Wi-Fi support has made its way into all kinds of consumer devices -- from smartphones to gaming consoles, cameras, DVD players and televisions -- and it is often implemented with native connection sharing capabilities. While great for consumers, this creates security and performance issues when any of these devices end up at work.
This article looks at three of the challenges consumerization presents to IT administrators and identifies some best practices that enterprise teams can implement to mitigate them.
1. Wireless intrusion points: Before wireless commoditization, wireless intrusion points in an enterprise were mostly limited to specific hardware such as wireless bridges and NAT/routers. One had to physically connect such a device to a network to create an intrusion point (the exception being the "soft AP" functionality available with a few add-on Wi-Fi cards on Linux/Windows).
Things have changed dramatically with the virtual Wi-Fi feature introduced in Windows Vista and Windows 7. Now almost any innocuous wireless notebook can become a threat to your security.
With virtual Wi-Fi, it is not only easy to set up a "soft AP" using the built-in Intel Centrino wireless adapter, but it is also possible to run client and AP modes simultaneously. Moreover, free tools such as Connectify enable this configuration in just a couple of clicks.
Virtual Wi-Fi creates a wireless hotspot by "bridging" communication between two wireless interfaces on a host -- one that is used for client operations and the other that is used for AP operations. Note that the AP mode operation is very similar to that of a network address translation (NAT) AP.
Further, insecure Wi-Fi configurations such as Open and WEP are also allowed while creating virtual AP profiles. Thus, unauthorized users (ghost riders) can possibly piggyback behind authorized or guest users in your enterprise. This can pose a serious threat to enterprise security.
Realize that enabling 802.1X port control on your Ethernet ports will not block this threat for the simple reason that there is no unauthorized port to block. Further, network-access control cannot block such devices as they are hidden behind the NAT functionality of your authorized wireless client.
2. Wireless extrusion points: Wireless extrusions occur when an authorized wireless endpoint connects to an unauthorized device (e.g., an access point or a peer client). Wireless extrusions can potentially be exploited to launch man-in-the-middle attacks against the specific client/user. Whether a client is actually vulnerable to such an attack depends on its WLAN profile/configuration. For example, clients probing for any default or hotspot SSIDs are definitely vulnerable.
Several recent smartphone models can act as Wi-Fi hotspots. For example, Palm, Symbian and Sprint EVO devices already support this feature, and hacks are available on the Internet to convert an iPhone into a hotspot. Such smartphones relay data between their Wi-Fi and 3G/4G interfaces. Similarly, SIMFI technology allows pretty much any phone to be converted into a Wi-Fi hotspot.
There are multiple ways to exploit such capabilities. First, employees can use them for communication that violates your security policy (e.g., accessing a forbidden Web site from within the enterprise, or uploading sensitive data while bypassing your corporate firewall). Worse, an attacker can use this feature to turn a phone into a honeypot device, and a mobile honeypot makes it easier to cover more ground and quickly identify vulnerable clients.
Wireless extrusion can also happen via technologies such as Bluetooth as they increase their presence in enterprises. High speed/large range Bluetooth devices as promised by the Bluetooth 4.0 specification are expected to hit the market by the year-end. With more than an estimated 73% of phones supporting Bluetooth by 2012, Bluetooth can be another potential source of significant wireless extrusion.
3. Performance issues: Uncontrolled proliferation of wireless can lead to bizarre availability and performance issues for enterprise Wi-Fi users. Enterprises already face several challenges to ensure reliable WLAN operation, including client configuration/connectivity issues, insufficient capacity, coverage and interference.
Users adding their own APs in a sporadic manner is like pouring oil on the flames. In a spectrum that is already congested, traffic from unmanaged APs can degrade the throughput and latency of your authorized APs. It is hard to provision your WLAN for such sporadic load. Further, any QoS policies you implement can be nullified by unmanaged devices.
Note that relying entirely on self-adjusting WLANs in such a highly dynamic scenario may not be a good idea. It is important to have continuous visibility into your airspace so that you can monitor the "health" of your WLAN and take corrective actions.
So now you know what can go wrong, but what can you do about it? There are certain best practices that enterprises can follow to combat the security and performance issues described.
First, restrict user privileges on notebooks (for example, by not granting administrative privileges) if at all possible. This will help enforce secure policies on endpoints and minimize the chances of users modifying them. Note that such access restriction lacks flexibility and may not be suitable for some enterprises.
Second, install endpoint agents on authorized notebooks and enforce security policies that block certain communication, such as virtual Wi-Fi-based connections, Windows Internet connection sharing (ICS)/bridging and Bluetooth communication. Such endpoint agents have the advantage of also protecting your devices when they operate away from your enterprise.
Third, audit the configuration of your enterprise wireless clients on a regular basis and ensure that they do not probe for vulnerable SSIDs (e.g., default SSIDs, hotspot SSIDs).
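As an added example (not from the article and not an AirTight tool), the following PowerShell script audits a single Windows 7 notebook against the second and third practices: it checks that the virtual Wi-Fi hosted network is disallowed, looks for a network bridge, and exports the saved WLAN profiles with netsh to flag Open/WEP profiles and profiles that auto-connect to default/hotspot or non-broadcast SSIDs. The risky-SSID list is a placeholder assumption to be replaced with your own.

```powershell
# Added audit script, not from the article. Run from an elevated PowerShell prompt
# on a Windows 7 (or later) client with the native WLAN service.
# Assumption: $riskySsids is a placeholder; list the default/hotspot SSIDs you care about.
$riskySsids = @('linksys', 'default', 'NETGEAR', 'Free Public WiFi', 'attwifi')

# 1. Virtual Wi-Fi: the hosted network should be disallowed, not merely stopped.
$hosted = netsh wlan show hostednetwork
$mode   = ($hosted | Select-String '^\s*Mode\s*:\s*(\S+)').Matches[0].Groups[1].Value
$status = ($hosted | Select-String '^\s*Status\s*:\s*(.+)$').Matches[0].Groups[1].Value
if ($mode -ne 'Disallowed') {
    Write-Warning "Hosted network mode is '$mode' (status: $status). Fix: netsh wlan set hostednetwork mode=disallow"
}

# 2. Bridging: Windows exposes a configured network bridge as a 'MAC Bridge Miniport' adapter.
$bridge = Get-WmiObject -Class Win32_NetworkAdapter -Filter "Name LIKE '%MAC Bridge Miniport%'"
if ($bridge) { Write-Warning "A network bridge is configured on this host." }

# 3. Client profiles: export every saved WLAN profile as XML and inspect each one.
$outDir = Join-Path $env:TEMP 'wlan-audit'
New-Item -ItemType Directory -Force -Path $outDir | Out-Null
netsh wlan export profile folder="$outDir" | Out-Null

foreach ($file in Get-ChildItem -Path $outDir -Filter '*.xml') {
    $p      = ([xml](Get-Content -Path $file.FullName)).WLANProfile
    $ssid   = $p.SSIDConfig.SSID.name
    $auth   = $p.MSM.security.authEncryption.authentication   # open, shared, WPAPSK, WPA2PSK, ...
    $enc    = $p.MSM.security.authEncryption.encryption       # none, WEP, TKIP, AES
    $auto   = $p.connectionMode -eq 'auto'
    $hidden = $p.SSIDConfig.nonBroadcast -eq 'true'

    $reasons = @()
    if ($auth -eq 'open' -or $enc -eq 'WEP') { $reasons += "weak security ($auth/$enc)" }
    if ($auto -and ($riskySsids -contains $ssid)) { $reasons += 'auto-connects to a default/hotspot SSID' }
    # A non-broadcast, auto-connect profile makes the client probe for that SSID by name wherever it roams.
    if ($auto -and $hidden) { $reasons += 'auto-connect to a non-broadcast SSID (client probes actively)' }

    if ($reasons) { Write-Warning ("Profile '{0}': {1}" -f $ssid, ($reasons -join '; ')) }
}
Remove-Item -Path $outDir -Recurse -Force
```

Each warning names the profile or setting to remediate; a clean run prints nothing.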
Finally, employ over-the-air monitoring tools to scan your airwaves for wireless security and performance issues. Scanning can be done manually using hand-held tools or automated via wireless IPS-based solutions.
Wireless security and performance issues are, by their very nature, transient. Hence, a cumbersome manual scanning exercise may not be sufficient. Although automated solutions may require more capital upfront, they can reduce overall operational expenses by providing reliable, 24x7 monitoring of your enterprise airspace.
The lesson: implementing multiple layers of defense is your best bet against wireless security and performance issues.
AirTight Networks specializes in wireless security and performance management. It provides customers cutting-edge wireless intrusion detection and prevention (WIPS) solutions to automatically detect, classify, block and locate current and emerging wireless threats.