Quick Guide To Protecting Wi-Fi Networks And Users - InformationWeek


08:11 AM

Quick Guide To Protecting Wi-Fi Networks And Users

As mobile networks get more convenient, they get less secure. Mobile security decreases as convenience increases. Here are a few things you can do to protect yourself and your enterprise.

Enterprise Wi-Fi deployments often focus on the services provided to in-building or on-site users while mostly ignoring the company's mobile workforce. Laptops, smartphones and PDAs have received significant press attention regarding virus vulnerabilities and corporate risk as a result of physical loss. Mobile device management products such as iAnywhere's Afaria and Intellisync's Systems Management do provide access security as well as operating system and application management policies, but the wireless-specific aspects of most portable devices have not been addressed.

Accidental association--inadvertently associating to an AP (access point)--is one concern. This can happen via Microsoft Windows' promiscuous wireless client, which surreptitiously attempts to connect to the first AP that matches an existing profile. Or, depending on how it's configured, it can happen via any AP. Almost a year ago, the media picked up on the "Evil Twin" attack, which occurs when attackers at a hotspot replicate the identity of a good AP, and perhaps even a Web-based authentication scheme, to fool unsuspecting users into connecting to them. Minimally, attackers are able to obtain the hotspot login credentials; in the worst case, they can capture all unencrypted traffic and access any mobile device.

Another concern is bridged connections, between either two wireless networks (e.g., 3G and Wi-Fi) or a wireless and a wired network (e.g., hotel wired Ethernet connection and Wi-Fi). Bridged connections make it possible for hackers to tunnel back over an insecure connection (Wi-Fi, for example) into a possibly secure connection (for example, the company VPN).

The most obvious--hopefully--concern is the use of wireless links without any kind of security. But there are also MITM (man-in-the-middle) attacks, ad hoc connections and the need to enforce the use of only certain enterprise-sanctioned hotspots.

If users could be counted on to always follow best practices, many of these risks could be avoided. Since security is inversely proportional to convenience, however, it is usually the first enterprise policy to be tossed aside in users' attempts to access their e-mail or the latest sports scores.

All three leading wireless IDS vendors--AirMagnet, AirDefense and Network Chemistry--have a mobile product. In fact, that's what AirMagnet started with. Called the Laptop Analyzer, it was quickly massaged into an enterprise product. Market leader AirDefense started out with an enterprise product but stripped out the distributed features to create its Mobile version late last year. Network Chemistry late last year introduced RFProtect Mobile, which provides a mobile version of its enterprise product.

However, vendors looking to protect an enterprise's remote users realize that selling each road warrior a copy of their mobile product is not going to meet the risk/reward calculations of that user's internal information security groups. More importantly, mobile versions of wireless analysis products present details that far exceed the understanding of most mobile users, and these products apply few, if any, host-based wireless security policies. That's where agents come in.

AirDefense introduced its Personal product late last fall. The company's director of Operations, David Thomas, told me in a briefing last week that customers are very excited about the product, sharing that some of these customers have blanketed their entire mobile workforce with it. Personal Central Manager centrally manages the Personal agents and is integrated into AirDefense's Enterprise product. Personal 3.0, a new headless version of the product, will be coming out shortly. A rewrite of the agent has brought the memory footprint to 300 kilobytes. It works in real time without the use of a network shim. Approximate location capabilities are also provided based on the user's IP network. Future releases plan to address Mac OS X and, for the PDA platform, Windows Mobile.

Network Chemistry, meanwhile, upped the ante this month with the introduction of its RF Protect Endpoint. Similar to AirDefense's Personal product, this agent not only protects against Wi-Fi threats but supports Bluetooth, EVDO, HSDPA and any other variant of 2/2.5/3G technology. That expansive wireless support does not necessarily mean it will identify any cellular-based attacks, but RF Protect Endpoint can prevent bridging and require the use of VPN tunnels. It also supports central policy management, which enforces the aforementioned policies as well as dictates the use of specific, known access points (by MAC address, if desired) and disables ad hoc connections. And it integrates with Network Chemistry's distributed product by passing alarms and usage to the centralized console. Don't confuse the company's location reporting for satellite-based GPS tracking; it does nothing more than record the strengths of APs around the mobile device, which in the future may tie into Internet-based location services such as Skyhook Wireless, Navizon and Place Lab.
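The host-side policies described above (known APs by MAC address, no ad hoc connections, no bridging, mandatory VPN) can be expressed as a check over a snapshot of a laptop's links. This is an added example, not code from any vendor named in the article; the `Link` and `Policy` types, the interface names and the MAC addresses are constructed, and it assumes that any second active link alongside Wi-Fi counts as a bridging risk.

```python
from dataclasses import dataclass

@dataclass
class Link:
    name: str
    kind: str          # "wifi", "ethernet", "cellular" or "vpn"
    up: bool = True
    mode: str = ""     # Wi-Fi only: "infrastructure" or "adhoc"
    ssid: str = ""
    bssid: str = ""    # MAC address of the associated AP

@dataclass
class Policy:
    allowed_aps: dict              # SSID -> set of sanctioned AP MACs (lowercase)
    allow_adhoc: bool = False
    allow_simultaneous: bool = False
    require_vpn: bool = True

def evaluate(links, policy):
    """Return the policy violations found in one snapshot of a device's links."""
    active = [link for link in links if link.up]
    wifi = [link for link in active if link.kind == "wifi"]
    carriers = [link for link in active if link.kind != "vpn"]
    found = []
    for link in wifi:
        if link.mode == "adhoc":
            if not policy.allow_adhoc:
                found.append(f"{link.name}: ad hoc connection")
            continue
        macs = policy.allowed_aps.get(link.ssid)
        if macs is None:
            found.append(f"{link.name}: unsanctioned SSID {link.ssid}")
        elif link.bssid.lower() not in macs:
            # Sanctioned name on an unknown radio: what an evil twin looks like
            found.append(f"{link.name}: {link.ssid} served by unknown AP {link.bssid.lower()}")
    if wifi and len(carriers) > 1 and not policy.allow_simultaneous:
        found.append("bridging risk: " + "+".join(sorted(c.name for c in carriers)))
    if wifi and policy.require_vpn and not any(a.kind == "vpn" for a in active):
        found.append("Wi-Fi active without a VPN tunnel")
    return found

# Constructed sample data: MACs, SSIDs and interface names are made up.
POLICY = Policy(allowed_aps={"CorpWiFi": {"02:00:00:00:00:01"}})
HOTEL = [Link("wlan0", "wifi", mode="infrastructure", ssid="CorpWiFi",
              bssid="02:00:00:AA:BB:99"),
         Link("eth0", "ethernet")]
OFFICE = [Link("wlan0", "wifi", mode="infrastructure", ssid="CorpWiFi",
               bssid="02:00:00:00:00:01"),
          Link("tun0", "vpn"), Link("eth0", "ethernet", up=False)]
```

The hotel snapshot trips three rules at once (unknown AP MAC for a sanctioned SSID, a second live link, no VPN), while the office snapshot is clean.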

Both AirDefense and Network Chemistry believe that interest in mobile agents could translate into significant revenues, which makes sense. Organizations with a highly mobile workforce may have a limited physical infrastructure that requires protection with fixed wireless sensors; installing an agent on each laptop not only protects users from attacks but also enforces policy and informs network administrators of their users' wireless environment.

Where does a wireless IDS agent sit alongside the existing VPN client, host-based firewall, antivirus program, anti-spyware program, pop-up blocker and, possibly, a remote control agent? One option is integrating it into desktop security products. McAfee, which recently bought out Wireless Security Corp., has created a suite that bundles these products together, although it has not been thoroughly integrated into any existing product.

Other traditional antivirus vendors have not yet addressed the desktop-based wireless security market. On another front, NAC (network access control) vendors such as Cisco, ENDFORCE, InfoExpress, Lockdown Networks, Mirage and Symantec (which bought Sygate) have neither provided any solutions that enforce wireless-specific policies nor protected against wireless-specific threats, though problems such as bridging are sometimes addressed.

The numbers among the 802.1X supplicant vendors are thinning out. Microsoft's latest OS releases have built-in supplicant support for several EAP types. Intel and Cisco, two leading suppliers of enterprise wireless cards, have relatively rich supplicants in their wireless client software. Interlink Networks recently re-formed without its LucidLink product. Funk, a well-known brand in the RADIUS space, was recently purchased by Juniper. Meetinghouse is essentially the remaining independent 802.1X supplicant vendor, and the company announced in November that a future version of its SecureConnect product promises to apply security policies via its enterprise deployment tools.

The last possible group of vendors is the mobile service providers and aggregators, including iPass (which just acquired GoRemote) and Boingo. Both of these companies provide supporting wireless connection software to their customers, and adding wireless security would be a natural fit.

So how can enterprises add wireless security support without adding to the average 14 agents they have installed (according to AirDefense), and where is the most natural fit? Mobile service providers suffer from poor or nonexistent enterprise management tools, although a managed service provider model could emerge. Most of the supplicant vendors also lack a distributed management interface. NAC vendors have enough to keep them busy with the heterogeneity of wired enterprise switches, operating systems and basic system checks without adding in wireless features at this time. That leaves desktop security vendors, which have a large existing installed base among enterprises, well-developed distributed management consoles and mature feature sets among their existing offerings. Wireless security access and control could become the touted enhancement for the desktop security vendors as well as a compelling reason for enterprises to upgrade their desktop security software. The question remains whether these firms will develop the technology themselves or team up with existing wireless IDS vendors.

If your organization's IT department hasn't already considered protecting mobile users and enforcing wireless security policies, make it a New Year's promise to put it on your meeting agenda. Don't leave your users exposed on the outside.

Additional Resources:

- A Lite version of AirDefense Personal is freely downloadable after you fill out a registration form at: http://update.networkcomputing.com/cgi-bin4/DM/y/espP0GRsYM0G6v0D1xh0Gc

- Check out Network Chemistry's RFProtect Endpoint at: http://update.networkcomputing.com/cgi-bin4/DM/y/espP0GRsYM0G6v0D1xi0Gd

Frank Bulk is a contributing editor to Network Computing Magazine covering wireless and mobile technologies and works for a telecommunications company based in the Midwest. For more analysis and opinion from Frank Bulk: http://update.networkcomputing.com/cgi-bin4/DM/y/espP0GRsYM0G6v0DCse0Gm
