WIRELESS SCRAMBLES TO BATTEN DOWN THE HATCHES
Defending Wi-Fi networks against hackers and freeloaders has some IT guys pining for good, old-fashioned wires.
(FORTUNE Magazine) – CHRIS ROULAND, CHIEF TECHNOLOGY OFFICER of Internet Security Systems, recently visited a big telecom company that bans employees from putting up their own antennas for wireless Internet access, or Wi-Fi, in its buildings. Such unauthorized access points, ominously called "rogue APs," give workers freedom to tap the corporate network from, say, the cafeteria or a conference room. But they also are a huge security risk--the wireless equivalent of leaving a Post-it note with your user name and password affixed to your computer screen.
Still, Rouland wasn't exactly surprised when he found a rogue AP lurking at the phone company--in its CEO's office. "Every big company is doing Wi-Fi," says Rouland, whose firm helps businesses safeguard their networks. "The question is whether they know it." The proliferation of corporate Wi-Fi systems, illicit and approved, has created a new wave of security challenges for already harried IT departments. And while other wireless systems used by business--cellular phone networks and the airwaves used by gadgets such as BlackBerries--also face security threats, none is as vulnerable or as tempting as Wi-Fi networks are today. Indeed, the very thing that makes Wi-Fi so attractive to companies--its ability to transmit large streams of data to every corner of a corporation over free, unlicensed airwaves--also makes it susceptible to freeloaders who simply want to "borrow" some broadband or hackers who aim to do real harm.
So companies have started spending big bucks to make sure their wireless local area networks are as secure as their traditional wired systems. The expense offsets some of the cost savings typically associated with Wi-Fi. But experts say extra security measures aren't optional anymore: With companies increasingly relying on Wi-Fi--analysts think roughly 10% of U.S. corporations now use untethered networks to help run their businesses--wireless security breaches could be devastating.
Suppliers of wireless gear argue (self-servingly, of course) that Wi-Fi systems can be even better than wired networks at thwarting security threats. Some wireless systems, for example, enable companies to know not only when but also where breaches occur: Technology embedded in the antennas serves as a sort of in-house global positioning system that helps pinpoint the source of the trouble. At a minimum, the move to Wi-Fi networks forces companies to take a closer look at their entire security setup. Knowing that a portion of their information may fly through the same airspace used by cordless phones and microwave ovens might prompt them to encrypt all their corporate data. "Wi-Fi doesn't introduce new security issues," contends Ron Seide, senior manager for Cisco's wireless networking group. "It does bring to the fore security issues that have long existed with wired networks."
Surprisingly, corporate America has yet to experience a widespread attack focused on wireless networks specifically (although a virus attack like last year's Sobig can spread via wireless networks as well as wired systems). "We're making our system as secure as possible based on today's technology," says Jason Van Ness, vice president for information technology at American Century Investments, a Kansas City company that has been using Wi-Fi in some form since 2002. But Van Ness knows he will have to work hard to stay one step ahead of the hackers and scammers. "What's secure today may not be secure six months from now," he says. Here's how American Century and two other institutions protect their wireless networks from interlopers.
Like most hospitals, Overlake Hospital Medical Center in Bellevue, Wash., just outside Seattle, is an ideal candidate for Wi-Fi: Its workers--nurses and doctors--are usually away from a computer or phone, yet they constantly need access to computerized information such as medical records and drug-safety data. And Wi-Fi provides the hospital with an easy way to give patients Internet access during their stays--a must-have for a hospital that serves many Microsoft employees. To make sure its two-year-old wireless network is hackproof--and that patients' medical records are secure--Overlake is upgrading to a new data-encryption standard called Wi-Fi Protected Access 2, or WPA2. Encryption uses mathematical algorithms to hide data from snoops. But the earliest versions of Wi-Fi encryption had serious flaws: Wi-Fi tools such as AirSnort could crack first-generation networks by gathering millions of encrypted packets of data--enough material to figure out a network's password in an afternoon. The newer WPA standard makes encryption harder to crack by generating a longer key, the sequence of bits that helps mask the data.
Overlake also has deployed access points and network-management software that helps it detect those pesky rogue access points. Some hospital employees had installed their own antennas with the best intentions--to share fast Internet access with colleagues. The problem is that the rogue APs weren't equipped with the hospital's security software, making them ideal entry points for interlopers. Overlake's new access points, from a startup called Airespace, can rat out unauthorized peers. The system also prevents other devices in the hospital from connecting to a rogue antenna. Wi-Fi gearmakers suggest (again, self-servingly) that one of the best ways to prevent rogue access points is to make company-sanctioned Wi-Fi more widely available, taking away employees' need to deploy Wi-Fi surreptitiously. Overlake has 36 access points now and plans to have 90 by the end of the year.
So far, the move to wireless networks has won high marks from the Overlake medical staff, who use Wi-Fi networks to do bedside admittance on laptops. The hospital even has wireless phones that run on the Wi-Fi network--nurses carry them to call physicians. And it plans to increasingly use special, eight- by ten-inch electronic tablets and PDAs in place of paper charts.
Even with all the security Overlake has installed, the hospital's tech staff remains nervous about breaches--a paranoia fueled in part by tales of people cruising neighborhoods in their cars looking for Wi-Fi networks to tap. (The practice, known as "war driving," was more common a few years ago when most Wi-Fi networks were less secure than they are today.) "If I could do it cost-effectively, I would put a wired device in every room," admits Kent Hargrave, who heads information management for Overlake. "But that's expensive and takes up real estate."
The Financial Institution
Like Overlake, American Century is upgrading to a more rigorous encryption standard. A mutual fund company with $90 billion in assets, American Century is fanatical about security: It has programmed its wireless security system to generate new encryption keys every couple of minutes--even when many security experts say a new key every 30 or 60 minutes would do. To help its techies more accurately pinpoint rogue devices, it has integrated architectural maps of its building into its security software.
The company, which has some 170 access points in eight locations, uses a centralized system to manage its wireless networks: If it wants to deploy a new security software, say, it can upgrade all its access points simultaneously, reducing chances that one antenna will be left unprotected for even a minute. The data traveling from access points to the central system go across a wired network (instead of the airwaves), making it that much harder for an intruder to sniff traffic flowing to the central system.
American Century relies on its network-management system to help it control, well, the stuff that's hard to control. Wi-Fi signals, for example, often bleed beyond a building's four walls--the diffuse nature of wireless makes it great for serving hard-to-reach corners of your corporate campus but also poses a security concern. American Century's system adjusts the power of the access points to minimize such "leakage." Similarly, when something interferes with the company's wireless signal-- radio-frequency jamming devices can be bought for a song on the Internet--the access points automatically seek out a less congested channel.
Like most companies, American Century has a reliable backup in case its wireless system shuts down: the traditional wired network that remains the workhorse of most corporations. "Our wireless network is in place for convenience and added functionality," says information chief Van Ness. "If we lose our wireless network, it may give people some heartburn, but it isn't going to put us out of business."
Rockford Corp., on the other hand, wanted to shut down its wireless network. When the maker of stereo speakers terminated an IT employee earlier this year, Rockford moved to make sure the fired worker wasn't able to tap the corporate network from a laptop in the parking lot. Using a sophisticated network-management system, "we went into lockdown mode" with the push of a button, says Mark Pareja, Rockford's network engineer. Its security system, developed by a company called Roving Planet, also enables Pareja to give different kinds of employees and devices different levels of access. So a worker using a Wi-Fi-enabled computer for shipping speakers can't use that device to surf the web all day. Rockford can grant an important visitor one-day access to the Internet over its Wi-Fi network--but block the guest from entering the company intranet.
Rockford's security has to be good: Its headquarters in Tempe, Ariz., sit smack in the middle of housing for Arizona State University students--a population that wouldn't mind grabbing some free broadband from their corporate neighbor, or try to crack its network for kicks. Rockford has taken all the usual measures to protect its network: It doesn't broadcast the names of its wireless access points, for example. All company data are encrypted, and the network is vigilant for rogue access points. But rather than wait for hackers and eavesdroppers to find him, Pareja plans to deploy Roving Planet "honeypots" that will decoy would-be interlopers while Rockford's network tracks them down.
FOR ALL THE ADVANCES IN WIRELESS SECURITY, companies are right to be just a bit jittery about Wi-Fi. "One never gets to a state with security where it is good enough forever," says Cisco's Seide. The ink is barely dry on WPA2, the encryption standard Overlake is using, yet some tech types already are talking about ways to make it more secure.
Even companies that don't have corporate Wi-Fi need to be vigilant. The widespread availability of Wi-Fi networks in places such as McDonald's restaurants and hotels means it is easier than ever for employees to use their work devices on noncompany networks--a great way to pick up a virus and bring it back to the office. (Many corporations avoid the problem by forbidding use of company devices outside headquarters, while others program the machines to require users to have the latest virus-protection software before they are allowed to access the company network.)
But no security system--wireless or wired--can do much to prevent carelessness. So until Internet bodyguards figure out a way to keep employees from affixing their passwords to their computer screens, companies will always have to remain a little paranoid.