WIRELESS SOCIETY
The Big Trade-Off
Wireless networks are great, except for one thing: they're not secure. Here's what the experts say you should do to help keep your hard drive safe
By Maryanne Murray Buechner
November 8, 2004
Many people don't take full advantage of the security protections in their Wi-Fi home networks. Maybe they're not aware that their wireless router has built-in wired equivalent privacy (WEP), an encryption protocol that, when enabled, restricts access to those who have the WEP key: a string of characters that's generated when you first activate the encryption and which serves as a kind of password.
Or maybe they'd like to share the wealth and let the neighbors in on their 6-megabit-per-second cable-modem connection. But these guests, invited or otherwise, could be up to no good. They could be using your Internet connection to upload a pirated movie, or to send spam in a way that makes it look like it's coming from you. They could install a keystroke grabber, a program that surreptitiously records information you type into your machine (such as the user name and password that logs you in to your bank's website) and quietly reports the info back to the hacker.
Feeling vulnerable now? Turn your WEP on and you shouldn't have to. Experts agree that the technology isn't perfect (a good hacker can crack it in about 15 minutes, some say), but the consensus seems to be that, well, it's better than nothing. Most troublemakers go for the low-hanging fruit: networks left wide open so that anybody with a Wi-Fi antenna within range can get on. So if you use WEP, they are more likely to knock at your network's door, find it locked, and move on to an easier target.
To improve your odds of being left alone, experts recommend using wireless gear offering Wi-Fi Protected Access (WPA), a new-and-improved form of WEP. More and more devices support WPA these days; if you've had your hardware for a while, check the manufacturer's website for a firmware upgrade and you may be able to get WPA that way.
Another way to keep bandwidth thieves and hackers at bay: switch off your network's "SSID broadcast" feature. (SSID is short for service set identifier, and it's the name you assigned your network when you first set it up.) This way, when a roving road warrior scans the area for available networks, yours won't even appear on the list. "Anybody who knows what they're doing will still be able to find you," says Joshua Lackey, senior ethical hacker with Managed Security Services, a division of IBM Global Services. This is why each machine on your network should have its own software firewall program installed, he says. "The more obstacles you put in the way, the better," Lackey says. "We call it the onion model of security: just pile layer upon layer."
That goes double for any business seeking to cut the cord. A corporation has more sensitive data to protect, and is more vulnerable. The biggest problem plaguing corporate Wi-Fi networks, Lackey says, is unauthorized access points: somebody plugging in a Wi-Fi antenna box in order to bring access into a new area. Sometimes the "rogues" are the company's own employees, with innocent intentions (they want to check e-mail from the cafeteria, say), who don't realize that they've just opened up the network to the world. And sometimes it's someone with more malevolent motives. "The problem is, anybody can walk into a store and buy an access point, plug it into a network and go," says Jason Hart of White Hat, a security firm based in the U.K. "The devices are so cheap now. And new laptops automatically find available networks, which are always transmitting out, saying, 'I'm here.'" The solution: ask your network installer to include some way of monitoring network activity. The hard part, Hart says, is finding the location of these access points so that they can shut them down.
Telecommuters can be very dangerous to a corporate network because they connect from the outside. Rich Forsen, whose company Network Depot installs wireless networks for small- and medium-sized businesses in the Washington area (and firewalls for companies across the country), recommends that his clients use a SonicWall wireless gateway. The device lets you establish wireless virtual private network (VPN) connections for each employee who is logging in from anywhere inside the building. When that employee leaves for the day, he can use the same VPN software that's installed on his laptop to connect from home, and the same protections will apply. "That VPN acts as a personal firewall on your notebook," Forsen says.
One of Forsen's clients, Tom Andresen of Innovate.org, says the three-employee firm wished to protect its network from outsiders, yet still be able to let visitors get online from the conference room. Network Depot set up a guest account, protected by a password that Andresen can hand out at his discretion. The guest user has unfettered access to the Internet but can't get onto the company's internal network.
The biggest challenge is striking the right balance between security and convenience, Forsen says. "Those are primary goals," he says, "and they are always at odds. It's an ongoing war for us." But Innovate's guest account, he says, "is one of those few areas where you can have your cake and eat it too."
Another tactic now in vogue: intrusion protection software that inspects packets of data coming in and out of the network and screens for worms and trojans, insidious virus variants, and spyware. Businesses can subscribe to an intrusion protection service as a supplement to their existing firewall.
Authenticating users on the network is a separate issue that should be addressed. One way to do this is with biometrics: for example, requiring that a user be identified first with a fingerprint before he's allowed to log on. IBM recently added fingerprint scanners as an optional feature on its T42 line of notebook computers; the tiny scanner, which costs about $50, comes embedded in the wrist rest. Swiping your finger unscrambles the password stored on the machine.
Of course, every security measure costs money to implement. "You have to think about the business case," Lackey says. "Will [going wireless] save money, make money, increase productivity? And do the benefits justify the risks? Because once you go wireless, it's hard to go back."