.S., especially on the West Coast, where every pony-tailed market executive has a W-LAN PCMCIA card in their notebook. From a teenager’s point of view, W-LAN is a public Internet access medium, suitable for accessing the Net at nice high speeds from most metro locations. And forget about paying to access – why should you, when all these nice firms are proving free and unfettered access?
The IT industry is lucky that the bulk of these unauthorized accesses across company wireless networks are used only for Internet surfing and not for any illicit purposes. The bottom line is that, if most people weren’t reasonably honest, then many more U.S. companies would be accused of participating in a distributed denial-of-service attack – simply because hackers were launching attacks from across their W-LAN network.
How popular is 802.11b?
Very – GRIC Communications (www.gric.com), the Internet roaming company, has just added Wayport’s Wi-Fi and wireline range of services to its global broadband roaming network.
Broadband? Yes, that’s right – the 2-4Mbps steady streaming that is achievable at quiet times across an 802.11b network has to be used to be appreciated. For a teenager more used to 56K wireline modem, it’s a serious attraction – enough of an attraction, in fact, to spring for a coffee at Starbucks downtown, and surf the Net using a notebook, drawing power from those convenient power sockets that coffee shops the world over provide for their Net surfer coffee drinkers.
But all is not lost. There are now several companies working together on secure 802.11b technologies, not the least of which is the just-announced linkup between Columbitech (www.columbitech.com) and Diversinet (www.diversinet.com). These two firms have signed a co-development and reseller agreement to bring to market a secure wireless VPN system for mobile workers who rely on accessing critical data from remote locations.
According to Columbitech, the new PKI-enabled wireless VPN system enhances the delivery of wireless security for enterprise usage across North America, Europe and Asia. The technology, known as Passport Wireless VPN, aims to offer users access to Diversinet’s wireless PKI technology and Columbitech’s wireless VPN product, to control W-LAN access. Columbitech says its PKI-enabled wireless VPN technology supports full-strength encryption, authentication and certificate processing capabilities for secure remote access to corporate networks.
The good news is that Passport Wireless VPN will also reach beyond the 802.11b environment, into such areas as GPRS, CDPD and CDMA, the cellular data triumvirate of standards seen around the world in various iterations.
The idea behind Passport Wireless VPN is that it allows mobile users to seamlessly roam between different wireless network topologies in a single VPN session, without their having to log on again. In theory, this should allow a wireless notebook user to have VPN access to the office network using a W-LAN, and then travel home while connected on the same VPN session using a mobile phone connection. Upon arriving home, the user’s notebook would then seamlessly switch over to an 802.11b-based home broadband or dialup connection, retaining the same online session.
If this sounds interesting, it’s because it is. And, unlike standards emanating from the likes of the International Telecommunications Union or, heavens above, the FCC, it is a technology that really is appealing to end users. And if enough end users adopt seamless roaming between 802.11b and other wireless/wireline topologies, then we could see that most consumer-friendly of technologies, a de facto standard.
De facto standards, as you may have noticed, have the twin attractions of being widely accepted and low-cost, since they are free of monopolistic corporations with their proprietary and patented technologies.
Steve Gold is news editor for SC Magazine (www.scmagazine.com).