Implementing Wireless: Have Your Cake & Eat It Too
The world of wireless connectivity is a tantalizing and frustrating one for anyone administering an enterprise network. On one hand, there is the promise of setting your workers free and making them mobile and efficient (while getting rid of those pesky cat5 cables). On the other hand, there is a cloud of poorly understood threats hovering over the whole issue: Will these solutions interoperate? What standards should I follow? Who are these “evil twins” I keep hearing about? Can anybody out in the parking lot eavesdrop on my network traffic, or hack into our network without me even realizing it?
Even though the potential benefits of wireless are obvious—and almost irresistible—structural problems with wireless security are so severe that surveys consistently show that many organizations want to deploy wireless, and may even be implementing pilots, but are hesitant to deploy wireless simply because they are too worried about security.
Fortunately, we’re now seeing the emergence of the technologies and systems needed to properly secure wireless, and to do so without sacrificing the functionality that makes it so attractive a technology in the first place. To understand what is fundamentally new about these emerging technologies, it is important to first take a snapshot of where wireless security stands today, with all its idiosyncrasies and deficiencies.
While some security solutions have been missing in the wireless space, the vendors certainly haven’t. Wireless security is an obvious bright spot in an otherwise bleak technology landscape, and in recent years, dozens of companies have offered wireless network monitoring solutions, security management tools and so on. Unfortunately, this initial opportunistic crowding of vendors didn’t produce adequate breadth of solutions, and anyone trying to put together a comprehensive wireless security solution found themselves in the frustrating position that half the time they were besieged by a crowd of vendors, and half the time they were left to fend entirely for themselves.
So which areas of wireless security are overcrowded, and why? Not surprisingly, the areas that first attracted vendor solutions were those where the technology was the least challenging to develop, while being the most visible to customers. This includes wireless monitoring and intrusion detection systems (IDS), and management of access points, wireless switches and more. These solutions typically involve one or both of the following characteristics:
- Passive monitoring of the wireless environment without offering any active response to what is discovered. This has the benefit of providing highly visible value to the customer (alerts, reporting, etc.) without requiring the significant development effort necessary to create the active measures that should follow.
- Solutions that concentrate on the back-end infrastructure of a network without doing much to engage with the actual endpoints (workstations, notebooks, etc.) that are the primary players in most wireless threat scenarios. Again, this is a natural starting point for a wireless security vendor, since the back-end infrastructure is a much more controllable and structured environment for a vendor to work in than the messy, mobile world of the notebook.
While these solutions offer real value, their limitations impose both obvious and subtle challenges on your wireless security solution. The first aspect—passive monitoring as opposed to active measures—is obviously useful but sadly incomplete, and leaves security administrators in the painful position of knowing what security policy they would like to enforce, but being unable to take that “shelfware” policy and make it real.
The second aspect—concentrating on the infrastructure rather than the endpoint—is a more subtle but more serious limitation, because so many of the security threats associated with wireless are fundamentally targeted at the endpoint, not the infrastructure. If your Centrino notebook is connecting directly to the access point in the lawyer’s office next door, all your network infrastructure is simply not involved, and every dollar you’ve spent monitoring and managing the infrastructure is simply irrelevant. The same problem applies to the security issues surrounding man-in-the-middle attacks, ad hoc networking and other serious wireless security issues. (Note that some vendors have built up solutions that leverage the back end to partially control the endpoint, but these solutions are fundamentally limited. They are better than nothing, but obviously are no use whatsoever when the notebook is at the CEO’s home, or Starbucks, or an airport departure lounge.)
In short, the problem with this world of first-generation wireless security solutions is that it offers only what the vendors find it easiest to sell, rather than what organizations need to buy. This is not an unusual situation for a still-immature technology, but that’s not much consolation.
This bleak—or at least frustrating—picture is changing with the introduction of new technologies. These solutions typically do not replace the existing first-generation wireless security solutions, but complement them and fill the gaps. Doing so makes for a far more complete and robust wireless security solution.
These new solutions fill those gaps by active enforcement of wireless security policies, rather than just passive monitoring, and by implementing wireless security on the endpoints (workstations, notebooks, etc.), rather than just in the infrastructure. Vendors have historically found it easier to impose security constraints on the back end (servers, access points, etc.) than on the messy, complicated world of endpoints.
When you add these new solutions to the first-generation range of vendor products, you finally have the necessary ingredients for a wireless security solution that provides comprehensive security without sacrificing functionality. In short, network administrators can finally have their cake and eat it too.
It is worthwhile to look more closely at these new solutions and see what specific features they offer. Although details vary across the small group of vendors who are in this space, there are a few characteristics that should be considered essential:
- The ability to completely disable wireless on the endpoint, giving administrators the power to introduce wireless where, when and how they want to, rather than having to fight a rearguard action against viral deployments by end users. Such a solution needs to include management of after-market devices, such as wireless PC cards.
- The ability to block the use of ad hoc networking and other mechanisms that can subvert the network topology of an organization.
- The ability to white-list authorized access points, making it almost impossible for end users to accidentally connect to unauthorized access points.
- The ability to automatically enforce the use of VPNs when appropriate.
- The ability to enforce minimally acceptable standards of encryption on wireless communications.
To see how these new features lower the risk profile of an organization, consider a few of the most significant threats introduced by wireless technologies:
- Ad Hoc Networking: Ad hoc, or peer-to-peer networking, allows endpoints to connect directly to other endpoints without relying on intermediate infrastructure devices, such as access points. When an administrator allows ad hoc networking, he or she surrenders some control over the topology of the network and allows data paths that circumvent infrastructure firewalls and other security measures. Next-generation wireless security measures that disable ad hoc networking directly on the endpoints in question are able to remove this threat.
- Accidental Associations: These occur when endpoints and access points ar