May 2003 issue, Cover Feature
Making Wireless Networks Enterprise-Ready
Sandeep Singhal
Tuesday, April 29, 2003
The enterprise of the future is one in which every employee will be a mobile user and every laptop and handheld device is wireless. But as today's companies extend their wireless capabilities across the entire enterprise, several issues come to the forefront, not the least of which is the security of their proprietary data. Despite the complexity of the problem, an enterprise can undertake some relatively simple measures to thwart hackers and maintain the integrity of its wireless network.

Avoid Factory Default SSIDs
Wireless LAN "war drivers" regularly canvass business areas armed only with sniffing equipment such as a laptop, a wireless access card and other tools that are readily available on the Internet. The practice of "war chalking" takes this concept to another level by using physical markings to expose the existence of access points, so that the chalkers not only exploit them for their own use but also publicize the holes for others to take advantage of. One means of avoiding these types of attacks is to avoid advertising your WLAN's very existence.

Discovery of the WLAN itself is the first step in a successful hack, but several measures can make life difficult for the casual hacker. The first of these involves the SSID's factory default. SSID is short for Service Set Identifier, a 32-character unique identifier attached to the header of packets sent over a WLAN that acts as a password when a mobile device tries to connect to the BSS (basic service set). Every access point and every device attempting to connect to a specific WLAN must use the same SSID. Because an SSID can be sniffed in plain text from a packet, it should be changed from the factory default so as to avoid easy detection. Another means of thwarting war drivers and chalkers is to control your signal as much as possible.

The less you leak into insecure areas, the more difficult the hack. If possible, adjust access point antennae and power levels to avoid signal leakage to areas where coverage is neither required nor desirable.

Deploy Device-Independent Authentication
Many companies rely on device authentication to protect their WLAN from intruders, but this approach proves problematic on several fronts. Not only does a lost or stolen device represent a severe threat to the integrity of the WLAN, but laptops are also relatively easy to dupe. Reliance on device-independent authentication, such as user names and passwords, begins to address this problem by focusing on the user, not the device. But the optimal solution involves the use of RSA SecurID token deployments. The RSA algorithm is a public-key encryption technology that has become the de facto standard for protecting data that is sent over the Internet. The RSA SecurID authenticator functions like an ATM card for your network, requiring users to identify themselves with two unique factors—something they know and something they have—before they are granted access. With a constantly changing RSA SecurID authenticator generating a new, unpredictable code every 60 seconds, tokens add a layer of security that passwords alone simply cannot provide. This type of system also provides users with a machine-neutral environment, where they can log in from any box as long as they are armed with their password. In addition, an effective device ID system will almost certainly require database customization, while user authentication is typically easier to integrate with existing databases.
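The two-factor check described above, as an added example that is not code from the original article or from ReefEdge or RSA: SecurID's own token algorithm is proprietary and is not reproduced here; instead the "something they have" factor is the open time-based one-time code of RFC 6238 (HMAC-SHA1 over a time-step counter, 30-second step by default). The seed is the public RFC test-vector seed and the user record, salt and password are constructed for the demo, so the codes it prints can be checked against the RFC.

```python
import hashlib
import hmac
import struct

# Constructed demo values (not a real user's credentials). The seed is the public
# RFC 4226 / RFC 6238 test-vector seed, so the codes it produces are checkable.
DEMO_SEED = b"12345678901234567890"
TIME_STEP_SECONDS = 30   # RFC 6238 default; a given token product may use another period
CODE_DIGITS = 8


def hotp(seed: bytes, counter: int, digits: int = CODE_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(seed: bytes, at_time: int, step: int = TIME_STEP_SECONDS, digits: int = CODE_DIGITS) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of whole time steps since the Unix epoch."""
    return hotp(seed, at_time // step, digits)


def verify_code(seed: bytes, submitted: str, at_time: int,
                step: int = TIME_STEP_SECONDS, digits: int = CODE_DIGITS, skew_steps: int = 1) -> bool:
    """Accept the code for the current step or `skew_steps` either side (clock-drift tolerance).
    hmac.compare_digest keeps the comparison constant-time so timing does not leak matching digits."""
    current = at_time // step
    return any(
        hmac.compare_digest(hotp(seed, current + delta, digits), submitted)
        for delta in range(-skew_steps, skew_steps + 1)
    )


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user record: what an authentication server might store per user (assumption).
_SALT = b"constructed-salt"
USER_DB = {
    "alice": {"pw_hash": hash_password("correct horse", _SALT), "seed": DEMO_SEED},
}


def two_factor_login(username: str, password: str, code: str, at_time: int) -> bool:
    """Something they know (password) AND something they have (token code); both must pass.
    Both factors are always evaluated so the response does not reveal which one failed."""
    record = USER_DB.get(username)
    if record is None:
        return False
    password_ok = hmac.compare_digest(hash_password(password, _SALT), record["pw_hash"])
    code_ok = verify_code(record["seed"], code, at_time)
    return password_ok and code_ok


if __name__ == "__main__":
    now = 59  # RFC 6238 test-vector timestamp; the 8-digit SHA-1 code for it is 94287082
    code = totp(DEMO_SEED, now)
    print(code, two_factor_login("alice", "correct horse", code, now))
```

The skew window is the part a deployment has to think about: one step either side tolerates a drifting token clock, but widening it multiplies the number of codes an attacker could guess at any moment, so keep it small and lock the account after a few failures.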

Use VPN Technologies to Protect Data
Authentication is the first step in enabling a device to access the wireless network, and authentication techniques used in wireless LANs have traditionally been based on WEP (Wired Equivalent Privacy) shared-key authentication. Unfortunately, WEP has proven to be weak and easily circumvented, with WEP cracking tools readily available. To improve the security provided by WEP, many access point vendors have introduced mechanisms for dynamically assigning WEP keys to clients when they start communicating with an access point. These dynamic WEP solutions eliminate the need for distributing and managing a global WEP key at every client. Though this makes the hacker's task more difficult, recent studies have shown that dynamic WEP can still be broken within a few minutes. Enterprise wireless LANs require a security solution designed and engineered to deliver authentication, access control, and privacy services. VPN technologies such as IPsec with 3DES can protect data by ensuring that users authenticate to the network, that the user's credentials are made available to all access points in the environment, that appropriate access control policies are enforced throughout the wireless network, and that encryption is efficiently implemented to protect enterprise data.
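One reason WEP is weak, whether the key is static or dynamically assigned, is structural: every frame is encrypted under the shared key plus a 24-bit initialisation vector (IV), and whenever an IV repeats the same keystream is reused. The following added example (not from the article or any vendor) quantifies how quickly that happens using only the IV size, with the birthday bound for randomly chosen IVs and the wrap-around time for sequential ones; the frame rate is an assumed figure.

```python
import math
import random

IV_BITS = 24  # WEP prepends a 24-bit per-frame IV to the shared RC4 key


def iv_space(bits: int = IV_BITS) -> int:
    """Number of distinct IV values available."""
    return 1 << bits


def expected_frames_to_first_repeat(bits: int = IV_BITS) -> float:
    """Birthday-bound estimate: with random IVs, about sqrt(pi/2 * N) frames pass before one repeats."""
    return math.sqrt(math.pi / 2 * iv_space(bits))


def repeat_probability(frames: int, bits: int = IV_BITS) -> float:
    """Probability that at least one IV value is reused among `frames` uniformly random IVs,
    1 - exp(-k(k-1)/2N)."""
    n = iv_space(bits)
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * n))


def seconds_until_counter_wraps(frames_per_second: float, bits: int = IV_BITS) -> float:
    """A client that simply increments its IV reuses the first value after N frames."""
    return iv_space(bits) / frames_per_second


def simulate_first_repeat(seed: int = 0, bits: int = IV_BITS) -> int:
    """Draw random IVs for one client and return the frame number at which an IV is first reused."""
    rng = random.Random(seed)
    seen = set()
    n = iv_space(bits)
    frame = 0
    while True:
        frame += 1
        iv = rng.randrange(n)
        if iv in seen:
            return frame
        seen.add(iv)


if __name__ == "__main__":
    print(f"IV space: {iv_space():,} values")
    print(f"expected frames before a random IV repeats: {expected_frames_to_first_repeat():.0f}")
    print(f"P(repeat) after 10,000 frames: {repeat_probability(10_000):.3f}")
    # 1000 frames/s is an assumed, busy-AP figure
    print(f"sequential IV wraps after {seconds_until_counter_wraps(1000) / 3600:.1f} h at 1000 frames/s")
    print(f"simulated first repeat with seed 1: frame {simulate_first_repeat(seed=1)}")
```

A few thousand frames is seconds of traffic on a busy access point, which is why re-keying per client (dynamic WEP) shrinks but does not remove the exposure, and why the article pushes encryption up to a VPN layer that was designed with a proper per-packet nonce space.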

Limit or Control WLAN Traffic
After determining who is allowed on the network, the next issue is controlling a user's capabilities once there. Clearly, most enterprises will need to restrict access to certain servers or limit guests' mobility on the WLAN. Firewalls normally restrict access to the network itself by implementing packet filters on routers that inspect IP addresses to determine authorized users. But if the WLAN is to be used for a selected purpose (e.g. access to an ERP system), then specific packet filters designed to allow only that access should be placed on the WLAN.
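The "ERP access only" filter the paragraph describes, as an added example that is not the article's or ReefEdge's code: a first-match rule list evaluated against flows from the WLAN segment, with a default deny so anything the rules do not mention fails closed. The addresses (WLAN clients in 10.20.0.0/16, an ERP front end at 10.1.5.10, a resolver at 10.1.1.53) are constructed for the demo.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str = "any"               # "tcp", "udp" or "any"
    dport: Optional[int] = None      # None matches any destination port

    def matches(self, flow: Flow) -> bool:
        return (
            ipaddress.ip_address(flow.src) in self.src
            and ipaddress.ip_address(flow.dst) in self.dst
            and self.proto in ("any", flow.proto)
            and (self.dport is None or self.dport == flow.dport)
        )


def rule(action: str, src: str, dst: str, proto: str = "any", dport: Optional[int] = None) -> Rule:
    return Rule(action, ipaddress.ip_network(src), ipaddress.ip_network(dst), proto, dport)


# Constructed addressing (assumption): WLAN clients live in 10.20.0.0/16, the ERP
# front end is 10.1.5.10 and the internal DNS resolver is 10.1.1.53.
WLAN_ERP_ONLY_POLICY: List[Rule] = [
    rule("allow", "10.20.0.0/16", "10.1.1.53/32", "udp", 53),   # name resolution
    rule("allow", "10.20.0.0/16", "10.1.5.10/32", "tcp", 443),  # the ERP web front end, nothing else
    rule("deny",  "10.20.0.0/16", "0.0.0.0/0"),                 # everything else from the WLAN
]


def evaluate(policy: List[Rule], flow: Flow) -> str:
    """First-match evaluation; a flow no rule covers is denied so the filter fails closed."""
    for r in policy:
        if r.matches(flow):
            return r.action
    return "deny"


def evaluate_all(policy: List[Rule], flows: List[Flow]) -> List[Tuple[Flow, str]]:
    return [(f, evaluate(policy, f)) for f in flows]


if __name__ == "__main__":
    # Constructed sample flows: ERP over HTTPS, SSH to the ERP host, SMB to a file server, DNS.
    samples = [
        Flow("10.20.3.7", "10.1.5.10", "tcp", 443),
        Flow("10.20.3.7", "10.1.5.10", "tcp", 22),
        Flow("10.20.3.7", "10.1.7.20", "tcp", 445),
        Flow("10.20.3.7", "10.1.1.53", "udp", 53),
    ]
    for flow, verdict in evaluate_all(WLAN_ERP_ONLY_POLICY, samples):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}: {verdict}")
```

The point of the trailing deny plus the fail-closed default is that an ERP-only WLAN stays ERP-only even when a new server appears on the wired side; a filter that merely blocks a list of known-bad destinations would silently grant access to it.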

Move Security from Access Points to a Wiring Closet
Access points are sited for ideal throughput and coverage, and as a result are often positioned in open settings where they are exposed. Unscrupulous visitors and careless employees can move, replace, or reset them with alarming ease. Considering also that many vendors are equipping the access points themselves with security measures, it is important to ensure the integrity of your WLAN's security by splitting security out from the physical access points. Treat your security solution as you would the rest of your sensitive IT equipment - with storage in a secured wiring closet.

Actively Monitor Access Point Configurations
It is not sufficient to configure an access point correctly - once configured properly, it must stay that way. Consider how easy it is for someone to perform a hardware reset on an access point that sits on a desk or ceiling, and then consider the damage that a misconfigured access point can wreak on the WLAN. Security measures can be completely counteracted when misconfigured access points inadvertently broadcast the WLAN's location to hackers. Monitoring software that constantly sends queries to detect any configuration anomalies is the answer. By actively monitoring the AP configuration, you can ensure that the AP is automatically reconfigured should such an event occur.

Use Monitoring Software for Rogue WLAN Detection
Today's employees are more than capable of creating a rogue WLAN inside a business, whether well-intentioned or not. Commercial access points are easier to control, but rogue devices can reside transparently on the network while bridging it to a wireless device. New software tools that ease this task are now readily available; they can detect all the known devices on the network and differentiate them from foreign wireless devices.
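One monitoring pass that covers three of the points above (factory-default SSIDs, configuration drift after a reset, and rogue access points), as an added example that is not the article's or any vendor's code. It assumes a polling mechanism that returns each access point's configuration keyed by its BSSID (the MAC of the radio); how that poll is done (SNMP, a controller API) is out of scope here. The baseline inventory, the list of default SSIDs and the poll result are all constructed for the demo.

```python
from dataclasses import dataclass, asdict
from typing import Dict, List

# Constructed sample of factory-default SSIDs (assumption: a real deployment would
# load the vendor list it cares about); the check is case-insensitive.
FACTORY_DEFAULT_SSIDS = {"default", "linksys", "tsunami", "wireless", "wlan"}


@dataclass(frozen=True)
class APConfig:
    ssid: str
    security: str         # e.g. "vpn-required", "dynamic-wep", "open"
    broadcast_ssid: bool  # whether beacons carry the SSID
    tx_power_dbm: int


# Constructed baseline: BSSID (AP MAC) -> the configuration it was commissioned with.
BASELINE: Dict[str, APConfig] = {
    "00:11:22:33:44:01": APConfig("corp-fl3", "vpn-required", False, 10),
    "00:11:22:33:44:02": APConfig("corp-fl4", "vpn-required", False, 10),
    "00:11:22:33:44:03": APConfig("corp-lobby", "vpn-required", False, 8),
}


def ssid_findings(cfg: APConfig) -> List[str]:
    """Checks that apply to any AP regardless of its baseline."""
    findings = []
    if cfg.ssid.strip().lower() in FACTORY_DEFAULT_SSIDS:
        findings.append(f"factory-default SSID {cfg.ssid!r}")
    if cfg.security == "open":
        findings.append("no link security configured")
    return findings


def drift_findings(observed: APConfig, expected: APConfig) -> List[str]:
    """Field-by-field comparison of a polled configuration against its baseline."""
    return [
        f"{field} is {value!r}, baseline {expected_value!r}"
        for (field, value), expected_value in zip(asdict(observed).items(), asdict(expected).values())
        if value != expected_value
    ]


def audit(observed: Dict[str, APConfig], baseline: Dict[str, APConfig] = BASELINE) -> dict:
    """One monitoring pass: drifted, rogue and missing APs, plus the BSSIDs whose baseline
    configuration should be pushed back automatically."""
    report = {"drift": {}, "rogue": [], "missing": [], "reconfigure": []}
    for bssid, cfg in observed.items():
        expected = baseline.get(bssid)
        if expected is None:
            report["rogue"].append(bssid)           # on the air but not in inventory
            continue
        findings = ssid_findings(cfg) + drift_findings(cfg, expected)
        if findings:
            report["drift"][bssid] = findings
            report["reconfigure"].append(bssid)     # automatic re-push of the baseline config
    report["missing"] = sorted(set(baseline) - set(observed))
    return report


# Constructed poll result: AP ..02 has been hardware-reset, ..03 is unreachable,
# and an unknown BSSID has appeared.
SAMPLE_POLL: Dict[str, APConfig] = {
    "00:11:22:33:44:01": APConfig("corp-fl3", "vpn-required", False, 10),
    "00:11:22:33:44:02": APConfig("tsunami", "open", True, 20),
    "de:ad:be:ef:00:01": APConfig("linksys", "open", True, 20),
}

if __name__ == "__main__":
    for key, value in audit(SAMPLE_POLL).items():
        print(f"{key}: {value}")
```

A reset AP is reported both ways on purpose: the drift list tells the operator what changed, and the reconfigure list feeds whatever pushes the baseline back. An AP that has gone quiet is listed as missing rather than ignored, since an unplugged AP is exactly what precedes a swapped or relocated one.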

Take Steps to Secure Client Devices
Over a WLAN, an intruder can attack wireless clients themselves in a peer-to-peer fashion, because clients talk directly not only to the network but to any other wireless host accessing the WLAN as well. This attack can give the intruder what appears to be legitimate network access, simply by using a client as an accepted entry point. To address this issue, desktop firewalls should be deployed, along with network management tools that actively audit and manage the client before permitting access via the WLAN.

Police Bandwidth
Wireless access points have low bandwidth capacity and are shared by multiple users. This allows intruders simply to blast traffic over the wireless link to block other traffic, in what are known as Denial-of-Service attacks. But even legitimate users can unintentionally hog bandwidth in the course of their everyday responsibilities. Particularly in environments in which different users need to perform different mission-critical tasks, bandwidth must be policed to provide fair access. As part of the packet filtering solution, install software that controls traffic by slowing large downloads, among a wide variety of other measures.
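The bandwidth policing the paragraph calls for, as an added example that is not the article's or ReefEdge's code: a token bucket per client nested inside one bucket for the whole access point, so a flooding client exhausts only its own share while the link bucket keeps the aggregate within what the radio can carry. The rates, burst sizes and traffic events are constructed for the demo; a real shaper would queue excess frames to slow a download, where this policer simply counts them as dropped.

```python
from collections import defaultdict
from typing import Dict, List, Tuple


class TokenBucket:
    """Classic token bucket: tokens (bytes) refill at `rate` per second up to `burst`;
    a frame may pass only if enough tokens are present."""

    def __init__(self, rate: float, burst: float):
        self.rate, self.burst = rate, burst
        self.tokens = burst
        self.last = 0.0

    def refill(self, now: float) -> None:
        elapsed = max(0.0, now - self.last)
        self.last = now
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)

    def has(self, nbytes: int) -> bool:
        return nbytes <= self.tokens

    def take(self, nbytes: int) -> None:
        self.tokens -= nbytes


class WlanPolicer:
    """Per-client buckets (fair share) inside one bucket for the access point (link capacity)."""

    def __init__(self, client_rate: float, client_burst: float, link_rate: float, link_burst: float):
        self.client_rate, self.client_burst = client_rate, client_burst
        self.link = TokenBucket(link_rate, link_burst)
        self.clients: Dict[str, TokenBucket] = {}

    def admit(self, client: str, nbytes: int, now: float) -> bool:
        bucket = self.clients.setdefault(client, TokenBucket(self.client_rate, self.client_burst))
        bucket.refill(now)
        self.link.refill(now)
        # Both checks happen before either bucket is debited, so a rejected frame costs nothing
        # and one flooding client cannot drain the shared link bucket.
        if bucket.has(nbytes) and self.link.has(nbytes):
            bucket.take(nbytes)
            self.link.take(nbytes)
            return True
        return False


def police(events: List[Tuple[float, str, int]], policer: WlanPolicer) -> Dict[str, Dict[str, int]]:
    """Run (timestamp, client, bytes) events in time order and count forwarded/dropped per client."""
    stats = defaultdict(lambda: {"forwarded": 0, "dropped": 0})
    for now, client, nbytes in sorted(events, key=lambda e: e[0]):  # stable: keeps arrival order within a tick
        stats[client]["forwarded" if policer.admit(client, nbytes, now) else "dropped"] += 1
    return dict(stats)


# Constructed traffic: client A bursts 150 KB then 100 KB at t=0 and retries at t=0.5 s;
# client B sends one small frame. Rates are illustrative (assumption).
SAMPLE_EVENTS = [(0.0, "A", 150_000), (0.0, "A", 100_000), (0.0, "B", 10_000), (0.5, "A", 100_000)]


def demo() -> Dict[str, Dict[str, int]]:
    policer = WlanPolicer(client_rate=100_000, client_burst=200_000,
                          link_rate=1_000_000, link_burst=2_000_000)
    return police(SAMPLE_EVENTS, policer)


if __name__ == "__main__":
    print(demo())
```

With these numbers client A's second frame at t=0 is refused because its 200 KB burst allowance is already down to 50 KB, and the retry half a second later passes once 50 KB of tokens have refilled; client B is unaffected throughout, which is the fairness property the paragraph is after.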

Deploy Real-time Policy Management
Once the WLAN is up and security measures have been deployed, the real job of securing the wireless network begins. As they are deployed, wireless LANs will span entire campuses and incorporate multiple global sites. Security policies (e.g. valid user lists, access rights) will naturally change. These changes must be reflected in real time throughout the WLAN to reduce the window of opportunity for intrusion and, more importantly, to provide immediate lock-down of detected security holes.

Sandeep Singhal, CTO of Fort Lee, NJ-based ReefEdge, Inc., is an expert in the mobile intranet and Internet, handheld computing, and distributed systems. Prior to co-founding ReefEdge, he was Chief Architect for IBM's Pervasive Computing Division, has served as a researcher and software engineer for IBM and for NASA, and on several study panels for the National Research Council. He holds MS and PhD degrees in Computer Science from Stanford University, as well as BS degrees in Computer Science and in Mathematical Sciences and a BA in Mathematics from Johns Hopkins University. He is also an Adjunct Assistant Professor at North Carolina State University.