A guide to controlling your airspace

Wireless security has been a worry for a long time, but In May, a team from Australia announced < ahref="http://www.techworld.com/mobility/news/index.cfm?NewsID=1551">an indefensible denial-of-service flaw in the 802.11b network protocol. This is just one of a whole list of wireless worries, described by users in our companion article, but what should you do about it?

In the far future, Frequency Selective Surface panels (widely reported as "Wi-Fi wallpaper") from the likes of BAE Systems PLC might be able to keep your wireless traffic in-house and wireless intruders out. But until this so-called stealth wallpaper - which blocks specific radio frequencies - becomes commercially available, you'll need to approach wireless security with more mundane techniques.

First off, most Wi-Fi devotees say that IT managers shouldn't fight Wi-Fi. The technology's low cost and simplicity make outright bans impossible to enforce. Therefore, developing a sound strategy to control Wi-Fi's proliferation is all the more critical for IT managers. "We knew wireless was coming. We knew it was a legitimate business need. We knew we had to do something," says Fredricksen. "But out-of-the-box wireless is absolutely contrary to the security controls we have put in place." So Fredricksen went back to the basics. "We applied the same security baselines to the wireless initiative that we apply to all of our other projects," he says.

Alternate routes
Regarding the denial-of-service flaw, Fredricksen says, "There would always be an alternate way to get the business done," whether users would have to switch to a wired connection or go to an offsite kiosk. But, he concedes, you have to ask yourself one tough question: "If you had a branch become 100 percent wireless, how devastating could (an attack) be?"

To mitigate that scenario, a thorough and well-understood wireless policy is critical. "From the IT manager perspective, you have to have the appropriate staff and technology solutions," says Ollie Whitehouse, technical director of @Stake's United Kingdom division. "You also have to have a policy and procedure to back it all up. If not, the first two are useless in the end." That policy should at the very least cover network and device management, as well as monitoring and enforcement mechanisms. IT managers also need to weigh the risks involved with placing your company's most sensitive information up on a Wi-Fi network - for example, consider the health-care, government and financial sectors. If the information is mission-critical to the business or if your company operates in a heavily regulated industry, security becomes even more paramount.

New management
IT managers need to make certain that attackers cannot get to the hardwired corporate network through a WLAN hole. "You always have to be thinking about how you can narrow the aperture of the target space without hurting your business," says Tim Keanini, chief technical officer of nCircle Network Security, a network security vendor. "You have to assume an opponent is actively trying to find your flaws." That means unauthorised access points need to be found and terminated, and authorised access points need to be situated in areas where the radio frequency footprint doesn't extend beyond your offices. Default security settings on Wi-Fi-enabled laptops and handhelds need to be cranked up to your company's standard security levels. Those devices also need to be running, at the very least, these security programs:

• For user authentication, use Media Access Control (MAC) filtering
  
• for Radius authentication and authorisation, use Kerberos or smart keys
  
• for encryption, use Wi-Fi Protected Access (WPA) or virtual private network (VPN).

Also, make sure that ad hoc or peer-to-peer Wi-Fi connections are not permitted on mobile users' laptops.

"The Wi-Fi communications medium can be made secure," says Whitehouse. "You can make the transfer of data through the air secure."

Rigid enforcement
One of the more crucial steps in ensuring Wi-Fi security is monitoring your company's airwaves. And it's also the one on which most companies trip. For those companies that say "No Wi-Fi," security experts offer a test: Scan your building for Wi-Fi access points using a sniffer tool, and most likely, you'll find some hot spots. "How do you really know (you don't have rogue Wi-Fi users) if you aren't monitoring your systems?" asks Anil Khatod president and CEO of AirDefense, a wireless security vendor. "How do you enforce the policies?" He says that around a third of the companies using AirDefense's wireless monitoring products have a policy of no WLANs; they're simply trying to enforce the policy.

AirDefense is reviewed here, and we also have reviews of similar products from AirMagnet, Red-M and Newbury Networks.

Wireless intrusion detection systems now being offered by a handful of vendors, including AirDefense, AirMagnet, AirWave and Internet Security Systems, can provide another layer of Wi-Fi security. These systems can detect attackers, rogue access points, unusual network occurrences and, as Whitehouse terms it, allow a certain level of compliance assurance. "This compliance assurance comes from such things as allowing enterprises to detect misconfigured devices that may expose the wired enterprise network to attackers," he says.

So the denial-of-service discovery lingers in the Wi-Fi world, unfixed. But many users claim that they will deal with this problem as they have dealt with other Wi-Fi vulnerabilities - with proven security practices, communication with users and hopefully a bit of luck.