Wireless consumer-ization: User joy, IT's misery

Wi-Fi support has made its way into all kinds of consumer devices -- from smartphones to gaming consoles, cameras, DVD players and televisions -- and it is often implemented with native connection sharing capabilities. While great for consumers, this creates security and performance issues when any of these devices end up at work.


This article looks at three of the challenges consumer-ization presents to IT administrators. Further, it identifies some best practices that enterprise teams can implement to mitigate the problems.

1. Wireless intrusion points: Before wireless commoditization, wireless intrusion points in an enterprise were mostly limited to specific hardware such as wireless bridges and NAT/routers. One had to physically connect such a device to a network to create an intrusion point (the exception being the "soft AP" functionality available with a few add-on Wi-Fi cards on Linux/Windows).

Things have changed dramatically with the virtual Wi-Fi feature introduced in Windows Vista and Windows 7. Now almost any innocuous wireless notebook can become a threat to your security.

With virtual Wi-Fi, it is not only easy to set up a "soft AP" using the built-in Intel Centrino wireless adapter, but also possible to run client and AP modes simultaneously. Moreover, free tools such as Connectify enable this configuration in just a couple of clicks.

Virtual Wi-Fi creates a wireless hotspot by "bridging" communication between two wireless interfaces on a host -- one that is used for client operations and the other that is used for AP operations. Note that the AP mode operation is very similar to that of a network address translation (NAT) AP.

Further, insecure Wi-Fi configurations such as Open and WEP are also allowed while creating virtual AP profiles. Thus, unauthorized users (ghost riders) can possibly piggyback behind authorized or guest users in your enterprise. This can pose a serious threat to enterprise security.

Realize that enabling 802.1X port control on your Ethernet ports will not block this threat for the simple reason that there is no unauthorized port to block. Further, network-access control cannot block such devices as they are hidden behind the NAT functionality of your authorized wireless client.
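Because neither 802.1X nor NAC sees the NAT-hidden clients, the practical control is on the endpoint itself: check whether the hosted-network (virtual Wi-Fi) feature is permitted and whether a soft AP is actually running. The following is an added example, not code from the article; it parses the output of the Windows `netsh wlan show hostednetwork` command, which an endpoint agent or login script can run, and reports findings. The sample output is constructed (SSID, BSSID, MAC and channel are made up); the field names follow netsh's `key : value` layout, and the `netsh` invocation in `live_findings` assumes a Windows 7 host.

```python
import re
import subprocess

# Constructed sample of `netsh wlan show hostednetwork` output from a Windows 7
# notebook running a virtual AP ("soft AP") with one client attached.
# All values (SSID, BSSID, client MAC, channel) are made up for this example.
SAMPLE_HOSTEDNETWORK = """\
Hosted network settings
-----------------------
    Mode                   : Allowed
    SSID name              : "FreeCorpWifi"
    Max number of clients  : 100
    Authentication         : WPA2-Personal
    Cipher                 : CCMP

Hosted network status
---------------------
    Status                 : Started
    BSSID                  : 02:1a:2b:3c:4d:5e
    Radio type             : 802.11n
    Channel                : 11
    Number of clients      : 1
        aa:bb:cc:dd:ee:ff        Authenticated
"""

# netsh prints settings as "<key>   : <value>"; the spaces around the colon let
# us distinguish a field separator from the colons inside a MAC address.
FIELD_RE = re.compile(r"^\s*(.+?)\s+:\s+(.*?)\s*$")
# Connected clients are listed as "<mac>   <state>" under "Number of clients".
MAC_RE = re.compile(r"^\s*([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5})\s+(\w+)\s*$")


def parse_hostednetwork(text):
    """Return (fields dict, list of (client_mac, state)) from netsh output."""
    fields, clients = {}, []
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2).strip('"')
            continue
        m = MAC_RE.match(line)
        if m:
            clients.append((m.group(1).lower(), m.group(2)))
    return fields, clients


def assess_hostednetwork(text):
    """Produce the findings an endpoint agent would report back to IT."""
    fields, clients = parse_hostednetwork(text)
    findings = []
    if fields.get("Mode") == "Allowed":
        # The feature itself is enabled; the fix is mode=disallow (see note).
        findings.append("hosted network permitted on this host")
    if fields.get("Status") == "Started":
        findings.append("soft AP is running: SSID %s on channel %s"
                        % (fields.get("SSID name"), fields.get("Channel")))
    # Third-party soft-AP tools allow Open/WEP; flag it if the tool reports it.
    if fields.get("Authentication") in ("Open", "WEP"):
        findings.append("soft AP uses weak security: %s" % fields["Authentication"])
    for mac, state in clients:
        # These stations sit behind the notebook's NAT and are invisible to
        # 802.1X and NAC on the wired side.
        findings.append("NAT-hidden client %s (%s)" % (mac, state))
    return findings


def live_findings():
    """Run the real command on a Windows host (assumption: netsh is present)."""
    out = subprocess.run(["netsh", "wlan", "show", "hostednetwork"],
                         capture_output=True, text=True, check=False).stdout
    return assess_hostednetwork(out)


if __name__ == "__main__":
    for finding in assess_hostednetwork(SAMPLE_HOSTEDNETWORK):
        print("FINDING:", finding)
```

On hosts where the feature is not needed, `netsh wlan set hostednetwork mode=disallow` turns it off; an agent that sees "Mode : Allowed" or "Status : Started" is the detection, and the disallow command (pushed by script or policy) is the remediation. Third-party tools such as Connectify bring their own driver and are not covered by this check.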

2. Wireless extrusion points: Wireless extrusions occur when an authorized wireless endpoint connects to an unauthorized device (e.g., access point or peer client). Wireless extrusions can potentially be exploited to launch man-in-the-middle attacks to compromise the specific client/user. Whether a client is actually vulnerable to such an attack depends on the WLAN profile/configuration of the client. For example, clients probing for any default or hotspot SSIDs are definitely vulnerable.
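Since exposure to extrusion depends on the client's WLAN profiles, an audit of those profiles is the concrete check. The following is an added example, not code from the article: it parses the output of `netsh wlan show profile name="<ssid>"` for each stored profile and flags the conditions the text describes, Open/WEP security, automatic connection, and profiles that make the client probe for a non-broadcast SSID by name. The two profile dumps are constructed, and the default/hotspot SSID watch list is an assumption to be replaced with names from your own site survey.

```python
import re

# Constructed `netsh wlan show profile name="<ssid>"` output for two profiles on
# a corporate Windows 7 notebook (abbreviated to the fields this check uses).
PROFILE_CORP = """\
Profile CorpNet on interface Wireless Network Connection:
=======================================================================

Profile information
-------------------
    Name                   : CorpNet
    Control options        :
        Connection mode    : Connect manually
        Network broadcast  : Connect only if this network is broadcasting

Connectivity settings
---------------------
    SSID name              : "CorpNet"
    Network type           : Infrastructure

Security settings
-----------------
    Authentication         : WPA2-Enterprise
    Cipher                 : CCMP
"""

PROFILE_HOTSPOT = """\
Profile Free_WiFi on interface Wireless Network Connection:
=======================================================================

Profile information
-------------------
    Name                   : Free_WiFi
    Control options        :
        Connection mode    : Connect automatically
        Network broadcast  : Connect even if this network is not broadcasting

Connectivity settings
---------------------
    SSID name              : "Free_WiFi"
    Network type           : Infrastructure

Security settings
-----------------
    Authentication         : Open
    Cipher                 : None
"""

# Assumed watch list of SSIDs that consumer gear and public hotspots use by
# default. A stored profile for one of these is what a rogue AP impersonates.
HOTSPOT_SSIDS = {"free_wifi", "linksys", "default", "netgear", "dlink"}

# netsh prints "<key>   : <value>"; lines with a bare trailing colon are
# section headers and are skipped.
FIELD_RE = re.compile(r"^\s*(.+?)\s+:\s+(.*?)\s*$")


def parse_profile(text):
    """Collect the key/value fields of one profile dump into a dict."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2).strip('"')
    return fields


def assess_profile(text):
    """Return (ssid, findings) for one profile; no findings means no concern."""
    p = parse_profile(text)
    ssid = p.get("SSID name") or p.get("Name", "?")
    findings = []
    if p.get("Authentication") in ("Open", "WEP"):
        findings.append("weak security (%s): any AP announcing this SSID is accepted"
                        % p["Authentication"])
    if p.get("Connection mode") == "Connect automatically":
        findings.append("auto-connect: client joins without user action")
    if p.get("Network broadcast", "").startswith("Connect even if"):
        # Non-broadcast profiles make the client send directed probe requests
        # for the SSID wherever it is, which is how it gets singled out.
        findings.append("non-broadcast profile: client actively probes for this SSID by name")
    if ssid.lower() in HOTSPOT_SSIDS:
        findings.append("SSID matches a default/hotspot name that is trivially impersonated")
    return ssid, findings


def audit_profiles(profile_outputs):
    """Map each profile's SSID to its findings across a list of netsh dumps."""
    report = {}
    for text in profile_outputs:
        ssid, findings = assess_profile(text)
        report[ssid] = findings
    return report


if __name__ == "__main__":
    for ssid, findings in audit_profiles([PROFILE_CORP, PROFILE_HOTSPOT]).items():
        print(ssid, "->", findings or "ok")
```

In practice the list of stored profiles comes from `netsh wlan show profiles`, and each name is then fed to `netsh wlan show profile name=...`; profiles that trip these checks can be removed with `netsh wlan delete profile name=...` or overridden by a Group Policy wireless profile that pins the corporate SSID and disables automatic connection to anything else.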

Several recent smartphone models can act as Wi-Fi hotspots. For example, Palm, Symbian and Sprint EVO devices already support this feature, and hacks are available on the Internet to convert an iPhone into a hotspot. Such smartphones relay data between their Wi-Fi and 3G/4G interfaces. Similarly, SIMFI technology allows pretty much any phone to be converted into a Wi-Fi hotspot.

There are multiple ways to exploit these capabilities. First, employees can use them for communication that violates your security policy (e.g., accessing a forbidden Web site from within the enterprise, or uploading sensitive data while bypassing your corporate firewall). Worse, an attacker can use this feature to turn a phone into a honeypot device, and a mobile honeypot makes it easier to cover more ground and quickly identify vulnerable clients.
