Consider too that employees desiring more flexibility in their office networking can easily go to the nearest office supply, electronics, and even major discount stores and purchase a powerful wireless access point and associated wireless network card for less than $200 to create an immediate, unsecured backdoor to the enterprise network. In addition, improperly secured WAP gateways can be used as an exploit focal point that can be leveraged to intercept wireless business transactions while they are temporarily in clear text during the gateway process of converting full-size Web applications to miniature-size applications for cell phones and PDA devices.
…And Proven Countermeasures
To maximize the huge benefits of wireless technology without putting the enterprise at serious and unnecessary risk, the following safeguards are recommended:
* Publish clear policies for use of wireless technology, including a standard product list of approved hardware and software and required baseline settings for all available security features in the wireless technology components.
* Ensure that all wireless gateways and access points are properly secured, including changing factory default "insecurity" settings. Most gateways run on general-purpose operating systems (OS) such as Windows NT/2000 or Unix, so prudent "OS hardening" would apply.
* Use network-level or session-level encryption (e.g., IPSsec- or PPTP/L2TP- based virtual private networks, Secure Shell - SSH) to protect communications from being intercepted and replayed. Although the Wired Equivalent Privacy (WEP) provided with most 802.11 products offers some basic protection, it has been recently found to be flawed and potentially vulnerable to intense key cracking attacks with freeware tools such as AirSnort and WEPCrack. WEP should not be relied on by itself to secure highly sensitive applications. Leading wireless technology vendors such as Agere, Cisco, and Symbol will likely be providing enhanced WEP security upgrades by the end of 2002 as part of the recently announced WPA (Wi-Fi Protected Access) initiative.
* Deploy wireless technology products that support enhanced user authentication interfaces such as the 802.1x security protocol specification that uses Extensible Authentication Protocol (EAP) and Remote Access Dial-In User Service (RADIUS). To fully leverage EAP security benefits, you should use tokens, smart cards and/or digital certificates to properly authenticate the wireless users.