Plugging the Holes

CIOL Bureau

While 'mobile workforce' and 'anytime-anywhere information access' have the potential to bring in benefits aplenty, they have also brought in their wake a slew of security concerns. And, even as CIOs learn to grapple with the basic security issues concerning wireless adoption, they are up against newer security challenges. From conventional security concerns like unsecured access points and unauthorized devices in the network to emerging ones like mobile viruses, CIOs today face a much wider range of wireless-security issues.

But the bigger question is, how are they geared up to meet these security challenges in the wireless world? Depending on their levels of maturity of usage, Indian enterprises are today moving up the security awareness curve. However, there are still security apprehensions that, to some extent, mar wireless adoption. While vendors opine that the technology has evolved enough to handle the security issues, CIOs believe that there are still some inherent challenges that continue to make them apprehensive about the technology.

Even before the new security standards come out, businesses and individuals can take measures to help protect themselves. Any Wi-Fi system comes with built-in encryption, called wired equivalent privacy (WEP). But it needs to be turned on, and many users neglect to do so. Still, WEP encryption is weak. A determined hacker can unscramble key passwords in hours, if not minutes. "Break-ins are as common as breathing," says Bruce Schneier, founder of Counterpane Internet Security. For wireless safety, it's a good policy to keep as many padlocks on corporate airwaves as possible.

Lurking Dangers



The security threats can range from the network to the applications of the device. A breach at any one point can threaten the enterprise. Without stringent security measures in place, installing a WLAN can be the equivalent of putting Ethernet ports everywhere, including in the parking lot, says Arindam Bose, head of IT at LG Electronics India. A typical security challenge, owing to the very nature of a wireless network, is the threat of exposing critical information. Small amounts of WLAN signals can travel significant distances, and without sufficient security, a wireless intruder can expose the critical information.

Rajesh Uppal, chief general manager (IT), Maruti Udyog, says that implementing WLANs can be a security nightmare because unlike a wired LAN, where traffic can be controlled relatively easily, wireless transmissions usually extend beyond a company's secure bounds, into parking lots and other public areas. "To make matters worse, most laptop manufacturers are now including WLAN capability with their products. Laptops equipped with Microsoft's Windows XP automatically look to associate with any WLAN when they are turned on," he adds. Parag Arora, business development manager for India and SAARC, Cisco, agrees that accessibility is slightly more open in a wireless network as compared to the wired one: "It is a three-dimensional thing and one can access through any of the three dimensions."

Another common threat is interception, by which an attacker can sniff and capture legitimate traffic. According to Java Girdhar, country head, India and SAARC, Juniper Networks, since the WLAN traffic can be sniffed literally from the air, unsecured data traffic can reveal basically anything going on within the network, giving intruders access to confidential corporate information, and possibly even control of critical enterprise resources such as databases and shared directories. There are many readily available tools to intercept broadcasts, such as WEPCrack and AirSnort. Intruders also have ready access to tools for cracking WEP keys, to passively monitor packets of data and then break the WEP key that encrypts the packets.

Insertion attacks also threaten wireless networks. An insertion attack works by placing unauthorized devices on the wireless network, without going through a security process. However, as Uppal of Maruti Udyog points out, the oldest kind of attack is the one that simply uses the computer and its brute force, till it can generate the password for entry into the network. Another common security threat is a configuration error. This arises because many enterprises don't turn on the basic security. They don't realize that the default setting is off and inactive rather than on and active.

Next is the threat of lost or stolen devices. Even if sufficient security is implemented in wireless virtual private networks (VPNs), the entire corporate intranet could be threatened if lost or stolen devices weren't protected by passwords and other user-level security measures. Also, wireless devices are portable and more prone to theft.

Some of the other concerns are: denial of service attacks, session hijacking, malicious hackers, malicious code, and theft of service. Malicious hackers can access a wireless network access point by eavesdropping on the wireless communications. Malicious code involves viruses, worms, trojans, logic bombs, or other software designed to damage files or bring down a system. Theft of service occurs when an unauthorized user gains access to the network and consumes network resources. According to Girdhar of Juniper Networks, wireless networks also expose information to espionage threats due to the relative ease with which eavesdropping can occur on radio transmissions.

Mobile viruses are an emerging threat area for the CIOs. Though not as prevalent as the other security threats yet, they are an area of concern. Viruses can hit mobile devices due to security holes in applications or in the underlying operating systems. As on a desktop PC, applications or applets downloaded on a mobile device can spread viruses. In some of the mobile operating systems, malformed SMSs can even crash the device. As enterprises go for sales force automation (SFA), there is also the looming threat of email viruses that can affect PDAs. Such viruses cause the PDA email program to send multiple emails, interrupting normal business. There have also been instances of spam targeted towards wireless devices.

Security: What's Available



While there are many technological solutions for the security threats, the most critical factor for managing such threats is awareness. According to Arora of Cisco, wireless security needs to be adopted as an evolving process, and has to be incorporated as an integral part of the overall corporate security strategy. Organizations, according to Uppal of Maruti Udyog, must have policies for managing and monitoring the corporate wireless environment, such as: what metrics, configurations, and thresholds will be used to alert network managers about the problems.
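One way to turn such a monitoring policy into an automated check, as an added example that is not part of the original article. The inventory records, field names, approved-device list and 90-day key-rotation threshold are all constructed assumptions.

```python
from datetime import date

# Hypothetical policy values (assumptions, not taken from the article).
APPROVED_BSSIDS = {"00:11:22:33:44:01", "00:11:22:33:44:02"}
MAX_KEY_AGE_DAYS = 90

# Constructed sample inventory, e.g. exported from a periodic site survey.
SAMPLE_INVENTORY = [
    {"bssid": "00:11:22:33:44:01", "encryption": "tkip",
     "key_changed": date(2005, 1, 10)},
    {"bssid": "00:11:22:33:44:02", "encryption": "wep",
     "key_changed": date(2004, 6, 1)},
    {"bssid": "66:77:88:99:aa:bb", "encryption": "none",
     "key_changed": None},
]

def audit_access_point(ap, today):
    """Return the list of policy findings for one access-point record."""
    findings = []
    # Insertion threat: a device nobody approved is on the air.
    if ap["bssid"].lower() not in APPROVED_BSSIDS:
        findings.append("unauthorized-device")
    # Configuration error: security left at its off-by-default setting.
    enc = ap["encryption"].lower()
    if enc == "none":
        findings.append("encryption-off")
    elif enc == "wep":
        findings.append("weak-encryption-wep")
    # Threshold: keys must be changed regularly.
    changed = ap["key_changed"]
    if enc != "none" and (
        changed is None or (today - changed).days > MAX_KEY_AGE_DAYS
    ):
        findings.append("key-rotation-overdue")
    return findings

def audit_inventory(inventory, today):
    """Map each BSSID with at least one finding to its findings."""
    report = {}
    for ap in inventory:
        findings = audit_access_point(ap, today)
        if findings:
            report[ap["bssid"]] = findings
    return report

if __name__ == "__main__":
    for bssid, found in audit_inventory(SAMPLE_INVENTORY, date(2005, 2, 1)).items():
        print(bssid, ", ".join(found))
```
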

Agreed, there are no surefire ways to keep hackers out of WLANs, but there are safeguards that can make it difficult for them to break in. Technologically, many advanced standards have evolved in the last two years, such as: advanced levels of encryption and authentication techniques.

According to Girdhar of Juniper, WLAN encryption is an evolving field and new methods to secure WLANs are being created. They may not be very secure today, as new exploits and weaknesses are still being discovered.

Enterprises need to deploy several layers of defense across the network to mitigate the threats. Additional security components can include: firewalls, intrusion detection systems (IDSs), and virtual LANs (VLANs). According to Bose, as with other networks, the security for WLANs focuses on access control and privacy. WLAN access control, also called authentication, prevents unauthorized users from communicating through access points. WLAN privacy helps ensure that only the intended audience understands the transmitted data. The privacy of transmitted WLAN data is considered protected when that data is encrypted with a key that can be used only by the intended recipient of the data.

Further, high-level security is available for WLANs using features like Internet protocol security (IPSec) and 802.11 security standards like extensible authentication protocol (EAP) and WEP. At the very minimum, network managers need to turn on WEP security and disable access points from broadcasting their passwords, which need to be changed regularly. Though WEP security can be easily overwhelmed, it is still better than having no security. According to Uppal of Maruti Udyog, while there are many newer WLAN security protocols like EAP and temporal key integrity protocol (TKIP), there are also associated issues like interoperability and the degradation they can cause to the WLAN.

Authorization can be done using a VPN or VLAN, enabling a network manager to limit a WLAN segment to only those network resources on that LAN segment. When used in combination with a VPN gateway, wireless users have to be authorized to use the VPN to access the protected parts of a network. Girdhar especially advocates SSL-based VPN because of its flexibility and robustness as compared to IPSec-based VPNs.

According to Arora of Cisco, for a mid-sized organization, not having a very extensive wireless setup and still grappling with the very basic security issues, basic authentication and encryption technologies will do. For the larger and more comprehensive implementations, he says, new concepts like demilitarized zones are now emerging.

For device-level security, some of the measures are: strict access privileges for mobile users, password-protecting all devices, encrypting sensitive documents on the device, not using automatic scripts for VPN login, regularly backing up PDA data to a PC to prevent damage from PDA-specific viruses and worms, and using anti-virus for PDAs. One can also minimize access to restricted sources using firewalls. Access control should include both hardware device-based and application-based authorization.

There is no single solution that can provide total security. Hence, organizations need to evolve the right mix of technologies that will work best for them in a wireless environment. The nature of security will need to be as dynamic as the technology itself.