GPSolo Magazine - December 2003
Benefit from Wireless Networks Through Risk Management
On a daily basis we hear many promises that something with the term “wireless” is going to make life better. Wireless phones (which are looking less like phones every day), Blackberrys, personal digital assistants (PDAs), satellite global positioning systems (GPSs), wireless networks—it’s no wonder wireless technology was labeled “the next big thing.” There are more electronic products sans wires than ever before.
Wireless networks, however, necessitate more than cursory consumer attention owing to the risks they can pose in legal environments. In this article, “wireless networks” refers to wireless local area networks (WLANs), specifically those supported by the popular 802.11 standards family such as 802.11a, 802.11b, and 802.11g (see sidebar “802.11 and the Need for Speed” on page 24). Another term frequently used for WLANs is “WiFi.”
Setting up a new WLAN does have some basic requirements: WLAN equipment that speaks the same 802.11 standard, whether version a, b, or g (this is for you to provide); technical know-how in IP networking (supplied by you or a willing techie friend); and some degree of WLAN technical savvy (that’s why you’re reading this article).
802.11 and the Need for Speed
WLAN standards have been evolving at a rapid pace, beginning with 802.11b, moving on to 802.11a, and debuting 802.11g in stores as you read this. WLAN speed is increasing as new technology is developed, and older technologies are very affordable as a result. The first 802.11 specification to hit the market, 802.11b, running at 2.4 GHz, is able to deliver 11 Mbps under optimal conditions (typically less in the real world). The second specification, 802.11a, running at 5 GHz, provides speeds up to 54 Mbps. Some WLAN access points are capable of networking both 802.11b and 802.11a adapters together, so you don’t have to replace old 802.11b adapters if you move to 802.11a (the “a” and “b” standards are directly incompatible). The newly released 802.11g runs at 2.4 GHz and both 11 Mbps and 54 Mbps, and is compatible with 802.11b adapters directly. Because 802.11b was the first and most widely used WLAN standard, it is reasonable to expect that 802.11g will become a popular choice for 2.4 GHz/54 Mbps WLANs in the near future.
If you’ve ever used a computer network, you can relate to WLANs. Such networks include Ethernet (wired) networks, broadband Internet networks such as DSL or cable, and telephone dial-up via modem. All these systems have a key point in common: They enable the computer you’re working on to be a client of the network being served by something else. The client computer utilizes an adapter to access the network. Servers control the network.
WLANs almost always use standard IP networking, the de facto standard for connecting computers on a network. WLAN clients require a WLAN adapter, which comes in different forms: PCI cards for desktop computers, credit-card-sized adapters for laptops, and USB adapters for computers with a USB port running a USB-compliant operating system. The server of a WLAN is an access point. An access point may simply provide a communications bridge between WLAN clients and/or a wired network (such as Ethernet) or, more commonly, may also provide the WLAN with a router that lets users share a broadband Internet connection and a firewall to protect the WLAN from hackers. Additional features may include additional Ethernet ports, dynamic host configuration protocol (DHCP) servers for assigning IP configuration to clients, and activity logging for tracking what websites have been visited from within your network.
Note that WLAN adapters have two modes: peer-to-peer and infrastructure. An adapter using an access point should be set to infrastructure mode. The peer-to-peer mode works directly between WLAN clients and is seldom used because it is less secure and less scalable than an access point.
Is It Safe?
Be sure to investigate your network’s security standards. Through 802.11b and 802.11a, the wired equivalent privacy (WEP) standard was widely deployed. But in February 2001 the Internet Security, Applications, Authentication, and Cryptography research group at the University of California, Berkeley, discovered that WEP security algorithms are flawed. WEP comes in 64-, 128-, and even 256-bit-strength versions, but the fatal flaw in WEP makes all of these versions vulnerable. The Institute of Electrical and Electronics Engineers (IEEE), the body responsible for ratifying all new 802.11 standards, promised that the next version (802.11i) would address WEP shortcomings; its ratification process, however, could drag on into 2004. Thus, the WiFi Alliance, a wireless industry consortium, and IEEE together developed WiFi protected access (WPA). WPA is an interim solution to WEP vulnerabilities, and the improvements scheduled for 802.11i will be backward compatible with WPA. WPA is appearing in new 802.11 devices now, and some vendors are providing WPA upgrades to existing products.
Benefits of Wireless Networks
If you have a broadband connection (DSL or cable Internet) in your home or office, you are part of a rapidly growing market segment (SOHOs: small office/home office networks) that values fast, always-on access to the Internet. Using the Internet is part of your daily life for e-mail, research, telecommuting, and shopping and other personal conveniences. It’s not surprising that your type of consumer also wants to share a broadband connection among multiple computers.
But what about all those Ethernet cables snaking all over your home and office—maybe you’re simply tired of running Ethernet cables to where the computers are and would like the network to come to you, whether you’re working at your desk or from your favorite easy chair in the TV room. WLAN router/firewall access points can meet both these challenges: They enable a wireless network to reach multiple computers and provide a shared broadband Internet connection among those networked computers.
Home offices and traditional business settings receive different benefits from WLANs. Home offices with broadband can especially benefit from WLANs, because most houses are not wired for computer networking. With little effort, virtually every PC in your house could be sharing printers and broadband Internet access—and with a laptop, from anywhere in the home with correct hardware. Traditional offices, on the other hand, may already have an Ethernet (wired) network that serves the purpose just fine (and with more security). If you’re considering a wireless network for a traditional office, be sure to pay attention to the risks, outlined later in this article, with a mind toward justifying, or not justifying, the need for a WLAN.
You may already have heard about hotspots—physical locations where WLAN access is available (and, thus, where Internet access is available). Hotspots can be found in public places such as Starbucks cafés or Marriott hotels, or in semi-public places such as airport terminals and colleges. Hotspots are wonderful for those who love their laptops and WLAN-enabled PDAs, especially for staying in touch. All you need is a WLAN adapter that speaks the right dialect of 802.11 and the hotspot’s WLAN setting (from the WLAN owner) so you can reset your adapter to match. But remember: In networking, convenience is always a tradeoff with data security.
Unfortunately, the very ease of setting up and using WLAN equipment gives rise to their greatest drawback: Almost every access point comes out of the box configured in a way that makes the WLAN vulnerable to being hacked or even innocently snooped. The choice to create a WLAN should be made with eyes wide open to the risks they currently carry.
Non-802.11 Wireless Networks
Wireless networking has a few popular forms, and each fits some applications better than others.
Assessment of Wireless Network Risks
The information security risks that WLANs present to a law office should be understood before the first piece of equipment is installed. The ease of WLAN setup sometimes masks many subtle configuration steps necessary to make WLANs more secure. The risks of WLANs are real and tangible. Imagine the information on your office computer hard drive—including case documents and electronic files—being reviewed day after day by the business upstairs. Or think about the contents of your home e-mails being read by that gossipy neighbor who accidentally found your wireless network while setting up her own WLAN. Such scenarios are real risks to the security of a wireless setup, and they are serious threats to the credibility and trustworthiness of a law practice.
The main source of WLAN risks is other people: neighbors who stumble onto your WLAN when using their own equipment (both home and office), freeloaders looking for high-speed Internet access through your network, or garden-variety hackers. Wardrivers, a new type of hacker, roam WLAN proximities with laptops equipped with WLAN adapters, in conjunction with special software for analyzing WLAN transmissions. The software has colorful names like “AirSnort” and “WEPcrack,” is freely available on the Internet, and is capable of decrypting WLAN transmissions that use the wired equivalent privacy (WEP) encryption standard—the protocol most commonly provided with 802.11 devices (see sidebar “Is it Safe?” on page 24). Also be aware that rogue access points can be set up within range of your own access point. Such rogues may interfere with the existing WLAN or, worse, could mount a malicious attack on your WLAN.
The other major risk is the configuration of the WLAN. Without paying special attention to specific settings on access points and adapters, an unwitting WLAN user could advertise the presence of the WLAN to others within radio range and unintentionally allow its information to be viewed by anyone who finds it. For example, all WLANs use a service set identifier (SSID) chosen by the owner as a network name. All WLAN access points are capable of broadcasting their SSID and do so in plaintext (not encrypted) form, readily available for viewing. But not all access points allow the broadcast to be turned off, and, even if it can be, few brands come out of the box with SSID broadcasting turned off. A WLAN that doesn’t broadcast an SSID cannot be easily found. Another tip: SSIDs should be chosen with the intent of foiling hackers’ attempts to connect a WLAN with anything material—using the words “law office” would not be good.
Even the simple act of choosing the location of the access point can be risky. In Washington, D.C., a wireless security consultant found a law office WLAN without WEP turned on (yielding plaintext data 100 percent ready for viewing) in the third story of an office building from two blocks away—because the access point was in the window. He also located 173 of 281 WLANs in the nation’s capital via broadcasted SSIDs. (See www.wificonsulting.com/Security/SecurityArticle-1.htm.)
If you like using hotspots, note that most run with a blank SSID and no WEP encryption, which means they typically will let any WLAN client join the network and also require you to operate without encryption. Lack of encryption aside, remember that you’re typically in a public setting when using a hotspot—don’t discount the amount of information that can be stolen through “shoulder surfing” (i.e., someone simply watching your screen).
These drawbacks create a tangible threat to data security for all users of the WLAN. Thankfully, users can take a number of simple actions to mitigate the risks WLANs present.
The Wire Is Dead, Long Live the Wire
Although wireless technology supplies glitz and glamour for the technology industry, some wired methods of networking computers in the SOHO market may still hold appeal:
Mitigation of Wireless Network Risks
WLANs are like cars—if someone really wants your car, that person can take it despite the locks and alarm systems. However, car security systems continue to act as deterrents to theft. In much the same way, the measures presented below raise significant roadblocks to passive or active breaches of WLAN security:
- Draft an information security policy that demonstrates your commitment to your legal clients’ privacy. Make other employees aware that they are bound by it by posting the policy or having each sign an agreement to uphold the policy. Keep a copy available in case a client inquires about such a policy.
- Get all WLAN equipment (client adapters and access points) from a single manufacturer, and have your choices validated by a salesperson or other knowledgeable person for full compatibility. Some manufacturers have added their own proprietary extensions to WEP—better yet, some new equipment includes “WiFi protected access” (WPA; see the sidebar “Is it Safe” on page 24). Remember that access points and clients must support the same standards in order to use them together.
- Rome wasn’t built in a day. Most WLAN setups typically take two to three hours—plan accordingly.
- Follow the manufacturer’s instructions for installing WLAN adapters onto client computers, and then do the same when setting up the access point.
- Make sure all clients have the same settings (SSID, WEP, radio channel) as the access point. Depending on equipment vendor, LED lights on the access point and icons or panels on the clients indicate whether or not you are on the WLAN.
- Resist the temptation to use the WLAN equipment immediately out of the box. Perform the additional configurations that will make the WLAN as secure as it can be.
- Change the default administrator password for your access point. This is usually the password used to connect to a web interface on the access point itself.
- If you have only WEP encryption, turn it on at the highest bit-strength you have, usually 128-bit, making sure to set this at the access point and on all WLAN clients. Yes, WEP is a flawed algorithm, but scrambling your data will prevent casual or accidental viewing of your transmissions—anyone else must have willful intent to decrypt your data with programs such as AirSnort and WEPcrack.
- If you have new equipment that supports WPA, enable it for the access point and for clients.
- Turn off SSID broadcasting if possible. This removes the largest billboard advertising your WLAN.
- Pick an SSID that is difficult to guess or connect to your business. “LALaw” is a poor choice; “67pumpkin-pie$%” is much better. Also avoid indicating the physical location of the WLAN.
- Turn your passwords into pass phrases. Pick difficult pass phrases for WEP and WPA. For example, “33mary99had66a00little11lamb*&^%$#” is good because it has letters, numbers, and non-alphanumeric characters, and no apparent association with a law practice.
- Restrict knowledge of SSIDs, passwords, and especially the administrator user name and password for the access point.
- Control the reception area of the access point. Place access points in the middle of the area to be served by the WLAN, away from windows or exterior walls.
- If you rely on an access point’s DHCP server to supply IP configuration to your WLAN clients, be sure to enable MAC address access control lists (ACLs). This allows you to explicitly specify which WLAN client adapters can attach to your access point and thus receive IP configuration. Willful intent is necessary to impersonate a particular MAC address.
- If the access point does not have ACL capability, consider turning off the DHCP server and manually assigning IP configuration to each client PC instead. This prevents a hacker or freeloader who gets through every other roadblock from getting an IP address on your WLAN.
- For serious techies with existing wired business networks: The ultimate way to secure a WLAN is to place the access point into a demilitarized zone (DMZ, a highly controlled perimeter network) and require secure virtual private network (VPN) protocols for accessing the existing wired business network from the WLAN. Corporate IT environments now presume WLANs are untrustworthy, much like the Internet. The same technology used for secure VPN access to corporate networks can usually be made to work with WLANs. Because this can require significant technical know-how, this option usually is reserved for large networked environments.
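
The configuration items in the list above can be checked mechanically once the access point's settings are written down. The following is an added example, not part of the original article: the setting names, the word list, the 20-character minimum, and both sample configurations are assumptions constructed for illustration.

```python
import re

# Hypothetical setting names; real access points label these differently per vendor.
BUSINESS_WORDS = ("law", "legal", "attorney", "esq")  # assumed word list
MIN_PHRASE_LEN = 20  # assumed threshold; the article gives no number

def weak_passphrase(phrase):
    """Article's advice: mix letters, numbers and non-alphanumeric characters."""
    classes = (r"[A-Za-z]", r"[0-9]", r"[^A-Za-z0-9]")
    return len(phrase) < MIN_PHRASE_LEN or not all(re.search(c, phrase) for c in classes)

def audit(cfg):
    """Return the checklist items an access point configuration still fails."""
    findings = []
    if cfg["admin_password"] == cfg["factory_admin_password"]:
        findings.append("default administrator password unchanged")
    enc = cfg["encryption"]
    if enc == "none":
        findings.append("no encryption: transmissions are plaintext")
    elif weak_passphrase(cfg["passphrase"]):
        findings.append("pass phrase too short or lacks character variety")
    if enc == "wep" and cfg["supports_wpa"]:
        findings.append("WEP in use although the equipment supports WPA")
    if enc == "wep" and cfg["wep_bits"] < cfg["max_wep_bits"]:
        findings.append("WEP below the highest available bit-strength")
    if cfg["ssid_broadcast"]:
        findings.append("SSID broadcasting is on")
    if any(word in cfg["ssid"].lower() for word in BUSINESS_WORDS):
        findings.append("SSID can be connected to the business")
    if cfg["dhcp_enabled"] and not cfg["mac_acl"]:
        findings.append("DHCP server enabled without a MAC address ACL")
    return findings

# Constructed sample: settings as many access points ship, plus the article's poor SSID.
OUT_OF_BOX = {
    "ssid": "LALaw", "ssid_broadcast": True, "encryption": "none",
    "wep_bits": 0, "max_wep_bits": 128, "supports_wpa": True, "passphrase": "",
    "admin_password": "admin", "factory_admin_password": "admin",
    "dhcp_enabled": True, "mac_acl": [],
}
# Constructed sample: the same device after working through the list.
HARDENED = dict(
    OUT_OF_BOX, ssid="67pumpkin-pie$%", ssid_broadcast=False, encryption="wpa",
    passphrase="33mary99had66a00little11lamb*&^%$#",
    admin_password="constructed-Admin-phrase-42!", mac_acl=["00:11:22:33:44:55"],
)

if __name__ == "__main__":
    for name, cfg in (("out of box", OUT_OF_BOX), ("hardened", HARDENED)):
        print(name, "->", audit(cfg) or "no findings")
```

Physical placement of the access point and who knows the passwords cannot be read from a settings page, so those items still need a walk-through.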
A WLAN can increase the convenience of computing as well as enable file sharing and shared use of resources such as broadband Internet connections, printers, and other peripheral devices. Through careful configuration of WLAN settings, you can create a reasonably secure WLAN and enhance your law practice.
James B. Federline is a senior systems engineer experienced in computer networking technologies for corporate management information systems. Helen M. Federline is a freelance paralegal who does law office consulting and training.