FRAMINGHAM, 21 JUNE 2010 - Wireless has become a part of our official and personal lives. Securing against wireless threats has been and will continue to be an important piece in the overall enterprise security puzzle. However, as if following Darwin's theory of evolution, wireless security myths too are born, evolve and then die to be replaced by new ones.
An improved awareness of wireless security issues seems to have given network security professionals enough information to dispel certain wireless security myths (e.g., hiding your SSID in beacons will improve security; open APs with MAC filters can provide good security; use of static network IP addresses can impede an attacker; and WEP can provide good-enough security).
The fact that more and more users are moving towards WPA2 deployments confirms this. The recent PCI DSS wireless guideline (perhaps spurred by the infamous and high-profile TJX security breach) is certainly driving some of these developments. However, on the flip side, the wireless security community still lacks a clear consensus on how to handle threats caused by unmanaged devices.
This has led to an evolved set of wireless security myths that are probably harder to debunk. Let's take a brief look at them and discuss how enterprises can avoid some of these common pitfalls.
Myth 1: My enterprise is secure if we do not have a Wi-Fi deployment.
Many people still think that they are secure if they have a "no Wi-Fi" policy. If only wireless security were that simple. In the real world, where it is not possible to trust everyone, it would be naïve to assume the policy will never be violated. A disgruntled employee can implant a rogue access point, and even well-meaning employees can deploy APs that will inadvertently expose your network to rogue activity. Similarly, the Wi-Fi client cards that come embedded in most notebooks today can be a potential source of threat; they can be exploited by attackers. Further, other wireless technologies embedded in notebooks, such as Bluetooth, can create security vulnerabilities.
Reality: Assuming that a "no Wi-Fi" policy will secure your network is akin to an "Ostrich solution".
Myth 2: I use WPA2 in my network and I am secure.
If you have rolled out your enterprise Wi-Fi deployment with WPA2, it is definitely a good start. WPA2 provides strong cryptographic security for your WLAN APs and clients. However, in a large deployment, it is important to ensure that none of the devices are accidentally misconfigured, which could expose gaping security holes. Wi-Fi is increasingly used to carry mission-critical applications, so hackers and criminals will continue to focus on breaking Wi-Fi security. Researchers have recently demonstrated that WPA-TKIP can be compromised to achieve packet-injection attacks. Similarly, a Cisco WLAN controller-based vulnerability that can be exploited to "skyjack" Cisco LAPs has been reported.