Is Your Wi-Fi Network Wariness Warranted? (07/30/2004)

A wireless network in the workplace can increase productivity, mobility and vendor and customer satisfaction, but is it secure?

As workers buy laptops with built-in wireless capability and public wireless "hot spots" pop up everywhere from coffee shops to hotel rooms, companies are installing high-speed Wi-Fi wireless networks in the office. But security fears linger.

Blame it on bad publicity. For instance, last fall, two men who were parked outside a Lowe's Cos. home-improvement store in Southfield, Mich., were able to gain access to six credit-card transactions, according to a company spokeswoman.

However, William Clark, a Wi-Fi security expert at consultancy Gartner Inc., estimates there are only "handfuls of [such] incidents every month." And "in terms of actual corporate loss to date, there have been few documented cases," he adds.

Emerging Market

Still, companies are wary of Wi-Fi.

InfoTech, a Parsippany, N.J., consulting subsidiary of PBI Media LLC, recently surveyed about 55 companies that haven't installed a wireless network yet, and found that 73.9% cited security issues as the main barrier to deployment. According to analyst Aaron Vance of Synergy Research Group Inc., Scottsdale, Ariz., security fears helped drive 2003 U.S. corporate spending on wireless down 5% from 2002 to about $486 million, while total spending on Wi-Fi gear was up 27% to about $1.3 billion in the same period.

Technology analysts and those in the industry say security fears are overblown in part because technology buyers hear about security problems yet aren't educated about possible solutions. In response to those fears, and to the increasing cost and complexity of corporate wireless deployments, a subindustry of companies selling software to manage and secure those networks has emerged. Experts say securing a Wi-Fi network adds about 15% to 20% to the installation cost.

"There's a gap between what's available and what's understood by enterprise professionals," says Ron Seide, a manager in Cisco Systems Inc.'s wireless-networking unit, which sells wireless equipment.

Recent technological advances, wireless-security experts say, mean a well-designed corporate wireless network can be as safe as a wired local-area network, or LAN. A Wi-Fi network is "as safe as the engineering company that designs it," according to Gerry Cockram, a wireless-security expert at Sprint Corp., which sells Wi-Fi networking installation and maintenance services.

Out of the Box

At the University of Wyoming, a wireless network sounded like a great idea to departments wanting to increase student productivity by giving them more places with Internet access. After a small initial deployment, though, network engineer Justin Borthwick found that the university's wireless experiment soon got out of control. Students were signing up their friends' laptops for access to the network, creating a potentially serious security problem.

"There was no way for us to control what things people were getting to," Mr. Borthwick says. "There was serious concern that people were accessing financial information." The university slowed rollout of the network until its tech staff could buy a security system that limited access and kept certain applications, like administrative services, off the network.

Using an alphabet soup of encryption and authentication schemes, companies can regulate who can use the wireless network, where and when they can, and what information they can access. Novell Inc.'s 54-acre wireless network at its Provo, Utah, campus, for example, allows guests access to only the Internet, while employees have access to a range of internal computing services through a secure portal, according to Tracy Young, global network engineer for the networking-services company.

No corporate information officer "wants anyone to do anything at any time on their network," says Greg Mesch, president and chief executive of Roving Planet Inc., a Boulder, Colo., wireless-LAN management company.

Picking and Choosing

A properly managed wireless network can tell the difference between individuals and departments within the company and grant them access accordingly. For instance, at St. Vincent's Hospital in Birmingham, Ala., physicians, nurses and nonclinical staff all have different access privileges on the wireless network that covers more than one million square feet. That's to comply with regulations in the federal Health Insurance Portability and Accountability Act mandating either user- or role-based security of information at health-care facilities, according to Tim Stettheimer, vice president and chief information officer. That prevents, for example, someone in accounting from accessing certain patient information.

And using what's known as a virtual private network, or VPN, companies can ensure that an employee at any public wireless hot spot will have encrypted access to company data, creating in effect a tunnel from the laptop through the Internet to the corporate computer system. However, Mr. Clark of Gartner warns that in some cases a sly hacker can install a separate Wi-Fi access point at a hot spot and create a bogus login screen that asks for personal and financial information and sends the information directly to the hacker.

Companies also need to create firm equipment-use policies, says Sprint's Mr. Cockram. These policies should specify what employees are allowed to do with their laptops, which applications they can access and what measures should be taken if a company laptop is lost or stolen.

These precautions shouldn't be "foreign to anyone who's been administering a wired network," says Eric Hermelee, vice president of marketing at Wavelink Corp., a Wi-Fi security and management software company in Kirkland, Wash.

Besides keeping an eye out for hackers, companies need to keep an eye on their own employees, who have several ways of inadvertently breaching their own company's wireless security. For example, employees can install their own "rogue" wireless access point, which may not be as secure as those installed and maintained by the corporate information-technology department. Employees should be prevented from choosing easily guessed network passwords. And since many Wi-Fi security plans rely on the certification of individual laptops, theft of one can compromise a whole network if the computer staff isn't notified immediately.

Then there's the "Centrino problem" -- named after the Intel Corp. chip that gives newly manufactured laptops built-in wireless capabilities right out of the box, without any hardware installation involved. The chip itself doesn't necessarily make a laptop vulnerable to security breaches. The potential breach comes with the fact that wireless-ready laptops are often sent directly from the vendor to employees, without going through the company's information-technology department, says Rich Mironov, vice president of marketing at AirMagnet Inc. in Sunnyvale, Calif. Thus, they're often improperly configured for security purposes -- with measures to prevent a PC from connecting to an unsecured wireless access point turned off, or with computers left in "ad hoc mode," meaning they're acting like an access point and allowing other computers to see their data.

To plug some of these security holes, AirMagnet sells sensors that can detect unsecured laptops and find and kill rogue access points through the air. When testing his product, Mr. Mironov says, potential customers often prove to be ignorant about the number of security holes in their networks: "I've seen IT directors go very pale," he says.

By Daniel Nasaw

-- Mr. Nasaw is a staff reporter in The Wall Street Journal's New York bureau.

Source: Startup Journal
