Wi-Fi creates new vulnerability

Listen to this article

00:00
00:00

Wireless networks are growing fast. “I have seen Wi-Fi roll out aggressively for years and problems with security standards don’t seem to slow it down,” says John Girard, of consultancy Gartner.

“Only 9 per cent of our clients say they have no plans to implement wireless Lans.”

Growing just as fast as the wireless networks, however, are fears over its security.

Kaspersky Lab, a security consultancy, believes the large number of open networks based on Wi-Fi, a wireless networking standard, could lead to a new generation of computer viruses that use these networks to propagate.

And SecureTest, another consultancy, believes it is relatively easy to hijack a series of laptops through an insecure Wi-Fi connection.

Guarding against attacks in this fast-changing environment depends on management and processes as much as on technology.

Measures are being taken, however. Since March 13, all products certified as “Wi-Fi” have had to incorporate a security specification called Wi-Fi Protected Access 2, or WPA2.

Although WPA2 is far more secure than previous Wi-Fi based security, there may still be vulnerabilities, depending on how it is configured, says Mr Girard.

While the encryption of data ensures that it cannot be eavesdropped on by crackers, authentication and authorisation of users connecting to the network might pose problems.

For example, one version of the WPA2 specification, called “Personal”, is easy to set up, but it uses authentication “keys” that could pose a security risk.

A second, more secure, version called “Enterprise” employs a range of complex identification mechanisms to be used through a centralised Extensible Authorisation Protocol or “EAP” server.

Properly configured, it could be almost impregnable but is far harder to implement. EAP-based security does not necessarily depend on use of WPA2 but running an EAP server could stretch the capabilities of many small businesses.

For those companies that have Wi-Fi installations, switching all their equipment to WPA2 is an expensive option: “We’re advising our clients to move to WPA2 where they can,” says Mr Girard, “but always follow best practice.”

One option is to have employees connect to the Wi-Fi network through virtual private networks that terminate at the corporate firewall. These are secure “tunnels” for transmitting data through the insecure internet or a Wi-Fi network.

“That’s a solid solution,” says James Walker, Product Manager at ZyXel, the equipment maker.

Different users could be put on separate “virtual” networks allowing them the right type of access privileges depending on their security level. The technology to do this is widely available.

Because WPA2-Enterprise is an implementation of a standard called 802.1x, which concerns networking security as a whole, whether wired or wireless, businesses can develop a holistic view of security.

Kail Krall, Global Mobility Product Manager at HP’s ProCurve Networking division, says companies should control who, how and when any part of the network is accessed.

“Security should be viewed in layers,” says Richard Edgar, Global Product Manager for Wireless at 3com, the networking company. Hence, each part of the network can allow different levels of access depending on the security level of the user.

Wi-Fi security can also be configured in this way. For example, a network administrator could allow visitors to the office access to the Wi-Fi network so they can surf the internet and check their
e-mail, but forbid them access to corporate systems.

This layered view also helps to deal with a range of network security issues. For example, employees might install a rogue Wi-Fi access point for their own convenience, not realising they are offering crackers a way into the corporate network.

Copyright The Financial Times Limited 2017. All rights reserved. You may share using our article tools. Please don't copy articles from FT.com and redistribute by email or post to the web.