Locking down WLANs

By on
Locking down WLANs

If I say the word security to you, what comes to mind? Do you think of the access card keys that allow you into your buildings; firewalls to protect your IT infrastructure; or cameras to monitor facilities? Perhaps you think of how to protect the data on your laptop if it is stolen.

The fact is, the way that companies view security today is rapidly changing. Not only is there a convergence between the physical and electronic infrastructure, there is also an increasing need to ensure that the device itself is safe from theft and data transmitted from it is also secure.

This convergence of physical and electronic security is further complicated by increasingly stringent compliance requirements. When this fact is compounded with the rising use of handheld devices and the countless wireless networks being set up without the knowledge of IT departments, it's easy to comprehend just how complex the security concerns are for all industries.

Wireless LANs (WLANs) are cropping up more and more because they are inexpensive and easy to install. Most companies, however, lack the means to identify if and when an employee installs a wireless router that could potentially make their network vulnerable to intruders. WLAN hacking has become commonplace, as evidenced by new buzzwords such as "war driving" (aka LAN jacking), which amounts to driving around in a car with a Wi-Fi equipped computer to detect wireless network activity ripe with information to hijack. This is similar to using a scanner to detect specific radio signals.

War driving is seen by some as the future of internet computing, the argument being that sharing bandwidth is an extension of wireless commuting. The problem occurs in the need to secure the data on these wireless devices.

So, can companies today ensure that these data and devices are protected?

Fortunately, there are a variety of ways to protect your data from hackers. MAC (Media Access Control) address authentication with optional DHCP (Dynamic Host Configuration Protocol) server settings can enable you to set up a list of allowed addresses that can access your data. IPSEC (IP security) can be used to encrypt traffic over network nodes, reducing the amount of plaintext transmission. WEP (Wired Equivalency Privacy), too, can be enlisted to manage access points, but tends to be weak cryptographically. Of course, WPA (Wi-Fi Protected Access) is more secure than WEP; however, it leverages access points that may require updating your system. Finally, a VPN (Virtual Private Network) is one of the most flexible methods. Because it is more difficult to implement, though, it's generally recommended for larger networks.

These are but a few of the ways to manage your data security. So how then does all of this relate to compliance? There are a number of government-mandated compliance acts around the world. In the U.S., the most worrisome include three big ones.

The Sarbanes-Oxley Act requires chief executives of publicly-traded companies to personally validate the accuracy of financial statements and other information. This law was designed to restore confidence in corporate governance because it ensures that internal controls manage the documentation of information contained in financial statements.

The Gramm-Leach-Bliley Act applies to any company that collects consumer financial data, and mandates that the data be protected via effective internal controls.

The Health Insurance Portability and Accountability Act (HIPAA) was enacted to develop standards for the secure transfer of any patient information. These standards include insurance, identification and health information for individuals.

Security of data is central to each of these government directives. Now that senior executives in companies are personally liable, it is critical that organizations concentrate on the need to keep wireless transmission of this information secure, as well as their internal network managment.

All wireless communication, especially RFID, which is a market in its infancy, needs to be evaluated in companies along with compliancy requirements and an overarching security process.

Ray Cavanagh is president of the Cavanagh Consulting Group, which is based just outside of Boston.

Copyright © SC Magazine, US edition

Most Read Articles

Log In

|  Forgot your password?