Passing the WLAN Security Buck
Company offers outsourced wireless LAN to overcome security vulnerabilities
How many security incidents are related to operator error?
Many security observers blame poor the poor usability of security products and software for a large percentage of security incidents. When a network administrator doesn’t configure a firewall properly, for example, it can leave gaps in network defenses an attacker can exploit; when a vendor ships a product that isn’t out-of-the-box secure, or which is difficult to keep secure because of its design, it often leaves companies under-secured.
The problem is especially acute with wireless LANs (WLANs). In fact, Gartner Group says until 2006, 70 percent of successful WLAN attacks will be due to incorrectly configured WLAN access points and PC software.
To help organizations tackle WLAN security quickly and easily, Full Mesh Networks announced the first-ever managed-WLAN service. Security Strategies spoke with Full Mesh’s co-founders Steve Shippa and Bill Bullock.
Why offer a managed WLAN service?
Bullock: None of this stuff is easy enough to use. It’s very easy to make a dangerous mistake—we saw this with firewalls, and VPNs. So … the whole goal is to simplify it, and [that goal naturally] evolves … into a managed service or ASP.
How long has this been in the works?
We developed this [beginning in] May 2003 and we’ve been in development mode since [then] … We just announced the WLAN product on July 14 and then … the wireless detection service on August 10.
Shippa: We were able to capture and leverage a lot of the busted dot-coms’ [hardware], for pennies on the dollar, so we have a very large infrastructure in place.
Why outsource WLANs or WLAN detection
Bullock: The neatest application, beyond cost, is the speed of deployment. Once the AP [access point] arrives and is powered up, it’s … easy to add users—[they’ve] already been cataloged in our systems. Also, … the most amazing thing is what you can do across multiple locations … yet with centralized management. Most companies have difficulty [doing that].
Is there a strong security-related argument for WLAN outsourcing?
It seems currently to be the primary issue [companies are] concerned with. I think a lot of the folks out there are trying to do it themselves, and I think they’re going to run into what we ran into when we tried to develop the [offering]. It’s not as easy to do as it claims, the standards are confusing, and it’s hard to not make a mistake.
Speaking of standards, can you explain the 802.1 alphabet soup?
Well there’s 802.11, and inside that there are basically three different spectrums—a, b, and g. A is in the 5 GHz band, and b and g are at the 2.4 GHz band … Outside of that there are the security standards: WEP, 802.1x, WPA, and 802.11i.
To make it all worse, what happened was, originally there was WEP, then that was proved to be not very secure. So two schools of thought happened: there was the interim standard, the 802.11x, then there was the industry standard, 802.1x … That was supposed to be ratified almost a year ago; it was ratified last month. So vendors are just starting to come out with the equipment that meets 802.11i. We chose the interim spec—802.1x—and it’s just a software upgrade on the Proxim access points we use [to get to 802.11i]. But each [AP hardware] vendor offers different things, which makes it even more complicated.
Talk about your WLAN detection capabilities.
Shippa: We looked at a lot of different vendors [to get that].
Bullock: [We use] Red-M … out of the U.K. They seem to have the most comprehensive set of alerts. What we like is they actually do Bluetooth detection and … have offensive capabilities to shut down hackers. But … it’s large, and not user friendly, just like all their competitors. We took that, … integrated it with trouble ticket and monitoring services, … and that’s certainly the core component of the service. We also built … a financial model where there really is no hardware cost [for customers].
Did you have to staff up significantly to be able to offer full-time outsourcing?
Shippa: We’ve been able to automate and integrate … everything from network management and monitoring systems to ticketing systems. We’ve done a lot of integration work where, say, if an event comes in and our systems picked up a rogue AP or an ad hoc network created in the middle of the night … walking though it, the [Red-M] probe sends information to a [Red-M] Red-Detect server, which has intelligence built in and that … sends [information] to the network management system.
So it’s tracked and monitored and from there … we automatically send over and open a trouble ticket—only for the highest-level alerts—and [the customer] gets paged and also our [technician] gets paged … Now maybe it was some kind of false positive, so the agent closed [the AP or network connection], and … they can both see what the agent thought and did. Those are all things that anyone who is going to purchase a network intrusion product needs to do.
What kinds of trouble-ticket systems do you work with?
Everything is hosted at our infrastructure, so the customer gets … a view into our tickets, and we have that integrated with our network management system. If they’re using the wireless management product, it’s integrated with our portal.
Do you charge by the user?
Bullock: We charge by the access point per month, not by the users. We are networking guys, and the boxes we use are big, ugly Sun boxes, so we’re good for at least a few million users at this time. And [when adding new users] … it updates in less than five minutes.
How do users access the APs?
Shippa: You can’t get on unless you have a username and password.
How long does it take a customer to add a user?
Less than five minutes maximum … currently we have a couple of RADIUS (Remote Authentication Dial-In User Service) servers deployed [to manage users], and as we want more we’ll get them … Also for any sort of campus environments, we just added a bulk add, and a bulk delete, so we added that [for a customer], and we did 3,000 users … In one test—1,000 users in a spreadsheet—it took less than 10 seconds to process it, reject errors or duplicates, … and spit it out into the database.
Are you seeing outsourced WLAN interest from any quarters in particular?
Bullock: It’s too soon to answer with complete authority, but it appears that HIPAA requirements and Sarbanes-Oxley seem to be driving at least the urgency. It seems like hospitals and health care facilities were early adopters of wireless, and they put that up with existing security, and now they’re saying "Uh oh, time to update." Also … hotels, actually, because they were early adopters of the hotspot networks, there’s concern there [about] guests’ information … to keep that safe.
Wireless Networks Continue to Bleed Data, Study Reveals
Overcoming Wi-Fi Security Fears
Mathew Schwartz is a Contributing Editor for Enterprise Systems and is its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.