Whenever you communicate over the Internet using a wired or wireless connection, you may want to ensure that your communications and files are private and protected. If your transmissions are not secure, you run the risk of others intercepting your business e-mail, examining your corporate files and records, and using your network and Internet connection to distribute their own messages and communications.

How secure you want your network to be depends on how you use the Net. If you are just surfing to do research or watch movies, you may not care if someone picks up part of the transmission, but that is up to you. Even if you are shopping and purchasing items over the Net, those financial transactions are usually protected by a technology called Secure Sockets Layer (SSL), which encrypts the connection between your browser and the merchant's web server regardless of what network you are on. However, if your data is confidential or if you want additional security, there are several different technologies you might consider implementing. Remember, security is a personal decision, and we encourage you to use at least some level of security as a deterrent to intrusion.
In a home wireless network, you can use a variety of simple security procedures to protect your Wi-Fi® connection. These include enabling Wi-Fi Protected Access (WPA or WPA2), changing the default password and network name (SSID), and closing your network by turning off SSID broadcast so that the access point does not advertise itself. Keep in mind that a hidden or renamed SSID only deters casual discovery; it is not a substitute for encryption. You can also employ additional, more sophisticated technologies and techniques to further secure your business network.
For more information
on implementing security techniques, see
Securing The Network.
WPA and other wireless encryption methods operate strictly between your Wi-Fi enabled computer and your Wi-Fi CERTIFIED™ access point. Once data reaches the access point or gateway it is decrypted, and it travels unprotected across the public Internet to its destination unless it is also encrypted end to end at the source, for example with SSL when purchasing on the Internet or with a VPN. So while WPA protects you from intruders on the wireless link, you may want to implement additional techniques to protect your transmissions when you use public networks and the Internet. Several technologies are available, but currently a VPN works best.
WPA2 (Wi-Fi Protected Access 2) provides network administrators with a high level of assurance that only authorized users can access the network. Based on the ratified IEEE 802.11i standard, WPA2 provides government grade security by implementing the AES encryption algorithm (NIST FIPS 197, used in CCMP mode), the cipher that can be validated under NIST FIPS 140-2. WPA2 can be enabled in two versions, WPA2-Personal and WPA2-Enterprise. WPA2-Personal protects against unauthorized network access with a pre-shared passphrase configured on the access point and on every client; the passphrase should be long and random, because anyone who captures a client's handshake can test guesses against it offline. WPA2-Enterprise verifies each user individually through an authentication server (IEEE 802.1X with RADIUS), so no shared secret has to be handed to every client. WPA2 is backward compatible with WPA: an access point can run in a mixed mode that admits both WPA (TKIP) and WPA2 (AES) clients, at the cost of keeping the weaker cipher in use.
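The following is an added example, not code from the original page or from the Wi-Fi Alliance. It shows how a WPA2-Personal passphrase is turned into the 256-bit Pre-Shared Key (PSK) that the access point and client actually use, as IEEE 802.11i specifies (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 32-byte output), and why a weak passphrase can be recovered offline. The candidate passphrases in `offline_guess` are constructed for illustration; the known-answer value `password`/`IEEE` is the published 802.11i test vector.

```python
# Added example (not from the original page): how a WPA2-Personal passphrase
# becomes the 256-bit Pre-Shared Key (PSK), as IEEE 802.11i specifies:
# PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations, 32-byte output.
# The candidate list used by offline_guess is constructed for illustration.
import hashlib
import hmac
import re
from typing import Iterable, Optional


def wpa2_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the PSK. The SSID acts as the salt, so the same passphrase on two
    differently named networks yields two different keys."""
    if not 8 <= len(passphrase) <= 63 or not re.fullmatch(r"[\x20-\x7e]+", passphrase):
        raise ValueError("passphrase must be 8 to 63 printable ASCII characters")
    if not 1 <= len(ssid.encode()) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def offline_guess(target_psk: bytes, ssid: str, candidates: Iterable[str]) -> Optional[str]:
    """What an attacker holding a captured 4-way handshake does: derive the PSK
    for each guessed passphrase and test it. Here the test is simplified to a
    comparison with a known PSK; a real cracker derives the session keys and
    checks the handshake's MIC instead, but the cost per guess is the same
    4096 HMAC rounds, which slow a dictionary attack down without stopping it."""
    for guess in candidates:
        try:
            if hmac.compare_digest(wpa2_psk(guess, ssid), target_psk):
                return guess
        except ValueError:
            continue  # guesses outside the legal passphrase length cannot be right
    return None
```

The lesson for WPA2-Personal is in the second function: the PSK never changes until someone edits the passphrase on every device, and the only thing standing between a captured handshake and the key is how hard the passphrase is to guess.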
WPA is a powerful, standards-based, interoperable security technology for Wi-Fi networks. It provides strong data protection by using encryption as well as strong access controls and user authentication. WPA can be enabled in two versions, WPA-Personal and WPA-Enterprise. WPA-Personal protects against unauthorized network access with a pre-shared passphrase; WPA-Enterprise verifies network users through an authentication server. WPA uses the Temporal Key Integrity Protocol (TKIP), with 128-bit encryption keys that are mixed per packet and dynamic session keys, to ensure your wireless network's privacy and enterprise security. TKIP was designed as an interim upgrade that could run on hardware built for WEP; where your equipment supports WPA2 and its AES cipher, prefer that.
Most major corporations today use a VPN to protect their remote-access workers and their connections. It works by creating a secure virtual "tunnel" from the end-user's computer, through the end-user's access point or gateway and across the Internet, all the way to the corporation's servers and systems. It works equally well over wireless networks and can effectively protect transmissions from Wi-Fi equipped computers to corporate servers and systems.

Most corporate IT departments are already skilled with VPNs and can modify existing systems to support Wi-Fi networks. A VPN works through a VPN server, typically at company headquarters, which negotiates an encryption scheme for data transferred to computers outside the corporate offices. The VPN client software on the remote computer or laptop uses the same scheme, so data is encrypted before it leaves the machine and stays encrypted until it reaches the VPN server; anyone intercepting it on the wireless link or on the Internet sees only ciphertext.
IT managers can set up a VPN to support mobile professionals communicating from airports or hotels and telecommuters working from home, as well as wireless and wired computers located inside the company facility.

At the corporate location, companies can provide security and still allow open access to the Internet and e-mail for guests by giving individuals who need to access the network different levels of access. Visitors to the company, as well as mobile workers, can still have unfettered access to the Internet and use standard e-mail protocols. However, VPN access, which enables access to the corporate network, corporate e-mail and communications systems, is provided only to those who have been given authorization.
There are many different types and levels of VPN technology, some of which are very expensive and include both hardware and software components. However, Microsoft provides a basic but free VPN server (Routing and Remote Access) with its server operating systems. For more information, check out Microsoft's VPN Overview.
Firewalls can make your network appear invisible to the Internet, and they can block unauthorized and unwanted users from accessing your files and systems. Hardware and software firewall systems monitor and control the flow of data in and out of computers in wired and wireless enterprise, business and home networks. They can be set to intercept, analyze and stop a wide range of Internet intruders.

Like VPNs, there are many types and levels of firewall technology. Many firewall solutions are software only; many are hardware and software combinations. Some Wi-Fi gateways and access points provide a built-in firewall capability. Even if they don't, most Wi-Fi gateways include NAT routing, which acts like a basic firewall: an unsolicited connection arriving from the Internet has no inside host to be forwarded to, so the networked computers and their data are invisible to simple scans and probes. Note that NAT only blocks unsolicited inbound traffic. It does nothing about outbound connections made by malicious software already on a computer, and nothing about an attacker who has joined the wireless network and is sitting inside the NAT boundary with everyone else.
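To make the "acts like a basic firewall" claim concrete, here is an added example (not code from the original page or from any gateway vendor) of the stateful filtering rule a home gateway applies: traffic that a machine on the inside started is allowed back in, everything else from the Internet is dropped unless a port has been deliberately opened. The addresses, the inside prefix `192.168.1.` and the packets are all constructed for illustration.

```python
# Added example (not from the original page): a minimal stateful packet filter
# showing why NAT-style "only replies get in" protection hides hosts from
# probes, and where it stops. Packets are constructed, not captured traffic.
from dataclasses import dataclass
from typing import Iterable, Set, Tuple

LAN_PREFIX = "192.168.1."  # assumed inside network for this example


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFilter:
    def __init__(self, inbound_allow: Iterable[Tuple[str, int]] = ()) -> None:
        self.inbound_allow = set(inbound_allow)  # explicit port-forward rules
        self.state: Set[Tuple[str, str, int, str, int]] = set()  # flows opened from inside

    @staticmethod
    def _inside(ip: str) -> bool:
        return ip.startswith(LAN_PREFIX)

    def decide(self, p: Packet) -> str:
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        if self._inside(p.src) and not self._inside(p.dst):
            self.state.add(key)           # remember the outbound flow
            return "accept"
        if not self._inside(p.src) and self._inside(p.dst):
            if reverse in self.state:
                return "accept"           # reply to something an inside host started
            if (p.proto, p.dport) in self.inbound_allow:
                return "accept"           # a service deliberately exposed
            return "drop"                 # unsolicited: the inside host appears not to exist
        # Inside-to-inside traffic never crosses the gateway, so the gateway
        # filter cannot protect one LAN host from another on the same Wi-Fi.
        return "accept"
```

The last branch is the caveat from the paragraph above in code form: a NAT gateway does nothing for traffic between two clients on the same wireless network, which is why link-layer encryption and per-host firewalls still matter.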
Every Wi-Fi radio, like any IEEE 802 network interface, has a unique Media Access Control (MAC) address assigned by the manufacturer. To increase wireless network security, an IT manager can program a corporate Wi-Fi access point to accept only certain MAC addresses and reject all others. The MAC control table thus created works like "call blocking" on a telephone: if a computer with an unknown MAC address tries to connect, the access point will not allow it. Programming all the authorized users' MAC addresses into all the company's access points can be an arduous and time-consuming task for a large organization, but for the home technology enthusiast it is quite manageable.

However, MAC addresses are sent in the clear in every frame, so a dedicated attacker can "spoof" one: sniff the addresses of valid clients and reconfigure his or her own adapter to use one of them. Because of this, MAC filtering on a small network is best seen as a way to keep casual or accidental connections out, not as protection against a determined intruder; combine it with WPA or WPA2 encryption rather than relying on it alone.
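As an added example (not code from the original page or from any access point firmware), the check below is the allowlist lookup a MAC filter performs, together with the one hint a MAC address carries about its own origin: the locally administered bit in the first octet, which vendor-assigned addresses have clear and software-assigned ones have set. All addresses used are constructed for illustration.

```python
# Added example (not from the original page): a MAC allowlist check of the kind
# an access point applies, plus the one hint a MAC address itself gives that it
# may have been set in software. Addresses here are constructed, not real.
import re
from typing import Iterable


def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabb.ccdd.eeff and return
    the lowercase colon form, so the same device is never listed twice."""
    digits = re.sub(r"[:\-.\s]", "", mac.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet set means the address was not burned in by the
    manufacturer: it was assigned by an administrator, by MAC randomisation, or
    by someone spoofing. A vendor-assigned (universal) address has the bit clear."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)


class MacFilter:
    def __init__(self, allowed: Iterable[str]) -> None:
        self.allowed = {normalize_mac(m) for m in allowed}

    def decide(self, client_mac: str) -> str:
        """'reject' for unlisted addresses; 'allow' for listed ones, with ':flag'
        appended when the address looks software-assigned, which is worth
        logging even though it does not prove spoofing."""
        mac = normalize_mac(client_mac)
        if mac not in self.allowed:
            return "reject"
        return "allow:flag" if is_locally_administered(mac) else "allow"
```

An attacker who copies a listed vendor-assigned address raises no flag at all, which is exactly the limitation the paragraph above describes; the check is useful for spotting mistakes and casual tampering, not a determined intruder.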
RADIUS (Remote Authentication Dial-In User Service) is another standard technology that is already in use by many major corporations to protect access to wireless networks. RADIUS is an authentication, authorization and accounting protocol: the access point forwards a user's credentials (a user name and password, or with 802.1X/EAP a certificate or other credential) to a RADIUS server, which decides whether to admit the user. RADIUS itself does not encrypt the user's data traffic. The first time a user wants access to the network, secure files or net locations, he or she must submit a name and password, which are carried over the network to the RADIUS server. The server verifies that the individual has an account and, if so, that the correct password was supplied before admitting him or her to the network. RADIUS can be set up to provide different access levels or classes of access. For example, one level can provide blanket access to the Internet; another can provide access to the Internet as well as to e-mail; yet another account class can provide access to the Net, e-mail and the secure business file server.

Like the other sophisticated security technologies already mentioned, RADIUS comes in a variety of types and levels. You can use the free RADIUS server (Internet Authentication Service) that Microsoft ships with its server operating systems, or you can use a sophisticated hardware and software solution. Whichever you choose, the shared secret configured between each access point and the RADIUS server should be long and random, because it is all that protects the credentials and the server's answers on the way between them.
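The exchange described above, as an added example that is not code from the original page or from any RADIUS product: an access point builds an Access-Request, the server checks the password and answers Access-Accept or Access-Reject, and the access point verifies the answer. The packet layout, the User-Password hiding and the Response Authenticator follow RFC 2865; the shared secret, user name and password are made up for the example.

```python
# Added example (not from the original page): a RADIUS Access-Request /
# Access-Accept exchange between an access point (the NAS) and a RADIUS server,
# per RFC 2865. The shared secret, user and password below are constructed.
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def _attr(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, len(value) + 2) + value


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to a multiple of 16, XOR each block with
    MD5(secret + previous block), the first 'previous block' being the
    Request Authenticator. This is only as strong as the shared secret."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        chunk = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + chunk, chunk
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident: int, user: bytes, password: bytes, secret: bytes,
                         request_auth: Optional[bytes] = None) -> bytes:
    request_auth = request_auth or os.urandom(16)  # fresh random value per request
    attrs = _attr(ATTR_USER_NAME, user) + _attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def parse(packet: bytes) -> Tuple[int, int, bytes, Dict[int, bytes]]:
    code, ident, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = {}, 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return code, ident, packet[4:20], attrs


def server_respond(packet: bytes, secret: bytes, users: Dict[bytes, bytes]) -> bytes:
    """The RADIUS server side: recover the password, check it, and sign the
    reply with Response Authenticator = MD5(header + RequestAuth + attrs + secret)."""
    code, ident, req_auth, attrs = parse(packet)
    user = attrs.get(ATTR_USER_NAME)
    supplied = reveal_password(attrs[ATTR_USER_PASSWORD], secret, req_auth)
    ok = user in users and hmac.compare_digest(users[user], supplied)
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return header + hashlib.md5(header + req_auth + secret).digest()


def nas_verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """The access point must recompute the Response Authenticator before trusting
    an Accept; otherwise anyone on the path could forge one."""
    code, _ident, resp_auth, _attrs = parse(response)
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, resp_auth) and code == ACCESS_ACCEPT
```

Two things worth noticing: the Request Authenticator must be random for every request, or the same password hides to the same bytes each time, and the whole construction rests on MD5 and the shared secret, which is why a weak secret on the access point undoes the server's good work.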
Another way to protect your wireless data is by using a technology called Kerberos. Created at MIT, Kerberos is a network authentication system based on a trusted key distribution center. It allows entities that communicate over a wired or wireless network to prove their identity to each other while preventing eavesdropping and replay attacks. It also provides for data stream integrity (detection of modification) and secrecy (preventing unauthorized reading) using symmetric ciphers; the original implementations used DES, which is now considered too weak and has been replaced by AES in current releases.

After a client and server have used Kerberos to prove their identity to each other, they can also encrypt all of their communications with the session key Kerberos gave them, to assure privacy and data integrity as they go about their business.

Kerberos works by issuing principals (users or services) tickets that they can use to identify themselves to the network, together with secret session keys for secure communication. A ticket is a sequence of a few hundred bytes that can be embedded in virtually any other network protocol, allowing the processes implementing that protocol to be sure about the identity of the principals involved. Replay protection comes from the authenticator that accompanies a ticket: it carries a timestamp encrypted under the session key, and a server rejects any authenticator whose timestamp is outside its allowed clock skew (five minutes by default in MIT Kerberos) or which it has already seen within that window.

Kerberos is available free from MIT and as a product from many different vendors.
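As an added example (not code from the original page or from MIT's Kerberos distribution), here is the replay check a Kerberos service applies to the authenticator that arrives with a ticket. The authenticator fields are passed as plain values; in real Kerberos they are encrypted under the session key, so a forger cannot simply pick a fresh timestamp. The 300-second skew mirrors the MIT default; the principal names are made up.

```python
# Added example (not from the original page): the server-side replay check a
# Kerberos service performs on a client's authenticator. The authenticator is
# represented as plain values here; in real Kerberos it is encrypted under the
# session key. The skew value is the MIT Kerberos default.
import time
from typing import Dict, Optional, Tuple

CLOCK_SKEW = 300  # seconds


class ReplayCache:
    """Remembers (client, ctime, cusec) of accepted authenticators for one skew window."""

    def __init__(self, skew: int = CLOCK_SKEW) -> None:
        self.skew = skew
        self.seen: Dict[Tuple[str, int, int], float] = {}

    def _prune(self, now: float) -> None:
        # Entries older than the skew window can be dropped safely: a replay of
        # such an authenticator is rejected by the clock-skew check anyway, so
        # the cache stays bounded without losing protection.
        for key, received in list(self.seen.items()):
            if now - received > self.skew:
                del self.seen[key]

    def check(self, client: str, ctime: int, cusec: int, now: Optional[float] = None) -> str:
        """Return 'accept', or a reason string beginning with 'reject'.
        ctime/cusec are the authenticator's timestamp (seconds, microseconds)."""
        now = time.time() if now is None else now
        self._prune(now)
        if abs(now - ctime) > self.skew:
            return "reject: clock skew too great"
        key = (client, ctime, cusec)
        if key in self.seen:
            return "reject: replay"
        self.seen[key] = now
        return "accept"
```

The two checks depend on each other: without the skew check the cache would have to grow forever, and without the cache an attacker could resend a captured authenticator at any time inside the skew window.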
With the burgeoning success and adoption of Wi-Fi networks, many other security technologies have been developed and continue to be developed. Security is a constant challenge, and there are thousands of companies developing a cornucopia of solutions.

There are a variety of proprietary third-party security solutions that effectively "ride on top of" a standard Wi-Fi transmission and provide encryption, firewall and authentication services. Many Wi-Fi manufacturers have also developed proprietary encryption technologies that greatly enhance basic Wi-Fi security.
Encryption scrambles transmissions on one end and unscrambles them on the other using a secret key. Authentication techniques build on the same keys: rather than sending the key itself, the connecting computer proves that it holds the key, for example by correctly answering a challenge from the access point, and only then is it allowed into the system. Schemes that simply transmit the key or code in the clear hand an eavesdropper exactly what is needed to get in.
The Wi-Fi Alliance, the IEEE 802.11 standards committee and many Wi-Fi Alliance members have developed further security standards, IEEE 802.11i (the basis of WPA2) and IEEE 802.1X (port-based network access control). These standards use advanced encryption technologies such as AES and TKIP, together with secure key-distribution methods.

Attackers can recover a static encryption key by intercepting and analyzing large amounts of traffic protected under it, but that takes time. By automatically rotating the encryption keys, every five minutes or so in typical configurations, the Wi-Fi network is already using a new key by the time an attacker has collected enough of the old traffic to crack it. Most enterprise-level Wi-Fi networks already let IT managers change keys manually, but 802.1X, by authenticating each user through a server and deriving fresh per-session keys, makes the process automatic.
Individuals and companies that wish to go beyond basic security mechanisms can implement and combine these technologies to increase protection for their mobile workers and their data. As with any network, wired or wireless, the more independent layers of security you add, the more an intruder has to defeat before reaching your transmissions.
Wireless networks in public areas and "HotSpots" like Internet cafes may not provide any security. Although some service providers do provide it with their custom software, many HotSpots leave all security turned off to make it easier to get on the network in the first place. On such a network anyone within radio range can read your unencrypted traffic. If security is important to you, the best way to achieve it when connecting back to your office is to use a VPN. If you do not have access to a VPN and security is important, limit your wireless use in these areas to non-critical e-mail and basic Internet surfing, and avoid sending passwords or other credentials over protocols that do not encrypt them.

The good news is that many HotSpot providers and Wi-Fi manufacturers are implementing improved security technologies to protect Wi-Fi users against interception and eavesdropping in public HotSpots.