WLAN chip sets open a new door to insecurity

Intel Corp.'s recent Centrino announcement marks a new phase in mobile computing, including a strong emphasis on the 802.11 wireless LAN standard for enterprises.

Embedding WLAN chip sets into Microsoft XP-based machines that detect 802.11 networks will dramatically change the way workers use corporate networks. But it will also change the way users can access someone else's wireless networks.

Thus, rapid WLAN adoption presents serious security challenges for enterprise IT professionals. In a traditional wired network, every laptop accesses the network through a designated port. With a WLAN, it's impossible to determine where the user or network equipment actually resides.

In a WLAN environment, it's possible for unauthorized clients or devices to access the network because any compliant 802.11 network interface card can associate with the network. Furthermore, network access can be broadcast to anyone within range of the signal without the systems administrator's knowledge. This is accomplished through the use of any off-the-shelf access point or router attached to an open network port. And even when network bandwidth and performance are saturated, administrators may not be able to identify who is downloading large audio or video files.

Here are some common -- yet unpredictable -- security breaches that can occur in a corporate campus setting:

  • Rogue access point: A user plugs an off-the-shelf access point into a wired network port, thus broadcasting corporate network access to anyone with an 802.11-based device.

  • Ad hoc mode: A user switches the wireless network card in his laptop into ad hoc mode -- purposely or mistakenly. In both cases, the user is authenticated for network access and creates a gateway to his system as well as to the network he's connected to.

  • Connection hijacking: A hijacker plugs an access point into his laptop. The access point has Dynamic Host Configuration Protocol bridging but no Wired Equivalent Privacy capabilities turned on. Users on the wired network connect wirelessly to this access point, thus giving the hijacker access to their systems as well as to the wired network to which they're connected.

  • Neighborhood nuisance: A user plugs into a wired network jack and uses a standard bridging command to gain both wired and wireless access. His wireless connection associates with a neighboring access point, allowing that neighbor access to the user's computer and network.
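
The four scenarios above can be told apart by correlating what wireless sensors hear with what the wired switches see. The sketch below is an added example, not code from the article or from any vendor; the inventory sets, the Observation fields, the finding labels and the sample data are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Constructed inventory (assumption): sanctioned AP BSSIDs and corporate client MACs.
AUTHORIZED_APS = {"00:11:22:aa:00:01", "00:11:22:aa:00:02"}
CORPORATE_CLIENTS = {"00:11:22:cc:00:10", "00:11:22:cc:00:11", "00:11:22:cc:00:12"}

@dataclass
class Observation:
    mac: str            # transmitter seen by a wireless sensor
    mode: str           # "ap", "client" or "adhoc"
    bssid: str          # BSSID the device advertises or is associated with
    on_wired_lan: bool  # MAC also present in the switch forwarding tables

def classify(obs: Observation) -> list[str]:
    """Map one observation onto the breach types listed in the article."""
    findings = []
    if obs.mode == "ap" and obs.bssid not in AUTHORIZED_APS and obs.on_wired_lan:
        # Unsanctioned AP bridged to a corporate port; a neighbour's AP that is
        # merely in radio range (not on our wire) is not flagged by itself.
        findings.append("rogue-access-point")
    if obs.mac in CORPORATE_CLIENTS:
        if obs.mode == "adhoc":
            findings.append("ad-hoc-mode")
        elif obs.mode == "client" and obs.bssid not in AUTHORIZED_APS:
            # Covers both connection hijacking and the neighbourhood nuisance.
            findings.append("foreign-association")
            if obs.on_wired_lan:
                findings.append("bridges-wired-network")
    return findings

def audit(observations):
    """Return {mac: findings} for every device with at least one finding."""
    report = {}
    for obs in observations:
        findings = classify(obs)
        if findings:
            report[obs.mac] = findings
    return report

# Constructed sample data, not taken from a real survey.
SAMPLE = [
    Observation("00:11:22:aa:00:01", "ap", "00:11:22:aa:00:01", True),
    Observation("de:ad:be:ef:00:01", "ap", "de:ad:be:ef:00:01", True),
    Observation("de:ad:be:ef:00:02", "ap", "de:ad:be:ef:00:02", False),
    Observation("00:11:22:cc:00:10", "client", "00:11:22:aa:00:02", True),
    Observation("00:11:22:cc:00:11", "adhoc", "02:00:00:00:00:01", True),
    Observation("00:11:22:cc:00:12", "client", "de:ad:be:ef:00:02", True),
]

if __name__ == "__main__":
    for mac, findings in audit(SAMPLE).items():
        print(mac, ", ".join(findings))
```
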

These security issues aren't insurmountable. One of the ways they can be remedied is by using a location-enabled network (LEN) system to help beef up corporate network access security. This access can be restricted to offices and cubicle work areas while enabling access in public spaces to the Internet, e-mail and instant messaging. LENs can also provide secure access to external networks in conference rooms and monitor external areas for network activity for security and informational purposes.

This is accomplished by determining the location of any 802.11 device on the network. Based on that information, LENs may grant or deny network access, provide perimeter security to ensure no one gets on the network, provide pinpoint location of hackers before they get on a network and put a "dead stop" to the 802.11 signal.

WLAN adoption presents serious security challenges for today's enterprise IT professionals. But by using LENs, organizations can help protect themselves against unauthorized access to networks.

Michael Maggio is president and CEO of Newbury Networks Inc., a supplier of location-enabled networks in Boston.

Copyright © 2003 IDG Communications, Inc.
