Businesses are slowly but surely integrating wireless technology and associated components into their wired infrastructure. This article steps the reader through wireless LAN applications, Bluetooth and the IEEE 802.11 standard, as well as security risks and the need for the security implementation team to address wireless threats.
Demand for wireless access to LANs is fueled by the growth of mobile computing devices, such as laptops and personal digital assistants, and a desire by users for continual connections to the network without having to “plug in.” There will be more than a billion mobile devices by 2003, and the wireless LAN market grew to more than $2 billion in 2002, according to The Yankee Group.
Wireless applications are diverse. For example, the Microsoft campus is probably the largest 802.11b network in the world, with 15,000 people using wireless technology in 65 buildings. Offices aren’t the only places where wireless networks are proving useful—many airports, conference centers and other public spaces are installing networks that allow laptop users to get connected without cables.
Another example of the application of wireless technology is the installation at Children’s Hospital of Wisconsin. In the hospital’s ICU, nurses, doctors and therapists go from patient to patient and need to be able to place orders for medications and treatment. In the past, this was accomplished by grabbing the patient’s chart, writing the order and putting the chart where it could be retrieved at a later time. Today, the unit has more than a dozen wireless-enabled PCs.
Home networks provide yet another opportunity for the application of wireless technology. The Internet is fast becoming a mandatory utility that most professionals are provisioning for their homes and offices. It’s as important as electricity, water, gas and telephone service to the operation of families and home businesses.
Wireless Security Risks
Along with the convenience of connectivity offered by wireless and portable devices, however, come increased security risks. Wireless transmissions are susceptible to interception and tampering. Portable devices with no fixed connection offer tempting wireless access points to hackers. Portable devices also contain valuable information and credentials. This information must be protected in case of theft or loss of a device.
The wireless world presents a far greater security risk than the wired world. There are two key aspects of security that are of particular concern: access control and privacy.
Access control ensures that only authorized users can access sensitive data. Privacy ensures that transmitted data can be received and understood only by the intended audience.
Access to a wired LAN is governed by access to an Ethernet port for that LAN. Therefore, access control for a wired LAN often is viewed in terms of physical access to LAN ports. Similarly, because data transmitted on a wired LAN is directed to a particular destination, privacy cannot be compromised unless someone uses specialized equipment to intercept transmissions on their way to their destination. In short, a security breach on a wired LAN is possible only if the LAN is physically compromised.
Wireless threats include viruses. The majority of PDAs do not have antivirus software installed on them. Further, the antivirus software on most desktop systems does not scan for viruses during the HotSync process. A survey by Information Security Magazine in January 2002 showed that 98 percent of all PDAs do not have antivirus protection. PDA virus threats have included viruses such as Phage.963, Vapor.741 and LibertyCrack.
With physicians and other business professionals increasingly having access to protected and sensitive information on wireless devices and networks, the area of wireless security cannot be overlooked.
What is essential for wireless security is a scheme that:
- Bases wireless LAN authentication on device-independent items such as user names and passwords, which users possess and use regardless of the clients on which they operate.
- Uses WEP keys that are generated dynamically upon user authentication, not static keys that are physically associated with a client.
In 1999, the Institute of Electrical and Electronics Engineers (IEEE) ratified an extension to a previous standard. Called IEEE 802.11b, it defines the standard for wireless LAN products that operate at an Ethernet-like data rate of 11 Mbps, a speed that makes wireless LAN technology viable in enterprises and other large organizations.
Interoperability of wireless LAN products from different vendors is ensured by an independent organization called the Wireless Ethernet Compatibility Alliance (WECA), www.wi-fi.com, which brands compliant products as “Wi-Fi.” Dozens of vendors market Wi-Fi products, and organizations of every size and type are deploying wireless LANs.
Bluetooth is vying to be the de facto standard for the exploding wireless revolution. Bluetooth networks are created whenever two devices come within 30 feet of each other. Bluetooth uses radio waves in the 2.4 GHz frequency band (2400 to 2483.5 MHz), an increasingly popular (and crowded) slice of the spectrum. In this band, Bluetooth transmits voice and data at rates lower than 1 megabit per second.
Although it has been around for just a couple of years, Bluetooth is steeped in history. According to the Gartner Group, Bluetooth will play a vital role in uniting the 70 percent of new cell phones and 40 percent of new PDAs accessing the Web by 2004.
Bluetooth has backing from wireless giants Ericsson, Motorola and Nokia, along with Intel, Microsoft, 3Com, Lucent, IBM, Toshiba and another 2,000 companies. With Bluetooth, devices need not be in line-of-sight. Up to eight devices are supported by one Personal Area Network (PAN). By overlapping networks, up to 80 items can be linked.
Wireless LAN Security
The IEEE 802.11b standard includes components for ensuring access control and privacy, but these components must be deployed on every device in a wireless LAN. An organization with hundreds or thousands of wireless LAN users needs a solid security solution that can be managed effectively from a central point of control. Some cite the lack of centralized security as the primary reason why wireless LAN deployments have been limited to relatively small workgroups and specialized applications.
A client cannot participate in a wireless LAN until that client is authenticated. The IEEE 802.11b standard defines two types of authentication methods: open and shared key.
The authentication method must be set on each client, and the setting should match that of the access point with which the client wants to associate.
The IEEE 802.11b standard defines two mechanisms for providing access control and privacy on wireless LANs: service set identifiers (SSIDs) and wired equivalent privacy (WEP).
Another mechanism to ensure privacy through encryption is to use a virtual private network (VPN) that runs transparently over a wireless LAN.
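The criteria above (user-based authentication, dynamic rather than static WEP keys, and client authentication settings that match the access point) can be checked centrally against an inventory of device settings. The following is an added example, not part of the original article; the record fields, finding names, sample devices and the placeholder list of default SSIDs are all assumptions made for illustration.

```python
# Added example: audit a WLAN inventory against the article's criteria.
# Field names, finding labels and all sample records are constructed.

PLACEHOLDER_DEFAULT_SSIDS = {"default", "wireless", "wlan"}  # assumed list

ACCESS_POINTS = [  # constructed sample data
    {"name": "ap-lobby", "ssid": "default", "auth": "open", "wep": "none", "user_auth": False},
    {"name": "ap-icu", "ssid": "icu-wlan", "auth": "shared", "wep": "static", "user_auth": False},
    {"name": "ap-hq", "ssid": "hq-wlan", "auth": "open", "wep": "dynamic", "user_auth": True},
]
CLIENTS = [  # constructed sample data
    {"name": "laptop-01", "ap": "ap-icu", "ssid": "icu-wlan", "auth": "open"},
    {"name": "pda-07", "ap": "ap-hq", "ssid": "hq-wlan", "auth": "open"},
]

def audit_ap(ap):
    """Return the list of findings for one access point record."""
    findings = []
    if ap["ssid"].lower() in PLACEHOLDER_DEFAULT_SSIDS:
        findings.append("default-ssid")      # shipped setting left unchanged
    if ap["wep"] == "none":
        findings.append("no-encryption")     # no privacy on the air
    elif ap["wep"] == "static":
        findings.append("static-wep-key")    # key is tied to the device
    if not ap["user_auth"]:
        findings.append("no-user-auth")      # no user name/password check
    return findings

def audit_client(client, aps_by_name):
    """Compare a client's settings with the access point it should use."""
    ap = aps_by_name.get(client["ap"])
    if ap is None:
        return ["unknown-ap"]
    findings = []
    if client["auth"] != ap["auth"]:
        findings.append("auth-mismatch")     # open vs. shared key disagree
    if client["ssid"] != ap["ssid"]:
        findings.append("ssid-mismatch")
    return findings

def audit(aps, clients):
    """Return {device name: findings} for every device with a finding."""
    by_name = {ap["name"]: ap for ap in aps}
    report = {ap["name"]: audit_ap(ap) for ap in aps}
    report.update({c["name"]: audit_client(c, by_name) for c in clients})
    return {name: found for name, found in report.items() if found}

if __name__ == "__main__":
    for name, found in audit(ACCESS_POINTS, CLIENTS).items():
        print(f"{name}: {', '.join(found)}")
```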
You need to consider a number of factors before deploying wireless LAN technology. For example:
- Consider your data security needs before you deploy. The default settings might not be adequate for companies that handle confidential information.
- Don’t install access points without investigating whether they are properly placed. Plan on extensive testing.
- Don’t assume your IT staff is knowledgeable about wireless networking. Make sure that the people who install and manage your networks are aware of wireless networking’s unique configuration issues. Training to cover wireless networks and security may be required for system and network administrators.