by Loretta W. Prencipe

Layering Wi-Fi security

feature
Feb 28, 2003 (5 mins)

Growing complexity of wireless networks demands serious consideration of security needs and best practices

DigitalNet Vice President and CTO Mary Stassie knew something wasn’t quite right when she saw the car idling in the parking lot near her building — and the fact that the car’s occupant appeared to be measuring wireless communication reception in the area didn’t help.

The CTO knew this could pose a risk to any surrounding wireless networks. However, spotting the potential intruder didn’t send Stassie into crisis mode, thanks in part to a solid IDS (intrusion detection system) that indicated no network penetration. The IDS is also just one part of a multilayered security system implemented as part of the methodical, deliberate approach Stassie took in 2002 while deploying the company’s 802.11b network, which extends to 1,700 employees in 19 offices stateside and abroad.

“We treat wireless as a less secure point-of-presence in the network,” Stassie says. “We recognize that there is a higher risk and try to control that risk through best practices and policies.”

For government services provider DigitalNet, which promotes its security as “baked in — not bolted on,” the aforementioned best practices for Wi-Fi security mean lessening risk and the potential for damage through a multilayered approach. “Wireless security is still very immature,” Stassie says. “But there are things that CTOs can do to make that environment good enough to address most of the issues.”

Think airports, not fortresses

Experts are increasingly supporting the multilayered approach instead of the traditional “fortress model — thick walls with guard towers and lookouts, drawbridge and gatekeeper, and a moat with crocodiles,” says Steve Bittinger, a research director at Stamford, Conn.-based Gartner.

Bittinger suggests following a flexible, layered model akin to the goings-on of an airport that must secure the facility, numerous passengers, and staff, using different tools to do so, such as x-ray scanners, metal detectors, ID checks, and sniffer dogs. The “airport model” separates the traffic and tools into discrete functional areas. “The challenge is for enterprises and value chains to re-architect themselves to consider and deal with security based on the airport model,” Bittinger says.

At Herndon, Va.-based DigitalNet, Stassie’s security model includes multiple layers dedicated to wireless and wired networks, data, and mobile device protection. For instance, WLAN intrusions could be thwarted by DigitalNet’s containment methodology: the company’s access point transmitter is set to use the least amount of power necessary to serve the wireless clients without breaching building walls.

“[By doing this,] we control the access points so the WLAN can’t be accessed outside the perimeter of the building. Then we use a shareware tool where we actually go outside and test the perimeter,” Stassie notes.
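The containment check Stassie describes (turn the access point's transmit power down until the cell stops at the walls, then walk the perimeter to confirm) comes down to comparing readings taken inside and outside the building. The following is an added example, not code from the article, DigitalNet, or any shareware survey tool: it evaluates a constructed perimeter survey and reports whether a power cut can contain the leak or whether the AP has to be moved. The dBm thresholds and every reading are assumptions for illustration.

```python
"""Decide whether an access point's signal can be contained by power tuning.

Added example, not from the article or DigitalNet: evaluates a constructed
perimeter site survey (RSSI readings taken inside and just outside the
building, as a hand-held scanner would record them). Thresholds are
illustrative assumptions, not vendor or DigitalNet figures.
"""
from dataclasses import dataclass

# Assumed thresholds in dBm. A client outside that sees the AP weaker than
# LEAK_THRESHOLD_DBM cannot realistically associate; a client inside needs
# at least SERVICE_THRESHOLD_DBM for usable throughput.
LEAK_THRESHOLD_DBM = -85
SERVICE_THRESHOLD_DBM = -70


@dataclass(frozen=True)
class Reading:
    location: str
    rssi_dbm: int
    outside: bool  # True when measured beyond the building perimeter


def assess_containment(readings, leak_threshold=LEAK_THRESHOLD_DBM,
                       service_threshold=SERVICE_THRESHOLD_DBM):
    """Return leak points and the transmit-power cut that would remove them.

    Lowering AP transmit power by N dB lowers every reading by roughly N dB,
    so the cut must be at least (strongest outside reading - leak threshold)
    and at most (weakest inside reading - service threshold). If the first
    exceeds the second, power tuning alone cannot contain the cell.
    """
    outside = [r for r in readings if r.outside]
    inside = [r for r in readings if not r.outside]
    if not outside or not inside:
        raise ValueError("survey needs readings both inside and outside")

    leaks = [r.location for r in outside if r.rssi_dbm > leak_threshold]
    needed_cut = max(0, max(r.rssi_dbm for r in outside) - leak_threshold)
    allowed_cut = min(r.rssi_dbm for r in inside) - service_threshold

    if needed_cut == 0:
        verdict = "contained"
    elif needed_cut <= allowed_cut:
        verdict = "reduce_power"
    else:
        verdict = "relocate_or_reantenna"  # power alone cannot fix it
    return {"leaks": leaks, "needed_cut_db": needed_cut,
            "allowed_cut_db": allowed_cut, "verdict": verdict}


# Constructed survey: a west-wing AP whose weakest indoor client is already
# near the service floor, so the leak cannot be fixed by power alone.
SURVEY_WEST = [
    Reading("lobby", -55, False),
    Reading("corner office", -62, False),
    Reading("conference room", -66, False),
    Reading("parking row A", -80, True),
    Reading("parking row C", -88, True),
    Reading("sidewalk", -83, True),
]

# Constructed survey: an east-wing AP with plenty of indoor margin, where a
# 5 dB transmit-power cut removes the only leak.
SURVEY_EAST = [
    Reading("lobby", -50, False),
    Reading("corner office", -58, False),
    Reading("conference room", -60, False),
    Reading("parking row A", -80, True),
    Reading("sidewalk", -86, True),
]


if __name__ == "__main__":
    for name, survey in (("west", SURVEY_WEST), ("east", SURVEY_EAST)):
        print(name, assess_containment(survey))
```

The point of tracking both numbers is the failure mode: when the weakest indoor client is already close to the service floor, the required cut exceeds the allowed cut and the honest answer is to move the AP or change the antenna pattern rather than keep turning power down.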

Keeping the signal in is coupled with keeping intruders out. Stassie deploys AirDefense’s IDS, managing field-office sensors from the company’s Herndon, Va. headquarters. The CTO also puts both the IDS and DigitalNet’s network managers through surprise testing to ensure security practices stay sharp. “We had some folks doing demos for us in the office. As soon as they [hit] an access point, they were picked up by AirDefense and we got a call from the managers,” Stassie adds.
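The detection that caught the demo access point is, at its core, a comparison of what distributed sensors hear against an inventory of sanctioned radios. The following is an added example, not the article's, DigitalNet's or AirDefense's code: it classifies sensor reports into findings a network manager would be paged about. Every MAC address, SSID, sensor name and threshold is constructed for illustration.

```python
"""Flag radios that do not belong on the corporate WLAN.

Added example, not from the article, DigitalNet or AirDefense: compares
access points reported by distributed sensors against an authorized-AP
inventory. Every MAC address, SSID, sensor name and threshold below is
constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

CORPORATE_SSID = "DNET-CORP"  # assumed corporate network name
ONSITE_RSSI_DBM = -65         # assumed: heard this strongly, the radio is likely inside the perimeter


@dataclass(frozen=True)
class Observation:
    sensor: str
    bssid: str
    ssid: str
    channel: int
    rssi_dbm: int


# Constructed inventory of sanctioned access points, keyed by BSSID.
AUTHORIZED_APS = {
    "00:11:22:33:44:01": {"ssid": "DNET-CORP", "channel": 1},
    "00:11:22:33:44:02": {"ssid": "DNET-CORP", "channel": 6},
}


def classify(observations, authorized=AUTHORIZED_APS,
             corporate_ssid=CORPORATE_SSID, onsite_rssi=ONSITE_RSSI_DBM):
    """Return {bssid: finding} for every radio that needs a human's attention.

    Authorized radios advertising the expected SSID on the expected channel
    produce no finding. Categories, from most to least urgent:
      spoofed_ssid      unknown radio advertising the corporate SSID
      rogue_onsite      unknown radio heard strongly enough to be on premises
      misconfigured     inventoried radio whose SSID or channel drifted
      unknown_neighbor  faint unknown radio, probably a neighbouring network
    """
    by_bssid = defaultdict(list)
    for obs in observations:
        by_bssid[obs.bssid.lower()].append(obs)  # normalise MAC case

    findings = {}
    for bssid, seen in by_bssid.items():
        strongest = max(seen, key=lambda o: o.rssi_dbm)
        sensors = sorted({o.sensor for o in seen})
        expected = authorized.get(bssid)
        if expected is not None:
            drift = []
            if strongest.ssid != expected["ssid"]:
                drift.append(f"ssid {strongest.ssid!r} != {expected['ssid']!r}")
            if strongest.channel != expected["channel"]:
                drift.append(f"channel {strongest.channel} != {expected['channel']}")
            if not drift:
                continue  # sanctioned and exactly as inventoried
            category, reason = "misconfigured", "; ".join(drift)
        elif strongest.ssid == corporate_ssid:
            category, reason = "spoofed_ssid", "unknown BSSID advertising the corporate SSID"
        elif strongest.rssi_dbm >= onsite_rssi:
            category, reason = "rogue_onsite", f"unknown radio heard at {strongest.rssi_dbm} dBm"
        else:
            category, reason = "unknown_neighbor", f"faint unknown radio at {strongest.rssi_dbm} dBm"
        findings[bssid] = {"category": category, "reason": reason,
                           "ssid": strongest.ssid, "sensors": sensors}
    return findings


# Constructed reports from two headquarters sensors in one scan interval.
SAMPLE_SCAN = [
    Observation("herndon-1", "00:11:22:33:44:01", "DNET-CORP", 1, -48),
    Observation("herndon-2", "00:11:22:33:44:01", "DNET-CORP", 1, -70),
    Observation("herndon-1", "00:11:22:33:44:02", "DNET-CORP", 11, -52),
    Observation("herndon-2", "AA:BB:CC:DD:EE:01", "DNET-CORP", 6, -58),
    Observation("herndon-2", "de:ad:be:ef:00:01", "linksys", 6, -45),
    Observation("herndon-1", "de:ad:be:ef:00:02", "CoffeeShopWiFi", 1, -84),
]


if __name__ == "__main__":
    for bssid, finding in sorted(classify(SAMPLE_SCAN).items()):
        print(bssid, finding["category"], finding["reason"], finding["sensors"])
```

Keying on the BSSID rather than the SSID is what separates a sanctioned AP from one merely advertising the company's network name, and recording which sensors heard each radio is what lets the manager who gets the call go to the right office.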

Making the layers work

Setting practices for internal WLAN access is just the start. Other layers in Stassie’s security architecture are aimed at corralling the company’s increasingly mobile employees and clients.

“We see wireless as a cost-effective way of addressing the telecommuting and mobile employees,” she explains. “Employees will use wireless laptops so that they are connected no matter where they are. Our business development, sales, and management [employees] use PDA-type wireless devices and do not always have to carry a laptop.”

While more mobile devices mean increased productivity, they also mean CTOs must consider the risks of a lost PDA, Bittinger says. “The ‘layered’ approach to security applies just as much to the mobile environment as anywhere else. In fact, the biggest threat to mobile workers is not that someone will listen in to their communications, but that they will lose or have their portable device stolen.”

Contingency plans for device protection are essential, since a single lost device potentially presents a gaping security hole into corporate and client data and systems. To lower the risk, Stassie combines fingerprint biometrics for PDAs and mobile laptops with a policy stating that employees can only use approved products with common operating environments.

Employees who primarily use mobile devices are not given access to proprietary data, the CTO says. Those who must work in sensitive systems through Wi-Fi are routed through an authorization and authentication server. “We have the ability to lock down the wireless more strictly than at the desktop because of how the use is defined,” Stassie says.

While Stassie uses encryption — DES, triple DES, and AES — for data on DigitalNet’s 802.11b network, she’s not using 802.11b’s native security. “WEP is easy to crack. 802.1x, LEAP, PEAP, and other EAP methods can be very vendor specific and may not work across different platforms.”

“Layering security is a means to provide some assurances that if one layer has been breached, other layers will still protect you,” Stassie explains. “It’s the layering that provides you with some assurances. People, processes, and procedures are important. Everyone must understand their roles and the importance of having the processes in place.”