WIRELESS SECURITY
Author: Brad Beutlich
Introduction

As more and more "Hot Spot" wireless 802.11b networks materialize and the cost of wireless access cards for laptops falls, many corporate employees, using cards supplied by their company or purchased on their own, are using these networks to check their e-mail or download a document while getting their morning cup of coffee at the local coffee shop or while waiting at the gate for an airplane. Unlike the secured wireless network that might exist within the corporate walls, the road warrior's wireless access is an IT director's nightmare. Everyone knows that the Internet is not necessarily a secure environment, "browse at your own risk" if you will. Eavesdropping on an employee over a cable-attached network connection, however, requires access to the wire and rather sophisticated equipment and knowledge. A "Hot Spot" network offers no more security than the Internet itself, and the attacker could be sitting at the table across the coffee shop without anyone noticing. In essence, when an employee uses a "Hot Spot" wireless connection to reach his or her corporate information systems, every other person at that "Hot Spot" may be able to reach your corporate information as well.

Expecting the hot spot providers to provide security is unrealistic. If anything, hot spot providers cannot provide security, and any mention of security in their advertising could expose them to serious liability. The legal term is "false sense of security." It usually applies to physical security, but it is being applied to cyber security as well. It goes something like this: if a customer of one of these hot spots is harmed while acting under the assumption that security is present, the company providing the wireless network is liable for any cyber harm inflicted on that individual. You can thank the lawyers for this one!
Remote Access Options

Hot spot wireless systems fall into two business models: free service provided as an encouragement to use the facility, such as a coffee shop or deli, and pay-for-use service at an airport, a hotel or in some cases an entire community. Both provide network access over which a person can use a web browser or a Virtual Private Network (VPN) connection.

VPN

VPN solutions have been around for a number of years and have been considered one of the most secure methods of remote access to corporate networks. A VPN is an attractive method for remote access because the VPN user is presented with a desktop interface almost identical to the one they are accustomed to in the office. In a home environment, a VPN is a very secure connection for a number of reasons. A VPN:
However, in a hot spot wireless environment, a VPN connection can be a security risk. A remote-access VPN joins the employee's PC to the corporate network at the network layer; the importance of this will become clear shortly. The main problem with using a VPN from a public wireless hot spot is that everyone on the hot spot shares the same network segment. It is very easy for an attacker, using readily available tools, to scan every connected PC and determine which have and have not applied the latest security patches. Once the attacker finds an unpatched PC, he or she can compromise it and reach its hard disk. If that employee has already logged into the corporate network over the VPN, the attacker can ride the employee's tunnel into the corporate network. Having passed the corporate firewall inside an authenticated connection, the attacker is now on the corporate network and any network resource can be jeopardized.

If an employee's PC is properly patched, the risk of being hacked by a fellow coffee drinker is small, but the attacker community tracks PC vulnerabilities more closely than the average corporate employee, or even the corporate security specialist, does. The safest security posture is therefore to assume that employee PCs will not be appropriately configured or patched. If the IT department further assumes that employees are inclined to use wireless hot spots, a VPN connection should never be an available option for employees, even from home. The VPN prohibition should extend to home connections even where the employee's wired home connection has been established to be secure. To understand this position, one needs to look at the challenges facing a corporate security specialist. Network security is made up of equal parts preventative technology, security policy, employee education and anticipation of human nature. It is the last of these that dictates the VPN prohibition: there is no remote access solution that looks and acts more like an employee's desktop than a VPN.
All other solutions lack this "it's just like being there" feel. Therefore, since a VPN connection works the same at home and at the hot spot, an IT department would be naive to believe that an employee would use anything other than a VPN if given the choice, even when security policy and employee education state that VPNs must not be used at hot spots.

Web Access to Corporate Systems

One of the most proven network security strategies is to insulate the corporate network by exposing resources at the application layer, over a variety of protocols, rather than at the network layer. Reaching a web server that runs an application such as e-mail or a customer sales database over the Internet with a standard web browser begins to insulate the underlying corporate network from would-be attackers. In order to give complete web access to corporate systems, however, stronger authentication becomes necessary. Stronger authentication is defined in terms of one-, two- and three-factor authentication. The generally accepted factors of authentication are:
One-factor authentication, in practice, is what you know: a username and password. Two-factor adds what you have, and three-factor is the sum of all three. One of the reasons a VPN solution is so secure over a wired connection is that the VPN client must be installed and custom-configured on the employee's PC. Since a username and password are required to log in (one factor), the employee's PC with its VPN client and custom configuration acts as a second factor. By moving corporate application access to the Internet and protecting it with only usernames and passwords, you have insulated the underlying corporate network, but anyone can attack the web application by guessing the username convention and passwords, and the data between the browser and the web server travels in clear text over plain HTTP. This is the main reason companies have been reluctant to provide employee access this way. Now add two-factor authentication coupled with Secure Sockets Layer (SSL) encryption and you have a solution that remains secure against these network-level attacks whether or not the employee's PC has been appropriately patched or configured, and whether the PC is on a wired or a wireless connection.

Enter the NetSwift™ iGate

Rainbow Technologies' NetSwift™ iGate appliance provides secure access from any computer with a web browser to the corporate systems, regardless of the network or the PC the employee chooses to use. In this way, an IT department doesn't need to worry whether employees are following corporate security policies. To understand how the NetSwift™ iGate works, one needs to understand a fundamental principle of security: the best form of security grants access by inclusion rather than denying it by exclusion. Some think a firewall is designed to deny access; in reality a firewall is designed to allow access, authorized access. The NetSwift™ iGate takes this concept to a new level.
What makes the NetSwift™ iGate solution so secure is that it uses the Secure Sockets Layer (SSL) protocol to protect the connection over every access link, wired, wireless or remote, in combination with the iKey USB authentication token, which provides the access by inclusion. Only users with properly permissioned iKeys can pass through the NetSwift™ iGate appliance. Working under SSL, which is built into every web browser, Rainbow's iKey token essentially "stores" the client password, the shared secret. The shared secret is a 128-bit key that never leaves the token. Used extensively in e-commerce, SSL tunnels secure connections through an IP network. Because SSL is a component of the web browser, there is no complex VPN client software to purchase or install.

How iKey Solves the Weak Password Problem

To overcome the vulnerabilities attributable to weak passwords, the iKey requires a Personal Identification Number (PIN), establishing true two-factor authentication. Successful access requires not only a tangible object the user carries, the iKey, but also something only the authorized user knows, their PIN. This combination is one of the strongest forms of access control. For network security, two-factor authentication is not only strong but also scalable and portable. To achieve it, Rainbow's iKey USB token stores the user's credentials: strong keys selected by network administrators. Since the user's secret resides on, and is supplied by, the token, he or she only needs the PIN to access the network. If lost or stolen, the token is useless to anyone else: it locks up after a fixed number of incorrect PIN guesses.
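The token mechanics just described (a 128-bit shared secret that never leaves the token, a PIN that gates its use, lockout after a fixed number of wrong PINs) and the gateway's access-by-inclusion check can be modelled in a few dozen lines. The following Python is an added example written for this edit; it is not Rainbow's code and not a description of the iGate's actual wire protocol. It assumes the token proves possession of its secret with an HMAC-SHA256 over a fresh gateway challenge, a lockout threshold of three attempts, and an administrator who generates each secret with a CSPRNG at enrolment (the key-generation step the next section describes). Serial numbers, PINs and application names are constructed.

```python
"""Simulation of token-based two-factor web authentication (added example).

Assumptions, not taken from the page: the token proves possession of its
128-bit secret with HMAC-SHA256 over a fresh gateway challenge; the gateway
permissions each token serial for named applications and denies everything
else; three wrong PINs lock the token.
"""
import hashlib
import hmac
import secrets

MAX_PIN_TRIES = 3  # assumed lockout threshold


class TokenLocked(Exception):
    """Raised once the token has seen MAX_PIN_TRIES consecutive bad PINs."""


class SimulatedToken:
    """Models the USB token. The 128-bit secret is only ever used inside
    respond(); no method returns it, so 'what you have' stays on the token."""

    def __init__(self, serial, pin, secret):
        assert len(secret) == 16, "secret must be 128 bits"
        self.serial = serial
        self._pin = pin
        self._secret = secret
        self._bad_pins = 0
        self.locked = False

    def respond(self, pin, challenge):
        """Return HMAC-SHA256(secret, challenge) if the PIN is right,
        None on a wrong PIN; raise TokenLocked once the token is locked."""
        if self.locked:
            raise TokenLocked(self.serial)
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            self._bad_pins += 1
            if self._bad_pins >= MAX_PIN_TRIES:
                self.locked = True
            return None
        self._bad_pins = 0
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


class Gateway:
    """Access by inclusion: a serial must be enrolled *and* permissioned
    for the requested application; anything else is denied by default."""

    def __init__(self):
        self._secrets = {}  # serial -> 128-bit shared secret
        self._allowed = {}  # serial -> set of permitted applications

    def enrol(self, serial, applications):
        """Administrator step: draw the 128-bit secret from a CSPRNG,
        record it, and hand it back once for loading onto the token."""
        secret = secrets.token_bytes(16)
        self._secrets[serial] = secret
        self._allowed[serial] = set(applications)
        return secret

    def challenge(self):
        """Fresh per attempt, so a captured response cannot be replayed."""
        return secrets.token_bytes(32)

    def verify(self, serial, application, challenge, response):
        secret = self._secrets.get(serial)
        if secret is None or application not in self._allowed.get(serial, ()):
            return False
        if response is None:
            return False
        expected = hmac.new(secret, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def login(gateway, token, pin, application):
    """One authentication attempt; returns 'ok', 'denied' or 'locked'."""
    chal = gateway.challenge()
    try:
        resp = token.respond(pin, chal)
    except TokenLocked:
        return "locked"
    return "ok" if gateway.verify(token.serial, application, chal, resp) else "denied"


if __name__ == "__main__":
    gw = Gateway()
    tok = SimulatedToken("ikey-0001", "4821", gw.enrol("ikey-0001", ["webmail"]))
    print(login(gw, tok, "4821", "webmail"))   # ok
    print(login(gw, tok, "4821", "salesdb"))   # denied: not permissioned
    for _ in range(MAX_PIN_TRIES):
        print(login(gw, tok, "0000", "webmail"))  # denied, three times; token locks
    print(login(gw, tok, "4821", "webmail"))   # locked: the right PIN no longer helps
```

Two properties worth noticing when running it: a stolen token is useless without the PIN because guessing is bounded by the lockout rather than by password entropy, and an eavesdropper on the hot spot who captures a response gains nothing, because the gateway only accepts it against the challenge it was computed over.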
To assign the shared secret stored inside the iKey, the network administrator uses a cryptographically strong random number generator that produces a 128-bit key. An attacker usually has a simple choice: mount a virtually impossible exhaustive attack on the 128-bit traffic encryption key, or break a weak password. With a shared secret as strong as the traffic encryption key, the second option is eliminated and the attacker faces two infeasible options.

The diagram below details a sample configuration for secure application access using the NetSwift™ iGate. This configuration secures any type of connection an employee could use, with or without the IT department's knowledge or permission.

Conclusion

In this rapidly changing technology environment, an IT department must assume that employees will take advantage of mobility technologies, especially when they are easy and cheap to adopt on their own and readily available. Relying on an employee to "do the right thing" and to "read the security policy manual" could prove a very costly mistake. Presenting a security solution that makes the network irrelevant is the only defensive posture that cannot be undermined by the network the employee happens to choose. The NetSwift™ iGate could well be the answer to your network security problems because: