Spring is in the air, and so is your vital network data. The explosion of wireless networks at home and in the office using 802.11 standards has been a boon to laptop makers and users who dislike being tethered to LANs.
A trip to an airport, conference room or cafeteria confirms that wireless LANs are a common feature of the IT landscape. The trouble is, hackers are making the same trip. Dubbed “war drives,” they travel in cars armed with a laptop, antenna, free downloadable software and a little bit of knowledge, aiming to discover wireless access points.
Chris O’Ferrell, CTO at Herndon, Va.-based Netsec, recently took a drive around Capitol Hill in Washington and located more than 100 access points, including many from the government. Luckily for those IT administrators, O’Ferrell is a security expert whose company this summer is coming out with a device to detect wireless network intrusions.
But one device isn’t the complete answer to the Herculean task of securing wireless access points. You need strict policies for wireless security.
No more wireless couch-potato networks with the company’s laptop. A sweep of a bedroom community in the evening reveals how easy it is to get the Service Set Identification (SSID), which, when inserted into the wireless network card configuration, permits network log-ins. Better to turn off SSID broadcasting.
Most Dynamic Host Configuration Protocol (DHCP) servers automatically assign IP addresses for a network so consider disabling DHCP and go with static IP addresses. At the very least, according to O’Ferrell, you can then prove malicious intent, because a hacker would have had to manually configure an IP address to enter the network. Static IP addresses are a pain, but they’re more secure.
Do regular intrusion sweeps of your wireless network to see if you can hack your own network. And do them at lunch, when the executive conference rooms are used or when workers are outside with their machines. The signal strength of wireless networks varies from 300 to 2,000 ft., so don’t assume someone in the parking lot is too far away to slip inside your network.
Enable Wired Equivalent Privacy, but recognize that it isn’t activated by default you have to configure the client and the access point to make it operational.
Use Media Access Control-layer filtering, but don’t rely on it, because MAC addresses are in the open when transmitted and can be spoofed.
Don’t put the access point on an internal network, and make sure your virtual private network gateway is inside the firewall.
Finally, design a security plan before implementing a wireless network; otherwise, this spring could easily turn into a winter of discontent.
Pimm Fox is Computerworld (US)’s West Coast bureau chief. Contact him at[email protected].
