Creating a wireless strategy unique to your business
Wireless networking technology has made it possible for companies to greatly extend the usability of computers by their workers — especially highly mobile employees such as those in the healthcare industry, on sales and manufacturing floors, and so on.
The major obstacle to implementing wireless — particularly for organisations that deal with a lot of sensitive information or that belong to regulated industries where laws such as HIPAA and the GLB Act mandate confidentiality of certain types of data — is the issue of security.
It’s essential that you have a security strategy in place before deploying a WLAN, but the security measures that are adequate for a small company may not work so well in the enterprise. You need to develop your security plan with the unique needs of your organisation in mind.
The wireless security problem
Because wireless transmissions travel over the open airwaves, they’re even more vulnerable to interception or disruption than data on a wired network. And if your WLAN isn’t properly protected, unauthorised “war drivers” or others within range may be able to:
Steal your internet bandwidth, getting free access while contributing to congestion that slows down your legitimate users
Use your network as a launching point for attacks on others or illegal acts such as downloading or distributing pirated software and music or child pornography
View, copy, change or delete files on the computers on both your wireless network and your wired network
Infect your systems with viruses, Trojans, worms, spyware and other malicious software
Cause a denial of service by crashing workstations and/or servers on your network or overloading the network so that it can’t be used by authorised users
Wireless security for small companies (and small budgets)
Small businesses often have small budgets, which often means no full-time IT staff and no money to hire a security consultant to set up a wireless LAN properly. The good news is that you don’t have to spend big money to make your WLAN a lot more secure than it is “out of the box”. Proper configuration is the key.
The goal of any security plan is to deter potential intruders or attackers by slowing them down, making it more difficult for them, and/or increasing the chances they’ll get caught. By putting up perimeter fences, locking gates, letting a pit bull loose in the yard, installing deadbolts on the doors and windows and putting in an alarm system at your home or business, you don’t guarantee that a burglar won’t get in — in fact, a determined professional could almost certainly circumvent all these measures — but you do make it a lot of trouble. That means the casual intruder is more likely to pass your place by and move on to one that’s easier.
In general, internet hackers like to take the easier way just as much as old-fashioned thieves. So every obstacle you place in an intruder’s way makes it more likely he’ll give up and move on to an easier-to-crack network. That’s especially true when there are so many wireless networks out there operating without even minimal security in place.
Some security experts will tell you that oft-recommended measures such as changing the default SSID, turning off SSID broadcasting and enabling MAC filtering are worthless, because there are ways around each. That’s a bit like saying if your door only has a cheap lock that’s easy to pick, you should just not bother locking it at all. By no means should these methods be depended on as your entire security strategy, but each one slows down intruders a little and makes it more difficult for them, so they should be part of your security strategy.
Other low- or no-cost security measures that can be implemented by a small business with a low-cost wireless access point (WAP) include:
Using static IP addresses and turning off DHCP on the router or WAP so an unauthorised person can’t easily get a valid IP address assigned
Positioning the access point to minimise its range so an intruder will have to go to the trouble of using a high gain antenna to pick up the signal
Turning the WAP off if you don’t need to use wireless for a while. Some small companies may need the wireless network only occasionally, such as when partners or travelling employees are at the office with their laptops
Of course, encryption is the best no-cost security measure you can take. Be sure to use Wi-Fi Protected Access (WPA) rather than Wired Equivalent Privacy (WEP) encryption, as the latter is much weaker and easier to defeat. You may need to upgrade your WAP and/or wireless NICs to use WPA, but it’s worth the expense. You may also need to install the WPA client if you haven’t kept your operating systems up to date, but installing the latest Windows XP service pack or switching to Windows Vista (both of which have many other security benefits) will get you the WPA support.
Wireless security for larger organisations
As your organisation grows, it becomes more important that you restrict the use of wireless. It’s essential to establish policies prohibiting rogue access points, and to monitor for them regularly. But good policies aren’t enough; you’ll also need to expend some funds to enforce those policies.
Isolate your WLAN(s) with firewalls; consider placing wireless connections in a DMZ or perimeter network, so if the wireless clients are compromised, intruders can’t attack the wired network. Require users on the WLAN to use a VPN if they want to connect to the wired network.
Use IDS and response sensors to monitor all traffic on the wireless network. Use network access protection to manage the wireless clients and ensure that they are properly configured before they’re allowed on the network.
Do penetration testing of your wireless network to identify security threats and address them.
Summary
Wireless networking can make it easier for you to do business, but it can also make it easier for intruders to do their own dirty business. It’s important to create a wireless security strategy that addresses the needs of your organisation and, as the company and the budget grow, to fund the addition of more sophisticated security mechanisms.