A wireless network can be very appealing because it’s less expensive to install than traditional cabling. However there are also plenty of drawbacks to mobile computing technology as well, especially relating to security. For example 802.11 x can connect a hacker completely off company property to the internal network! It is usually is slightly slower (50 mbps) than wired cabling (usually 1,000 or 100 mbps). This connectivity can be very desirable to mobile laptop users who may want to use it throughout the building without needing to connect a cable. Even with encryption, wireless networking should be considered a higher risk technology and should be segregated with firewalls. In the end the decision is essentially if the convenience offered is worth the security risks it creates.
The reason that a wireless network is such a security risk is that it allows anybody with a laptop and a standard wireless card to effectively get a connection. While there are steps that can be taken for protection even just being able to get a signal gives a hacker the chance to attempt to gain entry to the wireless network. This can be from the parking lot, or even completely off company property. With wired networks the attacker must physically enter the building meaning they must get past the security guard and any locked doors. The attacker must also find an available jack in a location they can work without drawing attention. Inside the building is the domain of the security guard who can detain him for questioning or have the police do this for him. If a security incident occurs it is more effective to identify it as a specific jack than merely the access point the attacker connected to. Once the hacker has gotten on the wireless network he/she now is able to view the traffic of other users which is not normally possible with the wired network. Additionally it provides connectivity for attacks on vulnerable internal servers.
The internal network at most businesses is fairly insecure. Many applications are configured to send passwords with no encryption. For example many businesses have the e-mail client configured to send a password in clear text. Many web applications do not use ssl when receiving logon information. Administrators tend to have many protocols and services activated that would not normally be available to an attacker outside a firewall. Once on the wireless network a hacker can sniff all of this information or attack many things he wouldn’t normally be able to. The most important security precaution is encryption on the wireless network. Most wireless equipment comes with standard encryption support. Not only is all the traffic that flows across it encrypted but the encryption key is changed every few minutes. The new key is redistributed under the protection of a single key used to distribute the changing keys. This protects the network because an unauthorized user must decrypt any intercepted traffic from the wireless network before it can be read and no connection to the network can be made. This would mean that the attacker must break the encryption before being able to sniff anything useful.
All the encryption keys are freely available to anybody who can provide the service set identifier (SSID). It is essentially a network password. The WEP, WPA, or WPA2 key is usually configured on the laptops of authorized users meaning that randomly generated long keys can and should be used. Please note that this means changing the keys requires a change on all laptops and during the change those not using the same key as the access points cannot access the network. This means that changing an SSID key is not usually done on larger networks. 802.11 x vendors are notorious for having WEP encryption with the default SSID advertised for all to access in clear text by the equipment. A WEP key that is not advertised can be attacked much like any other password is attacked. It is also worth noting that WEP encryption has serious encryption flaws and WPA or WPA2 should be used instead which are intended as a replacement to WEP.
Because of the risk of traffic being sniffed by an unauthorized intruder, wireless networks should receive special handling. Anybody who is able to break or obtain the SSID or encryption keys is capable of capturing a great deal of traffic. This traffic should be segregated off of the internal network with a firewall in addition to being being firewalled from the internet as well. Some firms require all wireless users to form a VPN connection to the internal network. The same 802.11 connection can be used to provide guest access to vendors or whoever may be at the facility and desires an internet connection. Some wireless networks restrict access to a specific list of MAC addresses. This means that only that list of authorized devices identified by MAC address can access it and all traffic from any other devices is simply discarded. However the MAC address can be forged fairly easily and the MAC address of any authorized device would be usable for any attacker. This tactic increases the difficultly of what the attacker must do to get on. The disadvantage is that this must be managed and any new devices (including hardware replacements) must manually be added to the list.
Wireless networks are less expensive to install than the wired counter parts. However few businesses have chosen to implement this instead of wired connectivity for desktops and printers. Servers should never be connected with a wireless connection. While it is cheaper to install, the speed is much slower than the upgrade to wired connectivity would bring. Granted the speed is adequate for most purposes and is easier to upgrade when the next faster speed is available. The major consideration against wireless is always security and desktops do not gain the convenience of wireless.
Wireless networks are prone to the very serious risk of allowing the internal network to be attacked from physical locations the business cannot control. There is nothing that can be done to make wireless networking completely secure at any given location; it will always be a higher risk. Yet, with proper steps the risks can be reduced. For many the convenience is worth the risks as a segregated portion of the network for mobile laptops.
Please procede to: Wireless network remote access.