For more on hardening your organization's network, check out TechRepublic's proven line of books and CDs. You'll find more wireless security solutions in TechRepublic's Wireless Networking Survival Guide.
Wireless networking is unstoppable. It's growing faster than almost any IT technology ever has, and the lure is irresistible to professionals and consumers alike. With this unbridled expansion comes a pocketful of new security concerns. Can your company maintain security as your conventional network is hybridized with wireless components?
There's a natural impulse, given the ethereal qualities of wireless networking, to view the extension of a conventional network into a somewhat intangible hybrid network as two separate networks: the tried-and-true secure network you spent so much time locking down, and the breezy interloper that is now poking holes in it. But Mistake Number One is failing to keep the whole thing under one roof. It's all one network, and viewing it this way will help you get your arms around it.
Network management pros and cons
Network management encompasses a number of key functions: monitoring the network's activity; dynamically evaluating its availability; measuring its performance; and logging its errors. These functions are more important, not less, where the wireless portions of your network are concerned. Since the wireless zones are more portable, more variable in usage, and subject to greater interference than the conventional ones, performance tracking and error logging are more important than ever if you hope to optimize the network's efficiency.
It's not just about efficiency, of course. By doing this sort of management, you're monitoring what happens at your wireless access points, and you can spot attempts at network intrusion. So implementing network management of your wireless network zones is, in general, a wise move.
Now comes the tough call, however. There is plenty of network management software out there that performs the functions above for you (HP OpenView, Tivoli NetView), and if your wireless hardware supports SNMP, it can be managed in the same way as any other network component. But you now run a new risk: if an SNMP-supporting access point is compromised, the intruder gains access, through SNMP, to information about your network. (At the heart of SNMP-based network management is a distributed management information base, which SNMP devices read and write and which the network management software uses to do its job.)
Is this a risk you want to take?
It's a kind of catch-22. If you have the means to button up your access points, then you can and should safely use SNMP-based network management; but if you're buttoned up well enough to do this, then by definition, you need it less. It's a trade-off, and you'll have to give it some thought.
You can audit, so audit regularly
Wireless components in your LAN do not affect your ability to audit the network as a whole; there is nothing intrinsic to wireless workstations or access points that affects an audit per se. You can and should continue to audit the network as you normally do, and do so frequently.
An additional consideration in the audit process, where wireless access points are concerned, is that the access points themselves can generate logs. These logs record the activity of stations connecting to them to gain network access, and they need to be integrated into your audit process and regularly reviewed.
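One way to fold access-point logs into the regular audit, as an added example that is not part of the original article: a small Python reviewer that reads station-activity lines and flags what a human should look at first. The log format, the allow-list of station MACs, the business-hours window and the failure threshold are all constructed for this example and imply no particular vendor's syntax.

```python
"""Review access-point station logs for the audit step described above.

Added example, not from the article. The log format is CONSTRUCTED for this
example (no vendor syntax is implied):
    <ISO timestamp> <AP name> <event> sta=<MAC> [reason=<text>]
events: assoc (station associated), auth-fail (authentication rejected),
        disassoc (station left).
"""
from collections import Counter
from datetime import datetime

# Constructed sample lines, as an AP log feed might look after normalisation.
SAMPLE_LOG = """\
2004-03-02T08:55:01 ap-lobby assoc sta=00:0c:41:aa:bb:01
2004-03-02T09:02:17 ap-lobby assoc sta=00:0c:41:aa:bb:02
2004-03-02T09:10:44 ap-lab auth-fail sta=00:05:5d:de:ad:01 reason=bad-key
2004-03-02T09:10:46 ap-lab auth-fail sta=00:05:5d:de:ad:01 reason=bad-key
2004-03-02T09:10:49 ap-lab auth-fail sta=00:05:5d:de:ad:01 reason=bad-key
2004-03-02T09:10:52 ap-lab auth-fail sta=00:05:5d:de:ad:01 reason=bad-key
2004-03-02T12:30:00 ap-lab assoc sta=00:0c:41:aa:bb:03
2004-03-02T23:41:09 ap-lobby assoc sta=00:0c:41:aa:bb:02
2004-03-02T23:42:00 ap-lobby assoc sta=00:e0:18:c0:ff:ee
"""

# Allow-list of company-issued wireless cards (constructed MACs).
KNOWN_STATIONS = {"00:0c:41:aa:bb:01", "00:0c:41:aa:bb:02", "00:0c:41:aa:bb:03"}
BUSINESS_HOURS = range(7, 20)   # 07:00-19:59 local; associations outside are flagged
AUTH_FAIL_THRESHOLD = 3         # repeated failures from one station on one AP


def parse_line(line):
    """Parse one constructed log line into a dict; return None for malformed lines."""
    parts = line.split()
    if len(parts) < 4:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[3:] if "=" in p)
    if "sta" not in fields:
        return None
    return {"ts": ts, "ap": parts[1], "event": parts[2],
            "sta": fields["sta"].lower(), "reason": fields.get("reason")}


def audit_ap_logs(text, known=KNOWN_STATIONS):
    """Return a sorted list of (kind, ap, station) findings for the reviewer."""
    findings = set()
    auth_fails = Counter()
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            # A line the parser cannot read is itself worth a look (tampering or feed trouble).
            findings.add(("malformed-line", "-", raw.strip()))
            continue
        key = (rec["ap"], rec["sta"])
        if rec["event"] == "assoc" and rec["sta"] not in known:
            findings.add(("unknown-station",) + key)
        if rec["event"] == "assoc" and rec["ts"].hour not in BUSINESS_HOURS:
            findings.add(("after-hours-assoc",) + key)
        if rec["event"] == "auth-fail":
            auth_fails[key] += 1
            if auth_fails[key] >= AUTH_FAIL_THRESHOLD:
                findings.add(("repeated-auth-failure",) + key)
    return sorted(findings)


if __name__ == "__main__":
    for kind, ap, sta in audit_ap_logs(SAMPLE_LOG):
        print(f"{kind:22s} {ap:10s} {sta}")
```

Run against the constructed sample this yields four findings: a burst of authentication failures on one AP, an unknown station associating late at night, and two after-hours associations. The point is not the specific thresholds, which a real deployment would tune, but that the AP logs become input to the same review cycle as the wired audit rather than sitting unread on the devices.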
Control rogue APs
Rogue access points are one of the biggest headaches in wireless network security. Often deployed by employees informally for personal use, they exist beyond the perimeter of your formal procedures and deployment protocols and therefore pose a huge security risk, often representing as much as a third of your wireless network.
That's a great deal of vulnerability, and it tells us that rogue APs alone are justification for implementing stringent network management procedures. With SNMP-based network management software in place, the management software can rapidly identify any rogue APs that employees have deployed (unless the SNMP support in the device has been disabled, which is beyond the knowledge of most employees).
Another way to detect rogue APs is the way hackers do it: with a WLAN scanner. A laptop with a wireless network card and WLAN-detection software such as NetStumbler, AirMagnet, or Wave Runner can sniff out all your APs, rogue or otherwise, which leads us to the next and final point of discussion.
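The two detection routes just described, SNMP polling and a scanner walk, each miss what the other catches: SNMP cannot see an AP with SNMP turned off, and a scanner cannot tell you which APs your management station already knows about. The following Python reconciliation, an added example rather than code from the article, takes an authorised AP register plus the results of both methods and gives every BSSID a verdict. The register, the SNMP poll results, the scan results and the SSID names are all constructed for the example.

```python
"""Classify every access point seen on the network against an authorised register.

Added example, not from the article. Two discovery sources are modelled:
  * snmp_seen: BSSIDs the SNMP-based management station could poll
  * rf_seen:   BSSIDs picked up by a WLAN scanner walk (the article's second method)
All data below is CONSTRUCTED; no real hardware, vendor or site is described.
"""

# Authorised register: BSSID -> (SSID, location), as the wireless team maintains it.
AUTHORISED = {
    "00:40:96:11:11:01": ("corp-wlan", "building A, floor 1"),
    "00:40:96:11:11:02": ("corp-wlan", "building A, floor 2"),
    "00:40:96:11:11:03": ("corp-wlan", "building B, lobby"),
}
CORPORATE_SSIDS = {"corp-wlan"}

# What the SNMP poll returned (constructed): the floor-2 AP has SNMP switched off,
# so it is absent here even though it is authorised.
SNMP_SEEN = {"00:40:96:11:11:01", "00:40:96:11:11:03", "00:02:2d:77:77:01"}

# What a scanner walk produced (constructed): (BSSID, SSID, channel).
RF_SEEN = [
    ("00:40:96:11:11:01", "corp-wlan", 1),
    ("00:40:96:11:11:02", "corp-wlan", 6),
    ("00:40:96:11:11:03", "corp-wlan", 11),
    ("00:02:2d:77:77:01", "mydesk", 6),       # employee AP with SNMP left on
    ("00:0f:66:99:99:01", "corp-wlan", 1),    # unregistered AP using the corporate SSID
    ("00:0f:66:99:99:02", "linksys", 11),     # unregistered AP, SNMP disabled (scan only)
]


def classify_aps(authorised, snmp_seen, rf_seen, corporate_ssids):
    """Return {bssid: verdict}. Verdicts:
       'authorised'            registered and polled by SNMP as expected
       'authorised-unmanaged'  registered but silent to SNMP: a management blind spot
       'rogue-managed'         unregistered but answers SNMP: management software catches it
       'rogue-unmanaged'       unregistered and SNMP-silent: only a scanner walk finds it
       'rogue-corp-ssid'       unregistered and advertising a corporate SSID: review first,
                               because users may mistake it for a company AP
    """
    ssid_by_bssid = {bssid: ssid for bssid, ssid, _channel in rf_seen}
    verdicts = {}
    for bssid in sorted(set(ssid_by_bssid) | set(snmp_seen)):
        registered = bssid in authorised
        polled = bssid in snmp_seen
        if registered:
            verdicts[bssid] = "authorised" if polled else "authorised-unmanaged"
        elif ssid_by_bssid.get(bssid) in corporate_ssids:
            verdicts[bssid] = "rogue-corp-ssid"
        else:
            verdicts[bssid] = "rogue-managed" if polled else "rogue-unmanaged"
    return verdicts


def rogue_count(verdicts):
    """Number of APs outside the register, whatever their management state."""
    return sum(1 for v in verdicts.values() if v.startswith("rogue"))


if __name__ == "__main__":
    result = classify_aps(AUTHORISED, SNMP_SEEN, RF_SEEN, CORPORATE_SSIDS)
    for bssid, verdict in result.items():
        print(f"{bssid}  {verdict}")
    print(f"{rogue_count(result)} of {len(result)} APs are outside the register")
```

On the constructed data the SNMP poll alone would report one rogue AP; combining it with the scan results raises that to three and also exposes an authorised AP that the management station cannot see. Running the scan from inside your own walls, as the next section recommends, is what fills in the second column.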
Test your fences
The best way to feel good about your company's wireless perimeter security is to test it yourself. Anyone with a laptop, a wireless network card, and NetStumbler can cruise the streets around your headquarters and map your network. WLAN intruders use these tools and various nefarious means of entry to get into the network. (See the article "Top five don'ts in wireless network security" for more information.)
Have some fun with this project. Put your in-house people to work poking holes. Many are sure to have laptops with wireless network cards, and they can easily obtain LAN-detection software. Make it a contest, offering some incentive for anyone who can penetrate the wireless network and write a detailed report on how they did it.
And if it sounds like such a "contest" is throwing the door open to anarchy, then you have just the beginning of an idea of what the world of WLAN intruders is like: you can bet that several dozen of them started sniffing at your borders from the street outside as soon as your WLAN went up. The fences will be tested, whether you're out there among the testers or not. Doesn't it make sense to go with that reality and use it to make your fences stronger?
More WLAN management options
Since the security and hardware challenges of your WLAN differ from those of your conventional components, you may want to look into some wireless-specific network management utilities. Here are a few to consider: