Your next wireless security problem


October 06 2006


 

Just when you think you've got the network locked down ...


Recently, I've had the dry task of telling an increasing number of executives that their organizations' wireless networks are relatively well protected -- that during an assessment, it wasn't possible to attach to, or make any serious dent in the availability of, the network without exceeding the bounds of a reasonable threat model. Does this mean all's well in the wireless world? Not at all. We're merely graduating to the next level of problems.

The current focus for wireless security is on the access point. More specifically, we're concerned with the security of access points that belong to the organization and the presence of any access points ("rogues") that don't belong. Increasingly, vendors are making it easy to implement WPA2 or reasonable approximations thereof, which generally keeps access points and their wireless data a step or two ahead of all but the most diligent and determined of attackers.

Likewise, modern wireless management and security tools such as Cisco Systems Inc.'s CiscoWorks Wireless LAN Solution Engine and Symbol's Wireless Intrusion Protection System don't just configure managed access points; they use the radio data those access points collect to detect events of interest. This makes it relatively painless to notice and locate rogue access points, or even beaconing ad hoc peers, without wandering the hallways toting a laptop and a Yagi antenna.

What's not commonly being addressed, however, is the increasing number of rogue clients using outside services. When an organization achieves a sustainable level of security -- one that keeps inappropriate behavior in check -- that behavior seeks another outlet. In wireless terms, it means the source of risk moves off the corporate wireless network and onto other avenues of connection.

Most commonly, mobile users intent on getting content they shouldn't have access to will take their laptops home, out to a coffee shop or within range of another unmonitored network. There they can download blocked content, send inappropriate e-mails and fire up BitTorrent in relative privacy, at least from corporate oversight. However, directory-managed user accounts and device policies can maintain a modicum of control over laptops and other devices when they're out of the office.

More opportunistic users hampered by corporate network controls may do their own informal site survey using NetStumbler, or the much more powerful Kismet or KisMAC, and make use of unsecured wireless connectivity in neighboring offices. Depending on the office's physical location and the number of less tech-savvy neighbors nearby, all the egress filtering in the world won't help if users can simply choose not to use their organizations' networks for outbound traffic. For these probing users, system policies, access management and training, training, training are key.

The most hard-headed or determined users -- the sort with an agenda that might keep a chief information security officer up at night -- may set up their own access points outside the physical premises. Using a directional antenna and line-of-sight connection to the office from an apartment or friend's house, an employee can set up his own hard-to-detect rogue hot spot in your premises on a budget under $200. A personal laptop or handheld device might be used to keep the entire activity even further out of the organization's view.

In this case, it's particularly interesting that many modern office buildings, built with steel-reinforced slab floors but little more than a "skin" on outside walls and windows, act as an effective waveguide for laterally transmitted radio signals. The owner of a distant rogue access point might not have to sit by a nearby window to use the signal inside the building, and most wireless intrusion-detection systems would see nothing more than background noise covering a whole floor. Constant monitoring for rogue clients and peers, examination of unusual variations in background noise, and occasional mobile surveys of the surrounding neighborhood are among the options to consider.
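As an added example, not from the original article or from any of the vendor tools it names, here is the kind of triage a monitoring script can run over a wireless survey export to catch the three things the paragraphs above describe: an access point advertising the corporate SSID that the organization did not deploy, an ad hoc peer beaconing in range, and an inventoried corporate client that has associated with a network the organization does not control. The CSV column layout, the SSID, every MAC address and the inventory sets are constructed assumptions; map your own survey tool's export onto the same fields.

```python
"""Triage a wireless survey export for rogue access points, ad hoc peers
and corporate clients attached to networks the organization does not own."""

import csv
import io
from typing import Dict, List

# Operator-maintained inventory. All values are assumptions for this example.
CORPORATE_SSID = "CorpWLAN"
AUTHORIZED_BSSIDS = {"00:1a:2b:00:00:01", "00:1a:2b:00:00:02"}
CORPORATE_CLIENTS = {
    "00:16:6f:aa:bb:01",
    "00:16:6f:aa:bb:02",
    "00:16:6f:aa:bb:03",
}

# Constructed survey export (not real capture data). The column layout is an
# assumption for this example; map your own tool's export onto these fields:
#   type   "ap" for a beaconing network, "station" for a client radio
#   mac    BSSID of the AP, or the client MAC of the station
#   ssid   advertised network name (APs only)
#   mode   "infra" or "adhoc" (APs only)
#   bssid  network the station is currently associated with (stations only)
#   power  signal strength at the sensor, in dBm
SAMPLE_SCAN = """\
type,mac,ssid,mode,bssid,power
ap,00:1a:2b:00:00:01,CorpWLAN,infra,,-45
ap,00:1a:2b:00:00:02,CorpWLAN,infra,,-52
ap,00:0c:41:de:ad:01,CorpWLAN,infra,,-71
ap,00:0c:41:ca:fe:02,linksys,infra,,-83
ap,00:13:ce:ad:00:01,FreeShare,adhoc,,-60
station,00:16:6f:aa:bb:01,,,00:1a:2b:00:00:01,-50
station,00:16:6f:aa:bb:02,,,00:0c:41:ca:fe:02,-80
station,00:16:6f:aa:bb:03,,,00:13:ce:ad:00:01,-62
station,00:24:d7:11:22:33,,,00:0c:41:ca:fe:02,-79
"""


def analyze(scan_csv: str) -> Dict[str, list]:
    """Return findings keyed by category.

    rogue_ap      BSSIDs advertising the corporate SSID that we did not deploy
                  (an evil twin, or an employee's own access point).
    adhoc_peer    ad hoc (IBSS) networks beaconing inside the sensor's range.
    rogue_client  (client MAC, BSSID) pairs where an inventoried corporate
                  device is associated with a network we do not control.
    """
    aps: Dict[str, dict] = {}
    stations: List[dict] = []
    for row in csv.DictReader(io.StringIO(scan_csv)):
        if row["type"] == "ap":
            aps[row["mac"].lower()] = row
        elif row["type"] == "station":
            stations.append(row)

    findings: Dict[str, list] = {"rogue_ap": [], "adhoc_peer": [], "rogue_client": []}

    for bssid, ap in aps.items():
        if ap["mode"] == "adhoc":
            findings["adhoc_peer"].append(bssid)
        elif ap["ssid"] == CORPORATE_SSID and bssid not in AUTHORIZED_BSSIDS:
            findings["rogue_ap"].append(bssid)

    for st in stations:
        client, bssid = st["mac"].lower(), st["bssid"].lower()
        # A neighbor's client on a neighbor's network is background noise, not
        # a finding; only devices from our own inventory are of interest here.
        if client in CORPORATE_CLIENTS and bssid not in AUTHORIZED_BSSIDS:
            findings["rogue_client"].append((client, bssid))

    return findings


def report(findings: Dict[str, list]) -> List[str]:
    """Render findings as one line per event, suitable for a ticket or SIEM."""
    lines = []
    for bssid in findings["rogue_ap"]:
        lines.append(f"ROGUE AP     {bssid} advertises {CORPORATE_SSID} but is not in inventory")
    for bssid in findings["adhoc_peer"]:
        lines.append(f"ADHOC PEER   {bssid} is beaconing an ad hoc network in range")
    for client, bssid in findings["rogue_client"]:
        lines.append(f"ROGUE CLIENT {client} is associated with foreign network {bssid}")
    return lines


if __name__ == "__main__":
    for line in report(analyze(SAMPLE_SCAN)):
        print(line)
```

The unknown station on the neighbor's "linksys" network is deliberately left out of the report: a sensor sitting in a shared building will see plenty of other people's traffic, and alerting on all of it is how rogue-client monitoring gets switched off. The inventory of corporate client MACs is what separates "our laptop on someone else's network" from noise.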

But it's shortsighted to fixate only on the technologies the average IT setup uses or controls. Phones are becoming de facto media players and include nontrivial storage capacities. Bluetooth is pervasive, and will soon be augmented with 802.11b/g-based UMA (unlicensed mobile access) support, which lets some mobile phones roam between traditional cellular networks and 802.11 hot spots. Soon, many data-intensive devices such as cameras and MP3 players will incorporate 802.11 or other wireless interfaces; a few, such as the Nikon Coolpix P3 and SoniqCast LLC's Aireo MP3 players, already have. Even some car stereos in today's parking lot are open wireless data repositories waiting for media (or sensitive files) to be dumped from nearby clients.

It's frightening to think that a future converged device such as a potential wireless iPod might be used as an electronic briefcase for sensitive data over an ad hoc connection, then automatically connect for streaming media, data synchronization and personal messaging when it comes within range of a lunchtime hot spot. Currently, the concern over enterprise wireless security breaches or misuse is centered on a known, controlled network. What will we do when it happens between commodity personal devices, multiple 802.11 networks, Bluetooth, and GSM/EDGE or CDMA/EVDO? We're most of the way there with Sony Ericsson Mobile Communications AB's P990, and its M600 sister device even looks something like an iPod.

Not too far over the horizon are even faster speeds and farther reach of 3G/4G "broadband" networks blanketing the nation, metropolitan mesh networks pervasive in urban environments, and multiplexed 802.11 transceivers or even cellular data connectivity in every interactive doodad. With cheap solid-state storage, the problem transforms from a connection-oriented or persistent one that can be tracked down by a week of playing spy in the back of a truck into bursty, store-and-forward communications that bridge disparate networks and make wireless data security breaches a fleeting event.

We're only a handful of years away from a class of inexpensive devices that won't raise an eyebrow incorporating all of these technologies and more. When that happens -- and we're seeing the precursors now -- we'd best have an eye on technologies we don't control and the associated behaviors of individuals. Focusing on the human factor is the only way we'll keep up with the increasing saturation of communications technology into everyday devices and the consolidation of everyday devices into essential personal accessories. Wireless security in the enterprise has to evolve -- or devolve -- into its proper place as just another technology in the realm of information security.


 

Reproduced from an article published by ComputerWorld Security
© ComputerWorld Security

The original article can be viewed here:
http://www.computerworld.com/action/article.do?command=viewArticleBasic&art...
