With wireless LANs cropping up on company grounds, network managers
need to batten down the 802.11 hatches. That means setting the stage
for wireless policies, to be implemented now as well as in the future.
Many experts think that wireless policies should start with a logical
separation between the wired enterprise network and 802.11 links.
“Employees using the wireless network should then be required to use a
VPN to gain access to the production network. That way, users will be
authenticated, so you’ll know who is connecting. Also, in-the-air
connection to the internal network, packets will be encrypted without
relying on WEP (Wireless Encryption Protocol),” says Jason Conyard,
director for wireless product management at Symantec.
“You need to protect all points of egress, or entry, on to the
network,” suggests Gregor Freund, CEO and co-founder of Zone Labs.
“Companies are already protecting entry points such as e-mail and
floppy disks. Now, wireless hubs are also becoming an entry point,”
agrees Bob Hansmann, enterprise product manager for Trend Micro.
Moreover, unless network managers take the right steps, laptops
connected to wireless LANs are much more vulnerable than PCs attached
to wired nets.
If companies decide they don’t want to risk wireless VPN access to
the production network, they can set up wireless proxy servers just
for e-mail and Web services, according to Hansmann.
Companies should also keep protocols on wireless LANs down to a bare
minimum, Conyard says. “You don’t want to be introducing any features
that you’re not going to be using. IPsec and DNS ought to be enough.”
In setting up wireless access points, network administrators should
enter the addresses of approved NIC cards. “The access point has a
central database. This will tell the access point which devices are
allowed to connect,” he adds.
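The two controls above (an approved-NIC list and a wireless segment limited to IPsec and DNS) can be checked against flow records from that segment. The following is an added example, not code from the article or from any vendor quoted in it; the record format, the addresses and the function name are assumptions, and the allowed set would need UDP/4500 added if the VPN uses NAT traversal.

```python
# Added example; every address and flow record here is constructed sample data.
APPROVED_NICS = {"00:11:22:33:44:55", "00:11:22:33:44:66"}  # hypothetical inventory

# (IP protocol number, destination port) pairs the policy permits.
# Port is None for protocols that have no ports.
ALLOWED_TRAFFIC = {
    (17, 500),   # UDP/500: IKE, the IPsec key exchange
    (50, None),  # ESP: encrypted IPsec payload
    (51, None),  # AH: IPsec authentication header
    (17, 53),    # UDP/53: DNS
    (6, 53),     # TCP/53: DNS (large responses)
}

# One flow per line: source MAC, IP protocol number, destination port ("-" if none).
SAMPLE_FLOWS = """\
00:11:22:33:44:55 17 500
00:11:22:33:44:55 50 -
00:11:22:33:44:66 17 53
00:11:22:33:44:66 6 80
00:AA:BB:CC:DD:EE 17 53
00:11:22:33:44:55 6 445
"""


def audit_flows(flow_text, approved=APPROVED_NICS, allowed=ALLOWED_TRAFFIC):
    """Return (line_number, mac, reasons) for every flow that breaks policy."""
    approved = {mac.lower() for mac in approved}
    findings = []
    for line_number, line in enumerate(flow_text.splitlines(), start=1):
        if not line.strip():
            continue
        mac, proto_field, port_field = line.split()
        proto = int(proto_field)
        port = None if port_field == "-" else int(port_field)
        reasons = []
        if mac.lower() not in approved:
            reasons.append("NIC not on approved list")
        if (proto, port) not in allowed:
            reasons.append("protocol outside IPsec/DNS policy")
        if reasons:
            findings.append((line_number, mac, reasons))
    return findings


if __name__ == "__main__":
    for line_number, mac, reasons in audit_flows(SAMPLE_FLOWS):
        print(f"flow {line_number}: {mac}: {'; '.join(reasons)}")
```

Source MAC addresses travel unencrypted in 802.11 frames, so the approved-NIC check is an inventory control and not authentication; the VPN requirement still does that job.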
Viruses can raise problems on wireless LANs, too. According to
Hansmann, wireless hubs should be protected behind a “virus wall,”
along with a firewall.
“A LAN connection is a LAN connection, whether it’s wired or not. The
operating system is what’s important. There are more than 50,000
viruses out there (that run on Windows OS), and laptops are just as
prone to them as desktop PCs,” Conyard says.
Some think that, at a certain point, companies will need to extend
policies to Palm and Windows CE devices, as well as to other types of
wireless nets, such as Bluetooth.
“There’s been a lot of hype about PDA viruses,” Conyard
admits. “Wireless connectivity does exist for PDAs, but it’s always
done as an add-on, and it’s still pretty much a gimmick
today. Most use of 802.11 LANs today is still on laptops. I believe
though, that real threats will start to emerge in the future, after
(Palm and Windows CE) OS become more commonplace. It’s just a matter
Late in the year 2000, virus writers released two trojan horses for
the Palm OS – Liberty and Vapor – plus a virus, Phage. The Palm
viruses didn’t do much damage, and viral outbreaks have yet to occur
on the Windows CE side. Microsoft, though, is reportedly considering
including macro functionality in the next edition of the OS.
Meanwhile, though, at least six anti-virus software makers have
released products for various PDA platforms, including Symantec,
McAfee, Trend Micro, F-Secure, and Computer Associates. Also,
Symantec’s desktop anti-virus package scans for nine different Palm
viruses when a Palm device is syncing up with a PC. Some other desktop
anti-virus products have introduced similar features.
“As true virus threats emerge, Symantec will also look to develop
software for other PDA platforms. I think it’s also reasonable to
assume that, as organizations begin to manage devices, we’ll start to
provide management from a single platform, the same way we already do
for desktop PCs,” says Symantec’s Conyard.
Right now, though, purchase of wireless equipment is still being done
on an ad hoc basis in many companies. Software purchases are even more
“Lots of companies have just a hodgepodge of products. They’re
actually paying a lot for them already, though. Employees are buying
Palms, and then expensing them, for example. Few companies, however,
have given much thought to the business reasons behind these
expenses. They’ve given even less thought to what applications will be
run,” according to Conyard.
Beyond establishing wireless policies, detection and user education
are also key. In many cases, companies may not even know that wireless
networks are up and running on their premises.
“If you’re operating a ‘rogue’ wireless LAN, it’s quite feasible for
someone to either stand outside your door with a laptop PC, or use
rented office space in your building, to tap right into your corporate
network. If confidential information does leak out, the company might
not ever find out what happened,” Conyard contends.
Network managers can use sniffer technology to determine the existence
of unauthorized wireless LANs. “You also need to educate employees
that they’re not going to get the same level of security with an
(unprotected) wireless network,” he adds.
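Once a sniffer survey has produced a list of the access points it heard, finding unauthorized wireless LANs means comparing that list with the sanctioned inventory. The sketch below is an added example, not part of the original article; the CSV layout, the inventory, the signal threshold and all BSSIDs and SSIDs are constructed assumptions.

```python
import csv
import io

# Hypothetical inventory of sanctioned access points: BSSID -> expected SSID.
SANCTIONED = {
    "00:11:22:aa:00:01": "corp-wlan",
    "00:11:22:aa:00:02": "corp-wlan",
}
ON_PREMISES_DBM = -65  # assumed: stronger than this is probably inside the building

# Constructed survey output, one row per access point heard.
SURVEY_CSV = """\
bssid,ssid,channel,signal_dbm
00:11:22:AA:00:01,corp-wlan,1,-48
00:11:22:AA:00:02,default,6,-52
00:DE:AD:00:00:10,corp-wlan,11,-55
00:DE:AD:00:00:11,linksys,6,-50
00:DE:AD:00:00:12,cafe-next-door,3,-88
"""


def classify(row, sanctioned=SANCTIONED, near_dbm=ON_PREMISES_DBM):
    """Label one surveyed access point relative to the sanctioned inventory."""
    bssid = row["bssid"].strip().lower()
    ssid = row["ssid"]
    if bssid in sanctioned:
        # Known hardware, but check it still advertises the expected network.
        return "sanctioned" if ssid == sanctioned[bssid] else "sanctioned-misconfigured"
    if ssid in set(sanctioned.values()):
        # Unknown hardware advertising the corporate network name.
        return "unsanctioned-using-corporate-ssid"
    if int(row["signal_dbm"]) >= near_dbm:
        return "unsanctioned-likely-on-premises"
    return "neighbor"


def survey_report(csv_text):
    """Group surveyed BSSIDs by classification."""
    report = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        report.setdefault(classify(row), []).append(row["bssid"])
    return report


if __name__ == "__main__":
    for label, bssids in survey_report(SURVEY_CSV).items():
        print(f"{label}: {', '.join(bssids)}")
```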
Meanwhile, it can also be a good idea to standardize on a single
vendor for wireless LAN purchases, for financial clout as well as
greater compatibility. “First, this will give you more purchasing
power. Second, there are subtle differences in wireless LAN
equipment. Although nearly everything wireless today is
802.11-compliant, vendors are interpreting 802.11 in slightly
different ways,” Conyard notes.
Editor’s note: This story first appeared on Crossnodes, an internet.com site.