Despite its many exciting possibilities for new business opportunities, cost-savings, and user freedom, wireless technology presents serious challenges to information security. Any form of wireless communications that is not properly encrypted can be intercepted with the right equipment–in some cases nothing more than a low-end notebook computer armed with a $100 wireless network card and specialized freeware packet sniffing and discovery software. Frequent reports of war driving (using just these interception tools while driving down the street) in major cities have identified numerous wireless access points via factory default security settings in insecure mode just waiting to be exploited by the use of default access passwords and simple attack methods.
Consider too that employees desiring more flexibility in their office networking can easily go to the nearest office supply, electronics, and even major discount stores and purchase a powerful wireless access point and associated wireless network card for less than $200 to create an immediate, unsecured backdoor to the enterprise network. In addition, improperly secured WAP gateways can be used as an exploit focal point that can be leveraged to intercept wireless business transactions while they are temporarily in clear text during the gateway process of converting full-size Web applications to miniature-size applications for cell phones and PDA devices.
-Â¦And Proven Countermeasures
To maximize the huge benefits of wireless technology without putting the enterprise at serious and unnecessary risk, the following safeguards are recommended:
* Publish clear policies for use of wireless technology, including a standard product list of approved hardware and software and required baseline settings for all available security features in the wireless technology components.
* Ensure that all wireless gateways and access points are properly secured, including changing factory default “insecurity” settings. Most gateways run on general-purpose operating systems (OS) such as Windows NT/2000 or Unix, so prudent “OS hardening” would apply.
* Use network-level or session-level encryption (e.g., IPSsec- or PPTP/L2TP- based virtual private networks, Secure Shell – SSH) to protect communications from being intercepted and replayed. Although the Wired Equivalent Privacy (WEP) provided with most 802.11 products offers some basic protection, it has been recently found to be flawed and potentially vulnerable to intense key cracking attacks with freeware tools such as AirSnort and WEPCrack. WEP should not be relied on by itself to secure highly sensitive applications. Leading wireless technology vendors such as Agere, Cisco, and Symbol will likely be providing enhanced WEP security upgrades by the end of 2002 as part of the recently announced WPA (Wi-Fi Protected Access) initiative.
* Deploy wireless technology products that support enhanced user authentication interfaces such as the 802.1x security protocol specification that uses Extensible Authentication Protocol (EAP) and Remote Access Dial-In User Service (RADIUS). To fully leverage EAP security benefits, you should use tokens, smart cards and/or digital certificates to properly authenticate the wireless users.
* Perform periodic audits, including traditional physical security and technical vulnerability tests of wireless gateways and access points, and employ discovery audits using tools such as the freeware Netstumbler and Kismet in addition to commercial products such as WildPackets AiroPeek, AirMagnet Wireless Analyzers, and ISS Wireless Network Scanner. A growing number of commercial and freeware wireless LAN detection and testing tools are now being used on highly portable handheld computers such as the Sharp Zaurus and the Compaq Ipaq. Prominent network vulnerability testing tools such as the Internet Security Systems Internet Scanner have also recently added tests to locate and probe the security of known and unknown wireless network components.
Reprinted with permission from MIS Training Institute’s TransMISsion Online. For a complete list of information security seminars and conferences available from MIS, go to: www.misti.com.