Enabling wireless security

CIOL Bureau
New Update

Wireless technology is increasingly used by companies that want to enhance

their agility and increase productivity by enabling mobile, remote and flexible

working. However, BT's business continuity, security and governance practice

believes that a vast number of organisations and their users do not fully

understand the associated security implications and are leaving themselves very



To make matters worse, wireless capability is being added to more and more

devices, and the tools to locate and hack wireless networks are easy to find and

download from the Internet - so this situation can, and will, only get worse.

The first and most important step to using wireless technology securely is to

find out exactly what equipment is in use.  Ian Hughes at BT says: “In our

experience companies who believe they have 100 per cent control of all wireless

technology always have something unaccounted for.  Even businesses that believe

they don't have any wireless connectivity at all are usually wrong. These

'rogue' devices can put the entire network at risk.  It is, therefore, essential

they secure the wireless network they know they have — as well as monitor for

and identify the one(s) they don't yet know about.”

The reason there is often so little knowledge about the actual number of

wireless devices in the enterprise is that nearly all new laptops and PDAs come

with WiFi, infra-red or Bluetooth capabilities enabled and turned on as

standard, which many users are unaware of.  Individuals can also use devices

with the wireless capability deliberately turned on, or add wireless

connectivity through USB ports, which are relatively cheap, readily available

and easy to install, without fully appreciating the risks this entails. 


Ian Hughes says: “Most large organisations find they have a number of

unofficially installed pieces of equipment that are outside the control of the

IT department, which represents a major security risk.  People like wireless

because it is easy — but it's not so easy when a hacker brings down your entire

network. We have seen plenty of examples of employees taking company laptops

home and connecting to wireless broadband, and then leaving that connection open

when they return to the office, or use their laptop or PDA on the train, in a

hotel room, and even when parked in a motorway service station.  The device

continues to look for a base station or other wireless-enabled appliance to

connect to, thus advertising its presence to any scanning apparatus within a

fairly wide radius — often many hundreds of metres or more. It's then relatively

straightforward for an unscrupulous individual to intercept those connections

and hack into the device. Some products can connect directly to others, without

needing a base station, so direct device-to-device transfers can occur without

either user being aware.” 

Hughes continues, “At the very least, organisations have got to run some form

of wireless intrusion detection system (WIDS) to identify and locate rogue

devices. No security policy can be effective if there are unknown elements on

the network, so security teams need to remain on constant look out for new

devices, and ensure that users follow policies on how they should, and should

not, be used.”

Companies also need to ensure that specific measures for wireless networking

are included in the wider security policy.  Focussing on protecting the virtual

and physical boundaries of an organisation is no longer sufficient. Mobile

devices, by their very nature, have effectively broken down these borders and

created an open environment that is more vulnerable to attack. The previously

accepted “Inside/Outside” (or “Redside/Greenside”) model, relying on physical

security and firewalls to protect the network, do not work when wireless is

added. Everything becomes “Oneside” and is accessible to all within range of the

wireless signal.


Authentication and identity management are also essential — from both sides

of the connection. Hughes says: “With wired networks the onus is on the user to

prove their identity to the server — usually through a username and password. Â

The physical connection has traditionally been accepted as providing a

sufficient guarantee that the network is what it claims to be.  However, in the

wireless world, the user and the network now need to prove their mutual

identities to each other, without divulging any sensitive credentials in the


Ian Hughes concludes: “Establishing connectivity to wireless networks no

longer requires a great deal of expertise, but neither does hacking them. It is

obvious that wireless security needs to be taken seriously. The technology may

be there in terms of data encryption and user authentication, and the

development of standards such as IEEE 802.11i.  But for these to be effective,

all devices need to be fully identified and must be used in accordance with a

policy that is specifically designed for that purpose.”

© CIOL Bureau