Securing teleworker wireless LANs


by Lisa Phifer, VP, Core Competence
04.08.2003

For years, companies have wrestled with security risks introduced by teleworkers. According to ITAC, one in five U.S. employees spent some time working from home in 2001. Growth is being accelerated by residential broadband services -- In-Stat/MDR estimates that 14% of U.S. homes now have cable modem or DSL. High-speed, always-on connections make working from home more palatable, but they also increase risk by adding new territory that must be defended from abuse and attack.

Today, residential wireless LANs are tossing fresh fuel on this smoldering fire. According to In-Stat/MDR, six million Wi-Fi home nodes were sold in 2002, projected to reach 33 million by 2006. Wireless LANs make Internet connection, printer and file sharing among PCs in the home much easier. But when one of those nodes is a teleworker desktop or laptop, securing the WLAN becomes a corporate concern.

Expanding the security gap

Teleworker PCs connected to the Internet were always at risk, but broadband exacerbated this by expanding the window of opportunity. Teleworkers connected to home WLANs open that window even wider. Some new risks resulting from lax home WLAN security include the following.
  1. War drivers can use unprotected home WLANs to freeload on company-paid broadband connections. Freeloaders can tap spare capacity -- or use your link to send spam, porn or even to attack someone else, leaving you holding the liability bag.

  2. By eavesdropping on wireless traffic, attackers can gather server identities, user credentials and confidential payload -- for example, recording email messages, hashed logins for offline dictionary analysis or valid frames to be used in replay attacks.

  3. Personal traffic on home WLANs can inadvertently expose company resources. For example, a teleworker who shares a printer on the WLAN becomes vulnerable to NetBIOS probes and attacks by anyone within a few hundred feet of the household access point.

  4. Teleworkers equipped with perimeter defense measures like SOHO firewalls or desktop firewall software can open wireless back-doors without realizing it. For example, an AP dropped inside a home WLAN, behind a firewall/VPN appliance, could ride a tunnel from the appliance into the company network.

Filling that gap

What can companies do to avoid these pitfalls and encourage safer use of teleworker wireless LANs?
  1. Educate teleworkers about the inherent risks associated with wireless. Awareness is growing, but many otherwise-savvy users are still in the dark.

  2. Define an acceptable use policy that explains permissible use of company resources on residential WLANs, acceptable configurations and recommended or required security measures.

  3. Actively promote safer home WLANs. For example:
    1. Recommend a list of approved wireless routers and supply secure network topology diagrams and set-up instructions for them, or
    2. Let teleworkers requisition a pre-configured wireless router from your IT department (i.e., extend your process for supplying secure PCs to teleworkers), or
    3. Outfit teleworkers with appliances that you can manage remotely – for example, the Colubris CN100 is a firewall/VPN client/AP for teleworkers.

  4. Choose the right hardware for the job. Terminology can be confusing, and many teleworkers don't understand the difference between a wireless AP and a router, or between a router with an integrated VPN gateway and one with VPN pass-through.

  5. Enable basic 802.11 security. MAC access control lists, shared key authentication, and WEP aren't perfect, but they are still useful as a first line of defense. In a small, self-contained WLAN, shared keys and ACLs are manageable. Supply guidance on how to pick good SSID and key values, when to update keys, etc.

  6. Harden wireless devices. Teach teleworkers to change or disable unused listening ports and configure hard-to-guess passwords. Connect only with known APs, disabling Windows XP's ability to connect to any non-preferred network.

  7. Extend existing desktop security measures. For example, reconfigure VPN client policies to also apply to wireless adapters, and identify wireless router VPN pass-throughs that are compatible with your VPN client.

  8. If you don't use VPN on the WLAN, consider other options to increase protection for sensitive traffic. For example, use SSL webmail instead of POP or encrypted screen sharing instead of cleartext remote desktop access.

  9. Rethink home network trust. Sharing printers and files may be acceptable on a residential Ethernet that's protected from the Internet by a firewall/router. Doing so over wireless probably is not. Help teleworkers to identify new sources of risk.

  10. If you haven't already, get started now. Home WLAN adoption is now growing faster than enterprise WLAN use. If your workers carry laptops or have PCs at home, odds are excellent that you already have at least a few teleworkers using wireless.
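
As an added example (not part of the original tip or any vendor's tool), the script below turns items 5 through 9 into an automated check over a described home setup. The profile field names, the default-value lists and the 90-day key age limit are assumptions of this example.

```python
import string

# Illustrative values chosen for this example, not an authoritative list.
DEFAULT_SSIDS = {"linksys", "default", "netgear", "tsunami"}
DEFAULT_PASSWORDS = {"", "admin", "password"}
CLEARTEXT = {23: "Telnet", 110: "POP3", 5900: "VNC"}

def weak_wep_key(key_hex):
    """Return why a WEP key is easy to guess, or None if no problem is found."""
    if len(key_hex) not in (10, 26) or set(key_hex) - set(string.hexdigits):
        return "is not a 40- or 104-bit hex key"
    if len(set(key_hex.lower())) <= 4:
        return "uses very few distinct hex digits"
    if all(0x20 <= b < 0x7F for b in bytes.fromhex(key_hex)):
        return "is a typed ASCII word, open to dictionary guessing"
    return None

def audit(profile, max_key_age_days=90):
    """Return (item number, finding) pairs for items 5-9 of the list above."""
    ap, pc = profile["ap"], profile["client"]
    key_problem = weak_wep_key(ap["wep_key_hex"]) if ap["wep_enabled"] else "is not set (WEP off)"
    checks = [
        (5, ap["ssid"].lower() in DEFAULT_SSIDS, "SSID is a vendor default"),
        (5, key_problem, "WEP key %s" % key_problem),
        (5, ap["wep_enabled"] and ap["key_age_days"] > max_key_age_days, "WEP key is overdue"),
        (5, not ap["mac_acl_enabled"], "MAC access control list is off"),
        (6, ap["admin_password"] in DEFAULT_PASSWORDS, "AP admin password is a default"),
        (6, pc["joins_non_preferred_networks"], "client joins non-preferred networks"),
        (7, not pc["vpn_covers_wireless"], "VPN policy does not cover the wireless adapter"),
        (9, pc["sharing_on_wireless"], "file/printer sharing is reachable over wireless"),
    ]
    out = [(item, msg) for item, failed, msg in checks if failed]
    if not pc["vpn_covers_wireless"]:  # item 8 applies only when no VPN protects the WLAN
        out += [(8, CLEARTEXT[p] + " carried unencrypted")
                for p in pc["services_in_use"] if p in CLEARTEXT]
    return sorted(out)

# Constructed sample profiles (not taken from any real network).
WEAK = {"ap": {"ssid": "linksys", "wep_enabled": True, "wep_key_hex": "686f6d6531",
               "key_age_days": 400, "mac_acl_enabled": False, "admin_password": "admin"},
        "client": {"joins_non_preferred_networks": True, "vpn_covers_wireless": False,
                   "services_in_use": [110, 443], "sharing_on_wireless": True}}
HARDENED = {"ap": {"ssid": "bluejay-41", "wep_enabled": True, "key_age_days": 20,
                   "wep_key_hex": "9f3c17a2e45b08d6c1fa7730be",
                   "mac_acl_enabled": True, "admin_password": "T7#qv!Lm2zR9"},
            "client": {"joins_non_preferred_networks": False, "vpn_covers_wireless": True,
                       "services_in_use": [443, 993], "sharing_on_wireless": False}}
```

Calling `audit(WEAK)` returns one finding per failed check, tagged with the list item it belongs to; `audit(HARDENED)` returns an empty list.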

All Rights Reserved, Copyright 2000 - 2008, TechTarget