Q&A: Can Wireless Networks Be Secured?
Denial is not a legitimate wireless strategy
The history of wireless networking is rife with security problems, including flaws in the Wireless Encryption Protocol (WEP) as well as in implementations of its successor, Wi-Fi Protected Access (WPA). Just like wired networking, wireless communications are also susceptible to denial-of-service attacks and password cracking via dictionary-style attacks.
Yet a truly end-to-end security equation always relies upon layered security, and with that approach, secure wireless networking is not only feasible but possible. Even the Department of Defense (DoD)—per its 8100.2 directive—approves wireless use, providing it’s locked down.
To discuss secure wireless network creation, Security Strategies spoke with Ken Evans, vice president of product management for Tampa, Fla.-based Fortress Technologies, which makes the AirFortress Wireless Security Gateway appliance. Fortress recently secured wireless networks at 167 U.S. Department of Veterans Affairs (VA) medical centers.
Do current wireless network perceptions center around its lack of security?
Well, first there’s denial: we don’t have any. Go back a year or a year and a half, with the Secret Service walking around with their expensive Pringles cans and shutting people down.
Now while that was happening publicly, privately the Department of Defense, one of the world’s biggest logistics organizations—probably second only to Wal-Mart—had a lot of wireless for logistics … [For them] it’s just another logistics application
So the government is actually a big user of wireless networking?
There was a [wireless] scramble in the government, behind the scenes, for tactical communications, supply chain, and logistics, and then just the basic administrative applications—the general with the laptop. And let’s be clear: most generals are like executives—they don’t really need to be wireless. So clearly the proof points are there, they just aren’t [so] public.
Speaking of examples, what did you do for the VA?
The VA had a little bit of everything … They installed wireless specifically for one critical care application, then it was decided that it [lacked sufficient security] … So [we] went in, in a bulk project, and secured it all, and happened to overlay a little bit of Cisco, Intermec, and Symbol, at 167 medical centers … [The VA] didn’t want to go in and rip out all of that infrastructure.
Oftentimes there’s the security you get out of a box, then there’s the “if you really want security, you need to install this, this, or this,” and usually the attributes you install there lock you into a Cisco-only system, or a Symbol-only system … but [our products are] vendor agnostic.
Any other secure-wireless customer examples to share?
Raymond James Financial, here in Tampa, Florida. Did they need wireless? Well … [they] realized denial was not a legitimate IT strategy, took their time to determine how they were going to go with wireless and how they were going to secure it, ultimately selecting Cisco and Fortress. Or E*Trade or Gulfstream. These are all commercial entities that said, yes, wireless makes sense, but … we’re going to take our time.
What do you offer that regular wireless security specifications don’t?
Solutions today have been a mix: only access control, or only privacy, or only authentication. Well, it’s not about just the privacy, but also the access control and the authentication. On top of that, the authentication comes in a few factors. We’re authenticating the network, the user, and the device, in that order … So you’re providing a very transparent way of keeping people off your network who shouldn’t be on your network.
What’s the benefit of a device- or standards-agnostic approach?
For example, in warehouses you’ll have 802.11b or maybe even older stuff, with no compelling reason to change it to 802.11g or 802.11n or when something faster comes out. It’s usually the people in the carpeted space that want the newer [technologies]. Well, we have one solution … that allows you to not have to pull old technologies just to secure new.
[Oftentimes people are] stuck in this consumer mindset pipe about wireless adoption … It’s got to be whatever Linksys has come out with this month, when … in reality, you don’t see people replacing forklifts just because they can go two miles per hour faster—certainly not in manufacturing, or government, or IT.
How widespread is wireless use today?
Gartner will say 80 percent of organizations have wireless. The caveat is [that] the penetration of wireless is relatively small when you compare it to the number of people who actually have desktops, laptops, [and] PDAs.
Where there’s wireless is there a high volume of data moving wirelessly?
It really depends. At the VA, for example, they’re retrieving patient records, medical information … [so] they’re really just updating a database. I’m standing in front of patient A, making sure I’m administering the right medications … so if someone comes along behind me and scans this person’s medication cart, they’re going to say this person is up to date.
Most wireless is not that intense … whereas the data that is being moved on it could be. Think about a rental car company that’s checking cars in and out. Not a lot of data is moving there … but if there’s a denial-of-service [condition] and you’re not checking people in or getting people to their planes, it can have a pretty significant effect.
Are wireless denial-of-service attacks common today?
Most companies don’t know to look for them. There are the unintentional ones, then there are the malicious ones, and … keeping people off your network of the unintentional type is probably 80 percent of the problem.
So what’s ultimately required to secure wireless?
There are two points of vulnerability: the network and the device itself. So if you only protect the network, the device as a corporate or government asset is vulnerable. Because we create a trusted relationship … no one can attach to a device, or PDA, that has us installed … My laptop isn’t going to talk to anything that’s outside the system.
Do most organizations protect both the network and the device?
The industry, in general, just thinks about the network—creating a big firewall and locking everyone else out … but that’s only doing one side of a trusted relationship. We’re providing more security on wireless than most organizations, except the government, have on the wired side. Often there’s no encryption, no privacy. Some organizations may have 802.x [LAN security], but not many do …
You have to lock down both ends … [and] that’s what we mean by end-to-end security. You’ll hear this term in government all the time: a secure, mutual authentication. I know who you are, you know who I am, now let’s start talking.
Passing the WLAN Security Buck
Wireless Networks Continue to Bleed Data, Study Reveals
Securing Mobile Workers
Mathew Schwartz is a Contributing Editor for Enterprise Systems and is its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.