Guarding the hot spot

Hot spots are all the rage right now, with vendors keen to talk up the benefits of going wireless. But what's the downside of doing away with a few cables? Windows Middle East takes a look at the security implications of WLAN technology.

By Peter Branton. Published June 1, 2003

Introduction

It’s not true that in space no one can hear you scream: if you’re sending stuff over radio waves then it just may be that anyone can listen in on them. The simple fact is radio waves know no boundaries, which was known to Guglielmo Marconi in the nineteenth century, so it’s not exactly surprising now.

However, it is threatening to dampen enthusiasm for what is arguably this year’s ‘hottest’ technology area: wireless local area networks (WLAN). Hot spots, areas where users can access a WLAN, have caught the public’s imagination, with companies across the Middle East beginning to deploy them in number. Hotels across the region now boast of having provided them as an additional service for guests, office staff are enjoying the benefits of being able to take their work with them on a laptop from meeting to meeting, even home users now want to be able to surf the Net while watching TV or whatever.

However, while the wireless vendors are quite happy to see us all sending data constantly over the airwaves, users are starting to get a little anxious about the security implications. It’s all well and good throwing your network open to access, but who’s taking advantage?
Research house Gartner recently tipped WLAN security as the second biggest security headache facing organisations today (the first was Web services security), pointing out that firms need to be fully aware of the security implications before they deploy a WLAN.

In the US and Europe this anxiety has been strengthened by reports of “wardriving” and “warchalking”: would-be hackers and their ilk roaming the streets with scanning equipment searching out unsecured wireless LAN access points and then chalking identification marks so that other miscreants can use them to gain access to a company’s network. One study conducted by a – presumably – white hat hacker found that 70% of WLANs in the City of London, London’s main financial centre, were vulnerable to such a practice.

The security implications are fairly apparent: your network would be vulnerable to anybody walking outside, allowing them access to company information, as well as being able to use your computer for their own activities. Worse, what’s to stop somebody from grabbing hold of your bandwidth and hitching an internet ride – on your budget?
With analysts such as IDC predicting that there will be more than 118,000 hot spots worldwide – there were fewer than 5,000 last year – the warchalkers and wardrivers are surely in for a free ride, able to grab bandwidth and company secrets wherever they go.

Extent of threat

Or maybe not. Such practices may be common in countries in the West but does the Middle East suffer from such a threat? “It would depend very much on the country I would guess,” says Johan De Donder, product manager for Wireless Technologies for Cisco EMEA. “However what I would say is that in any area where you have a couple of universities, then yes you’re going to find it’s quite likely to happen, people will do stuff like this to see if they can. As to whether any harm is being done, well that’s another matter altogether. The bottom line is if you don’t protect yourself against it, then you are vulnerable. It’s like leaving the door of your office unlocked, you may be lucky and not have people walk in, but would you want to take the chance?”

Others are more skeptical however. “Warchalking just isn’t happening in the Middle East as far as I know, I certainly haven’t seen any instances of it, although it may be some people are doing it,” says Rifaat Al Karmi, regional data specialist for Avaya, Middle East and North Africa.

Which is not to say that Karmi is advocating that people should not take security seriously, just that he thinks people over-estimate the dangers of a wireless environment, while under-estimating the dangers of a wired one. “Everybody’s first concern with wireless is security, with everything being transmitted across the airwaves. The reality is that every form of network, wired or wireless, can be secure or insecure depending on what you do with it.”

Which would seem to be a point agreed upon by just about everybody in the industry. Indeed, there is a case for saying that the additional concerns over security in a wireless environment could prove beneficial to users. After all, how many security systems in a wired environment are let down by too casual use of procedures?

“The security system you have in place may feature the most sophisticated technology available, but it isn’t going to be much good if you don’t turn it on,” says Tony Field, product manager for networking vendor US Robotics Europe, Middle East and Africa.
Field thinks the concern over security issues is largely overrated, with most people not needing to take much more than rudimentary security measures to protect their own peace of mind. “Let’s face it, most of us just don’t have that much stuff on our home PCs that other people are going to want to be interested in,” he points out.

Having said that, he believes there are some rudimentary precautions that all people should take. “Just changing the default settings on your equipment would be a good starting point,” he says. “Most people just leave their settings at what they get out of the box, so of course it’s easy to find out what they are.”

Industry counter-measures

It’s also not as if the industry has been sitting around waiting for hackers to drive by and pick up any information they want to get. The industry’s first stab at WLAN security was the Wired Equivalent Privacy (WEP) standard, which for 802.11b WLANs provided a basic 40-bit encryption to protect the data portion of each packet, or block of data. Later versions provided support for 128-bit encryption.

WEP was, as its name suggests, intended to provide wireless environments with the same level of security as their wired counterparts, and was widely regarded as being pretty much bullet-proof. Unfortunately WEP’s invulnerability swiftly proved illusory, and there are now tools available on the internet which allow people to crack its encryption. WEP also suffers from a static-key architecture, which makes it difficult to protect keys or update them on a regular basis.

Since then industry body the Wi-Fi Alliance has approved a new security standard, the Wi-Fi Protected Access (WPA) standard. WPA features stronger encryption, the ability to generate keys automatically, and authentication of each user attempting to access the wireless network. WPA allows the system to change keys every time a packet of information is sent. For small to medium businesses (SMBs) it also allows for a single password system, which is cheaper.

As well as privacy, WLAN security also entails authentication and authorization issues. Basically that person walking outside your office, perhaps with chalk in hand, will get into your network if you can’t identify and verify who is accessing it.

The level of security you need to install will depend very much on the importance of the information you wish to protect. For instance, an executive for a large corporation about to close a major deal is going to want a much greater level of security than a student telling his friends about a band he saw last night.

“As a home user I can use my network at home for personal use, then I will go into the office and connect to the network there to do work on a corporate project. Later I might want to go to a hot spot to have a coffee and relax while using the Web. Each of these uses will have different security implications,” says Stanislas de Boisset, network consultant for 3Com Middle East.

For most users, even Small Office Home Office (SoHO) users, WEP is not completely discredited. Most vendors say that WEP can provide enough protection for normal use. However, for more serious corporate usage, where it will matter if your information is captured by somebody else, you will either need to look at solutions based on the WPA standard, or you will have to invest in some form of Virtual Private Network (VPN).

Intel action

One of the main advocates of wireless technology is Intel, which has recently launched its Centrino platform: a range of processors, chipsets and 802.11b wireless connection cards designed to make notebooks lighter, more power-efficient, and with improved WLAN access. The vendor is working closely with ISPs in the Middle East, including Etisalat in the UAE, to promote the development of hotspots in the region.

In its offices in Dubai, Intel has switched over to a wireless environment, with workers equipped with laptops based on either Centrino or its Pentium M mobile processor. “In order to do this, we have to have a secure WLAN environment,” says Toni Prince, Intel MEA business development manager for telecommunications and ISPs. “Today at Intel we use a VPN gateway. VPN is pretty much the ultimate security level right now for corporates.”

However, Prince doesn’t believe that SoHO users or home users need to invest in as expensive a solution as a VPN. “For most people, security is not exactly an unfounded fear, but to crack even WEP security, you’ve got to actually be there to collect the data, and you’ve got to want to target that particular business or user,” he says. “While it’s one thing to randomly collect data, picking up and cracking data from a targeted business is not as easily done as people think.”

Prince is also fairly skeptical about the dangers posed by warchalkers in this region. “People in the UAE or Saudi driving around and doing this? It probably happens in some locations like say Dubai Internet City, but I would guess people only really do it to prove they can,” he says.

Prince is also keen to allay the fears of users in public hot spots, such as hotels or restaurants. “If you’re a serious corporate user getting ready for a big meeting then you really should be accessing your system via a VPN anyway,” he argues.

US Robotics’ Field agrees that the dangers posed by wireless are largely overstated. “Just changing your default settings and actually activating all your security settings should be enough for most people. That’s pretty much all I do for my home network because I don’t have a lot of stuff of value there,” he says.

There is also the fear that by leaving your WLAN exposed you are going to be providing bandwidth to all and sundry who will surf the web at your expense. However, the amount of bandwidth used in such cases is often comparatively small, so it is debatable as to just how much of a problem this is.

Simple steps that companies – or home users – could take to protect themselves include things like positioning wireless access points further inside buildings so they are less likely to leak out on to the street. Looking at what MAC addresses – used to identify hardware on a network – are allowed to access the WLAN would also be useful.
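The MAC address check mentioned above can be run against an access point's association log. The following is an added example, not part of the original article; the allow-list, the log line format and every address in it are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed allow-list, written in the mixed notations found in real inventories.
ALLOWED = ["00:0C:41:AA:10:01", "00-0c-41-aa-10-02", "000c.41aa.1003"]

# Constructed association log; the line format is an assumption for this example.
SAMPLE_LOG = """\
2003-06-01T09:02:11 ap=lobby-1 event=assoc sta=00:0c:41:aa:10:01
2003-06-01T09:05:40 ap=lobby-1 event=assoc sta=00-0C-41-AA-10-02
2003-06-01T09:07:03 ap=floor2-3 event=assoc sta=000C.41AA.1003
2003-06-01T09:12:57 ap=lobby-1 event=assoc sta=02:1A:2B:3C:4D:5E
2003-06-01T09:13:30 ap=lobby-1 event=deauth sta=02:1A:2B:3C:4D:5E
2003-06-01T09:41:19 ap=lobby-1 event=assoc sta=02:1a:2b:3c:4d:5e
2003-06-01T10:02:00 ap=floor2-3 event=assoc sta=not-a-mac
"""

LINE_RE = re.compile(r"^(\S+) ap=(\S+) event=(\S+) sta=(\S+)$")

def normalize_mac(text):
    """Return 12 lowercase hex digits, or None if text is not a MAC address."""
    digits = re.sub(r"[:\-.]", "", text.strip().lower())
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def audit(log_text, allowed):
    """Report associations by stations that are not on the allow-list."""
    allow = {normalize_mac(m) for m in allowed}
    unknown = defaultdict(lambda: {"count": 0, "first": None, "last": None, "aps": set()})
    malformed = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            malformed.append(line)
            continue
        when, ap, event, sta = m.groups()
        mac = normalize_mac(sta)
        if mac is None:
            malformed.append(line)      # keep for manual review, do not drop silently
        elif event == "assoc" and mac not in allow:
            rec = unknown[mac]
            rec["count"] += 1
            rec["first"] = rec["first"] or when
            rec["last"] = when
            rec["aps"].add(ap)
    return dict(unknown), malformed

if __name__ == "__main__":
    unknown, malformed = audit(SAMPLE_LOG, ALLOWED)
    for mac, rec in unknown.items():
        print(mac, rec["count"], rec["first"], rec["last"], sorted(rec["aps"]))
    print("unparsed lines:", len(malformed))
```

An allow-list match only shows that a station presented a listed address, so this check works as an inventory control alongside encryption and user authentication, not in place of them.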

Ultimately though, with the range of devices allowing wireless access increasing, and the weight of notebooks decreasing you may well find that you’re just as likely to allow access to your network by leaving your kit behind somewhere as by falling prey to a man with a piece of chalk.
