June 08, 2009

Reflecting on Wireless Security


As we gear up for Cisco Live! 2009 in San Francisco, I’ve been thinking back to some of the other shows I’ve attended over the past couple of months.  In April, I had the opportunity to visit the RSA Conference 2009, where Cisco gave attendees visiting RSA’s booth a sneak peek of the integration between RSA enVision and Cisco’s Context-Aware mobility service.  And at the Cisco Networkers Solutions Forum in Toronto, I had the honor of leading two sessions, one on strategies for 802.11n deployment and one on mobility services.  On both occasions I had the pleasure of interacting with a number of customers, and the same question came up: “Why do I need to worry about RF security if I don’t have a production wireless network?” 

When asked that question, I generally respond by asking how the organization enforces its “no wireless” policy, not just against rogue access points but against other forms of unauthorized wireless access as well.  Generally, organizations admit that while the policy is in place, it has little teeth in terms of enforcement.

Clearly, organizations that have a wireless network need to be concerned about how they secure it.  But in the same way that organizations deploy monitoring at the network perimeter to protect the corporate network from the WAN, organizations need to monitor the RF environment, through solutions like wireless IPS, regardless of whether they have a wireless network deployed.  Many know that rogue access points, whether installed for malicious purposes or by an employee trying to obtain wireless access, pose a serious threat: they provide unsecured access into the corporate network from areas outside the building or campus.  But while rogue access points are a well-known threat, ad-hoc networks can pose a significant threat as well.  In this case a client PC uses its own wireless card to advertise a peer-to-peer (IBSS) network that other clients can join directly, with no access point involved.  This can present an insecure back door into the client PC or, if that PC is also plugged into the wired network, into the broader corporate network.  Those who have seen the wireless network name “Free WiFi Internet” in airports or even on planes have seen this concept at work.  Scanning the wired network may detect threats like rogue access points, because a rogue access point is plugged into a switch port; an ad-hoc network advertised by a client device never shows up on the wire as a distinct device, so only scanning the RF environment itself can uncover it.
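To make the rogue-versus-ad-hoc distinction concrete, here is an added example (not code from the original post or from Cisco) of the classification an RF monitor performs on every beacon it hears. It parses raw 802.11 beacon frames, reads the Capability Information field (the ESS bit is set by access points, the IBSS bit by stations advertising an ad-hoc network), checks the Privacy bit, and then compares the BSSID against an allowlist of authorized access points. The beacon frames, the BSSIDs and the allowlist are constructed for this example and are not real data.

```python
"""Classify 802.11 beacons as infrastructure or ad-hoc and flag unauthorized ones.

Added example; the sample frames, BSSIDs and the authorized list are made up.
"""
import struct

# Capability Information bits (IEEE 802.11-2007, clause 7.3.1.4)
CAP_ESS = 0x0001      # set by an access point (infrastructure BSS)
CAP_IBSS = 0x0002     # set by a station beaconing an ad-hoc (independent) BSS
CAP_PRIVACY = 0x0010  # data confidentiality (WEP/WPA/WPA2) required

# Assumed corporate access points (hypothetical addresses)
AUTHORIZED_BSSIDS = {"00:1a:2b:3c:4d:01"}


def parse_beacon(frame: bytes) -> dict:
    """Parse a raw 802.11 beacon (no radiotap header) into its key fields."""
    # Management header: FC(2) Duration(2) Addr1(6) Addr2(6) Addr3(6) SeqCtl(2) = 24 bytes
    fc, _dur, _addr1, _addr2, addr3, _seq = struct.unpack_from("<HH6s6s6sH", frame, 0)
    ftype = (fc >> 2) & 0x3
    subtype = (fc >> 4) & 0xF
    if ftype != 0 or subtype != 8:
        raise ValueError("not a beacon frame")
    # Fixed fields: Timestamp(8) Beacon Interval(2) Capability(2) = 12 bytes
    _ts, _interval, cap = struct.unpack_from("<QHH", frame, 24)
    # Tagged parameters follow; element ID 0 carries the SSID
    ssid = None
    off = 36
    while off + 2 <= len(frame):
        tag, length = frame[off], frame[off + 1]
        body = frame[off + 2: off + 2 + length]
        if tag == 0:
            ssid = body.decode("utf-8", errors="replace")
        off += 2 + length
    if cap & CAP_IBSS:
        mode = "ad-hoc"          # Addr3 is then a locally generated IBSS ID, not an AP
    elif cap & CAP_ESS:
        mode = "infrastructure"
    else:
        mode = "unknown"
    return {
        "bssid": addr3.hex(":"),
        "ssid": ssid,
        "mode": mode,
        "encrypted": bool(cap & CAP_PRIVACY),
    }


def audit(frames, authorized=AUTHORIZED_BSSIDS):
    """Return (verdict, fields) for each beacon: OK, ROGUE-AP or AD-HOC."""
    findings = []
    for frame in frames:
        b = parse_beacon(frame)
        if b["mode"] == "ad-hoc":
            # A client beaconing an IBSS is never an authorized AP; a wired
            # scan cannot see this, only an RF sensor can.
            findings.append(("AD-HOC", b))
        elif b["bssid"] not in authorized:
            findings.append(("ROGUE-AP", b))
        else:
            findings.append(("OK", b))
    return findings


def build_beacon(bssid: bytes, ssid: str, cap: int) -> bytes:
    """Construct a minimal beacon frame; used only to make the sample input."""
    hdr = struct.pack("<HH6s6s6sH", 0x0080, 0, b"\xff" * 6, bssid, bssid, 0)
    fixed = struct.pack("<QHH", 0, 100, cap)
    ssid_tag = bytes([0, len(ssid)]) + ssid.encode()
    return hdr + fixed + ssid_tag


def sample_frames():
    """Three constructed beacons: a corporate AP, a rogue open AP, and an ad-hoc client."""
    return [
        build_beacon(bytes.fromhex("001a2b3c4d01"), "CorpWLAN", CAP_ESS | CAP_PRIVACY),
        build_beacon(bytes.fromhex("00dead000001"), "linksys", CAP_ESS),
        build_beacon(bytes.fromhex("027f00000001"), "Free WiFi Internet", CAP_IBSS),
    ]


if __name__ == "__main__":
    for verdict, b in audit(sample_frames()):
        print(f"{verdict:9} {b['bssid']}  {b['ssid']!r}  {b['mode']}  encrypted={b['encrypted']}")
```

The point the example makes: the rogue AP and the ad-hoc client are both open, but only the rogue AP has a MAC address that a wired-side scan of switch ports could ever find; the IBSS beacon exists solely in the RF domain. A real deployment would feed this logic from monitor-mode captures and would also correlate the rogue AP's BSSID to a wired port to decide whether it is actually on the corporate LAN.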

Recognizing that the RF medium poses its own security challenges irrespective of a production wireless network, compliance frameworks like the Payment Card Industry’s Data Security Standard (PCI DSS, Requirement 11.1) require scanning for wireless devices.  This scanning is required regardless of whether there is a production wireless network in place.  Two of the options for fulfilling the requirement are to conduct quarterly scans with a wireless analyzer or to use a wireless intrusion prevention system to provide full-time, proactive scanning.  My colleague, Dimitris Haramoglis, has done an excellent job outlining why proactive scanning is both the technologically and financially superior method for wireless threat detection.

Organizations that have a “no wireless” policy need to realize that such a policy must be enforced through proactive monitoring of the RF environment.  An advantage of Cisco’s approach to wireless intrusion prevention is that in laying the groundwork to monitor the RF environment, the organization also lays the groundwork to deliver enterprise mobility connectivity should its policy change.  Without monitoring of the RF environment, a policy that was intended to provide a stronger security posture may, in fact, leave the organization vulnerable.

Posted by Sean Ginevan at 03:46PM PST


4 Comments

Reggie Jun 21, 2009

Oh so true! Having a WIPS is CRITICAL, with new devices such as Sprint’s and Verizon’s MiFi devices.
The backdoor is more and more available for open networks, with users having their shared drives and folders available to the nefarious networker.

Martin Voelk Jun 25, 2009

Hi Sean,
do you think Cranite Fortress is dead? What may be Cisco’s strategy on Layer 2 hardware encryption? Is Cranite pass-thru still supported?

Cheers
Martin Voelk - CCIE 13708

Sean Ginevan Jun 25, 2009

Reggie,

Yes, there are clearly more infrastructure-like devices entering the same RF space as Wi-Fi networks.  So it will be increasingly important for organizations to be aware of, monitor and secure their RF environment regardless of whether there is a production WLAN environment.

Sean Ginevan Jun 25, 2009

Martin,

Cisco’s current recommendation for securing WLAN links is to migrate to 802.11i / WPA2 for the greatest level of security.  This provides robust encryption between a WLAN client and the access point it is connected to.
