Monday, January 25, 2021

Is your wireless LAN secure? Back to the basics of security

Wireless LANs can offer a number of advantages over traditional Managed LAN Services, but there are basic steps IT departments must take to minimize the risk, writes Danny Bradbury.

Wireless LANs offer many benefits, including the ability for employees to move around the office, enabling network connectivity from meeting to meeting. Listed buildings or temporary facilities particularly benefit from a wireless environment. But the move from Category 5 cable to radio is opening up security loopholes that need to be closed to reduce business risks.

"Physical security is a particular concern for WLAN users," said Gunther Allmann, X-Force Security Assessment Manager at Internet Security Systems. Moving access points away from windows and outside walls will help reduce the risk of traffic being intercepted from outside the building.

Alternatively, instead of buying an omnidirectional hotspot that transmits in all directions, you can purchase directional hotspots to limit the coverage area, perhaps placing one in an outer corner so that it transmits inward. However, it is very difficult to stop data leaking outside your walls, and you still have to worry about your mobile client nodes, so additional protection is needed.

Determine what information will be transmitted over the network to assess the level of risk. Jeff Davis, managing director of security consultancy I-Sec, says the vendor's customer base will be particularly vulnerable to attacks due to sensitive customer information that travels over the network. The nature of the data will affect the level of security you apply.

WEP

If your data is not particularly sensitive, the Wired Equivalent Privacy (WEP) encryption protocol built into most 802.11b WLAN access points may be all you need. However, you must remember that it can be cracked if the attacker is given sufficient time; the attacker just needs to collect enough of the right packets with their own WLAN card.

Davis estimates that a hacker using one of the WEP cracking tools freely available on the Internet, such as WEPCrack, would need between five and 30 seconds, depending on the amount of traffic traveling over the network.

One way to deal with the WEP vulnerability is to regularly change the encryption keys you use, forcing a potential hacker to start collecting packets again.
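An added example (not from the original article) showing why changing the key invalidates what an eavesdropper has already collected. It goes beyond the text by relying on WEP's frame construction, in which each frame is encrypted with RC4 keyed by a 24-bit IV prepended to the shared key and carries a CRC-32 check value; the keys, IV and payloads are constructed sample values.

```python
import zlib

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4: key scheduling, then n bytes of keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(iv: bytes, secret: bytes, payload: bytes) -> bytes:
    """WEP frame body: (payload || CRC-32 ICV) XOR RC4(IV || secret)."""
    data = payload + zlib.crc32(payload).to_bytes(4, "little")
    return xor(data, rc4_keystream(iv + secret, len(data)))

def leaks_plaintext_xor(c1: bytes, c2: bytes, p1: bytes, p2: bytes) -> bool:
    """True when the keystream cancels out: c1 XOR c2 == p1 XOR p2."""
    n = min(len(p1), len(p2))
    return xor(c1[:n], c2[:n]) == xor(p1[:n], p2[:n])

# Constructed sample values (assumptions, not taken from the article).
OLD_KEY = bytes.fromhex("0102030405")   # 40-bit WEP key before rotation
NEW_KEY = bytes.fromhex("a1b2c3d4e5")   # key after rotation
IV = bytes.fromhex("00002a")            # 24-bit IV, sent in the clear
P1 = b"GET /orders HTTP/1.0"
P2 = b"customer=1042;qty=03"

def demo():
    """Same IV + same key leaks plaintext XOR; after rotation it does not."""
    c_old_1 = wep_encrypt(IV, OLD_KEY, P1)
    c_old_2 = wep_encrypt(IV, OLD_KEY, P2)
    c_new_2 = wep_encrypt(IV, NEW_KEY, P2)
    return (leaks_plaintext_xor(c_old_1, c_old_2, P1, P2),
            leaks_plaintext_xor(c_old_1, c_new_2, P1, P2))

if __name__ == "__main__":
    print(demo())
```

Frames captured under the old key share no keystream with frames sent under the new one, which is why rotation resets the eavesdropper's collection; it does not remove the underlying weakness.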

Much will depend on the size of your organization. The problem with WEP is that it is not very scalable. The encryption keys used to encrypt WEP communications cannot be updated dynamically and therefore must be updated manually. This is not a problem for a small single-branch retailer with a small number of laptops, but for a large company with a lot of nodes, the overhead of manually updating keys would be too high.

The alternative would be to use Cisco access points and Cisco client cards, Davis said. The way WEP is used on these cards is not subject to the same attacks as on other cards. However, Davis notes that this additional security only works when using Cisco access points and client cards. With more laptops containing their own third-party client hardware, this Cisco-specific idiosyncrasy may not be of much value to you.
