Wireless security: The enemy is us

"We have met the enemy and he is us." — Pogo, 1971

In a perfect world of wireless security, no data ever lies exposed on the disks of mobile clients. There's never a possibility of rogue access points (AP) hijacking critical log-in data. All wireless datagrams are encrypted to stymie those sniffing sessions out of thin air. This perfect world evaporates with users, the weak link in wireless security.

"The biggest problem with securing mobile devices is the behavior of the end users," said Michael Disabato, vice president and service director of the Burton Group, a wireless security industry analyst company in Midvale, Utah.

IT needs to analyze wireless vulnerabilities and threats "just like any other type of security," Disabato said, starting with users and their mobile devices. IT needs to start planning for working outside the corporate firewall," he said, adding that the old "M&M security model," with a hard exterior and soft interior, "is dead and gone."

"Now we're on to the Swiss cheese model because people are opening up firewalls to accommodate new services. So network and IT managers and security people need to understand they've now got thousands of perimeters with a lot more problems, in addition to Port 80 [Web] and 443 [Secure Sockets Layer] problems," he said.

Wireless users, like users everywhere, don't care about underlying security or connections so long as they work and are unobtrusive, Disabato said. "Users will always be the critical link in the security chain," he added. "Technologists must remember that users want IT to perform an assigned task. Anything IT does that interferes with that task will get bypassed."

Hot growth market

Strong and friendly mobile-client security is a hot growth market experiencing double-digit sales jumps year over year and jockeying among a slew of established and start-up vendors for position in services, platforms and security. In April, IBM Global Services announced a suite of desktop security services, and start-up Buffalo Technology (USA) Inc., a division of Japan-based peripheral vendor Melco Holdings Inc., announced wireless security policy enforcement products.

This was followed shortly afterward by a mobile authentication system based on smart cards and subscriber identity modules from European vendors Alcatel, Gemplus International SA and Birdstep Technology ASA.

Don't look to Wi-Fi (802.11 wireless data network) service providers to secure users and the wireless links between mobile devices and APs anytime soon, according to John Barrett, director of research at Parks Associates, a Dallas-based company focused on digital consumer technologies.

"With Wi-Fi, you're introducing a link between the source device and the applications that the carrier can't control," Barrett said. "Carriers now are dealing with a new level of risk and uncertainty brought by the client Wi-Fi wireless links to applications they don't control."

Network service providers do a good job of securing end-to-end access on their Global System for Mobile Communications and Code Division Multiple Access cellular wireless networks, he said, because they exercise end-to-end control. This also applies to cellular data applications and emerging voice over IP via Wi-Fi networks.

Authenticating and authorizing users is the cornerstone of remote mobile access, said Disabato. Cellular providers were early adopters of device authentication to thwart fraud. They also have been enthusiastic backers of emerging identity management standards from standards-setting bodies such as the Organization for the Advancement of Structured Information Standards and the Liberty Alliance.

Securing users on Wi-Fi networks today beyond the control of the service provider's APs usually begins with the 802.1x secure authentication standard, which centralizes authentication for a local Wi-Fi AP with passwords entered onto a remote Radius server.

Access provided, but bring your own security

Austin-based Wayport Inc. is a privately held leader in providing Wi-Fi connectivity. According to Dan Lowden, vice president of marketing, Wayport has Wi-Fi APs in the common areas of almost 800 hotels, terminals and gates in six airports, plus wireless business centers in an additional six U.S. airports. Wayport also is planning to add thousands more APs in 13,500 McDonald's Corp. restaurants in the U.S. during the next 12 months (see story). More than 3,000 United Parcel Service Inc. stores also plan to add Wayport Wi-Fi APs.

Users need to bring their own security for the link between their mobile devices and Wayport's Wi-Fi APs, Lowden said. "We're trying to educate our customers that there's things you as a user need to do to make the connection as secure as possible. We encourage the use of personal firewalls and VPNs" after users log into Wayport's APs, he said, a policy echoed in the security policy and disclaimer on the company's Web site.

"We know a good number of our users are doing that [launching encrypted virtual private network tunnels after the AP log-in], but we don't have statistics," he said, adding that VPN usage statistics are planned for future customer surveys.

Lowden said Wayport installs a network management server at each Wi-Fi AP to monitor and control traffic and to supervise credit card authorizations.

"Our system is set up to block and adapt to attacks as they happen," Lowden said, referring to the Wayport wireline network upstream from the APs. "And if we need to do something, we can send a patch remotely to all our locations instantaneously. There's tremendous risk for abuse if we just provide the service. We need to protect users and the access point venue," he said.

Cometa Networks Inc. is a privately held Wi-Fi provider founded by IBM, AT&T Corp. and Intel Corp. Cometa also uses the 802.1x wireless secure authentication to centrally manage and secure authentication for their APs.

Jim Szafranski, Cometa's vice president of product management, said the company adds a few extra security steps to secure clients, such as encrypting all log-in data entry fields for personal information and passwords. "We do some other things to secure our APs, such as securing them so users can't see other users and their disks," he said.

Schaumberg, Ill.-based Cometa also has intrusion-detection and network defenses to thwart unauthorized usage.

"We've generally had a very well-behaved user set. People are finding value in using our Wi-Fi as a productivity tool, [so] we haven't had a lot of bad user behavior."

Szafranski added that newer technologies, such as Wireless Protected Access and the new 802.11i strong encryption standard, will give service providers the means to do end-to-end integrated security from the client.

"We don't support WEP [Wireless Equivalent Protocol] because of its weaknesses, and we absolutely will support WPA when it's practical," he said. "You'll start to see the gap widening between carrier-class Wi-Fi networks such as Cometa and generic free wireless hot spots."

Three steps for stronger WiFi security 1. Secure your access point login: Check for encrypted login fields for passwords and personal information. Minimal 802.1x authentication doesn't require encrypted fields. The more authentication, especially using methods that can't be compromised by a "man-in-the-middle," the better. 2. Secure your session: There's no substitute for a client firewall and VPN tunnel to secure your data after logging into the access point. 3. Know your service provider's security policies: How much security does your WiFi service company provide for thwarting man-in-the middle attacks or detecting rogue access points?

The Untethered Worker

Stories in this report:

• The Untethered Worker
  
• Wireless LANs Find Their Voice
  
• Choosing a Nationwide Cellular Plan
  
• Tales From Wireless Road Warriors
  
• The Almanac: Wireless
  
• Opinion: Still Worried About Wireless
  
• Wi-Fi Quiz
  
• Wireless Hacking Techniques
  
• Wireless security: The enemy is us
  
• Wireless Glossary
  
• Wireless Bookshelf