Wireless Networks: The Next Best Thing or a Whole New Headache?
June 2001
The third generation (3G) of cellular networks
is coming to America, and many companies are foaming at the mouth for the opportunity
to jump to a wireless workforce. This article examines the two biggest hazards
of using a wireless network segment and steps that can be taken to avoid them.
by Chris
Cowger
Total Risk Management
High-speed wireless data is fast becoming a reality. In a few months many
cellular providers will be providing second generation (2G) wireless networks
in some capacity. Wireless data transfer rates will rise into the 30-40 kilobytes
per second range. The third generation (3G) of cellular networks will provide
140+ kilobytes per second transfer rates. 3G networks are already in place in
Japan and should become available in the United States and Europe around late
2002. Also for the office, wireless local area networks (LANs) are coming of
age. Many companies and universities are beginning to utilize this new standard
to allow employees or students access to resources without being tied down to
a desk or cubicle.
Wireless data has been around for a while, just not at the speeds that providers
are beginning to offer. With these upcoming enhancements rearing on the horizon,
many companies are foaming at the mouth for the opportunity to jump to a wireless
workforce. The benefits of such a system are astounding. The ability to gain
access at the click of button while on-site to mission critical data is more
than a luxury. It will become a necessity. Companies are going to need to provide
their workers in the field the capacity to access the information they require
while on site to stay competitive. The possibilities for the uses of these new
standards are virtually limitless.
This article examines wireless networks and security considerations that
need to be addressed before jumping into the new technology.
Wire Technology Risks
With the evolution of wire technology also comes a great risk. By incorporating
wireless devices into your existing network infrastructure, you become vulnerable
to a variety of attacks and exploits. They can become a veritable Pandora's
box if not implemented correctly and most importantly, securely. I'm going to
let you in on the two biggest hazards of using a wireless network segment, and
the steps you can take to keep from sliding off the road into them.
But first, before even thinking about rolling out a slew of new wireless
equipment, there are some questions you'll want to answer.
- What information will be shipped across this medium, and how important
is it to the company?
- What resources will be accessed via wireless devices?
- Is the information mission critical? Is this data of a highly sensitive
nature?
- If intercepted, would the information jeopardize current or future business
ventures?
Next you'll want to know everything you can about the vendor or service provider
you're looking at and establish parameters to judge them by.
- How far away will mobile workers be, and how many will there be?
- Is the location of mobile workers within your provider or equipment's
footprint?
- What kind of security measures does your service providers have?
- What will the condition of their systems be 2 years from now? Are they
planning any kind of upgrades? How often?
- What is the current load of traffic and number of users on their system?
- What is the maximum amount of traffic and users they can handle in your
area?
- What data rates are they capable of offering?
- How long have they been in business, and what is the quality of their
end user support?
If you know the answers to these questions before diving into wireless networking,
you'll have a better idea of the measures you'll have to take to keep data secure
and free flowing. In addition, from the answers to these questions, you can
shape a contingency plan for use in the event of a compromise in security. Doing
your homework provides you with a better understanding of just what is at stake
when you begin to transmit data wirelessly.
Hacking and Phreaking
As mentioned above, there are two big hazards of using a wireless network
segment. The first hazard to watch out for lies within the nature of wireless
communication. It's ironic actually. The greatest feature of wireless communications
is its weakest link from a security standpoint. Your information is broadcast
over the airwaves. Anyone can intercept the packets and view the contents. Police
band scanners are a great example of this. All it takes is a slightly modified
cell phone or multi-band scanner and a little know-how. If you're lacking either
one, both can be found on the Web. There are dozens of Web sites dedicated to
the latest craze in "phreaking," hacking cell phones and the networks they operate
on. Information on building a multi-band scanner or modifying a cell phone and
how to interpret the data you capture are easily attainable.
The frustrating part about this is that there is no way to know that you're
getting sniffed. For example, you've implemented a wireless LAN segment on your
network and are beginning to use it in your conference rooms and offices. Your
workers can now move their laptops back and forth without losing connectivity
to a company-wide database and their files while in meetings. If not implemented
correctly, all an attacker has to do is pull into your parking lot with a generic
wireless LAN card and begin capturing data.
Once the attacker has captured the data, he can begin to sift through it
the find the "interesting" stuff like Internet protocol (IP) addresses, user
names, password hashes, data contained within a packet, etc. Congratulations,
your network has just been compromised! And that's only where it starts. With
this information, he can begin to probe yet deeper into your network, all from
the comfort of his driver's seat.
Tracking down and prosecuting an attacker who has attacked your wireless
network is almost impossible. You can use server logs to backtrack to an IP
address, but past that, where do you take it? The attacker isn't tied down to
a physical location, and IP addresses are easily changeable and spoofable. He
doesn't even need to transmit one byte of data to capture information being
passed back and forth.
Wireless technology is a lot like using a hub instead of a switch. Unlike
switched networks where the broadcasted data is only repeated on the line that
the receiving node is on, every node on a wireless network hears every packet
sent to every other node on its frequency (within the range of the transmitter).
The information is there for the taking for those who know the frequency, and
it's easily attainable. Most wireless LANs operate in the same band, and if
you're going to use a digital cellular carrier to get that extra distance, those
frequencies are also easily attainable as well.
The only way to defeat the snooping of your data on a wireless network is
through the use of encryption. Encrypting the data payload with a strong private
key algorithm will effectively deny attackers the ability to view your transmitted
data. All they'll see is the encrypted hash, which essentially looks like a
group of random numbers and letters. The only way to make sense of it is to
know the private key used to encrypt the data. With it, they'll be able to decrypt
the payload and view the contents, so keep that key in a very safe place.
Most cellular providers use some form of encryption on their digital networks
as part of the standard package. If they don't, usually they offer it as an
added service. Wireless LAN equipment normally comes with encryption built in
as well. If the equipment does not, I would seriously recommend that you look
for another vendor or provider that does offer it.
Theft of Mobile Devices
The other main hazard to watch out for is the theft of your mobile devices.
Devices used on your wireless network are going to have to be easily transported,
lightweight, durable, reliable, and have a fairly quick processor. Laptops,
personal digital assistants (PDAs), and mobile data terminals (MDTs) are quickly
becoming commonplace in the networking world. They are also fast becoming the
devices of choice for wireless networking. The mobility achievable by these
devices is so great that they often grow legs and disappear. Theft of mobile
devices is on the rise simply because they're pretty easy to steal. They're
small, lightweight, and easily concealable.
Would you rather enter an office building, slink past an army of secretaries,
slip a big workstation under your coat, and try to find a way out? Or snatch
up a laptop or PDA while its owner is in the restroom at a trade show. A plethora
of information can be attained from such devices, especially if they are tied
to a wireless network. When stolen, these devices offer much more information
than just a few captured packets. If the device has access to your wireless
network, the thief is now walking around with essentially an open doorway to
your internal network. Steps must be taken to protect the information stored
on these devices and the access they have to your systems.
Encryption and Authentication
Yet again encryption comes into play. Through the use of encryption, your
data is secure from thieving eyes. Keeping the vital information stored on your
devices encrypted while not in use will greatly decrease the risk of having
such data out in the field.
Another point to cover is authentication into your network. Username/Password
combinations are easily bypassed. Consider going to a form of biometrics or
smartcard authentication. The use of biometrics is on the rise and is quickly
becoming recognized as one of the premier ways to securely authenticate users.
Incorporating both stored data encryption and biometric/smartcard authentication
on your mobile devices will effectively lock down the device from unwanted access.
Conclusion
So now you understand some of the basic risks involved with wireless networking.
Encryption and secure authentication methods, such as biometrics or smartcards,
greatly reduce the risk of potentially damaging data from falling into the wrong
hands and unauthorized access to your network.
Wireless networks can be a great, cost effective way to boost any kind of
mobile business there is, just as long as it's implemented in a secure manner.
Avoid the headache and make security a top priority when it comes to wireless
networking.
Opinions expressed in Expert Commentary articles are those of the author and are
not necessarily held by the author’s employer or IRMI. This article does not purport
to provide legal, accounting, or other professional advice or opinion. If such advice
is needed, consult with your attorney, accountant, or other qualified adviser.