FEATURE STORY
Insights into the latest wireless LAN security issues
Enterprise Security at Public Hotspots - Best Practices for Mobile Workers
The growth of public Wi-Fi hotspots is creating a new headache for enterprise IT security managers. While this Wi-Fi pain doesn't have to reach migraine proportions, enterprises must address the security risks that come from mobile workers connecting to public wireless LANs at places like Starbucks, McDonald's, airports, hotels and all places in between.
Even enterprises that have delayed deploying wireless LANs in their own offices should assume that mobile workers are using their enterprise-owned laptops with consumer-grade wireless LAN cards to connect to home wireless LANs and public hotspots.
Public hotspots provide the easy and available connectivity that mobile workers demand. However, mobile workers must take extra precautions to properly encrypt and authenticate all traffic, use virtual private networks to connect back to the enterprise network and lock down the configurations of all Wi-Fi ready laptops.
Hotspot services that charge users for wireless access typically offer some form of security, but IT security managers should still require their mobile workers to take the extra steps needed to ensure security. Wide-open wireless hotspots offered by conferences or free Wi-Fi proponents must be viewed as insecure public networks that demand a higher level of scrutiny if they are to be used at all.
IT security managers should set a policy for how their mobile workers use Wi-Fi hotspots and equip the mobile workers with the knowledge and tools to securely use public wireless LANs.
AirDefense wireless LAN security experts recommend that mobile workers take the following security precautions to protect themselves while using any public hotspot:
- Turn off file and print sharing on your laptop - This prevents other wireless users on the network from accessing local files on your laptop
- Clear your list of "preferred networks", for which Windows XP actively probes and thereby broadcasts your corporate and home SSIDs - If a hacker identifies your preferred networks, he can trick your laptop into thinking that he is actually your preferred access point
- Turn off ad hoc networking and ensure that your wireless card remains in "infrastructure only" mode - This eliminates the threat of an intruder forming a peer-to-peer connection with your laptop
- When using a VPN to connect back to an enterprise network, disable split tunneling; and
- Utilize a personal firewall that detects malicious scanning of your laptop.
At a recent wireless LAN conference, AirDefense monitored wireless LAN traffic and found that very few of the conference attendees securely accessed their corporate email accounts through a virtual private network or any other form of encryption. On the first day of the conference, only 3 percent of corporate email downloads were conducted through the secure tunnel of a VPN. On the second day of the conference, this number rose to 12 percent.
Without a secure connection to an enterprise email account, a wireless station exposes the email account name and password to anyone passively sniffing the WLAN traffic.
Other vulnerabilities at the conference included 84 user stations that were configured to allow ad hoc networking and 17 ad hoc networks that were formed between stations. These direct connections between devices allow for easy file sharing but offer little security or authentication. An executive's laptop in ad hoc mode opens the door for a hacker to connect to the laptop without the owner's knowledge, access all shared files and launch direct attacks.
Some of the most alarming vulnerabilities at the conference included 74 user stations that were in default settings with open SSIDs, which automatically connected the station to the access point with the strongest signal strength. These stations had no control over which networks they connected to and could easily have been duped into communicating with malicious hackers. Other concerns among the stations and devices included 138 user stations that broadcast probes looking for networks that were not at the conference.
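The kind of passive analysis described above, as an added example that is not AirDefense's code: it reads a constructed, simplified monitor-mode log (the record format, SSIDs and MAC addresses are all invented for the example) and reports the three findings the article counts: ad hoc networks and the stations forming them, stations probing for networks that nobody at the venue announces (the preferred-network leakage the second precaution warns about), and stations probing for any network at all (default settings, joining the strongest signal).

```python
from collections import defaultdict, namedtuple

# One record per captured 802.11 management frame, in a simplified text form
# constructed for this example (not the output of any real monitoring tool):
#   beacon <transmitter> <ssid> <ESS|IBSS>   a network announcing itself (IBSS = ad hoc)
#   probe  <station> <ssid|*>                a station probing; "*" = broadcast (null SSID)
Frame = namedtuple("Frame", "kind mac ssid bss")  # bss is meaningful for beacons only

def parse_log(text):
    frames = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("beacon", "probe"):
            continue  # skip blank or unrecognised lines
        bss = parts[3] if parts[0] == "beacon" and len(parts) > 3 else "ESS"
        frames.append(Frame(parts[0], parts[1].lower(), parts[2], bss))
    return frames

def analyze(frames):
    """Findings of the kind reported from the conference: ad hoc (IBSS) networks,
    stations probing for SSIDs nobody here announces (preferred-list leakage) and
    stations probing for any network (default settings, join strongest signal)."""
    present = {f.ssid for f in frames if f.kind == "beacon"}
    leaked = defaultdict(set)  # station -> SSIDs it revealed that are absent here
    any_probe = set()
    for f in frames:
        if f.kind != "probe":
            continue
        if f.ssid == "*":
            any_probe.add(f.mac)
        elif f.ssid not in present:
            leaked[f.mac].add(f.ssid)
    return {
        "ssids_present": present,
        "adhoc_networks": {f.ssid for f in frames if f.bss == "IBSS"},
        "adhoc_stations": {f.mac for f in frames if f.bss == "IBSS"},
        "leaking_stations": dict(leaked),
        "any_probe_stations": any_probe,
    }

# Constructed sample capture: one venue AP, one ad hoc laptop, four probing stations.
SAMPLE_LOG = """
beacon 00:11:22:33:44:01 ConfExpo-WiFi ESS
beacon aa:bb:cc:00:00:05 LaptopShare IBSS
probe  aa:bb:cc:00:00:01 ConfExpo-WiFi
probe  aa:bb:cc:00:00:02 CorpNet-HQ
probe  aa:bb:cc:00:00:02 HomeLinksys
probe  aa:bb:cc:00:00:03 *
probe  aa:bb:cc:00:00:04 CorpNet-HQ
"""
```

Run `analyze(parse_log(SAMPLE_LOG))` to see station 02 revealing two off-site SSIDs, station 03 probing for anything, and station 05 hosting an ad hoc network.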
For more information about wireless LAN policies, request the AirDefense policies white paper.