The perils of ad hoc mode
According to Conley, ad hoc mode might seem a pretty innocuous and productive way for people to share from one laptop to another on a peer-to-peer network using their wireless cards outside a wireless network. While there are great advantages to sharing information without having to move a disk or a CD from machine to machine, ad hoc networks create an open port to your machines because they're emitting a signal. As he was quick to acknowledge, "that wireless card emits a signal not only to the person trying to share the information, but also to somebody who might be outside who can actually very easily hop onto that signal. The real danger is that this unauthorised user can not only get into your machine, but if you're still connected to your wired-side network, he can use your machine as a gateway to get into that wired-side network."
The danger of switching home/office network configurations
Another harmful oversight is failing to reset network configurations when making the transition from a home office to the workplace and back. Conley warned that mobile workers should make sure when they come back into the office from home that their cards aren't still seeking that home Linksys network. It's important to educate employees in the proper procedures for shutting down their machines when they leave their homes so that when they return to the office, their laptops are using the right network configuration and are looking for the right access point within the confines of the office.
The harm in simultaneously tethering and beaconing
Another example of bad business practice happens so regularly that even Conley catches himself doing it: docking a laptop into the wired-side Ethernet cable to get Internet access while the wireless card is still on. He feels it's imperative to teach your employees to shut off their wireless cards every time they dock their laptops. If they don't, they're creating an open port for outside people to get into the corporate network. As he explained, "when your wireless network card is on, its beaconing signal can very easily be hopped onto by a hijacker or hacker: somebody who is trying to maliciously invade that network. [For example,] when you're inadvertently in the ad hoc mode, they not only can hop onto your signal that's being emitted from your card to get into your machine, but also use your machine as an open gateway to the wired-side network that you're ultimately connected to." Conley's advice? Make sure that when you dock your laptop, your wireless network card is shut off. Either you're on a wireless network or a wired network. You should never be on both.
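The two conditions described above (a card left in ad hoc mode, and a docked laptop with its wireless card still active) can be checked on the laptop itself. The following is an added example, not part of the original article: it assumes a Linux laptop, parses constructed samples of `iw dev` and `ip -o link show` output, and treats any non-wireless interface with carrier as the wired side.

```python
import re

# Constructed sample of `iw dev` output: a card left in ad hoc (IBSS) mode.
IW_DEV = "phy#0\n\tInterface wlan0\n\t\tifindex 3\n\t\ttype IBSS\n"

# Constructed sample of `ip -o link show` output from a docked laptop.
IP_LINK = (
    "1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN\n"
    "2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP\n"
    "3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP\n"
)

def wireless_modes(iw_dev_text):
    """Map each wireless interface to its mode (managed, IBSS, ...)."""
    modes, current = {}, None
    for line in iw_dev_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "Interface":
            current = fields[1]
        elif len(fields) >= 2 and fields[0] == "type" and current:
            modes[current] = fields[1]
    return modes

def links_with_carrier(ip_link_text):
    """Names of non-loopback interfaces that are up and have carrier."""
    live = set()
    for line in ip_link_text.splitlines():
        m = re.match(r"\d+:\s+([^:@\s]+)[^<]*<([^>]*)>", line)
        if not m:
            continue
        flags = set(m.group(2).split(","))
        if "LOOPBACK" not in flags and {"UP", "LOWER_UP"} <= flags:
            live.add(m.group(1))
    return live

def audit(iw_dev_text, ip_link_text):
    """Return findings for ad hoc mode and for wired + wireless both live."""
    modes = wireless_modes(iw_dev_text)
    live = links_with_carrier(ip_link_text)
    findings = [f"{n}: ad hoc (IBSS) mode" for n, m in sorted(modes.items())
                if m == "IBSS"]
    # Assumption: an interface `iw dev` does not list is the wired side.
    wired, wifi = sorted(live - set(modes)), sorted(live & set(modes))
    if wired and wifi:
        findings.append(f"bridging risk: wired {','.join(wired)} and "
                        f"wireless {','.join(wifi)} both active")
    return findings

if __name__ == "__main__":
    for finding in audit(IW_DEV, IP_LINK):
        print(finding)
```

On a real machine, pass the live output of the two commands to `audit()`; an empty result means neither condition was found.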
Wi-Fi security tools to augment safe practices
While Conley senses companies are becoming more educated about the vulnerability of wireless technology, in the last 12 months a number of tools have come onto the market to help enterprises better secure their wireless networks.
Scoping out your airspace
Traditional wireless "sniffers" can help you monitor and test your network airspace. The more you know about your layout -- inside your offices, across the hallway, on the floors above and below you, as well as outside your brick and mortar -- the better idea you'll have about where security breaches might occur. Then you can implement intrusion prevention measures.
Distinguishing between legitimate and rogue users
One rather maintenance-intensive way to distinguish between the good guys and the bad is to have an inventory of wireless-card addresses associated with particular users. The problem arises when you have a visitor coming into your office who just wants to get onto your network to check his e-mail. If his wireless card address isn't in your system, he'll be denied access. The other way to make the distinction is through monitoring the WLAN by location and using authentication tools to determine who is operating the device and if they are doing so from an IT-sanctioned location. With today's technology, such as Newbury Networks' WiFi Watchdog product, you can actually get as tight as three to 10 feet in your location restrictions. This selective detection helps IT security staff distinguish a rogue device from a device that's simply outside the perimeter causing no harm to users or the network.
Implementing location-based perimeter security
Conley describes it as "outside in and inside out": the process of denying access to anybody from the outside trying to get in, as well as anyone from the inside who might be associating with an outside network or a device that they shouldn't. The Air Force is currently using this technology to keep the wireless networks of aircraft on the runways -- be they stationary or taxiing -- from being compromised. For corporations, it's an important safeguard to prevent the employees in the company a few floors above you from reading your signal and popping onto your network, or disgruntled ex-employees sitting out in the parking lot from hijacking your signal and wreaking havoc on your network.
"Products like our WiFi Watchdog," said Conley, "create a virtual location-based firewall around facilities and prevent unauthorised access from any 802.11 source attempting to hop onto the network." What makes products like this especially attractive is that they provide IT security personnel with actionable location information and the origin of attempted intrusions -- everything from connection hijacking and man-in-the-middle attacks to MAC spoofing, MAC storms, and denial of service attacks.
Stay proactively cautious
It's evident that wireless technology can improve the productivity and efficiency of your organisation. But vigilance is necessary to maintain the security of your network. Conley advises:
"If you put the right practices in place, get the right tools, and solicit advice and expertise from people who have a very good understanding of these products and standards," Conley said, "you'll be able to implement a far more secure WLAN environment."
TechRepublic is the online community and information resource for all IT professionals, from support staff to executives. We offer in-depth technical articles written for IT professionals by IT professionals. In addition to articles on everything from Windows to e-mail to firewalls, we offer IT industry analysis, downloads, management tips, discussion forums, and e-newsletters.
©2004 TechRepublic, Inc.









