Concerns that the perceived security problems of wireless networks of all sizes could cause companies to delay deployment have prompted three industry giants - BT, Cisco and Intel - to issue Wireless Security Guidelines for organisations.
The guidelines are designed for enterprise wireless networks, home wireless networks and public wireless networks.
Commenting on wireless security at the Royal Mail, David Lacey, board member and working group leader of the Jericho Forum, an international IT customer and vendor group, said, "Unfortunately, at the minute we have to add software to provide our workers with secure access since our standard is over and above 'out of the box' security."
Massimo Migliuolo, Cisco vice-president for worldwide mobile operations, said, "We're issuing some guidelines to organisations that are in our opinion best practices. But the work does not stop here - it's a multi-layered approach and we have an ongoing programme to deal with this."
The guidelines fill two pages and include advice on how firms can "implement security standards best-suited to [their] business needs", "implement vigilant security policies" and "make the user your partner in security".
Analyst firm Gartner has reported that firms invested just over $1bn on wireless LANs in 2004.
The US has the lead in WLAN investment, but Europe is a growing market and analyst company Datamonitor predicts 71 percent of large European enterprises will have a WLAN by 2007.
The advice to make end-users "partners" in wireless security may be controversial since some security experts insist that it is unrealistic to assume that end-users can be persuaded to accept responsibility for network security.
And some firms may be unhappy about the fact that the guidelines include a section giving advice to users on setting up wireless networks at home. Some experts warn that such home WLANs could introduce new weak points in corporate security. However, others argue that home wireless access will spread, so in the long term more education will be needed for home users.
The guidelines follow below:
Wireless Security Guidelines for organisations
An increasing number of organisations are realising the benefits of installing an enterprise wireless network and giving employees the ability to access information without being tied to a desk.
For business critical applications that potentially involve sensitive data, organisations need to have an enterprise wireless network security strategy that integrates with the corporate network security policy. This will help ensure only authenticated and authorised devices and users can access data.
To ensure you protect critical business assets and manage security challenges, BT, Cisco and Intel have produced the following joint guidelines to improve wireless security and help you achieve full confidence in the security of your enterprise wireless network.
Implement Security Standards Best-Suited to Your Business Needs
- To protect your network from security breaches, begin by selecting the appropriate user authentication and data encryption mechanisms best suited to your business needs, budget, and resources. Start by assessing your organisation's enterprise wireless network security needs. For example, a small business may not need to or have the resources to deploy and manage an enterprise-class security solution.
- Next, select a security standard best suited to your business needs. Security standards are based on IEEE 802.11 and range in levels of security encryption. You should choose a standard that carries a level of encryption that is most appropriate for what you need to protect.
Implement Vigilant Security Policies
Without a policy requiring regularly scheduled security checks, you're putting your network at risk for future security breaches.
- Develop enterprise wireless network security policies and establish quarterly performance objectives based on these policies.
- Regularly scan for or deploy network management systems that detect rogue or unknown access points.
- Change default management passwords and Service Set Identifiers (SSIDs) on access points.
- Implement the appropriate IEEE security specifications.
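An added example, not part of the BT/Cisco/Intel guidelines: one way to act on the rogue-access-point and default-SSID items above is to compare a site survey against the inventory of sanctioned access points, matching on the radio's BSSID rather than on the network name alone. The inventory, the sample of factory-default names, the finding labels and the scan rows are all constructed for illustration.

```python
import csv
import io

# Assumed inventory of sanctioned access points: BSSID (radio MAC) -> SSID.
APPROVED = {
    "00:11:22:33:44:01": "corp-wlan",
    "00:11:22:33:44:02": "corp-wlan",
}
# Small illustrative sample of factory-default network names.
DEFAULT_SSIDS = {"linksys", "netgear", "default", "tsunami"}

# Constructed survey data: one row per access point seen during a site scan.
SAMPLE_SCAN = """bssid,ssid,encryption
00:11:22:33:44:01,corp-wlan,WPA
00:11:22:33:44:02,corp-wlan,WPA
0A:BC:DE:00:00:10,corp-wlan,none
0A:BC:DE:00:00:11,linksys,none
0A:BC:DE:00:00:12,cafe-next-door,WPA
00:11:22:33:44:02,linksys,WPA
"""

def classify(row):
    """Return the list of findings for one observed access point."""
    bssid = row["bssid"].strip().upper()
    ssid = row["ssid"].strip()
    findings = []
    expected = APPROVED.get(bssid)
    if expected is None:
        # An unknown radio is worse if it advertises one of our own names.
        own = ssid in APPROVED.values()
        findings.append("corporate-ssid-on-unknown-ap" if own else "unknown-ap")
    elif ssid != expected:
        findings.append("approved-ap-ssid-changed")
    if ssid.lower() in DEFAULT_SSIDS:
        findings.append("factory-default-ssid")
    if row["encryption"].strip().lower() == "none":
        findings.append("no-encryption")
    return findings

def audit(scan_csv):
    """Map 'bssid ssid' -> findings for every row that needs attention."""
    report = {}
    for row in csv.DictReader(io.StringIO(scan_csv)):
        findings = classify(row)
        if findings:
            report[f'{row["bssid"]} {row["ssid"]}'] = findings
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_SCAN))
```

The last sample row shows a sanctioned radio that has reverted to a factory-default name, which a check on the SSID alone would misreport as a stranger's network.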
Make the User Your Partner in Security
IT professionals have enough to worry about. By educating users to be security partners, you can help further manage challenges.
- Advise employees of their shared responsibility for security.
- Explain to employees the risk of setting up access points without the knowledge or consent of the network administrator (called rogue access points). When setting up rogue access points, employees often fail to address security settings, incorrectly assuming they are turned on.
- Implement a system where users know the names of the access points, and stress the importance of connecting only to known and approved access points.
- Educate users about the security risks of connecting wirelessly using peer-to-peer networks.
- Ensure users understand they should only access the corporate network from public or shared wireless networks via a secure VPN (Virtual Private Network).
- Show users how to check security mechanisms on their device and enable the appropriate functions.
Wireless Security Guidelines for end users
Wireless networks are convenient and easy to install and home owners with high-speed internet access are adopting them at a rapid pace. There are also 63,500 wireless hotspots globally which allow people to send emails, surf the net and log onto their corporate networks from locations that range from the local coffee shop to the North Pole.
To ensure you protect your personal data and minimise any security risks, there are several steps you can take to improve wireless security both at home and when using a public wireless hotspot.
BT, Cisco and Intel have produced the following joint guidelines to help you enjoy the freedom of wireless networking while managing security challenges.
Install a personal firewall
Firewalls can help prevent unwanted users from accessing your device when you use wireless access to the internet. Some more sophisticated products will even alert you when an attempt is being made. Installing a personal firewall reduces the ability of attackers to gain access to resources on your computer by allowing only traffic which is authorised by the intended user. Some operating systems include a personal firewall as standard, but it is important to check that the firewall is enabled. Free trial firewalls can be downloaded from the internet before a user decides to purchase a full security firewall.
Look into consumer VPN services
Although Virtual Private Networks (VPN) are generally used by company networks to provide strong authentication and encryption for hotspot communications (as well as GPRS, dial up and broadband), there are also inexpensive consumer VPN services that give you many of the protection measures that a corporate VPN would offer.
Automatic log on
Ensure your laptop/PDA cannot automatically log on because you have configured it to remember passwords. This should be turned off (often an Internet Explorer browser setting).
Secure personal details
Only input bank and other personal details when SSL or HTTPS sessions are in progress (look for the padlock icon in your browser and click on it to confirm that the security certificate is valid). Turn off file and print sharing on your computer. This will help prevent anyone from accessing your hard drive and looking at your files. To do this using Windows XP, go to your Control Panel, click on Network and Dial-Up Connections, find your wireless card, click on the Properties button, and uncheck the File and Print Sharing box to turn it off.
Change the default Service Set Identifier (SSID)
Your wireless devices may have a default SSID set by the factory. The SSID is the name of your wireless network, and it can be anything you wish. Hackers know these defaults and can try them to join your network.
Change the network's SSID to something unique, and make sure it doesn't refer to the networking products you use.
As an added precaution, be sure to change the SSID on a regular basis, so any hacker who may have figured out your network's SSID in the past will have to figure out the SSID again and again. This will deter future intrusion attempts.
Disable SSID broadcast
By default, most wireless networking devices are set to broadcast the SSID, so anyone can easily join the wireless network. But hackers will also be able to connect, so unless you're running a public hotspot, it's best to disable SSID broadcast.
Change the default password needed to access a wireless device
For wireless products such as access points and routers, you will be asked for a password when you want to change their settings. These devices have a default password set by the factory. Hackers know these defaults and will try them to access your wireless device and change your network settings. To thwart any unauthorized changes, customise the device's password so it will be hard to guess.
Enable MAC address filtering
If your wireless products, such as access points and routers, offer it, enable MAC address filtering. The MAC address is a unique series of numbers and letters assigned to every networking device. With MAC address filtering enabled, wireless network access is provided solely for wireless devices with specific MAC addresses. This makes it harder for a hacker to access your network using a random MAC address.
