From the Dec. 2008 Issue
Recently, a letter was submitted to the editor asking about the security of wireless networks and how to secure them. In this month’s column, we will examine wireless security and take a look at two emerging technologies, cellular data cards and WiMAX. All wireless devices have some type of security concerns depending on how they are configured and/or used. The various types of wireless connections provide different ways of connecting whether on the corporate network or the Internet.
Before jumping into the discussion of wireless devices, let’s make sure the definitions and processes related to the topic are up to date.
WIRELESS OFFICE NETWORKS
Many accounting firms have considered wireless networking in their offices but remain concerned about security. We have all heard the media coverage of how WEP's encryption has been compromised by hackers. While this is true and is a concern for wireless WEP-encrypted networks, WPA-protected networks do not have the same problem, provided a strong security key is utilized. A strong security key would be defined as a long string of characters generated at random from the 95 allowable characters. For instance, Maryhadalittlelambthatspent12daysinthepasture is a stronger encryption key than GTbh1256. It would take years to brute-force the Mary phrase, but only a few hours to crack the GT phrase. If used properly, WPA can provide a secure wireless network connection for an accounting office. WEP should never be used because the encryption has been compromised.
Implementing WPA is a fairly simple process of configuring the device for WPA connections and then setting up that protocol on all the other wireless devices in the office. Provided a strong pre-shared key is used, the chances of the wireless network being compromised are very low. WPA can be used provided best practices are followed. If WEP is being used in your wireless network, it is time to convert to WPA.
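As an added illustration of the strong pre-shared key described above (example code written for this page, not part of the original column), the Python below generates a random key from the 95 allowable characters and estimates the brute-force search space of the two sample keys. The function names and the guess rate are assumptions made for the example.

```python
import math
import secrets
import string

# The 95 printable ASCII characters (space through tilde) a WPA passphrase may use.
ALLOWED = string.ascii_letters + string.digits + string.punctuation + " "
assert len(ALLOWED) == 95

def generate_psk(length=32):
    """Return a random WPA pre-shared key; WPA accepts 8 to 63 characters."""
    if not 8 <= length <= 63:
        raise ValueError("WPA passphrases must be 8 to 63 characters long")
    return "".join(secrets.choice(ALLOWED) for _ in range(length))

def alphabet_size(key):
    """Size of the smallest common character pool that covers the key."""
    if any(c not in ALLOWED for c in key):
        raise ValueError("key contains a character outside the 95 allowed")
    pools = (string.ascii_lowercase, string.ascii_uppercase,
             string.digits, string.punctuation + " ")
    return sum(len(p) for p in pools if any(c in p for c in key))

def search_space_bits(key):
    """Upper bound on brute-force work in bits: length * log2(pool size).
    Only a randomly generated key reaches this bound; words and phrases fall short."""
    return len(key) * math.log2(alphabet_size(key))

def hours_to_exhaust(bits, guesses_per_second):
    """Hours needed to try every candidate at an assumed guess rate."""
    return 2 ** bits / guesses_per_second / 3600

if __name__ == "__main__":
    # Assumed rate, chosen only so the short key lands in the "few hours" range.
    rate = 1e10
    samples = ("GTbh1256",
               "Maryhadalittlelambthatspent12daysinthepasture",
               generate_psk())
    for key in samples:
        bits = search_space_bits(key)
        print(f"{len(key):2d} chars {bits:6.1f} bits {hours_to_exhaust(bits, rate):.3g} hours")
```

Each added random character contributes about 6.6 bits, so length does more for the key than any mix of character types.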
THE TRAVELING WIRELESS OFFICE
Many of us in the public accounting profession travel away from the office for periods of time to service our clients or attend events. When traveling, we rely on the client or the free wired or wireless connections in the hotel for access back to the office to check e-mail, obtain files or perhaps work remotely through a terminal server. While the client network is hopefully secure, the hotel or other Wi-Fi hotspot is probably anything but secure. This exposes our computers and our data to others who might want to examine the contents of our computers. Using a software firewall helps block access to ports not being used, but there are many ports open on a computer that can allow someone to view information. Some of these ports may be opened by software, and we may have no idea that the ports are even open. For example, some HP printer software opens ports on the computer that allow for wired network connections to be established with the computer. Hotel networks are rarely secured with any type of encryption. This allows users to access the hotel’s network without difficulty. This very openness of hotel networks is what causes issues for many business travelers even if a VPN might be used.
Cellular data cards provide a better level of security and connection to the Internet and corporate network resources than connecting through the unsecured Wi-Fi network of the hotel or local coffee shop. The cards are installed on the laptop and connect the laptop directly to the Internet via the provider’s network. While you have a direct connection to the Internet, the ability for others to see you on the cellular network is more limited than it is on a hotel or coffee shop network. This does NOT mean that the connection is secure. All it means is that you have eliminated the middleman in the connection. You are connected directly to the Internet via the cellular service in the same way your DSL or cable modem connects. Irrespective of the type of connection being used, a software firewall should be running on your workstation to protect against threats on the Internet.