Making a Case for Wireless Networks

I’m the IT manager for a small law firm in New York. While the firm is small, we’ve been around for a long time. As such, the partners are very old school in the sense that they don’t trust technology &#151 so much so, in fact, that for the longest time, we didn’t even have an Internet connection. Today it’s a nightmare if the connection goes down. In any event, most of the employees here use laptop computers and would like to be able to maintain access to their e-mail and Internet research while attending conferences or just moving about the office.

I suggested to the partners that we implement a wireless network. At first they shot down the idea. The reason is due primarily to the stigma of insecurity associated with wireless networking, but I’ve finally been able to convince them that it could be safely implemented.

However, before I actually gamble my job on my ability to back that up, I wanted to ask if you had any suggestions that the truly paranoid could implement in order to maximize security on their wireless network. I’m already intimately familiar with general techniques such as turning on data encryption, not broadcasting the SSID, enabling MAC address filtering and so on, but what I’m looking for are suggestions that might be perceived as overkill for your average wireless network. I know this seems like a strange request, but I just want to be aware of all of my options.

Asking about ways to develop a secure wireless network is never a strange request. Establishing a secure network communications is more important today than ever. I’ve consulted for a handful of law firms, and I know how resistant to change they can be &#151 particularly if they feel that it might put them in a position where liability is an issue.

In any event, as you mentioned, there are some general steps that you can take to help secure your wireless network. For example:

• Change the access points’ default administrator password
  
• Turn off SSID broadcasting
  
• Change the default SSID name
  
• Enable MACfiltering

And, most importantly, enable encryption on the wireless connection. In most cases 128-bit WEP is OK, but, whenever possible, I would suggest using Wi-FI Protected Access (WPA). In addition to user-authentication capabilities and support for the Extensible
Authentication Protocol (EAP), WPA uses enhanced data encryption technology via the Temporal Key Integrity Protocol (TKIP). TKIP provides important data encryption enhancements, including a per-packet key-mixing function, a message integrity check (MIC), an extended initialization vector (IV) with sequencing rules and a re-keying mechanism. Together, these features make WPA a far stronger security solution than WEP.

This, as you said, is pretty standard stuff. In your situation, if you’re really looking for extreme protection, then I suggest that you consider purchasing hardware that supports WPA2. WPA2 is the most secure wireless communication protocol available today and provides improved encryption for networks that use the 802.11a, 802.11b and 802.11g standards. It’s based on the final IEEE 802.11i amendment to the 802.11 standard and is eligible for Federal Information Processing Standard (FIPS) 140-2 compliance.

The key difference between WPA and WPA2 is the inclusion of the
Advanced Encryption Standard (AES). AES is an encryption algorithm for securing sensitive but unclassified material by U.S. government agencies and, as a likely consequence, may eventually become the de facto encryption standard for commercial transactions in the private sector. (Separate, secret encryption algorithms protect the U.S. military and other classified communications.)

AES cryptography is based on the Rijndael (pronounced rain-dahl) algorithm, created by Belgian cryptographers Joan Daemen and Vincent Rijmen. Some WPA products maybe upgraded to WPA2 via software, but due to the computationally intensive nature of WPA2’s required AES encryption, a hardware change will most likely be required. For maximum wireless network protection though, WPA2 is the only way to go.

In addition to encryption, you can further enhance security by minimizing accessibility to the wireless network. You can accomplish this in a number of ways. For instance, to protect your internal network from threats coming over the wireless network, you could create a wireless DMZ or perimeter network that’s isolated from the wired LAN. This means placing a firewall between the wireless network and the wired LAN. Then you can require that in order for wireless clients to access resources on the internal network, they have to first be authenticated using either a remote access server and/or a
VPN.

Symantec’s Security Gateway 300 series of routers offer wireless VPN support, and they are easy to setup and configure. I’m not sure if they offer WPA2 compatibility, though.

Another option is to turn off the Wireless Access Point (WAP) when it’s not in use. This one may seem simplistic, but few companies or individuals do it. If you have wireless users connecting only at certain times, there’s no reason to run the wireless network all the time. That only lets intruders try to gain access to your wireless network when no one is around to notice. However, if your company has employees accessing the network at all hours of the day and night, this option isn’t practical.

Also, consider better wireless signal management. The typical 802.11b WAP transmits up to about 300 feet. However, a more sensitive antenna can extend this range. By attaching a high gain external antenna to your WAP, you can get a longer reach, but this could expose you to war drivers (people who drive by buildings looking for open Wi-Fi connections) and others outside your building.

A directional antenna will transmit the signal in a particular direction, instead of in a circle like the omni-directional antenna that usually comes built into the WAP. Thus, through antenna selection, you can control both the signal range and its direction to help protect your network from outsiders. Additionally, some WAPs allow you to adjust signal strength and direction via their settings.

Something else to consider is to try and “hide” from hackers who use the more common 802.11b/g wireless technology by going with a wireless network based on the 802.11a standards instead. Since it operates on a different frequency (the 5 GHz range, as opposed to the 2.4 GHz range in which b/g operates), NICs made for the more common wireless technologies won’t pick up its signals. Sure, this is a type of “security through obscurity,” but it’s perfectly valid when used in conjunction with other security measures. After all, security through obscurity is exactly what we advocate when we tell people not to let others know their social security numbers and other identification information.

A drawback of 802.11a, and one of the reasons it’s less popular than b/g, is that the range is shorter: about half the distance of b/g. It also has difficulty penetrating walls and obstacles. From a security standpoint, this “disadvantage” is actually an advantage, as it makes it more difficult for an outsider to intercept the signal even when using equipment designed for use with that technology.

I hope you find this information helpful and best of luck in securing that connection.

Adapted from PracticallyNetworked.com, part of the EarthWeb.com Network.