Quick Guide To Protecting Wi-Fi Networks And Users
As mobile networks get more convenient, they get less secure: mobile security decreases as convenience increases. Here are a few things you can do to protect yourself and your enterprise.
Enterprise Wi-Fi deployments often focus on the services provided to in-building or on-site users while mostly ignoring the company's mobile workforce. Laptops, smartphones and PDAs have received significant press attention regarding virus vulnerabilities and corporate risk as a result of physical loss. Mobile device management products such as iAnywhere's Afaria and Intellisync's Systems Management do provide access security as well as operating system and application management policies, but the wireless-specific aspects of most portable devices have not been addressed.
Accidental association--inadvertently associating to an AP (access point)--is one concern. This can happen via Microsoft Windows' promiscuous wireless client, which surreptitiously attempts to connect to the first AP that matches an existing profile. Or, depending on how it's configured, it can happen via any AP. Almost a year ago, the media picked up on the "Evil Twin" attack, which occurs when attackers at a hotspot replicate the identity of a legitimate AP, and perhaps even its Web-based authentication scheme, to fool unsuspecting users into connecting to them. Minimally, attackers are able to obtain the hotspot login credentials; in the worst case, they can capture all unencrypted traffic and access any mobile device.
Another concern is bridged connections, between either two wireless networks (e.g., 3G and Wi-Fi) or a wireless and a wired network (e.g., a hotel wired Ethernet connection and Wi-Fi). Bridged connections make it possible for attackers to tunnel from an insecure connection (Wi-Fi, for example) back into a presumably secure one (the company VPN, for example).
The most obvious--hopefully--concern is the use of wireless links without any kind of security. But there are also MITM (man in the middle) attacks and ad hoc connections to worry about, as well as the need to enforce the use of only enterprise-sanctioned hotspots.
If users could be counted on to always follow best practices, many of these risks could be avoided. Since security is inversely proportional to convenience, however, it is usually the first enterprise policy to be tossed aside in users' attempts to access their e-mail or the latest sports scores.
All three leading wireless IDS vendors--AirMagnet, AirDefense and Network Chemistry--have a mobile product. In fact, that's what AirMagnet started with.
Called the Laptop Analyzer, it was quickly massaged into an enterprise product. Market leader AirDefense started out with an enterprise product but stripped out the distributed features to create its Mobile version late last year.
Network Chemistry late last year introduced RFProtect Mobile, which provides a mobile version of its enterprise product.
However, vendors looking to protect an enterprise's remote users realize that selling each road warrior a copy of their mobile product is not going to meet the risk/reward calculations of that user's internal information security groups. More importantly, mobile versions of wireless analysis products present details that far exceed the understanding of most mobile users, and these products apply few, if any, host-based wireless security policies. That's where agents come in.
AirDefense introduced its Personal product late last fall. The company's director of Operations, David Thomas, told me in a briefing last week that customers are very excited about the product, sharing that some of these customers have blanketed their entire mobile workforce with it. Personal Central Manager centrally manages the Personal agents and is integrated into AirDefense's Enterprise product. Personal 3.0, a new headless version of the product, will be coming out shortly. A rewrite of the agent has brought the memory footprint to 300 kilobytes. It works in real time without the use of a network shim. Approximate location capabilities are also provided based on the user's IP network. Future releases plan to address Mac OS X and, for the PDA platform, Windows Mobile.
Network Chemistry, meanwhile, upped the ante this month with the introduction of its RF Protect Endpoint. Similar to AirDefense's Personal product, this agent not only protects against Wi-Fi threats but supports Bluetooth, EVDO, HSDPA and any other variant of 2/2.5/3G technology. That expansive wireless support does not necessarily mean it will identify any cellular-based attacks, but RF Protect Endpoint can prevent bridging and require the use of VPN tunnels. It also supports central policy management, which enforces the aforementioned policies as well as dictates the use of specific, known access points (by MAC address, if desired) and disables ad hoc connections. And it integrates with Network Chemistry's distributed product by passing alarms and usage to the centralized console. Don't confuse the company's location reporting for satellite-based GPS tracking; it does nothing more than record the strengths of APs around the mobile device, which in the future may tie into Internet-based location services such as Skyhook Wireless, Navizon and Place Lab.
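The host-side policies described above (known APs by MAC address, no ad hoc connections, no bridging, VPN required) can be expressed as a simple check over a snapshot of the host's interfaces. The following is an added example, not code from either vendor's agent; the interface snapshot, the placeholder AP MAC and the Iface/Policy types are all constructed here for illustration, and it treats any two simultaneously active uplinks as a bridging risk, which is a simplification of what a real agent inspects.

```python
from dataclasses import dataclass

@dataclass
class Iface:
    """One host network interface (constructed type, not an OS API)."""
    name: str
    kind: str              # "wifi", "wired", "cellular" or "vpn"
    up: bool
    mode: str = "infra"    # Wi-Fi only: "infra" or "adhoc"
    bssid: str = ""        # Wi-Fi only: MAC of the associated AP
    ssid: str = ""

@dataclass
class Policy:
    known_bssids: set      # sanctioned AP MACs (the "known access points" policy)
    require_vpn: bool = True
    allow_adhoc: bool = False
    allow_bridging: bool = False

def evaluate(ifaces, policy):
    """Return the list of policy violations for an interface snapshot."""
    known = {b.lower() for b in policy.known_bssids}
    uplinks = [i for i in ifaces if i.up and i.kind in ("wifi", "wired", "cellular")]
    vpn_up = any(i.up and i.kind == "vpn" for i in ifaces)
    violations = []
    for i in uplinks:
        if i.kind != "wifi":
            continue
        if i.mode == "adhoc" and not policy.allow_adhoc:
            violations.append(f"{i.name}: ad hoc connection")
        if i.bssid.lower() not in known:
            # An SSID alone is not proof of identity; flag an unsanctioned BSSID
            violations.append(f"{i.name}: unknown AP {i.bssid} (SSID {i.ssid!r})")
    if len(uplinks) > 1 and not policy.allow_bridging:
        # Simplification: more than one live uplink is reported as bridging
        violations.append("bridging: " + ", ".join(i.name for i in uplinks))
    if policy.require_vpn and uplinks and not vpn_up:
        violations.append("no VPN tunnel over active uplink")
    return violations

# Constructed sample: a laptop on the corporate AP with hotel Ethernet also up
CORPORATE_APS = {"00:11:22:33:44:55"}  # placeholder MAC, not a real AP
SNAPSHOT = [
    Iface("wlan0", "wifi", True, "infra", "00:11:22:33:44:55", "corp"),
    Iface("eth0", "wired", True),
    Iface("tun0", "vpn", False),
]

if __name__ == "__main__":
    for v in evaluate(SNAPSHOT, Policy(CORPORATE_APS)):
        print("VIOLATION:", v)
```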
Both AirDefense and Network Chemistry believe that interest in mobile agents could translate into significant revenues, which makes sense. Organizations with a highly mobile workforce may have a limited physical infrastructure that requires protection with fixed wireless sensors; installing an agent on each laptop not only protects users from attacks but also enforces policy and informs network administrators of their users' wireless environment.
Where does a wireless IDS agent sit alongside the existing VPN client, host-based firewall, antivirus program, anti-spyware program, pop-up blocker and, possibly, a remote control agent? One option is integrating it into desktop security products. McAfee, which recently bought out Wireless Security Corp., has created a suite that bundles these products together, although it has not been thoroughly integrated into any existing product.
Other traditional antivirus vendors have not yet addressed the desktop-based wireless security market. On another front, NAC (network access control) vendors such as Cisco, ENDFORCE, InfoExpress, Lockdown Networks, Mirage and Symantec (which bought Sygate) have neither provided any solutions that enforce wireless-specific policies nor protected against wireless-specific threats, though problems such as bridging are sometimes addressed.
The ranks of the 802.1X supplicant vendors are thinning out.
Microsoft's latest OS releases have built-in supplicant support for several EAP types. Intel and Cisco, two leading suppliers of enterprise wireless cards, have relatively rich supplicants in their wireless client software. Interlink Networks recently re-formed without its LucidLink product. Funk, a well-known brand in the RADIUS space, was recently purchased by Juniper. Meetinghouse is essentially the remaining independent 802.1X supplicant vendor, and the company announced in November that a future version of its SecureConnect product promises to apply security policies via its enterprise deployment tools.
The last possible group of vendors is the mobile service providers and aggregators, including iPass (which just acquired GoRemote) and Boingo. Both of these companies provide supporting wireless connection software to their customers, and adding wireless security would be a natural fit.
So how can enterprises add wireless security support without adding to the average 14 agents they have installed (according to AirDefense), and where is the most natural fit? Mobile service providers suffer from poor or nonexistent enterprise management tools, although a managed service provider model could emerge. Most of the supplicant vendors also lack a distributed management interface. NAC vendors have enough to keep them busy with the heterogeneity of wired enterprise switches, operating systems and basic system checks without adding in wireless features at this time. That leaves desktop security vendors, which have a large existing installed base among enterprises, well-developed distributed management consoles and mature feature sets among their existing offerings. Wireless security access and control could become the touted enhancement for the desktop security vendors as well as a compelling reason for enterprises to upgrade their desktop security software. The question remains whether these firms will develop the technology themselves or team up with existing wireless IDS vendors.
If your organization's IT department hasn't already considered protecting mobile users and enforcing wireless security policies, make it a New Year's promise to put it on your meeting agenda. Don't leave your users exposed on the outside.