Above the brick sidewalks and colonial architecture of Annapolis, Md., Phillip McQuade, president of Annapolis Wireless, is building a wireless internet service that is believed to be the nation's first network operating free of charge or without extra tax.
McQuade acknowledges that their are risks with his WLAN service. "In terms of security, we force people to register with us when they log in with the service," he says. "So if anyone does anything mischievous, we know who it is."
Victor DeLeon, technical director for Annapolis Wireless, says that the Annapolis WLAN will provide encryption after a laptop's signal reaches a network access point (AP), but not before. Some degree of security responsibility to avert man-in-the-middle and other wireless attacks lies with the end-user, he says.
"With this network, the signal from the user to the AP is unencrypted. Beyond the AP it is encrypted," he says. "I wouldn't encourage any user to go to a municipal hotspot and start doing financial transactions."
Obviously, the convenience of working or surfing from anywhere comes with considerable security risks as malicious users can often access the shared files of unsuspecting users just by booting their PCs near another laptop user. WLANs are "still the Wild, Wild West of IT security," says John Masotta, senior product marketing manager for authentication products at RSA Security.
"I think that [awareness of wireless security issues] has improved a little bit. I think people are taking on basic security features," he says.
But few people realize how easy it is for laptops to connect to counterparts at convention centers, airports or other areas with many wireless users, Masotta adds.
Wireless LANs, especially when used in enterprises, have two foremost security concerns: authentication and data protection, says Masotta. However, the adoption of the Institute of Electrical and Electronics Engineers (IEEE) specifications 802.11 and 802.1x is helping increase authentication in wireless networks, he says.
"They provide the option of how users can be authenticated," says Masotta. "Then you're going to have a choice as far as letting users onto a network."
IT security professionals face another challenge from the design of Microsoft Windows operating systems, which looks for a nearby internet connection — that can be tapped by a nearby laptop user — leading to shared files being viewed by any user connected to the same source, says Dennis Tsu, vice president of marketing for AirTight, a Mountain View, Calif.-based Wi-Fi intrusion prevention system (IPS) company.
"[Windows] XP is designed to be promiscuous. It checks for a wireless network without the user doing anything," Tsu says. "And all of a sudden, the files open for file-sharing are available."
Tsu says many companies have created or refined policies on laptop use in the past five years. But even a comprehensive mobile strategy can't protect a company's wireless users if they're near other WLANs or within a municipal network.
Tsu gives the example of a company with a strict policy against using PCs for personal activity located within an office building inside a municipal WLAN. While employees are not intentionally putting confidential information at risk through their own behavior, the proximity of their laptops to an outside WLAN means employees of other companies could have equal access to the same shared files as authorized employees. Non-employees could have the same access as trusted company analysts.
Laptop users sitting in a park or coffeehouse to conduct business transactions or make personal payments may be, if unaware of the potential security risks, their own worst enemies. Municipalities and businesses with WLANs would do well to warn users of the risks of wireless networks, says John Pescatore, an analyst at Gartner.
"The average user does not understand eavesdropping and man-in-the-middle threats. More importantly, while most business users use secure VPNs to connect to their business systems and email, very few consumers use any form of secure access and are more at risk for eavesdropping," he says. "Municipal hotspots should really include much more detailed security warnings and offer downloadable software protection."
In the future, cities may take an additional step toward safe wireless networks by adding more secure hotspots to cities already blanketed in wireless coverage — as is easily done in business environments and at home, says Pescatore.
"What is needed," he says, "is secure public access points that at least work as securely as when you connect to a sensitive website. For example, if public hot spots used secure socket layer (SSL) so that all wireless transmissions to the AP were at least encrypted, much of the risk of using a public hot spot would be mitigated."
In time, the improvement of security features on wireless devices and within WLANs will be directly tied to the success of the wireless industry, as security fears are now holding some companies back from going wireless, says Masotta.
"The reality of the situation is that the security concerns are holding back the wireless industry to some extent," he says. "The application of 802.11 and 802.1x standards will help." n