Troubleshooting Q&A - November 3, 2005
Making a Case for Wireless Networks
Some small businesses, especially those concerned with compliance, confidentiality and liability issues, are still reluctant to trust wireless networks. In this week's column, we help a network manager at a small law firm go extreme with wireless security.
By Ron Pacchiano
Q. I'm the IT manager for a small law firm in New York. While the firm is small, we've been around for a long time. As such, the partners are very old school in the sense that they don't trust technology; so much so, in fact, that for the longest time we didn't even have an Internet connection. Today it's a nightmare if the connection goes down. In any event, most of the employees here use laptop computers and would like to be able to maintain access to their e-mail and Internet research while attending conferences or just moving about the office. So I suggested to the partners that we implement a wireless network. At first they shot down the idea, due primarily to the stigma of insecurity associated with wireless networking, but I've finally been able to convince them that it could be safely implemented.
However, before I actually gamble my job on my ability to back that up, I wanted to ask if you had any suggestions that the truly paranoid could implement in order to maximize security on their wireless network. I'm already intimately familiar with general techniques such as turning on data encryption, not broadcasting the SSID, enabling MAC address filtering and so on, but what I'm looking for are suggestions that might be perceived as overkill for your average wireless network user. I know this seems like a strange request, but I just want to be aware of all of my options. Thank you!
A. Asking about ways to develop a secure wireless network is never a strange request. Today the importance of establishing secure network communications is more relevant than ever. Plus, in my years as a consultant, I've worked for a handful of law firms and I know how resistant to change they can be, particularly if they feel that it might put them into a position of potential liability.
In any event, as you mentioned, there are some general things that you can do to help secure your wireless network. These include things like the following:
And, most importantly, enable encryption on the wireless connection. In most cases 128-bit WEP is OK, but, whenever possible, I would suggest using Wi-Fi Protected Access (WPA). In addition to user-authentication capabilities and support for the Extensible Authentication Protocol (EAP), WPA uses enhanced data encryption technology via the Temporal Key Integrity Protocol (TKIP). TKIP provides important data encryption enhancements, including a per-packet key mixing function, a message integrity check (MIC), an extended initialization vector (IV) with sequencing rules, and a re-keying mechanism. Together, these features make WPA a far stronger security solution than WEP.
This, as you said, is pretty standard stuff. In your situation, if you're really looking for extreme protection, then I would suggest that you consider purchasing hardware that supports WPA2. WPA2 is the most secure wireless communication protocol available today and provides improved encryption for networks that use the 802.11a, 802.11b and 802.11g standards. It's based on the final IEEE 802.11i amendment to the 802.11 standard and is eligible for Federal Information Processing Standard (FIPS) 140-2 compliance.
The key difference between WPA and WPA2 is the inclusion of the Advanced Encryption Standard (AES). AES is an encryption algorithm used for securing sensitive but unclassified material by U.S. Government agencies and, as a likely consequence, may eventually become the de facto encryption standard for commercial transactions in the private sector. (Encryption for the U.S. military and other classified communications is handled by separate, secret algorithms.) AES cryptography is based on the Rijndael (pronounced rain-dahl) algorithm, created by Belgian cryptographers Joan Daemen and Vincent Rijmen. Some WPA products may be upgraded to WPA2 via software, but due to the computationally intensive nature of WPA2's required AES encryption, a hardware change will most likely be required. For maximum wireless network protection, though, WPA2 is the only way to go.
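To make the WEP / WPA-TKIP / WPA2-AES tiers above concrete, here is an added example (not from the column) that grades a hostapd-style access point configuration; the two configurations are constructed samples with a placeholder passphrase, and hostapd's real keys (wpa, wpa_pairwise, rsn_pairwise, ignore_broadcast_ssid, macaddr_acl) are used.

```python
# Added example, not from the column: grade a hostapd-style AP config against
# the tiers the answer describes: open < WEP < WPA/TKIP < WPA2/AES (CCMP).
WEAK_CONF = """
# constructed sample: wpa=1 means WPA only; wpa_pairwise=TKIP is RC4-based TKIP
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
wpa_passphrase=PLACEHOLDER-CHANGE-ME
"""
HARDENED_CONF = """
# constructed sample: wpa=2 means WPA2 (RSN) only; rsn_pairwise=CCMP is AES, no TKIP
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=PLACEHOLDER-CHANGE-ME
ignore_broadcast_ssid=1
macaddr_acl=1
"""

def parse_hostapd(text):
    """Parse key=value lines; '#' comment lines and blank lines are skipped."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip()
    return cfg

def audit(cfg):
    """Return (tier, findings); tier is open, wep, wpa-tkip or wpa2-aes."""
    findings = []
    wpa = int(cfg.get("wpa", "0"))  # hostapd: 0=none, 1=WPA, 2=WPA2, 3=both
    if wpa == 0:
        if any(k.startswith("wep_key") for k in cfg):
            return "wep", ["WEP: static RC4 keys and short IVs; move to WPA2"]
        return "open", ["no encryption configured"]
    # hostapd uses wpa_pairwise for RSN too when rsn_pairwise is not set
    ciphers = (cfg.get("rsn_pairwise") or cfg.get("wpa_pairwise", "")).split()
    if wpa & 1:
        findings.append("WPA (pre-802.11i) negotiation still enabled")
    if "TKIP" in ciphers or not ciphers:
        findings.append("TKIP pairwise cipher allowed; set rsn_pairwise=CCMP")
    if cfg.get("ignore_broadcast_ssid", "0") == "0":
        findings.append("SSID is broadcast")
    if cfg.get("macaddr_acl", "0") == "0":
        findings.append("no MAC address filtering (macaddr_acl=0)")
    tier = "wpa2-aes" if wpa == 2 and ciphers == ["CCMP"] else "wpa-tkip"
    return tier, findings
```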
In addition to encryption, you can further enhance security by minimizing accessibility to the wireless network. You can accomplish this in a number of ways. For instance, to protect your internal network from threats coming over the wireless network, you could create a wireless DMZ or perimeter network that's isolated from the wired LAN. This means placing a firewall between the wireless network and the wired LAN. Then you can require that, in order for wireless clients to access resources on the internal network, they first be authenticated using a remote access server, a VPN, or both.
Symantec's Security Gateway 300 series of routers offers wireless VPN support, and they are easy to set up and configure. I'm not sure if they offer WPA2 compatibility, though.
Another option is to turn off the Wireless Access Point (WAP) when it's not in use. This one may seem simplistic, but few companies or individuals do it. If you have wireless users connecting only at certain times, there's no reason to run the wireless network all the time. That only provides intruders with an opportunity to attempt to gain access to your wireless network when no one is around to notice. If you turn off the access point when it's not in use, such as at night when everyone goes home and there is no need for anyone to connect wirelessly, there is less opportunity for someone to try and gain access.
Also, consider better wireless signal management. The typical 802.11b WAP transmits up to about 300 feet. However, this range can be extended by a more sensitive antenna. By attaching a high-gain external antenna to your WAP, you can get a longer reach, but this could expose you to war drivers (people who drive by buildings looking for open Wi-Fi connections) and others outside your building. A directional antenna will transmit the signal in a particular direction, instead of in a circle like the omni-directional antenna that usually comes built into the WAP. Thus, through antenna selection, you can control both the signal range and its direction to help protect your network from outsiders. Additionally, some WAPs allow you to adjust signal strength and direction via their settings.
Something else to consider is to try and "hide" from hackers who use the more common 802.11b/g wireless technology by going with a wireless network based on the 802.11a standard instead. Since it operates on a different frequency (the 5 GHz range, as opposed to the 2.4 GHz range in which b/g operate), NICs made for the more common wireless technologies won't pick up its signals. Sure, this is a type of "security through obscurity," but it's perfectly valid when used in conjunction with other security measures. After all, security through obscurity is exactly what we advocate when we tell people not to let others know their social security numbers and other identification information.
A drawback of 802.11a, and one of the reasons it's less popular than b/g, is that the range is shorter: about half the distance of b/g. It also has difficulty penetrating walls and obstacles. From a security standpoint, this "disadvantage" is actually an advantage, as it makes it more difficult for an outsider to intercept the signal even when using equipment designed for use with that technology.
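The antenna gain, transmit-power and 5 GHz effects described in the last three paragraphs can be put into numbers with a free-space link budget; the following is an added example (not from the column) that assumes a 15 dBm access point with a 2 dBi built-in omni, a client with a 0 dBi antenna and -85 dBm sensitivity, channel 6 (2.437 GHz) for 802.11g and channel 36 (5.18 GHz) for 802.11a.

```python
# Added example, not from the column: a free-space (Friis) link budget that
# quantifies the antenna, transmit-power and 802.11a (5 GHz) effects discussed.
# Free space is optimistic indoors, so read the metres as relative, not absolute.
import math

FSPL_CONST_DB = 20 * math.log10(4 * math.pi / 299_792_458)  # about -147.55 dB

def free_space_path_loss_db(distance_m, freq_hz):
    """Free-space path loss between isotropic antennas, in dB."""
    return 20 * math.log10(distance_m) + 20 * math.log10(freq_hz) + FSPL_CONST_DB

def reach_m(tx_dbm, tx_gain_dbi, rx_gain_dbi, rx_sensitivity_dbm, freq_hz):
    """Distance at which the received signal falls to the client's sensitivity."""
    budget_db = tx_dbm + tx_gain_dbi + rx_gain_dbi - rx_sensitivity_dbm
    # invert the path-loss formula for distance: 20*log10(d) = budget - 20*log10(f) - const
    return 10 ** ((budget_db - 20 * math.log10(freq_hz) - FSPL_CONST_DB) / 20)

def scenarios(rx_gain_dbi=0.0, rx_sensitivity_dbm=-85.0):
    """Reach relative to a stock 802.11g AP (assumed: 15 dBm, 2 dBi omni, 2.437 GHz)
    for the changes the column discusses (assumed 802.11a channel: 5.18 GHz)."""
    base = reach_m(15, 2, rx_gain_dbi, rx_sensitivity_dbm, 2.437e9)
    return {
        "stock 802.11g omni": 1.0,
        "+9 dBi external antenna": reach_m(15, 9, rx_gain_dbi, rx_sensitivity_dbm, 2.437e9) / base,
        "TX power cut to 5 dBm": reach_m(5, 2, rx_gain_dbi, rx_sensitivity_dbm, 2.437e9) / base,
        "802.11a, same AP settings": reach_m(15, 2, rx_gain_dbi, rx_sensitivity_dbm, 5.18e9) / base,
    }

def spills_past(boundary_m, **link):
    """Defender's check: does the free-space reach extend beyond the property line?"""
    return reach_m(**link) > boundary_m

if __name__ == "__main__":
    for name, factor in scenarios().items():
        print(f"{name:28s} {factor:5.2f} x stock reach")
```

The ratios are exact for free space: reach scales with 10^(gain_dB/20), so a 7 dB gain increase multiplies it by about 2.24, a 10 dB power cut divides it by about 3.2, and moving from 2.437 to 5.18 GHz multiplies it by 2.437/5.18, roughly the "about half" range the column quotes for 802.11a.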
I hope you find this information helpful and best of luck in securing that connection!
Use our feedback form to submit your questions on home or SOHO networking issues. Please be as specific as possible. We cannot guarantee to answer every question we get, but we'll consider them all.