Quocirca's Straight Talking: Get smart about wireless security

Companies are going ahead with wireless deployments, despite concerns over speed and security. There's not much to do about the former, but Quocirca's Dale Vile has some advice for safeguarding wireless networks.

Everybody is now into wireless - well not quite, but in a study recently completed by Quocirca, we estimated that just over half of European corporates have at least one wireless pilot or rollout on the go aimed at providing remote access to business systems.

What's interesting when we conduct research in this space is that despite the significant investments in wireless that companies are making or planning, two issues are always highlighted as limiting factors.

The first is connection speed, which is understandable given that the laptop is still regarded as the most important mobile device and GPRS, the only pervasive wireless network, is even slower than the average dial-up connection. 3G and Wi-Fi hot spots will ultimately help here when they achieve reasonable levels of coverage, but for the time being, there is not a great deal that can be done about this issue.

The second limiting factor is uncertainty about security. Again, this is not surprising, as protecting the corporate network from attacks over the traditional wired internet is still an ongoing challenge. As soon as we add wireless into the mix, especially when public IP networks are involved, the vulnerabilities multiply. IT and communications managers are therefore quite right to be especially mindful of the security implications of wireless access.

But clearly these issues are not stopping people from going wireless. Of the 200 adopters of wireless technology we spoke to in our most recent research (conducted April/May 2004), over 60 per cent of them had rolled out at least two projects. Some had even rolled out five or more. We are therefore seeing not just initial investment taking place, but incremental investment, suggesting that many are overcoming their concerns enough to keep moving forward.

An important clue here lies with the initial focus on the laptop or notebook PC. Many IT departments have already put a lot of thought and effort into how best to secure and protect this type of device when users are on the road. Of course 100 per cent security is pretty near impossible to achieve, especially when flesh and blood users are involved in the equation. But taking the laptop away from users is not an option, so the sensible approach has been to do the best you can through a combination of policy and technology. In terms of technology, common measures have included antivirus, personal firewall, VPN and various forms of authentication tools.

Indeed those who have implemented such a comprehensive approach generally tell us that their existing measures and policies for protecting laptops and notebooks are "definitely" or "probably" adequate for dealing with wireless access. Some network infrastructure and security vendors have pointed out, however, the problems of ensuring that antivirus signatures are kept up to date, that systems software is at the appropriate release level and that personal firewalls have not been opened up too much either deliberately or inadvertently by the user.

The concept of authenticating the integrity of the device as well as the user ID during connection has therefore emerged, the idea being that users are placed into quarantine if their machine is not up to spec.

Solutions for managing security policy enforcement in this way and implementing staged access to the network rather than the traditional "all or nothing" approach to connection are emerging from the likes of Cisco, 3Com, NAI, Symantec and Microsoft. Some vendors are even extending the idea to allow enforcement of more business-oriented policy through the same mechanism, e.g. making sure the sales person's price list is current as part of the overall validation and update process.

The challenge for some is that the approach to security we have described is representative of a new way of thinking, with the underlying assumption being that proliferation of wireless means networks are becoming "always open" in a physical sense. The emphasis, therefore, needs to be on smart logical security. We only need think of the problems associated with rogue wireless access points deployed unofficially and insecurely by users to appreciate the reasoning behind this view. To varying degrees, Wi-Fi hotspots, GPRS networks and other essentially open IP networks to which the user might connect can lead to similar exposures.

As with laptops and notebooks themselves, however, telling users they cannot take advantage of wireless is not an option as the productivity benefits are so great. Ensuring that the combination of written policy and clever technology is in place to minimise the exposure, therefore, is the only way forward as many have already acknowledged. The risks are then manageable.

A slightly trickier question is the one relating to PDA and mobile phone security, which is less of a known quantity to most IT departments. Some of the fundamental issues and solutions are the same as for laptops, e.g. a similar approach to authenticating users and encrypting connections can be taken. But what about direct attacks on the device itself? Does a Pocket PC or smartphone need a firewall? What about antivirus software?

In theory, any programmable device regardless of its size can be targeted with viruses and other sorts of malicious attacks. In practical terms, though, the actual threat for mobile phones and handheld computers is likely to be negligible at the moment because there are not high enough numbers out there of any single type of small form-factor device to make it worthwhile for the 'bad guys' to pay them significant attention. As the industry moves towards standardised platforms such as Symbian and Microsoft, this could change, but the security vendors are onto this already and are developing specific client-side protection for the devices most likely to reach critical mass first.

In the meantime, the most sensible approach to mobile security is the best approach to security in general. Try to understand the likely risks and take reasonable measures to deal with them. In the short term, for example, there is probably a greater risk of a user losing a PDA or having it stolen than someone or something hacking into it. Focussing on the practical rather than theoretical is the smart way forward.

The broader wireless research referred to in this article will shortly be available as a free-of-charge report. Please visit www.quocirca.com to register your interest in receiving a copy once it is available.