THE WIRELESS INTERNET-FRIEND OR FOE?

THE WIRELESS INTERNET—FRIEND OR FOE?

The wireless networking engineer was working her way through the information warfare test range when she stopped and looked at her computer screen. Another unsecured access point, she noted. She was actually testing the roaming capabilities of 802.11b network devices; but as she moved their portable computers through the areas covered by the devices, other access points popped up.

This isn’t surprising, because one of the nice things about wireless Internet is the ability to install the products quickly and easily, with a minimum amount of configuration. Clearly, some people around her test site (which is being kept nameless to protect the guilty) took advantage of the ease of installation but never got around to protecting their internetworks.

If Internetwork managers don’t pay attention to the fact that the default condition of wireless access points is to let anyone into the network, then they may be doing just that. Those people who constitute “anyone” can include people across the street, your competitors parked outside, and malcontents who want to use your network to shield their activities. It’s like installing a network port on the lamppost outside your building and asking anyone who walks by to plug in.

Fortunately, if you plan accordingly, securing your wireless Internet isn’t very difficult. It just requires network administrators to take a few simple steps.

First, turn off the broadcasting of your access point’s extended service set identification, which lets anyone with a wireless Internet card know the address of your wireless Internet access point. Having that ID makes logging-in even easier than it already is.

Second, turn on encryption. All 802.11b access points support the wireless encryption protocol (WEP), which can handle 40- and 128-bit encryption.

Third, turn on your ability to use access control lists, available in some access points. This allows you to keep a list of acceptable users according to the MAC address of their network card.

These steps will keep most wireless networks reasonably secure. It’s convenient that these capabilities are built into most wireless Internet access points—the only exception being some early Apple AirPorts, which can be upgraded.

You must also deal with the fact that wireless access points are inexpensive, and that getting them running is a no-brainer. This means that pretty much anyone on your network can pick up a wireless access point at Best Buy, plug it into the corporate network, and use it. You’d then have an entry point into your network that’s open to anyone with a wireless Internet card. Fortunately, if you already have a wireless Internet, you probably also have the management software that lets you locate all access points, including those that aren’t authorized, and can either take them off the network or secure them.

Another problem is that, without limits on what users are allowed to do and where they’re allowed to go, you lose control. So even more security is needed.

One solution is to move to a third-party provider of wireless security products, such as WRQ, whose NetMotion product requires a log-in that’s authenticated through Windows NT. It uses much better encryption than is available under WEP, and it offers some security management features, such as the ability to remotely disable a wireless Internet card’s connection to the network. Such capabilities require a bit more attention from managers, but the result can be a wireless Internet that’s more secure than the wired one it’s attached to.

Stories abound of employees who bought their own wireless access points, installed them, and claimed they were “just testing” when they were discovered. Meanwhile, these employees opened their companies’ networks to anyone (friend, foe, hacker, or spy) who cared to enter.

So how do you find these people who would expose your network? Oddly enough, the easiest way is for your company to start using wireless Internetworking—in an organized fashion. That eliminates the need for employees to buy their own access points, and it gives the IT department the tools it needs to detect and eliminate them.