Wireless security: Balancing act
Organisations need to weigh the convenience of wireless networking against the risks to the integrity of their IT systems. Steve Gold reports.
A quick glance around any high-street IT store will reveal that wireless networking - commonly referred to as WiFi - has taken off in a big way. It's now possible to buy a data-accelerated 802.11g WiFi-enabled broadband router for around £50.
Suddenly it's possible for an employee of even smaller firms to go out and buy a WiFi router in their lunch break. This illustrates the threat that wireless connections pose to the integrity of the IT resources of any organisation.
WiFi technology now has the potential to bypass almost all existing IT security systems and open the door to hackers, unauthorised entry and just about every other security nightmare you can think of.
Nevertheless, wireless security vendors insist that the benefits more than outweigh the disadvantages. "Nothing is unbreakable. Whether you're talking about wireless or conventional hard-wired networking, the technology can be circumvented, if you have the will and the money," said Nigel Hawthorn, EMEA vice president of marketing at Blue Coat Systems.
He argues in favour of wireless connections in the modern workplace, provided, of course, that the installation engineers know what they are doing in terms of security.
On top of this, Hawthorn adds, the organisation needs to be prepared to spend time training and educating its staff about the security issues associated with wireless connections. "There are a number of things happening to business networking at the moment, including the centralisation of data services, the outsourcing of data facilities and the need of users to have access to their data when they are out and about," he explains. "All of these factors are driving wireless use in the workplace and creating a potential security headache for the IT manager."
Consequently, IT security thinking needs to adapt to take into account the risks associated with wireless connections. "Let's say you have a fleet of users with WiFi-enabled laptops wanting access to their company IT resource, as well as the public internet, while out in the field," Hawthorn suggests. "It's illogical to backhaul all the data traffic from the laptop users to the company's headquarters, so you have to think about extending the security envelope remotely to the mobile user." To do this, IT managers need to think in terms of implementing end-point security, rather than simply protecting the central IT resource, Hawthorn argues.
"On top of this, if they're implementing authentication and encryption on a mobile basis, this is going to slow down the rate of data connection. That's why you're starting to see WiFi routers and access points with data acceleration technology on board," he adds.
Blue Coat has released its first SG client software that supports data-acceleration facilities, as well as VPN and other security facilities. "It creates a secure working environment that exists for the entire length of the user session. When the connection drops, the session drops and any data associated with the session disappears," Hawthorn explains.
He predicts that wireless end-point security will be a major security topic in the near future, as more and more workers use their laptops while out and about, and not just to access company IT resources.
"On top of this, you're likely to start seeing local and remote secure caching of information accessed," he says. "Take the example of a large PDF. Rather than download the entire file, you will see secure VPN technology that intelligently caches the file and only transfers the section the user is viewing. Once the VPN session ends, the cached element of the file is handed back to the company network and all traces of the document disappear on the remote PC."
According to Hawthorn, using this approach minimises the amount of data carried across a secure wireless connection and prevents anyone from snooping the files.
Concerns about wireless security could escalate if prices continue to drop in the UK and Europe. This is what has happened in the US, where the cost of hardware is now so low that employees really can buy a WiFi kit in their lunch hour and install it themselves, according to Simon Perry, vice-president of security and strategy for Computer Associates' EMEA region. "This could easily happen here unless companies tackle the issue of educating staff about security," he warns. And it's not always just end users who need to be more careful. "I never cease to be amazed at the number of open wireless networks I encounter at some firms," Perry adds.
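The lunch-hour router and the open networks Perry describes are what a periodic site survey should catch. The script below is an added example, not from the article or any vendor it quotes; it assumes a constructed inventory of IT-installed access points, a constructed scan and a constructed switch MAC table, and uses the common heuristic that a consumer AP's BSSID sits within a few addresses of its wired MAC, which lets it separate a neighbour's network from a box actually plugged into the company LAN.

```python
from typing import Dict, List, Optional, Tuple

# Constructed data for this example: IT-installed APs, a site survey and the office
# switch's MAC table. Addresses use the locally-administered 02: prefix (no real vendor).
AUTHORISED_BSSIDS = {"02:00:00:00:10:01", "02:00:00:00:10:02"}
CORPORATE_SSID = "CORP-STAFF"
SURVEY = [  # (ssid, bssid, channel, security) as a scanner might report them
    ("CORP-STAFF", "02:00:00:00:10:01", 1, "WPA2-EAP"),
    ("CORP-GUEST", "02:00:00:00:10:02", 6, "OPEN"),       # open by design (visitor tier)
    ("CORP-STAFF", "02:00:00:00:20:01", 11, "WPA2-PSK"),  # unknown AP using the staff SSID
    ("HomeRouter-2.4G", "02:00:00:00:30:02", 6, "OPEN"),  # a cheap router under a desk?
    ("Cafe-Next-Door", "02:00:00:00:40:01", 1, "WPA2-PSK"),
]
SWITCH_MAC_TABLE = {"02:00:00:00:10:00": "Gi1/0/1", "02:00:00:00:30:01": "Gi1/0/17"}

Finding = Tuple[str, str, str, List[str], Optional[str]]  # bssid, ssid, severity, reasons, port

def mac_to_int(mac: str) -> int:
    return int(mac.replace(":", ""), 16)

def wired_neighbour(bssid: str, mac_table: Dict[str, str],
                    max_offset: int = 4) -> Optional[Tuple[str, str]]:
    """Heuristic: many APs derive their BSSIDs from the wired MAC by adding a small
    offset, so a switch-learned MAC a few addresses away from a BSSID suggests the
    same box is plugged into the LAN. Returns (wired_mac, port) or None."""
    target = mac_to_int(bssid)
    for mac, port in mac_table.items():
        if abs(mac_to_int(mac) - target) <= max_offset:
            return mac, port
    return None

def audit(survey, authorised, corp_ssid, mac_table) -> List[Finding]:
    """Rank every AP the survey saw that IT did not install; the wired-side match
    separates a neighbour's AP from one actually bridged into the company LAN."""
    findings = []
    for ssid, bssid, _channel, security in survey:
        if bssid in authorised:
            continue  # known AP: its settings are IT's responsibility, not a rogue
        hit = wired_neighbour(bssid, mac_table)
        reasons = []
        if ssid == corp_ssid:
            reasons.append("advertises the corporate SSID but is not an IT-installed AP")
        if hit:
            reasons.append(f"wired MAC {hit[0]} learned on switch port {hit[1]}")
        if security == "OPEN":
            reasons.append("no encryption")
        severity = "high" if (hit or ssid == corp_ssid) else "medium" if security == "OPEN" else "low"
        reasons = reasons or ["unknown AP in range, not seen on the wired side"]
        findings.append((bssid, ssid, severity, reasons, hit[1] if hit else None))
    return findings
```

A high finding with a switch port is the one to walk to first; the port can be disabled while someone checks what is plugged into it.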
The big question, of course, is how much of a security risk does wireless technology actually pose in a modern IT environment?
Perhaps surprisingly, Perry's answer is "not that much", and he backs up his assertion with the claim that only ten per cent of a typical company's networking is truly wireless. "The wireless leg is the network equivalent of the last mile in telephony terms. The bulk of the network is actually wired, rather than wireless, so it's important to realise that many of the wired security systems can also protect the wireless connection as well," he says.
However, that doesn't mean IT managers should ignore the wireless security issue. "If you had a desktop on a wired network, you could be confident about your overall security. If the network were wireless and you had laptops connecting to it, you would have no idea where the laptops connecting today were 24 or 48 hours ago. That's the real reason why you need to be careful with wireless security," he points out.
Some observers think that the growing take-up of wireless connections is already changing the way IT managers are viewing their security. "People, and not just IT managers, are now becoming aware of the need for security when they are out and about and using a wireless connection," says Shaun Bligh-Wall, technical architect at consultancy Vistorm.
Bligh-Wall reports that, among his clients, he has not come across staff who are going out and buying a WiFi access point and simply connecting it up to the network. "They're not that unaware of the security risks. Their IT departments are educating employees about the need to think security, which is a good thing," he says.
"On top of that, we're also seeing companies implementing a two-tier WiFi network in their offices: an open network for general access and visitors, and a closed, secure one for staff." According to Bligh-Wall, the open networks at such sites tend to only have very limited facilities, such as surfing the web, while the closed, secure wireless network allows full access to the company's IT resources, but with very high levels of security.
"If the security of the closed network is of paramount importance, we also recommend they go down the two-factor authentication route," he explains.
However, budget may determine whether a company goes down the token authentication route, Bligh-Wall admits. "There's always a trade-off between security and costs, but where costs are a major issue, we always point out the security risks to the client," he says.
But, even when a new wireless network is installed, it's also possible to make use of an existing intrusion detection system if one is available, Bligh-Wall says. "For most companies, in fact, it's all about fitting the security in with the budget."
Bligh-Wall predicts that wireless security will evolve as companies increasingly converge their voice and data services, as well as start using VoIP technology. "We're reaching the stage where it's possible to assemble a wireless office in a hotel room, so wireless security issues are going to increase in importance, especially as more and more companies have to achieve compliance with their wireless networks," he said.
Education, education, education
As with wired networks, technology alone can never give you 100 per cent protection, and the roaming nature of WiFi means user education in this area is of particular importance. Ian Kilpatrick, chairman of IT security distributor Wick-Hill, believes company users are at last becoming more aware of the need for wireless security. "There's an analogy here with physical security. Most office workers understand the need for a burglar alarm, and now they're starting to understand the basic need for wireless security," he says.
However, there is still a huge gap in many organisations between recognising the need to secure a wireless network and actually doing something about it. "I think it's more of a reticence to spend money than anything else. It's interesting to note the numbers of companies who will never consider implementing a wireless network in the office, but whose workers then access the office network using a public wireless service," he notes.
In public wireless access situations, Kilpatrick advises resellers and their customers to use authentication technology in addition to the usual SSL and VPN technology. "It's worth noting that some internet service providers are now starting to offer security services as a value-added option, especially now they are also promoting wireless as a feature," he says.
Wireless security could become a hot topic in most companies if the compliance issue comes to the fore, Kilpatrick says. "You can imagine what will happen if the auditors of a company were to threaten to qualify the accounts unless the firm addresses its wireless security concerns," he warns.
Although some clients are using SSL technology as a means of enabling security across wireless connections, Kilpatrick points out that the technology is not the most flexible for users. "You can't print or download using SSL, so it is quite limited in that respect." He sees wireless security as slowly progressing to the point where wireless eventually becomes as secure as a wired network, although he admits it could take a few years for this to happen. "I think the big issue at the moment is that wireless systems are often installed by non-IT department staff. That needs to change if the security is to improve," he argues.
The future of wireless
Phil Higgins, senior partner at IT systems integrator Brookcourt Solutions
According to Higgins, wireless networking is evolving rapidly. "It now includes multiple topologies, including Bluetooth, WiFi, GPRS and 3G data," he says, adding that the future will see several wireless systems operating under one umbrella service.
In fact, several UK cellular carriers are already offering a "combi" laptop PCMCIA data card that supports WiFi, 3G and GSM/GPRS mobile data.
Higgins, whose clients include a major bank and a big petroleum chain, warns that this brave new world will need a lot more policy and controls than are seen in the market at present.
"There's also a definite need for education about wireless networking security issues," he says. "The reality is that, no matter how a hacker gains access to a company network, once they have the MAC or IP address, they're as good as in, so you have to prevent them gaining access across any medium."
"In five years, I think you're going to see the wireless networking landscape changing with the arrival of city-wide WiMAX networks, as well as a meshing of public WiFi and other wireless services to give blanket coverage in city areas," he predicts.
Against this backdrop, Higgins says it is absolutely essential that companies implement a rigorously enforced set of security safeguards and educate all staff about the requirement for security.
"We're seeing the need to connect while on the move doubling every year at the moment. People will soon come to expect mobile access as a standard facility.
"At this stage, I would expect to see the use of smart-card and token-based authentication as the main means of identifying users, both on the move when using wireless networking of all types, as well as when they are in the office," he adds.
"Users will have to move to ID management. It has to happen as the pace of networking technology is changing so quickly."
Case study: De Vere Group
The De Vere Group, which specialises in hotels and fitness centres, uses a number of key third-party support systems, such as reservations and property management systems.
To enable suppliers to provide online maintenance and support for these, De Vere had implemented an IPSec VPN plus dial-up remote access systems, but discovered a number of limitations with its network solutions.
The company needed an alternative secure remote access wired and wireless system with the flexibility to enable external suppliers to deliver an improved and faster service. At the same time, the solution needed to allow De Vere's own staff to work seamlessly from any location, and support any additional mobile working applications they might introduce in the future.
Since the group's corporate network was being accessed by a number of external parties, network security was a primary requirement. De Vere needed a system that would allow it to control third-party access, ensuring suppliers would only be able to connect to those applications and systems they needed. In addition, the remote access system needed to provide full, secure access to corporate applications and data across wireless connections so that De Vere's managers and staff could work effectively from any location.
Finally, the system needed to address the challenge faced by the system administrators of how to centrally control network admission and manage usage policies across all businesses in the group. The technology also needed to support both wired and wireless access to the IT resource, as well as giving De Vere granular control of application access. This makes network access for third-party suppliers, including those coming in across wireless connections, very easy to configure, control and monitor.
The network security solution developed by AppGate was a security server installed behind the company firewall. To support De Vere's own staff working remotely across both wired and wireless topologies, AppGate's Personal Firewall was installed on all laptops.
Centrally managed policies and rule sets ensure that acceptable usage policies are maintained when the laptops are used outside the office. The IT team is now equipping managers with PDAs to replace their laptops.
These devices allow secure access to the company network using the growing number of wireless hotspots that are being installed in many of the group's hotels.
"The AppGate system has addressed all our remote access and network security requirements, but we're only just beginning to tap into everything it can do," said Ryan Lynskey, IT infrastructure manager at De Vere Hotels & Resorts.