Are Wireless Networks A Security Threat?

From the Dec. 2008 Issue

Recently, a letter was submitted to the editor asking about the security of wireless networks and how to secure them. In this month’s column, we will examine wireless security and take a look at two emerging technologies, cellular data cards and WiMAX. All wireless devices have some type of security concerns depending on how they are configured and/or used. The various types of wireless connections provide different ways of connecting whether on the corporate network or the Internet.

Before jumping into the discussion of wireless devices, let’s make sure the definitions and processes related to the topic are up to date.

Many accounting firms have considered wireless networking in their offices but remain concerned about security. We have all heard about WEP and the coverage in the media about how its encryption protocols have been compromised by hackers. While this is true and is a concern for wireless WEP-encrypted networks, WPA-protected networks do not have the same problem, provided a strong security key is utilized. A strong security key would be defined as a long string of characters generated at random from the 95 allowable keys. For instance, Maryhadalittlelambthatspent12daysinthepasture is a stronger encryption key than GTbh1256. It would take years to brute force attack the Mary phrase, but only a few hours to crack the GT phrase. If used properly, WPA can provide a secure wireless network connection for an accounting office. WEP should never be used because the encryption has been compromised.

Implementing WPA is a fairly simple process of configuring the device for WPA connections and then setting up that protocol on all the other wireless devices in the office. Provided a strong pre-shared key is used, the chances of the wireless network being compromised are very low. WPA can be used provided best practices are followed. If WEP is being used in your wireless network, it is time to convert to WPA.

Many of us in the public accounting profession travel away from the office for periods of time to service our clients or attend events. When traveling, we rely on the client or the free wired or wireless connections in the hotel for access back to the office to check e-mail, obtain files or perhaps work remotely through a terminal server. While the client network is hopefully secure, the hotel or other Wi-Fi hotspot is probably anything but secure. This opens our computers and our data to exposure to others who might want to examine the contents of our computers. Using a software firewall helps block access to ports not being used, but there are many ports open on a computer that can allow someone to view information. Some of these ports may be opened by software, and we may have no idea that the ports are even open. For example, some HP printer software opens ports on the computer that allow for wired network connections to be established with the computer. Hotel networks are rarely secured with any type of encryption. This allows users to access the hotel’s network without difficulty. This very openness of hotel networks is what causes issues for many business travelers even if a VPN might be used.

Cellular data cards provide a better level of security and connection to the Internet and corporate network resources than connecting through the unsecured Wi-Fi network o fthe hotel or local cofee shop. The cards are installed on the laptop and connect the laptop directly to the Internet via the provider’s network. While you have a direct connection to the Internet, the ability for others to see you on the cellular network is more limited than it is on a hotel or coffee shop network. This does NOT mean that the connection is secure. All it means is that you have eliminated the middleman in the connection. You are connected directly to the Internet via the cellular service in the same way your DSL or cable modem connects. Irrespective of the type of connection being used, a software firewall should be running on your workstation to protect against threats on the Internet.

Cellular data service is going to be the next generation for wireless access when working outside the office. Its ease of use, increasing data speeds and better reliability will make this solution the option of choice in the immediate future. As this solution becomes less expensive and more reliable (see Cellular Data Cards box at right for my personal experience), this will prove to be a very beneficial service for most accounting firms. The shareable nature of this type of connection and the ease of configuration make it much easier for users to utilize this technology. Instead of having to spend time connecting to a client or Wi-Fi network, the cellular data connection can be quickly established and enable employees to work faster.

WiMAX is an emerging technology and is actually being adopted in the third world faster than it is in the United States because an existing infrastructure does not exist in the third world. Pakistan is currently the leader in adoption of WiMAX technology with 17 cities currently using the system and plans to get it set up in all 71 cities in Pakistan. It will come here in the United States eventually as our existing copper-based wired network ages and needs to have significant replacements. WiMAX is the future, and cellular is the bridge technology.

Definitions & Processes

Access Point (AP) – The central control point to which other wireless devices such as computers and printers authenticate to gain access to the corporate network.

Wired Equivalent Privacy (WEP) – This protocol was introduced in 1997 to secure wireless communication between devices and access points by encrypting the broadcast traffic. The protocol has been replaced by other protocols because its encryption algorithms have been compromised. Unfortunately, even with the protocol being compromised, it is still in widespread use today.

Wi-Fi Protected Access (WPA and WPA2) – These protocols were released as interim standards while the IEEE, the Internet standard setting body, worked on fixing the WEP protocol standard. This protocol has remained, been expanded and is becoming the standard for wireless encryption between the device and the access point. All wireless devices sold since September 2003 with the designation Wi-Fi Certified support this standard. This standard does have some interoperability issues with some devices, and as a result not all equipment will work with WPA encryption, especially older equipment built before 2001. The weakness in this protocol is with short, easy-to-break passwords used in establishing a Pre-Shared Key. A brute force attack can be used to crack this password. Passwords of more than 13 characters reduce this possible vulnerability to almost zero.

Cellular Data Cards – These devices attach to a computer, most often a laptop, to provide an always-on connection to the Internet via the cellular system. While this technology has been around for several years, the recent upgrade to the 3G standard has made this type of access much more stable and beneficial. Most of these cards run at a speed equivalent to a DSL connection.

Worldwide Interoperability for Microwave Access (WiMAX) – This protocol provides wireless transmission of data using a variety of transmission modes such as point-to-point or cellular-like access. Speeds are much higher than other types of access such as Cellular or standard wireless. WiMAX is not currently a heavily adopted technology in the United States. Some believe it will replace other connection technologies in the future because of its higher speeds, cellular-like access, and because it can serve as a last mile connection to people currently underserved by other technology in rural or remote areas. It is a competitor to DSL and cable.

Virtual Private Network (VPN) – This is generally a software package that creates an encrypted connection, commonly called a tunnel, through the Internet to the office network from wherever the remote computer is located and connected to the Internet. This encrypted connection passes data from the remote computer to the corporate network without using the open and more public Internet to transmit the communication. The remote computer acts as if it is directly connected to the corporate network even if it is located hundreds of miles away and connected via a non-corporate controlled connection, such as cellular or a Wi-Fi hotspot.