By Jillian Ruffino
Published in the November 2007 issue of Today’s Facility Manager
Facility managers think a lot about protection. Access control, surveillance, and other physical security measures have made it possible for facility professionals to sleep soundly at night.
But, in some cases, the “bad guys” may be immune to these barriers. What if they could simply walk through the walls of a facility and gather data? What if an organization’s information were floating in the air, accessible to anybody with a few simple software tools?
This is the perception that is common among facility managers about wireless technology, and it is not entirely inaccurate. Amit Sinha is the chief technology officer for Atlanta, GA-based AirDefense, a company that provides wireless security and monitoring. He explains, “With wireless networks, the whole notion of a physical perimeter guarding your network is completely decimated. In the days of wired networking, facilities had Category 5 cables that ran inside buildings, and traffic between internal, trusted networks and the external Internet was policed from that well defined choke point. Now, wireless clients are broadcasting in a shared medium and the frames they are transmitting can be sniffed by people outside the perimeter.”
Sinha outlines the dangers that facilities face when they incorporate wireless networks into their operations. In one scenario, a person can be outside of a facility and discover open or misconfigured wireless devices. This can be done with the aforementioned “sniffer,” a program that monitors and analyzes network traffic. A sniffer can be used to capture data being transmitted on a network.
Another danger is “masquerading,” the process of using an “evil twin.” An evil twin is a rogue wireless access point that pretends it is a legitimate member of the wireless network. To appear valid, the bogus network is given a name similar to that of the legitimate network. There are free software (freeware) tools available that can be used to set up evil twins.
Opines Sinha, “This is the most serious protocol level vulnerability from a wireless security perspective. A lot of the management and control frames within Wi-Fi networks are not authenticated.”
Wireless technology can also make wired connections less secure. This may leave a facility vulnerable to “insertion.” An outsider may be privy to multicast and broadcast frames flowing on the internal wired network and leaking over the Wi-Fi interface. This person can then capture those frames, do whatever he or she pleases with them, and insert them back onto the wired network.
Wireless networks, however, do not need to be left vulnerable to these types of attacks. Chris Kozup is the senior manager, mobility for Cisco, headquartered in San Jose, CA. He is a firm believer in wireless technology, but he warns, “The wireless environment is an asset that a business owns and must manage. If an organization does not actively own and manage that asset, it will have problems.”
Securing Wireless Networks
What can facility managers do to ensure their wireless networks are safe? Sinha offers the following advice: “Security best practices always mandate that facility professionals use a layered approach to security.”
The first layer in Sinha’s approach is to create a secure infrastructure. “Use access points that support high security,” he counsels, “which would be WPA2 enterprise that uses 802.11 based authentication and AES256 bit encryption.”
The second step is to monitor air space 24 hours a day, seven days a week. Cisco’s Unified Wireless Network is one solution that is capable of accomplishing this.
“In addition to having core security measures,” explains Kozup, “all of our access points have the ability to scan the radio frequency environment, and when someone does bring in a rogue access point, our access point will detect that through the air. In the past, facilities didn’t know what was happening in the radio frequency environment, but now not only do we ensure that we have robust security for the traffic that is authorized, we also have sensing, monitoring, and analysis capabilities to understand and have visibility into that wireless medium continuously.”
AirDefense offers Enterprise, a wireless intrusion prevention system. This product complements encryption and authentication protocols and eliminates rogue devices, making sure there are no unauthorized devices connecting to a facility’s network. It can detect over 200 different types of attacks and policy violations. Enterprise also features over the air termination techniques as well as over the wire suppression techniques to block out intrusion attempts and rogue devices trying to connect both to wireless and wired networks.
Sinha also stresses the need for forensic tools. “Enterprise has sensors that monitor the radio frequency space and log everything into the server to create a forensic database storing months of information. It logs 300 different statistics for every wireless device that enters the airspace on a minute to minute basis,” he explains.
In Wireless We Trust?
Many are still dubious, however, about their facility’s ability to guard against the dangers that wireless presents. Kozup, on the other hand, is quite confident about wireless technology. He says, “We have many customers who use wireless networks as the basis for mission critical applications. This technology has passed the stage of early adopter emerging technology and has become a mature, stable technology that businesses use on a daily basis.”
Kozup believes that early experiences with wireless may have tainted facility managers’ views of this type of network. The initial encryption mechanism included with Wi-Fi was WEP. “The problem with WEP,” as Kozup explains, “was that companies often didn’t take the time to turn that feature on. The second problem, which we discovered back in 2001, was that the protocol itself was flawed.
What is happening since then is that hackers and different entities have developed increasingly fast ways of cracking that WEP protocol.”
These early problems, Kozup asserts, led many organizations to slow down their deployments of wireless LANs. In response, he continues, “Cisco, in conjunction with other leading manufacturers (like Intel), worked aggressively in the industry standards bodies to deliver 802.11i. What this provided was a robust framework not only for encryption, but also for authentication.”
In other words, 802.11i, which was implemented in the form of WPA2, not only secures and encrypts packets of data sent through the air from a laptop to an access point, but the access point must also verify who the user is before granting access.
“So,” says Kozup, “we now have the tools to have a great level of confidence in the security of wireless systems. The encryption algorithm used as part of WPA is called AES, which is generally accepted as being the most robust encryption algorithm commercially available.”
Kozup encourages facility managers to communicate with IT departments to get a better understanding of wireless possibilities.
A Wireless Tomorrow
The wireless industry is currently in transition. It is moving toward a new standard, dubbed 802.11n. This development will provide several benefits. Kozup explains, “This next generation of Wi-Fi will deliver much greater throughput and reliability. With it, it is possible to have speeds approaching 600 mega bits from a single access point; wireless will start to be on par with wired throughput.”
With 802.11n, the reliability of wireless systems may also start to approach that of wired technology [for more on this subject, see “The Wireless Facility… Inside And Out,” by Tom Condon, September 2007].
Looking ahead, Kozup envisions the use of dual mode devices which connect users to Wi-Fi networks when they are in facilities and switch to cellular when they are not.
Ultimately, wired and wireless will unite. Most businesses are likely to have an integration of these two technologies, with systems throughout the facility using both and facilities working with IT departments to manage them as a single system.
When it comes to the security of wireless networks in the days to come, Sinha says, “It’s a cat and mouse game. Hackers will keep trying to break wireless protocols and new protocols will emerge.”
Ensuring the security of wireless networks is a constantly evolving practice. While many facility managers are still cautious when it comes to this technology, it should be seriously considered.
This article was based on interviews with Kozup and Sinha.