Ian Kilpatrick highlights the business
continuity risks associated with wireless networking.
Wireless PCs and wireless laptops are being
increasingly used in both business and the home. The reason for
this marked trend is that wireless computers are easy to deploy,
cheap and are usually simpler to manage than standard wired connections.
the business world, smaller companies with two to two hundred and
users, find that wireless computing frees them from the conventional
restrictions of cabling. Once a wireless device has been installed,
new PCs or laptops can be added without the hassle of wiring them
Employees can still connect to the Internet,
send and receive e-mails, and do all tasks they need to do. Moreover,
they can do all this with greatly increased mobility. It's a very
For enterprises, wireless provides laptop users
with convenience and mobility. They can use their wireless laptops
in the office (often without the knowledge of management), from
home, and of course when they're on the move. When they're out of
the office, executives can work from one of the many wireless 'hot
spots' springing up in places such as Starbucks or hotel chains.
Unfortunately, in the enthusiasm with which people have adopted
the question of security has been seriously overlooked. There is
for security over wireless which is WEP 802.11b (Wireless Equivalent
Privacy). However, this standard is both flawed and weak, being
ineffective and easily broken.
It is also rarely implemented. This is because
it is easier to set up wireless with the security not enabled. Once
the wireless system is working, the security tends to remain switched
off. This has been confirmed by recent surveys in London which showed
that 67 percent of sites surveyed using wireless did not have security
enabled. The same problem potentially exists with the new security
standard WPA (Wi-Fi Protected Access).The default set-up configuration
is again with the security not operating.
Some might ask what difference WEP's insecurity
or the absence of any security at all makes. The answer is 'A lot
more than you might think'. The whole concept of wireless is about
broadcasting, which means that the information doesn't just go to
the wireless connection but is also available to anyone within broadcasting
Sadly, while you may believe that your near
neighbours or neighbouring offices may have neither the will, interest
nor technology skills to be interested in your wireless activity,
that doesn't mean you are secure. There are a whole range of individuals
and groups who have a deep and not always savoury interest in unprotected
Some groups have a very active but essentially
harmless interest in unprotected wireless, being concerned mainly
with finding and identifying wireless sites. You've probably heard
about some of these in the press Their activities have a name. 'War
driving' is driving around looking for locations where wireless
is being used and is not secured. It has many web sites devoted
to it such as www.wardriving.com.
'Warchalking' is marking up street locations
with special symbols to
identify wireless locations. Again, many web sites are devoted to
There are even details online of where to find unprotected wireless
sites in UK towns and cities.
As your wireless device broadcasts its address
(SSID), it is extremely easy for anyone to do this - it can even
be done with a PDA. If you're currently indulging in unprotected
wireless broadcasting, it is quite possible that you're already
on one or more list. In addition to these groups, there are those
with a far from innocent interest in your wireless broadcasts.
But there's not much at risk
Unfortunately, this is totally wrong, even if all you ever do with
your wireless PC is access harmless websites from home. It's not
just what you broadcast that's at risk, but everything else on your
PC or laptop. So information such as passwords, bank details and
any other personal data which you wouldn't want other people to
know, are all accessible, as is any information on your wireless
servers. And, very worryingly, if your connection is used for illegal
activity such as accessing illegal images on the Internet, you or
your business could be held responsible, even if you have no idea
who actually did it. This is because the activity will have been
carried out from your address, using your connection.
If you have staff at work to whom you have
provided wireless access, or more
commonly who have provided themselves with wireless access from
their laptops, the odds are that they haven't even enabled the weak,
cursory WEP 'security' encryption.
As they are operating outside the normal company
network and its protective measures, they are therefore not only
broadcasting any information they are handling, but have opened
up your network to anyone else who cares to look. An obviously serious
security weakness, negating all the effort you have put into making
your systems secure.
Unprotected wireless use exposes companies
and individuals to a wide range of security problems. These range
from unauthorised use of your bandwidth through to the theft of
confidential personal and company information held on your laptop,
illegal use of your connections, and in the worse cases industrial
espionage and fraud.
The Csi/FBI survey of 2003 shows once again
that there are significant levels of hacking, system penetration,
eavesdropping, sabotage, theft of proprietary information and insider
abuse of company's computer systems. Wireless looks like a very
easy way to carry out many of these activities, given the ease of
access and the low likelihood of detection.
With all of these risks and so few people protected against them,
seem that wireless protection is either desperately expensive or
incredibly difficult. However, this is not the case.
For normal landline communications, most companies
today use encrypted VPNs (virtual private networks), most commonly
to the IPSec standard. These are
used to protect communications between two points, usually between
a head office and branch office, suppliers or home workers. One
solution to the inherent insecurity of wireless is to use IPSec
encrypted VPNs for communications between the wireless user and
the wireless access point (or company network).
Encrypted VPNs will create a secure connection
between the wireless user and the VPN gateway of the company. This
connection now hides your communications. The data on your PC is
protected from prying eyes because the communication route for it
is through the VPN. This method therefore not only protects and
encrypts your wireless activity, but also prevents unauthorised
wireless access to your PC or business servers by requiring authenticated
VPNs for all wireless use.
If you are communicating with a supplier, customer
or indeed head office, you have not only protected confidential
data, you have also prevented your connections from being used to
compromise their security.
Installing and implementing VPNs is more complex
than using unprotected wireless, but is not beyond the skill set
of PC literate individuals who need the benefits of protection.
If you're looking to implement wireless VPNs, prime features you
need to look for are
- ease of installation and use,
- compliance with standards (802.11b is the one currently in widest
-capability to use a VPN. (This feature is not as obvious as it
sounds, because some "secure" wireless units have firewall
functions but do not support VPNs).
Safe rather than sorry
Wireless provides many benefits to business users, which include
low cost, greater mobility and being able to alter desk layouts
with the minimum of hassle. These benefits mean wireless is spreading
rapidly. However, security breaches occurring through wireless use
are also increasing, with consequent high costs.
It is both inexpensive and comparatively easy
to secure yourself against broadcasting your secrets to anyone who
is interested. The latest generation of wireless defence solutions
means there is no longer any reason to participate in unprotected
Ian Kilpatrick is chairman of Wick Hill
Group, a company specialising in secure infrastructure solutions
15th August 2003 •Region: UK/Worldwide •Type:
Article •Topic: ISM
•Rate this article
or make a comment - click