Wireless Security Myths and Five Ways to Stop Unsafe Wi-Fi Use - Five Ways to Stop Unsafe Wireless Usage
(Page 2 of 2)
Lisa Phifer is the owner of Core Competence Inc., a consulting firm specializing in network security and management technology. For more than 20 years, she has been involved in the design, implementation, and evaluation of networking and security management products. In her article for SearchNetworking, an online IT resource network, Phifer shares five tips for combating unsafe Wi-Fi use. Here’s what she recommends:
1. Disable Network Bridging
According to Phifer, any device that is simultaneously connected to more than one network has the potential to relay traffic between those networks. As an example, she cites Windows Internet Connection Sharing (ICS), which lets a Wi-Fi ad hoc peer share a laptop's Ethernet LAN connection. Most companies advise employees to disable unused connections, but most employees either forget or don't take the threat seriously enough.
Phifer believes that the best way to discourage bridging is to define Windows hardware profiles that enable just one interface. As an example, she cites booting with an "office" profile that enables a laptop's Ethernet connection but disables Wi-Fi. Alternatively, a "hotspot" profile enables the laptop's Wi-Fi connection but disables Ethernet. Phifer notes that hardware profiles are inconvenient and do not stop a user from manually re-enabling an interface, so they are a deterrent rather than an enforced control; the good news is that they are simple to configure, easy to select, and available on every Windows laptop.
Other approaches exist, the simplest being interface rules enforced by mobile security agents on laptops and PDAs; Trust Digital Mobile Edge Device Security is one such product, and there are similar ones. Besides permitting or denying the use of Wi-Fi, Ethernet, Bluetooth and 3G interfaces, such an agent enforces a security policy when a mobile device is used outside the office.
2. Mandate VPN Usage
Phifer's position is that companies have no control over the security measures protecting Wi-Fi traffic in home networks or public hotspots. As a result, the only way to ensure over-the-air protection of business data, independent of the access method, is to require VPN or application-layer security. According to Phifer, mandating VPN use for access to the corporate network is not difficult; the hard part is mandating VPN use for everything else.
Phifer says that one way to mandate VPN use is to launch the VPN client at start-up, require administrative privilege to stop it, and define VPN rules that prevent split tunneling. In other words, all traffic to any destination is forced through the VPN tunnel. The main drawback of this approach is that it can make Internet access difficult in hotels, airports and other public venues that require a Web login (captive portal) before a VPN tunnel can be established, since that login traffic would also be forced into a tunnel that does not yet exist.
If the previous suggestion is too problematic, Phifer recommends binding the VPN client to the remote access client, using policies to launch the VPN client as soon as network login completes and automatically terminating the connection if the VPN client or tunnel fails. This may be the better solution for some, as many remote access or Wi-Fi connection managers can be linked to VPN clients in this way.
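A practical way to check that the "no split tunneling" rule described above is actually in force is to audit the endpoint's routing table. The following is an added example, not code from Phifer's article or from any VPN vendor: it parses the IPv4 "Active Routes" block printed by Windows `route print` and reports whether the preferred default route leaves through the VPN adapter and which routes would carry traffic around the tunnel. The two tables, the VPN adapter address 10.8.0.2 and the VPN server address 203.0.113.10 are constructed for the example.

```python
"""Audit a Windows IPv4 routing table for split-tunnel leaks (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    dest: ipaddress.IPv4Network
    gateway: str   # next-hop address, or "On-link" for a directly connected route
    iface: str     # address of the egress interface, as `route print` shows it
    metric: int


def parse_route_print(text: str) -> list[Route]:
    """Pull Route entries out of the five-column IPv4 table; header and
    separator lines never have exactly five tokens, so they are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        dest, mask, gateway, iface, metric = parts
        try:
            net = ipaddress.IPv4Network((dest, mask), strict=False)
            routes.append(Route(net, gateway, iface, int(metric)))
        except ValueError:
            continue
    return routes


def find_tunnel_leaks(routes: list[Route], vpn_iface: str, vpn_server: str):
    """Return (default_via_vpn, leaks).

    default_via_vpn: the lowest-metric default route egresses on the VPN adapter.
    leaks: routes that send traffic around the tunnel. Entries every full-tunnel
    host legitimately has are ignored: loopback, multicast, on-link /32s for the
    NIC's own and broadcast addresses, and the host route to the VPN server
    itself (the tunnel's outer packets must reach the server somehow).
    """
    server = ipaddress.IPv4Address(vpn_server)
    defaults = [r for r in routes if r.dest.prefixlen == 0]
    best = min(defaults, key=lambda r: r.metric, default=None)
    default_via_vpn = best is not None and best.iface == vpn_iface

    leaks = []
    for r in routes:
        if r.iface == vpn_iface or r.dest.prefixlen == 0:
            continue  # inside the tunnel, or a default route already judged above
        if r.dest.is_loopback or r.dest.is_multicast:
            continue
        if r.dest.prefixlen == 32 and (r.gateway == "On-link" or r.dest.network_address == server):
            continue
        leaks.append(r)
    return default_via_vpn, leaks


def audit(route_print_text: str, vpn_iface: str, vpn_server: str) -> tuple[bool, list[str]]:
    """Convenience wrapper: (default route is via VPN?, list of leaking prefixes)."""
    ok, leaks = find_tunnel_leaks(parse_route_print(route_print_text), vpn_iface, vpn_server)
    return ok, [str(r.dest) for r in leaks]


# Constructed sample: full tunnel. The VPN default (metric 1) beats the
# physical default (metric 25); only the local LAN subnet stays reachable
# outside the tunnel, which the audit reports as a leak.
FULL_TUNNEL_TABLE = """
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.20     25
          0.0.0.0          0.0.0.0         10.8.0.1        10.8.0.2      1
         10.8.0.0    255.255.255.0          On-link         10.8.0.2    257
         10.8.0.2  255.255.255.255          On-link         10.8.0.2    257
        127.0.0.0        255.0.0.0          On-link        127.0.0.1    331
      192.168.1.0    255.255.255.0          On-link     192.168.1.20    281
     192.168.1.20  255.255.255.255          On-link     192.168.1.20    281
    192.168.1.255  255.255.255.255          On-link     192.168.1.20    281
     203.0.113.10  255.255.255.255      192.168.1.1    192.168.1.20     26
        224.0.0.0        240.0.0.0          On-link     192.168.1.20    281
  255.255.255.255  255.255.255.255          On-link     192.168.1.20    281
"""

# Constructed sample: split tunnel. Only 10.0.0.0/8 goes through the VPN;
# the default route still points at the hotspot gateway.
SPLIT_TUNNEL_TABLE = FULL_TUNNEL_TABLE.replace(
    "          0.0.0.0          0.0.0.0         10.8.0.1        10.8.0.2      1",
    "         10.0.0.0        255.0.0.0         10.8.0.1        10.8.0.2      1",
)

if __name__ == "__main__":
    for name, table in (("full tunnel", FULL_TUNNEL_TABLE), ("split tunnel", SPLIT_TUNNEL_TABLE)):
        ok, leaks = audit(table, "10.8.0.2", "203.0.113.10")
        print(f"{name}: default via VPN = {ok}, leaks = {leaks}")
```

The local subnet route is reported deliberately: it is harmless on a home LAN but is exactly the path a hotspot neighbour uses, so a policy that means "all traffic to any destination" should either remove it or accept it knowingly.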
3. Prevent Ad Hoc Connections
According to the statistics we discussed earlier, a majority of Wi-Fi users would be shocked to discover they have engaged in ad hoc peer-to-peer connections. Some ad hoc connections, such as sharing files between colleagues, are intentional, but most are not. According to Phifer, the ubiquitous Windows XP actually promotes ad hoc usage in two ways:
Defaults used by XP's Wireless Zero Configuration (WZC) service allow clients to connect to any available wireless network, ad hoc or access point (AP).
If an XP client has previously associated to an AP with a given network name (SSID), it will try to re-associate to any device advertising that SSID, even an ad hoc peer pretending to be "linksys" or another common home/hotspot SSID.
Phifer believes that the best way to stop ad hoc connections is to reconfigure XP to associate only to Infrastructure Mode SSIDs. For organizations that use Windows Active Directory for laptop/desktop administration, this change can be applied to the WZC-related registry keys using Group Policy Objects. For companies that don't use WZC, third-party Wi-Fi connection manager "policy generation" tools can accomplish the same thing.
4. Control WLAN Associations
According to Phifer, when it comes to finding free Internet access, users can be surprisingly open-minded. Again, common defaults tend to promote association with any SSID, known or otherwise, and worse, connection managers such as WZC do not differentiate between APs advertising the same SSID. This makes it very difficult for users to know whether they've associated with the intended AP or a look-alike AP using the same name.
To keep this from happening, Phifer recommends 802.1X with an Extensible Authentication Protocol (EAP) method that supports mutual authentication, so that when a client associates to the target WLAN it can verify the digital certificate of the RADIUS server behind the AP. Phifer makes it clear that clients should be configured to associate only with known, configured SSIDs and to validate the server's certificate on 802.1X-capable SSIDs. Validation only helps if the profile pins which certificate authority (and which server name) to accept: a client that trusts any certificate will happily authenticate to a rogue AP carrying its own certificate.
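The association policy that sections 3 and 4 describe (infrastructure mode only, configured SSIDs only, and a pinned RADIUS server certificate on 802.1X SSIDs) can be stated as a small decision procedure. The following is an added example, not code from Phifer's article, from WZC or from any connection manager: it models what a hardened client should decide when shown a scan. The SSIDs, BSSIDs, CA fingerprint and server name are constructed, and the `server_ca_fp` / `server_name` fields stand in for the outcome of the X.509 chain check a real PEAP or EAP-TLS exchange performs; a real client does not read them off the air.

```python
"""Client-side Wi-Fi association policy (added example)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ScanResult:
    ssid: str
    bssid: str
    mode: str                          # "infrastructure" or "adhoc"
    auth: str                          # "open", "wpa2-psk" or "wpa2-enterprise"
    server_ca_fp: Optional[str] = None  # CA that issued the RADIUS server cert (802.1X only)
    server_name: Optional[str] = None   # subject name in the RADIUS server cert (802.1X only)


@dataclass(frozen=True)
class Profile:
    ssid: str
    auth: str
    trusted_ca_fp: Optional[str] = None    # pinned CA fingerprint for 802.1X SSIDs
    expected_server: Optional[str] = None  # expected RADIUS server name


def evaluate(profile: Profile, r: ScanResult) -> tuple[bool, str]:
    """Decide whether a scan result matching the profile's SSID may be joined."""
    if r.mode != "infrastructure":
        return False, "ad hoc peer using a known SSID"
    if r.auth != profile.auth:
        return False, "security type differs from profile (possible look-alike AP)"
    if profile.auth == "wpa2-enterprise":
        # The weak setting: a profile that does not validate the server at all.
        if not profile.trusted_ca_fp or not profile.expected_server:
            return False, "profile does not validate the RADIUS server certificate"
        if r.server_ca_fp != profile.trusted_ca_fp:
            return False, "RADIUS server certificate not issued by the trusted CA"
        if r.server_name != profile.expected_server:
            return False, "RADIUS server name does not match the profile"
    return True, "ok"


def choose_network(profiles: list[Profile], scan: list[ScanResult]):
    """Return (first acceptable scan result or None, [(bssid, reason) rejected])."""
    by_ssid = {p.ssid: p for p in profiles}
    rejected = []
    for r in scan:
        p = by_ssid.get(r.ssid)
        if p is None:
            rejected.append((r.bssid, "SSID not configured"))
            continue
        ok, why = evaluate(p, r)
        if ok:
            return r, rejected
        rejected.append((r.bssid, why))
    return None, rejected


# Constructed values for the example.
CORP_CA_FP = "3b:1f:9e:aa:00:5c:77:d2"   # assumed fingerprint of the corporate CA
CORP_PROFILE = Profile("corpnet", "wpa2-enterprise", CORP_CA_FP, "radius.corp.example")
WEAK_PROFILE = Profile("corpnet", "wpa2-enterprise")   # validates nothing

SCAN = [
    ScanResult("linksys", "00:11:22:33:44:01", "adhoc", "open"),
    ScanResult("corpnet", "00:11:22:33:44:02", "adhoc", "open"),
    ScanResult("corpnet", "00:11:22:33:44:03", "infrastructure", "open"),
    ScanResult("corpnet", "00:11:22:33:44:04", "infrastructure", "wpa2-enterprise",
               server_ca_fp="de:ad:be:ef:00:00:00:00", server_name="radius.corp.example"),
    ScanResult("corpnet", "00:11:22:33:44:05", "infrastructure", "wpa2-enterprise",
               server_ca_fp=CORP_CA_FP, server_name="radius.corp.example"),
]

if __name__ == "__main__":
    chosen, rejected = choose_network([CORP_PROFILE], SCAN)
    print("joined:", chosen.bssid if chosen else None)
    for bssid, why in rejected:
        print(f"  rejected {bssid}: {why}")
```

With the pinned profile only the genuine corporate AP is joined; the ad hoc peers, the open look-alike and the rogue 802.1X AP with its own certificate are all refused. With `WEAK_PROFILE` the policy refuses every 802.1X candidate, which is the correct outcome for a profile that cannot tell the real RADIUS server from an impostor.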
5. Deploy Wi-Fi Endpoint Security
Phifer points out that addressing each threat with a separate solution does not provide comprehensive security monitoring or enforcement for Wi-Fi endpoints. To fill that gap, she names several vendors offering host-resident wireless intrusion detection/prevention agents that watch, analyze, and even block Wi-Fi client activities.
Examples include AirTight Networks SAFE, AirDefense Personal, Highwall EndPoint, and Network Chemistry RFprotect Endpoint, which was the data source behind the wireless threat index published by the now defunct Network Chemistry. According to Phifer, some Wi-Fi endpoint agents can be used in standalone mode by individuals and small businesses, while others integrate with enterprise wireless intrusion prevention systems to give a single point of control over on-site and off-site Wi-Fi use.
Handling unsafe Wi-Fi use takes real effort, but it is necessary, and in the long run you'll be glad you took these steps to keep your company's sensitive information safe.
DISCLAIMER: The content provided in this article is not warranted or guaranteed by Developer Shed, Inc. The content provided is intended for entertainment and/or educational purposes in order to introduce to the reader key ideas, concepts, and/or product reviews. As such it is incumbent upon the reader to employ real-world tactics for security and implementation of best practices. We are not liable for any negative consequences that may result from implementing any information covered in our articles or tutorials. If this is a hardware review, it is not recommended to open and/or modify your hardware.