Wireless networking has a unique security problem that simply doesn’t exist in cabled networks: it’s radio-based and so there’s every chance someone could sit in your car park and surf your network. Fortunately, there are plenty of things you can do to bring the security of your network back into line with that of a cabled LAN, without having to simply turn off the radios and insist everyone goes back to pieces of wire.
There must be thousands, if not hundreds of thousands of networks around the world that allow visitors to walk in, plug in their laptops and connect to the corporate network. In some, this is simply down to bad network management and the visitor can see things he shouldn’t be able to; in others, it’s a properly controlled “guest” area that allows the visitor to (say) surf the Internet to do an on-line demo to those present.
Wireless networking makes this problem far more dangerous. You therefore need to take measures to ensure that (a) you don’t just let any old computer connect to your network; and (b) you authenticate the user of any computer before allowing them in.
There are any number of ways to prevent someone using the LAN. First of all, you could set your DHCP servers to allocate addresses only to clients whose MAC (hardware) addresses are known; although this can be circumvented by the intruder setting his IP details by hand, he’ll have to make efforts to find a free IP address, figure out what default router and DNS settings to use, and so on. Second, you should implement admission control for the wireless LAN devices themselves; the majority of wireless devices have some kind of identification capability built in to enable the access point to refuse to talk to a remote adaptor card that’s not using the right service ID or password. Third, you should employ whatever standards are at your disposal for authenticating the user himself.
The most popular admission control and authentication standard among equipment vendors at present is the IEEE802.1X family. This is perhaps best described as an authentication framework that has a number of standard implementations but which is extensible if vendors want to start doing proprietary stuff (e.g. Cisco with its LEAP extensions). Despite being entitled: “Port-Based Network Access Control” it’s just as relevant to wireless networking as it is to cabled (port-based) networks because it uses user IDs/passwords in the admission decision. IEEE802.1X is supported as standard by the likes of Windows 2003 Server, and so it’s an easy addition to make to your network when you decide to take the plunge into wireless networking.
The other key aspect with wireless networking is encryption, which prevents someone sitting in the car park sniffing the packets as they waft around the air. The vast majority of wireless adaptors and access points (i.e. all but the very antique ones) support WEP, the Wired Equivalent Privacy standard, which provides 40- or 128-bit (depends on the kit you’ve bought) encryption for the traffic passing through the air.
In basic installations, you set a WEP key on the access point and the remote card, and this key is used forever (or until you decide to change it by hand). This is a problem if, say, someone has their laptop/PDA stolen, as whoever stole it can theoretically get into the LAN. If you’re running your wireless network encryption alongside an authentication mechanism such as 802.1X authentication, though, you can start to do clever things like letting the two ends of the wireless connection automatically negotiate a WEP key for each session (or you could even allow the key to change many times in a session).
The final thing one can control, albeit to a limited extent, is how far outside the world your wireless signals go. An efficiently designed wireless LAN will have minimal amounts of radio waves going out through the walls and (more predominantly) windows anyway, because you want all the radio waves you can get inside your office to service network traffic – although some degree of escape is inevitable. Either buy a WLAN analyser (Vernier do some very nice ones – check out http://www.globaltech.co.uk/products/_wireless_security.htm) or just use the built-in signal strength tools that come with most WLAN cards to see where the waves are getting out of the building, and consider resiting access points if it’s convenient to do so.
Find your next job with techworld jobs