Wireless security vendors are trying to create a market where none exists. As always, the key to better wireless security is better practice, not new products.
Recently, I received an invitation to speak at a plenary session for an upcoming conference on wireless security. While the conference venue was first-rate and they were covering all my expenses, I had to be honest with the conference coordinators and decline the invitation. The reason? If I went on-stage and delivered my views on wireless networking and its security implications, the vendors exhibiting at the event would have chased me from the dais and lynched me.
Simply put, I don’t buy into the hype and hoopla surrounding wireless networking. Sure, it has its advantages in certain areas, but I don’t see the need for a whole new industry to provide all manner of ‘wireless security’ solutions. I would have alienated most of the vendors by calling their products and ‘wireless security solutions’ useless and irrelevant – in a word, snake oil.
You see, when it comes to wireless security, what I see are security vendors trying to capitalize on emergent technologies by creating Fear, Uncertainty, and Doubt (FUD) amongst corporate America.
We must remember that wireless networks are simply a means of exchanging information over extended distances without the use of cables. They are not a means of storing or processing information but a medium for the transmission of information, just like a phone line or piece of Cat-5 Ethernet, and not much different from either.
I agree with those who believe that protecting wireless networks is essentially the same as protecting wired networks and cables. Granted, one doesn’t need to be physically inside a facility to exploit a wireless environment (as evidenced by the much-publicized ‘drive by hacking’ concept); but beyond that, what’s the difference between wireless and wired security? Whether it’s a Palm Pilot, laptop, or cable-free desktop, the mode of communicating is the same.
Let’s think for a minute on some of the ways we protect information in transit over Ethernet today. We (hopefully) build a network with effective controls at the physical layer (e.g., securing data centers and switch rooms). We then incorporate logical controls, such as router access lists, to direct information on that network to and from authorized parties. For sensitive information, we may choose to encrypt a file or message from our desktop computer and then send it elsewhere on the local network. We may even have established ‘secure’ links via Virtual Private Networks that tunnel network traffic inside encrypted tunnels. Mail servers, firewalls, and content filters help ensure that this information stays inside this ‘authorized enclave’, relatively free from prying eyes.
Now, suppose we drop in a wireless router somewhere to provide ‘walkabout’ capabilities for a specific department in our firm. Do we really need to completely redesign our security mindset and spend tons of money to secure information in its cable-free transmission environment?
I say no. Protecting information exchanged in the wireless environment is no different than protecting it in the Ethernet realm we’re all accustomed to.
But what’s that you say? What about the threat of drive-by hacking or wireless sniffing? What about protecting your sensitive information that’s being passed over the wireless environment at your facility? What about the visitor who may surreptitiously attempt to connect his laptop to a wireless network during a business meeting and scan for proprietary files or passwords? Surely, these threats require new commercial security products and services specially ‘optimized’ for the wireless environment, right?
Wrong. Such gloom-and-doom claims are largely the result of security vendors scrambling to generate interest for new products and services for this invisible, wireless network environment. Fortunately, securing wireless environments doesn’t always require new products or services, but simply the ability to extend traditional information security programs to this new transmission medium, like going from an ISDN line to a T-1 connection.
Want to guard against drive-by hacking or sniffing of wireless traffic? Establish a VPN or other encrypted link that allows communication only between authorized devices on the network, and rejects all other connection attempts. Consider the Ethernet version of Cisco’s VLAN Membership Policy Server (VMPS), which maps hardware MAC addresses to physical and logical access control lists. If your laptop or desktop isn’t registered in VMPS, or you don’t have the correct credentials or permissions, you can’t access the network. Your adversaries probably won’t, either.
When planning and building a wireless environment, why not make sure your wireless networks are designed to minimize signal ‘leakage’ to prevent someone from sitting in the parking lot with a sniffer? Better yet, why not improve physical security to keep unauthorized vehicles and persons out of range in the first place?
How about deploying wireless networking only where it’s necessary and sensible, not simply because it’s the ‘next best thing’ or a ‘really cool’ technology? Proper network and business process planning – including security considerations – will go a long way in reducing the chances of wireless security problems.
Wireless has its uses in our enterprises, and we should certainly be exploring how to best use this medium effectively and securely. But we need to remember that when it comes to securing our wireless environments, common sense and the application of traditional security ‘best practices’ will be just as effective as any commercial solution, particularly those that are now allegedly ‘optimized’ for the wireless environment. We too often forget that security - whether wireless or otherwise - is a process, not a snazzily packaged, well-marketed product.