Playing it safe on the World Wireless Web

March 6, 2009

At nearly every presentation we give, at least one or two people ask us about wireless security.  So we thought we’d write about it.

Wireless is a GREAT convenience and with a few basic steps, you can ensure that it is reasonably secure from hackers and / or bandwidth thieves.  I’d like to address two different aspects of wireless communications in this post: business and home.  Both have their unique requirements and should be configured differently – unless of course, your home is also your business.

When planning to implement wireless for your business, you need to consider several key security concepts.  For financial institutions, all of these are important to keeping your customer / member information secure.

1.       Encryption – Your wireless communications, including authentication, should be encrypted.  There are two basic types of encryption available on most wireless implementations: WEP and WPA (including WPA2).  WEP can be easily cracked and we don’t recommend it for a business environment.  WPA2 is much more difficult to crack and requires significant amounts of time, unless, of course, your authentication key is a weak password, which makes it trivial to break.

2.       Authentication – For a business wireless network, you might want to implement some form of multi-factor authentication.  Most wireless access points – even those that you can purchase at Best Buy – will support enterprise class authentication mechanisms.  You might consider certificate authentication in lieu of a commercial off-the-shelf product.  It works well and certificates can be centrally revoked if necessary (e.g. stolen laptop, disgruntled employee, etc.).

3.       Configuration – Several things can be done to secure your wireless network from the “casual” miscreant.

a.       Turn off SSID broadcasting

b.      Enable MAC address filtering

c.       Change the default password for your access point(s) – you’d be surprised how many times we find this…

The first two can be defeated with a little bit of knowledge and the right (free) tools, but at least your wireless network won’t be broadcasting to every wireless device that it’s available.

4.       Network Architecture – Consider the placement of your wireless network in your overall network architecture.  If you are installing wireless as a convenience to the plethora of regulators and consultants that are seemingly a fixture in your environment, then place your wireless infrastructure outside of your secure, wired network, either outside your firewall or in a DMZ that only has access to the Internet.

Conversely, if your wireless infrastructure is for use by internal employees, then you’ll want to implement the tightest controls and monitoring infrastructure to ensure that the security of your customer / member information as well as your corporate information is not jeopardized.

5.       Wireless Devices – Consider the types of devices that you are going to allow on your wireless network.  This list will certainly include laptops and may include PDAs and other portable devices as well.  Whichever devices you allow, ensure that your encryption and authentication mechanisms are compatible.  I have a Sony PSP (PlayStation Portable) that has a built-in wireless card, but it does not work with WPA2, so my PSP doesn’t get to connect to my wireless network.

6.       Laptop Security – Undoubtedly, laptops will be connecting to your wireless network.  Unfortunately, they may also be connected to your wired network – or worse, they could be connected to someone else’s wireless network and your wired network.  This creates a problem, depending on your configuration, because a bridge may be created from the wireless network to your wired network, possibly bypassing security devices such as firewalls.

Ensure that wireless cards are disabled when plugged into the wired network.  There are a few ways to do this. We’ve seen a program called Wireless Auto-Switch used at a number of our clients that is pretty reasonably priced and it works well.  This can also be done through the use of profiles (docked and undocked) and I’m sure there are other methods.

As a side note, we have tools that can act as a fake wireless access point.  I’ll let you draw your own conclusions regarding the things we can do when you connect to our fake access point.

Implementing wireless for your home is a bit simpler, but some of the same principles apply.

1.       Consider the area in which you live – If you live in a densely populated area such as an apartment building, condo, a neighborhood where the houses are very close together, or you are close to the street, your security requirements might be a little different than if there are relatively few houses around you and you are away from the road.

I live down a fairly long driveway and I know my wireless network is not reachable without specialized equipment (directional, high-powered antennae).  I also know that my neighbors are not technically capable of hijacking my wireless network.  Nevertheless, I use WPA2 encryption with a strong pass-phrase and have disabled SSID broadcasting.

2.       Access Point Configuration – Minimally, you should do the following:

a.       Change the default SSID of your access point.

b.      Change the default password for administrative access to your access point.

c.       Turn off SSID Broadcasting.  Consult the manual for your particular device for instructions on how to do this.

d.      Enable at least WPA encryption, preferably WPA2, and configure it with a strong password.

These two basic things will keep most unwanted wireless traffic off of your home wireless network.  At least the bad guys will likely choose an easier target.
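The access point checklist above, turned into an audit function as an added example (not part of the original post). The config field names, the lists of default SSIDs and passwords, and the 60-bit strength threshold are assumptions made for illustration; `derive_pmk` is the standard WPA/WPA2-PSK key derivation, in which the SSID acts as the salt, so a unique SSID means the same passphrase yields a different key than it would on a default-named network.

```python
import hashlib
import math
import string

# Constructed sample values; real factory defaults vary by vendor and model.
DEFAULT_SSIDS = {"linksys", "default", "netgear", "dlink"}
DEFAULT_ADMIN_PASSWORDS = {"", "admin", "password", "1234"}
RANK = {"none": 0, "wep": 1, "wpa": 2, "wpa2": 3}
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation + " ")
MIN_BITS = 60  # assumed threshold for a "strong" passphrase, not from the post

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK master key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def passphrase_bits(passphrase: str) -> float:
    """Crude upper bound on entropy: length times log2 of the character pool."""
    pool = sum(len(c) for c in CLASSES if any(ch in c for ch in passphrase))
    return len(passphrase) * math.log2(pool) if pool else 0.0

def audit_access_point(cfg: dict) -> list:
    """Return the checklist items that this access point configuration fails."""
    findings = []
    if cfg["ssid"].lower() in DEFAULT_SSIDS:
        findings.append("default SSID")
    if cfg["admin_password"].lower() in DEFAULT_ADMIN_PASSWORDS:
        findings.append("default admin password")
    if cfg["broadcast_ssid"]:
        findings.append("SSID broadcast enabled")
    if RANK.get(cfg["encryption"].lower(), 0) < RANK["wpa"]:
        findings.append("encryption weaker than WPA")
    elif not 8 <= len(cfg["passphrase"]) <= 63:
        findings.append("passphrase outside the 8-63 character WPA range")
    elif passphrase_bits(cfg["passphrase"]) < MIN_BITS:
        findings.append("weak passphrase")
    return findings

# Constructed configurations: out of the box, and after applying the checklist.
FACTORY = {"ssid": "linksys", "admin_password": "admin", "broadcast_ssid": True,
           "encryption": "WEP", "passphrase": "abcde"}
HARDENED = {"ssid": "maple-court-7", "admin_password": "Tr4il-Mix!Radio",
            "broadcast_ssid": False, "encryption": "WPA2",
            "passphrase": "violet kettle drum 1987 lantern"}

if __name__ == "__main__":
    print(audit_access_point(FACTORY))
    print(audit_access_point(HARDENED))
    # Same passphrase, different SSID: the derived keys differ.
    print(derive_pmk("same passphrase", "linksys") != derive_pmk("same passphrase", "maple-court-7"))
```

The entropy figure only reflects length and character variety, so a long passphrase built from common words will still pass; treat it as a floor, not a guarantee.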

Finally, one last note about wireless security.  When you’re using a public hotspot or untrusted wireless network, always assume that somebody is listening to what you’re broadcasting.  Make sure that your firewall is turned on and that your anti-virus software is up-to-date.  If you have a POP3 email account, you might not want to check it because the credentials are sent in plain text and anyone can capture them off the wireless network and possibly gain access to your email.

– TrustCC

