Picture a well-dressed woman standing in your company's lobby, chatting with your receptionist. Now imagine her laptop equipped with wireless sniffer software, sucking up all of your confidential documents and email messages. Or picture an enterprising young man who, just for kicks, has decided to set up on his laptop a rogue DHCP server, which diligently hands out invalid IP addresses to all of your desktop clients. With just a few thousand dollars worth of off-the-shelf computer hardware and software, an intruder can wreak havoc on your wireless network if you haven't taken the appropriate precautions to secure it properly. And after someone has gotten inside your network, you can't do much except unplug your wireless Access Point (AP) and clean up the damage.
Anyone can install wireless APs—even people outside your IT organization. If your organization is large, you might never know that some manager purchased a wireless AP from a discount store and hooked it into the network, just so his employees can wander around the office with their laptops. And this scenario might not even be happening in your building; it might be happening in a remote office, creating a gaping security hole in your organization's network. By nature, APs are a security problem—unless they're still in the box, wrapped in plastic and Styrofoam. However, by using your AP's security capabilities in conjunction with Microsoft Routing and Remote Access Service (RRAS), you can protect yourself from the inherent risks.
Wireless Security with Existing Equipment
You'll find many documents on the Internet about how to secure a wireless network by using nothing more than the equipment that your wireless manufacturer provides. Procedures for doing so vary from manufacturer to manufacturer, but a couple of common techniques are worth mentioning. Primarily, you should consider implementing both Wired Equivalent Privacy (WEP) and authorized media access control (MAC) lists, if your equipment offers these features.
WEP. Wireless networks' built-in encryption capabilities have been broken. Regardless of whether you use 40-bit WEP or 128-bit WEP, an intruder can decode the WEP key that you use for your network. As shocking as that revelation might be, even more shocking is the number of wireless networks that don't even use WEP. During a recent exercise in Washington, DC, I spent a mere 20 minutes worth of scanning for wireless networks and found more than 40 wireless APs, as Figure 1, page 60, shows—and hardly any of them were using encryption. Most people take the time to name their wireless network, simplifying even further the task of determining who's running an open network. I've obscured most of the network names in Figure 1, but 90 percent of the general public would recognize some of the names that I saw. (No, I didn't go past the White House.) If you don't plan to use WEP, you should at least avoid giving your network a descriptive name.
Although WEP has been broken, you can use it as a starting point for your network security to discourage people from attempting to enter your network. Some newer firmware revisions from wireless equipment manufacturers improve WEP security, making your WEP key much more difficult—if not impossible—to decode. So don't forget to upgrade the firmware on all your devices.
Authorized MAC lists. Some wireless APs let you build a table of authorized MAC addresses—the unique fingerprints of wireless NICs—into the AP. If an unauthorized wireless NIC attempts to associate with your wireless AP, the AP rejects it. This extra step takes a bit of effort because you'll need to manually add each card to the authorized MAC table. However, doing so adds an extra layer of security to your wireless implementation.
Security
Wireless networking's core deficiencies are in the areas of authentication and encryption. Wireless APs generally perform very little, if any, user authentication. If a user is within range of your AP and you're not using any type of security, he or she is connected to your network. WEP provides some value but has numerous inherent flaws. So here's a pop quiz: Which type of networking technology can authenticate users coming from an untrusted space and encrypt their communication so that someone listening can't intercept it? The answer is a VPN.
A VPN solves wireless networking's current deficiencies. Granted, getting connected becomes a bit more difficult for your users. But if you've already invested time in building a VPN infrastructure for your mobile users to access your organization's network, installing a VPN to authenticate wireless users is a relatively simple process.
Let's take a look at a fictional corporate network, before and after using a VPN to secure wireless connections. Figure 2 shows a network diagram of a typical wireless implementation, with the wireless AP behind the corporate firewall. Even after you spend tens of thousands of dollars on firewall equipment to keep untrusted connections out of the network, this type of implementation opens up a big hole within the trusted network space. Imagine a bank vault door at your front entrance but a rickety old screen door at your side entrance. Guess which point of entry an intruder will choose?
Figure 3 shows a secure method of implementing a wireless AP: behind a VPN server. This type of implementation provides high security for your wireless network implementation without adding significant overhead for your users. For extra protection, you might try moving the VPN server to sit in front of your firewall, but because APs are typically location-dependent, this approach won't work for everyone.
If you have more than one wireless AP in your organization, I recommend running them all into a common switch, then connecting the VPN server to the same switch. Then, your desktop users won't need to have multiple VPN dial-up connections configured on their desktops. They'll always be authenticating to the same VPN server no matter which wireless AP they've associated with.