While 'mobile workforce' and 'anytime-anywhere information access' have the
potential to bring in benefits aplenty, they have also brought in their wake a
slew of security concerns. And, even as CIOs learn to grapple with the basic
security issues concerning wireless adoption, they are up against newer security
challenges. From conventional security concerns like unsecured access points and
unauthorized devices in the network to emerging ones like mobile viruses, CIOs
today face a much wider range of wireless-security issues.
But, the bigger question is, how are they geared up to meet these security
challenges in the wireless world? Depending on their levels of maturity of
usage, Indian enterprises are today moving up the security awareness curve.
However, there are still security apprehensions that, to some extent, mar
wireless adoption. While vendors opine that technology is evolved enough to
handle the security issues, CIOs believe that there are still some inherent
challenges that continue to make them apprehensive about the technology.
Even before the new security standards come out, businesses and individuals
can take measures to help protect themselves. Any Wi-Fi system comes with
built-in encryption, called wired equivalent privacy (WEP). But it needs to be
turned on, and many users neglect to do so. Still, WEP encryption is weak. A
determined hacker can unscramble key passwords in hours, if not minutes.
"Break-ins are as common as breathing," says Bruce Schneier, founder
of Counterpane Internet Security. For wireless safety, it's a good policy to
keep as many padlocks on corporate airwaves as possible.
Lurking Dangers
The security threats can range from the network to the applications of the
device. A breach at any one point can threaten the enterprise. Without stringent
security measures in place, installing a WLAN can be the equivalent of putting
Ethernet ports everywhere, including in the parking lot, says Arindam Bose, head
of IT at LG Electronics India. A typical security challenge, owing to the very
nature of a wireless network, is the threat of exposing critical information.
Small amounts of WLAN signals can travel significant distances, and without
sufficient security, a wireless intruder can expose the critical information.
Rajesh Uppal, chief general manager (IT), Maruti Udyog, says that
implementing WLANs can be a security nightmare because unlike a wired LAN, where
traffic can be controlled relatively easily, wireless transmissions usually
extend beyond a company's secure bounds, into parking lots and other public
areas. "To make matters worse, most laptop manufacturers are now including
WLAN capability with their products. Laptops equipped with Microsoft's Windows
XP automatically look to associate with any WLAN when they are turned on,"
he adds. Parag Arora, business development manager for India and SAARC, Cisco,
agrees that accessibility is slightly more open in a wireless network as
compared to the wired one: "It is a three-dimensional thing and one can
access through any of the three dimensions."
Another common threat is interception, by which an attacker can sniff and
capture legitimate traffic. According to Java Girdhar, country head, India and
SAARC, Juniper Networks, since the WLAN traffic can be sniffed literally from
the air, unsecured data traffic can reveal basically anything going on within
the network, giving intruders access to confidential corporate information, and
possibly even control of critical enterprise resources such as databases and
shared directories. There are many readily available tools to intercept
broadcasts, such as WEPCrack and AirSnort. Intruders also have ready access to
tools for cracking WEP keys, to passively monitor packets of data and then break
the WEP key that encrypts the packets.
Insertion attacks also threaten wireless networks. An insertion attack
works by placing unauthorized devices on the wireless network, without going
through a security process. However, as Uppal of Maruti Udyog points out, the
oldest kind of attack is the one that simply uses the computer and its brute
force, till it can generate the password for entry into the network. Another
common security threat is a configuration error. This arises because many
enterprises don't turn on the basic security. They don't realize that the
default setting is off and inactive rather than on and active.
Next is the threat of lost or stolen devices. Even if sufficient security is
implemented in wireless virtual private networks (VPNs), the entire corporate
intranet could be threatened if lost or stolen devices weren't protected by
passwords and other user-level security measures. Also, wireless devices are
portable and more prone to theft.
Some of the other concerns are: denial of service attacks, session
hijacking, malicious hackers, malicious code, and theft of service. Malicious
hackers can access a wireless network access point by eavesdropping on the
wireless communications. Malicious code involves viruses, worms, trojans, logic
bombs, or other software designed to damage files or bring down a system. Theft
of service occurs when an unauthorized user gains access to the network and
consumes network resources. According to Girdhar of Juniper Networks, wireless
networks also expose information to espionage threats due to the relative ease
with which eavesdropping can occur on radio transmissions.
Mobile viruses are an emerging threat area for the CIOs. Though not as
prevalent as the other security threats yet, they are an area of concern.
Viruses can hit mobile devices due to security holes in applications or in the
underlying operating systems. Like on a desktop PC, applications or applets
downloaded on a mobile device can spread viruses. In some of the mobile
operating systems, malformed SMSs can even crash the device. As enterprises go
for sales force automation (SFA), there is also the looming threat of email
viruses that can affect PDAs. Such viruses cause the PDA email program to send
multiple emails, interrupting normal business. There have also been instances of
spam, targeted towards wireless devices.
Security: What's Available
While there are many technological solutions for the security threats, the
most critical factor for managing such threats is awareness. According to Arora
of Cisco, wireless security needs to be adopted as an evolving process, and has
to be incorporated as an integral part of the overall corporate security
strategy. Organizations, according to Uppal of Maruti Udyog, must have policies
for managing and monitoring the corporate wireless environment, such as: what
metrics, configurations, and thresholds will be used to alert network managers
about the problems.
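
A monitoring policy of this kind can be expressed as a check over periodic wireless survey results. The following is an added example, not from the article or any vendor named in it: it flags authorized access points left with security off or on WEP (the configuration error described earlier) and unauthorized access points (the insertion case). The SSID, BSSIDs, the signal threshold and the survey records are all constructed assumptions.

```python
from dataclasses import dataclass

# Assumed policy values (hypothetical, not from the article)
CORPORATE_SSIDS = {"corp-wlan"}
AUTHORIZED_BSSIDS = {"02:00:00:00:00:01", "02:00:00:00:00:02"}
WEAK_ENCRYPTION = {"open", "wep"}
ONSITE_SIGNAL_DBM = -65  # at or above this, the AP is assumed to be on the premises

@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str
    encryption: str  # "open", "wep", "tkip", ...
    signal_dbm: int

def audit(beacons):
    """Return a sorted list of (bssid, finding) tuples for one survey."""
    findings = set()
    for b in beacons:
        bssid, enc = b.bssid.lower(), b.encryption.lower()
        authorized = bssid in AUTHORIZED_BSSIDS
        if authorized and enc in WEAK_ENCRYPTION:
            findings.add((bssid, f"config-error: authorized AP using {enc}"))
        if not authorized and b.ssid in CORPORATE_SSIDS:
            findings.add((bssid, "unauthorized AP advertising corporate SSID"))
        elif not authorized and b.signal_dbm >= ONSITE_SIGNAL_DBM:
            findings.add((bssid, "unauthorized AP with on-site signal strength"))
    return sorted(findings)

# Constructed survey records for illustration
SAMPLE_SURVEY = [
    Beacon("corp-wlan", "02:00:00:00:00:01", "tkip", -48),
    Beacon("corp-wlan", "02:00:00:00:00:02", "open", -55),
    Beacon("corp-wlan", "02:00:00:00:00:99", "open", -60),
    Beacon("default", "02:00:00:00:10:10", "wep", -50),
    Beacon("cafe-next-door", "02:00:00:00:20:20", "open", -85),
]

if __name__ == "__main__":
    for bssid, finding in audit(SAMPLE_SURVEY):
        print(bssid, finding)
```
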
Agreed, there are no surefire ways to keep hackers out of WLANs, but there
are safeguards that can make it difficult for them to break in. Technologically,
many advanced standards have evolved in the last two years, such as: advanced
levels of encryption and authentication techniques.
According to Girdhar of Juniper, WLAN encryption is an evolving field and new
methods to secure WLANs are being created. They may not be very secure today, as
new exploits and weaknesses are still being discovered.
The enterprises need to deploy several layers of defense across the network
to mitigate the threats. Additional security components can include: firewalls,
intrusion detection systems (IDSs), and virtual LANs (VLANs). According to Bose,
as with other networks, the security for WLANs focuses on access control and
privacy. WLAN access control, also called authentication, prevents unauthorized
users from communicating through access points. WLAN privacy helps ensure that
only the intended audience understands the transmitted data. The privacy of
transmitted WLAN data is considered protected when that data is encrypted with a
key that can be used only by the intended recipient of the data.
Further, high-level security is available for WLANs using features like
Internet protocol security (IPSec) and 802.11 security standards like extensible
authentication protocol (EAP) and WEP. At the very minimum, network managers
need to turn on WEP security and disable access points from broadcasting their
passwords, which need to be changed regularly. Though WEP security can be easily
overwhelmed, it is still better than having no security. According to Uppal of
Maruti Udyog, while there are many newer WLAN security protocols like EAP and
temporal key integrity protocol (TKIP), there are also associated issues like
interoperability and the degradation they can cause to the WLAN.
Authorization can be done using a VPN or VLAN, enabling a network manager to
limit a WLAN segment to only those network resources on that LAN segment. When
used in combination with a VPN gateway, wireless users have to be authorized to
use the VPN to access the protected parts of a network. Girdhar especially
advocates SSL-based VPN because of its flexibility and robustness as compared
to IPSec-based VPNs.
According to Arora of Cisco, for a mid-sized organization, not having a very
extensive wireless setup and still grappling with the very basic security
issues, basic authentication and encryption technologies will do. For the larger
and more comprehensive implementations, he says, new concepts like demilitarized
zones are now emerging.
For device-level security, some of the measures are: strict access privileges
for mobile users, password-protecting all devices, encrypting sensitive
documents on the device, not using automatic scripts for VPN login, regularly
backing up PDA data to a PC to prevent damage from PDA-specific viruses and
worms, and using anti-virus for PDAs. One can also minimize access to restricted
sources using firewalls. Access control should include both hardware
device-based and application-based authorization.
There is no single solution that can provide total security. Hence,
organizations need to evolve the right mix of technologies that will work best
for them in a wireless environment. The nature of security will need to be as
dynamic as the technology itself.