Plug & pray? A layered security system can help keep your wireless system safe.
On the flip side, what many wireless users don't realize is that going wireless can compromise their network's security.
The truth is, hacking into an improperly configured wireless system is a piece of cake ... like shooting fish in a barrel ... like taking candy from a baby. You get the point. Hackers roam the streets with notebook computers, wireless access cards, high-gain antennas and global positioning systems looking for unsecured access points. Known as "war driving," this new breed of hacker looks for free Internet access, access to confidential data and a new network to compromise.
A wireless network essentially provides the world a public entrance to the programs and data on your network--unless you have taken appropriate network security steps. We've all heard the saying that it's better to give than receive, but freely exposing your network resources to the outside world is going a bit too far.
You can significantly reduce your risk of being hacked by taking a few simple steps. Keep in mind, however, that no access point will ever be 100 percent secure. Rather, the steps you take hopefully will encourage would-be hackers to look for an easier, less secure network to compromise.
SEVEN STEPS TO SECURE COMPUTING IN A WIRELESS ENVIRONMENT
(1) Change the default administrator password for the access point. This should be obvious, but there are hundreds of access points for which no thought has ever been given to changing the password. Passwords should be at least 10 characters and include upper and lower case letters, numbers and special characters, such as exclamation points or the pound symbol.
(2) Change the SSID. Each access point in a wireless network is programmed with a unique identifier known as a Service Set Identifier (SSID). It's also sometimes referred to as an Extended Service Set Identifier (ESSID). Most access points come preconfigured with the manufacturer's name as the SSID. To access the network, client computers must present the correct SSID to the access point.
The SSID is a 32-character unique identifier attached to the header of packets sent over a wireless local area network (WLAN) that acts as a password when a mobile device tries to connect to the access point. The SSID differentiates one WLAN from another, so all access points and devices attempting to connect to a specific WLAN must use the same SSID. A device will not be permitted to join the wireless network unless it can provide the correct SSID.
Because an SSID can be sniffed in plain text from a packet, it does not supply any security to the network. Changing the SSID does, however, make hacking a bit more inconvenient.
(3) Don't let the outside world know you're there. Turn off SSID broadcasting, also known as closed mode. This feature is not available on all access points, so make sure to spend the couple of extra dollars required to purchase an access point that supports it. By default, SSID broadcasting is turned on, making it easy for the casual user to join the network. As with changing the SSID, turning off the SSID broadcast does not make your access point secure, but it does require the hacker to jump through a couple more hoops to sniff out your network.
(4) Enable MAC address filtering. While access points are identified by SSID, client computers can be identified by the unique 12-character MAC (Media Access Control) address associated with their 802.11x network cards.
Typically the address can be found on the box the card shipped in, on the card itself, or by running ipconfig /all from a command prompt in Windows 2000 or XP.
To increase security, an access point can be configured with a list of the MAC addresses associated with the client computers that are allowed access to the network. This is best suited for small networks as the task of managing MAC address lists for a large network can become unruly.
Again, enabling MAC address filtering alone isn't a guarantee against hacking, but it provides another layer of security. Tools that allow hackers to capture and "spoof" MAC addresses to gain access to a wireless network are easily obtained from the Internet.
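Building the filter list described in step 4, as an added example that is not part of the article: it parses Windows XP-style ipconfig /all output for two clients, keeps only the wireless adapter's MAC, normalizes dash and colon styles into one canonical 12-hex-digit form, refuses a MAC reported by more than one client (a cloned or mistyped address), and performs the membership check the access point applies. The host names, adapter output and addresses are constructed sample data.

```python
import re
# Constructed "ipconfig /all" excerpts for two Windows XP clients (sample data, not real machines).
CLIENT_DUMPS = {
    "laptop-01": """\
Ethernet adapter Wireless Network Connection:
        Physical Address. . . . . . . . . : 00-0C-F1-56-98-AD
Ethernet adapter Local Area Connection:
        Physical Address. . . . . . . . . : 00-02-B3-1A-2B-3C
""",
    "laptop-02": """\
Ethernet adapter Wireless Network Connection:
        Physical Address. . . . . . . . . : 00:0c:f1:ab:cd:ef
""",
}

def normalize_mac(mac):
    """Canonical form: 12 hex digits, upper case, dash-separated pairs; reject anything else."""
    digits = re.sub(r"[-:.]", "", mac.strip()).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError("not a 12-hex-digit MAC address: %r" % mac)
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))

def wireless_mac_from_ipconfig(text):
    """Return the MAC of the adapter whose header names a wireless connection, or None."""
    in_wireless = False
    for line in text.splitlines():
        header = re.match(r"^\S.* adapter (.+):$", line)  # e.g. "Ethernet adapter Wireless Network Connection:"
        if header:
            in_wireless = "wireless" in header.group(1).lower()
            continue
        if in_wireless and "Physical Address" in line:
            return normalize_mac(line.split(":", 1)[1])  # text after the first colon is the address
    return None

def build_allow_list(dumps):
    """Map each host to its wireless MAC; a MAC seen on two hosts is a cloned or mistyped address."""
    allow = {}
    for host, dump in dumps.items():
        mac = wireless_mac_from_ipconfig(dump)
        if mac is None:
            raise ValueError("no wireless adapter found for " + host)
        if mac in allow.values():
            raise ValueError("MAC %s reported by more than one host" % mac)
        allow[host] = mac
    return allow

def is_permitted(mac, allow):
    """The check the access point performs against its filter list, in canonical form."""
    return normalize_mac(mac) in allow.values()
```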
(5) Enable Wired Equivalent Privacy (WEP). Wireless transmissions are easy to intercept. To provide an additional layer of security, the current 802.11 standard specifies the WEP security protocol to provide encrypted communication between the client computer and the access point. WEP keys are 64- or 128-bit (eight- or 16-character) keys used to encrypt data with a publicly known algorithm. All client computers and access points on the network typically use the same key to encrypt and decrypt data.
WEP is generally first configured at the access point by assigning a key or allowing the access point to randomly generate a WEP key. Once the access point has been configured, the unique WEP encryption must be enabled and a key must be entered for each client computer.
WEP encryption on the client's computer is enabled by accessing the properties screen for the wireless network card. In Windows XP, this can be done by going to the Control Panel, then selecting Network Connections, double-clicking the wireless network card, clicking properties and going to the wireless tab.
WEP encryption has been proven to be vulnerable and can be cracked using some easily obtained tools and a little patience (64-bit WEP encryption can take several hours to several days to crack). For that reason, it is wise to change WEP keys on a regular schedule to minimize your risk.
For those willing to invest a few extra dollars, it is worth the investment to plan a wireless infrastructure that uses access points and wireless network cards capable of automatically assigning new WEP keys based on a user-defined schedule. You won't find these access points at your local discount retail stores, such as Fry's, Best Buy or Office Depot.
(6) For larger networks, implement Virtual Private Network (VPN) wireless security. A full description of the implementation of this technology is beyond this article's scope. However, network administrators well versed in implementing and configuring VPNs and firewalls can implement this security layer on their own. Those without this expertise should seek assistance from a qualified network engineer or security consultant.
To deploy this technology, the access point is generally configured with open access, no WEP encryption (access points still should be renamed with SSID broadcast disabled) and isolated from the enterprise network. This is done by either using a "demilitarized zone"--provided by the firewall--to place the access point on its own network or a VPN server running on its own network.
In either configuration, all users are required to use a VPN (either outside the network or inside the firewall) to gain access to their network. The VPN server now provides authentication and full encryption over the wireless network.
As a final precaution related to implementing a VPN, client computers making a wireless VPN connection to the network should be equipped with personal firewall protection, such as Zone Alarm, Black Ice or Norton Internet Security. While somewhat complex to implement, the VPN security model is essential for larger networks deploying wireless technology.
(7) Unplug the access point when it is not in use. The most secure access point is the one that has no power! All kidding aside, why leave your door open when no one is home?
Wireless computing has many benefits and will continue to change the way we work. But using the technology carries with it a responsibility to keep our information and that of our clients secure.
Security is applied in layers. Eliminating one layer makes it that much easier for an intruder to enter your system. When implementing a wireless system, take the time and spend the money to do it right.
Wireless computing without proper security is not a matter of plugging and playing--it's a matter of plugging and praying.
Bob Gaby, CPA, MCP is a partner at Encino-based Information Technology Group Inc, and a member of CalCPA's Technology Committee. You can reach him at firstname.lastname@example.org.
Date: Sep 1, 2003