IPkey.com

information security
 monitoring & management

Information Security Bulletin

May 2003 

Feature Story:
The Myth of Wireless Security - What you need to know...

I recently attended a conference where a key topic was the poor security of  wireless 802.11b (or WiFi) that is used to complement or replace 'wired' Ethernet networks (LANs).  Wireless LANs are exploding in popularity in the SOHO (Small Office and Home Office) market  because they offer low cost, simplicity and convenience.  Who wants to mess with installing cables?  Notebook users are even bigger fans because that can work 'unplugged' in a meeting room or in another office.  There are also many public locations such as coffee shops, restaurants and airports that offer Internet access for visitors.  Sounds great!  So what's the catch?

The catch, as larger organizations know too well, is that WiFi is inherently insecure.  The design of 802.11b 'has' security in the form of WEP (Wireless Encryption Protocol), but even 168bit WEP encryption can be easily  'cracked'.  IT professionals in larger organizations have become paranoid about employees setting up rogue (unauthorized) wireless access points.  This is because the range of 802.11b can be several hundred feet and someone parked in the street can eavesdrop on your internal network traffic.  These hackers are called 'war-drivers' and even publish maps (example of San Francisco) on the Internet of 'hot-spots'  where a notebook or PDA can gain access to private networks. It's a security nightmare.

This is not the place to go into the ugly details of wireless security because it's so full of three-letter acronyms that it'll make your eyes water.  All you really need to know is that there is no official 'standard' of wireless security that works.  Companies like Cisco offer proprietary solutions, but they are expensive, complex and do not inter-operate with other equipment. What this means is that if you want to use wireless, the data must be securely encrypted before it hits the airwaves. ->

Welcome
to the  Information Security Bulletin.  This is your source for the latest practical information you can use to protect your organization's critical information and network services.
Marcus Clarke
ISB Editor
email me your opinions!

IPkey Hot Links!

     Security Solutions
          Evaluation
          Remediation
          Monitoring
          Protection
          Recovery

   Free Vulnerability Scan

-> Right now, there is only one robust standard for this - IPSec.  This encryption is the same industrial-strength method used in VPNs (Virtual Private Network) covered in the April ISB. You probably know by now that we are big fans of Sonicwall firewall/VPN products.  They just came out with a unique product called the Soho TZW which solves the wireless security problem very elegantly.  It act just like a normal firewall/VPN device, but adds two wireless networks called WLANs. The first WLAN is the 'trusted zone'  which requires that all wireless devices have an IPSec VPN Client to communicate with the private company LAN.  This would give employees the same access as if they were at a desktop and all wireless traffic is securely encrypted with IPSec.  The second WLAN is 'un-trusted' and is used for 'wireless guest services.' This is designed for people who visit your offices and just need Internet access for a demo or to work on a consulting project.  They use a login and password (that you supply) and they are good to go.  It's that simple. 

Another great use of the TZW is to create a 'hot-spot' for patrons who visit your place of business.  If you (or one of your clients) operates a retail or hospitality business, 'hot-spot' Internet access can be offered to patrons.  This can either  generate revenue, or just add value.  Contact  me if you have any ideas about this because this phenomenon is just beginning.

A Final Thought
 This year we created a unique service for our Managed Monitoring Service clients.  Every 15min, we perform a 'Network Discovery Scan' of your systems and alert you when new devices show up. This service is called Asset Control Monitoring and lets you know when unauthorized equipment is added to (or removed from!) your network.  It can also alert you when a 'war-driver'  is snooping on your private data because their computer ID will show up.  I think Asset Control Monitoring (or something like it) will soon be a requirement on of any network, especially with wireless. 


Special Offer!

Pay no setup fees now through May 31, when you order Managed Monitoring Service.
Act now and save $$$!

Check Prices


ISB Takeaway #1:
Never allow any private data to go wireless unless it's encrypted with SSL or IPSec.

ISB Takeaway #2:
 Never provide wireless guest  access without requiring authentication.

ISB Takeaway #3:
 Never underestimate the creativity of employees  to circumvent restrictive Internet use policies.

The ISB is a monthly email newsletter published by IPkey.com, your source for affordable information security monitoring and management.  IPkey.com is part of Meridian Group, a New Mexico based corporation serving the IT need of it's clients for 14 years. We encourage you to forward ISB  to your co-workers, colleagues and friends.  To subscribe or unsubscribe to the ISB newsletter, email us at isb@ipkey.com
Past issues of this newsletter are available at IPkey.com ISB Archive

I invite you to call or email me with your questions and comments.  As always we are here to assist you with your Information Security needs.

Next Month:
     Who controls your data? 

All contents copyright (C) 2003 Meridian Group Inc.