Republished with permission of
Originally published 2 July 2002.
Wireless at Home
by Fred Avolio, .
By now, in this forum you've read enough about Wireless LANs to scare you away from them. At least you'll approach WLANs with suspicion -- as well you should. Rik told you of the weaknesses in WEP . Corey told you to relegate Wireless Access Points to the DMZ , and Dave said to put them entirely outside . No one has said to throw them out entirely, for two very good reasons. First, WLANs are useful in some situations. Second, you wouldn't listen to us anyway.
You know what to do about WLANs at the office. But, what about our users when they go home? As many have pointed out, "wireless" is very affordable. And it works. (As I type this, I sit out on my deck, wirelessly connected to my otherwise wired home network and, via my ISP, to the Internet.) So, how do you help safeguard your users -- and the corporate data on their computers? It starts with your (and your users') understanding the risk.
Understand the risk
First, we realize that the risk is going to be a function of the vulnerability, the level of threat, and how much it would cost your company if someone were able to steal proprietary information (or at the minimum, to piggy-back on your Internet connection). As the other editorials have told us, real vulnerabilities exist. The vulnerabilities are in the very infrastructure of WLAN technology.
Threat, or threat rate, is more difficult to measure. We have to take into account physical parameters. For example, not only does it matter how far the WAP can transmit, but it also matters how close people can get to the user's house without being obvious. Some-time LiveSecurity columnist Lisa Phifer picked up eight access points while driving along the New Jersey Turnpike at highway speeds. And from her desk, she received the broadcasts of her next-door neighbor's WAP.
Also, threat increases if attacking your network is attractive to a would-be attacker. Has the employee recently ticked off his neighbor (or worse, his neighbor's teenaged son)? Does your company deal in military secrets or pizza dough recipes? And what's the competition like in the pizza industry , anyway? The same kind of threat analysis that you do for your company network has to be extended to employees' homes. Not in as much detail, not with as much effort, but similarly. Attacking your employee's network and system is either worth something to someone or it is not. No matter how we figure the threat, it is greater than zero.
How do you estimate the cost to the company (or the individual, for that matter) of a break-in -- the event cost? It depends. What secrets does the home network hold? Does it have corporate information? How about military secrets or personal, financial, or medical information? Having a home WAP is similar to running Cat-5 wire connected to a hub inside your house, out to the end of your driveway, with an RJ45 socket on it. Someone could drive up, plug in, and access your home network. They can do the equivalent via a connection to the WAP. And they could sniff all packets traveling by radio between the WAP and each wireless client.
Bridging policy and practice
Perhaps by now you are convinced that the best acceptable use policy for home users with WLANs is to not allow them. You would be right. However, since we know that people will ignore that directive, after explaining the risks to them, as I did above, you will need to put some guidance in place that they might actually follow. This is neither meant to be fatalistic nor overly pragmatic. As security professionals, our job is not to provide security. It is to secure the mission requirements of the organization.
Let us assume we are talking about average-grade risks. Our main concern is not with targeted attacks by agents of other governments. (Because in that case we can say, "Thou Shalt Not Do This," making sure people know infractions could lead to time in a federal penitentiary.)
First, as poor as it is, WEP should be used for authentication and integrity. PC cards that support 128-bit or better are a bit more expensive, so many home users don't have them. Make them a requirement if people want to "plug" their work computer into home WLANs.
Next, require that they use a random key. Many WAPs will generate a key from a password. As Rik pointed out a few weeks ago, implementation weaknesses undermine this. If your users employ this method, they should enter random letters and numbers for the passphrase, and allow the WAP to generate the keys. Then they can manually enter the generated encryption keys into the wireless clients. They must change the key weekly. They probably won't, but if you require it weekly, maybe they will do it monthly. Remind them.
Users should change all defaults on their WAPs. Default keys must be replaced, default security settings changed (since all these devices have WEP disabled from the get-go), default broadcast channels switched, and the SSID renamed to something non-generic. It is best if the name does not identify the name of the owner (though in a small neighborhood, this might be a moot point). It certainly should not identify the employer of the individual. An SSID that broadcasts "ABC1" is less interesting than one that says, for example, "cia-home1." From a risk standpoint, it is irrelevant that "CIA" are the homeowner's initials.
They should change the default IP address of the WAP as well as the default administration password. Some WAPs use a hard-connected USB port for administration, but many can be administered via a network-connected Web interface. If the kid next door enables his wireless card, and sees your WAP broadcasting (because it broadcasts on the same channel as his), and sees that your SSID is "linksys", he might be tempted to try to connect to IP address "192.168.1.251" and login with password "admin." Every vendor has a list like that. That's why it is important to change the defaults.
Recall that in " Five 'Must Have' Defenses for Mobile Computer Users ," I wrote, "The mobile computer is an extension of the private network ..." The user with a WLAN is arguably at greater risk than other mobile users. Disk encryption protects the data on a PC while it is powered off and at rest, but if that data flows over a home network, we need extra protection for that network or the computer. Personal firewalls must be used, with a policy that disallows services between computers. Otherwise, there is no good way to keep that teenager next door from your computer's folders.
Finally, and this is perhaps most important: establish a policy that says users of home WLANs must configure their WAPs to filter, only talking to a fixed set of MAC addresses. This is tedious to do in an organization with many computers. It is a short job for someone working on a home network.
How much to worry
Not every employee has a home WLAN. Not everyone has a home network. But just as every computer user who does not have a home network probably will one day, those who have home networks today will soon add a wireless access point. You can control WLAN use in the office, to some extent. Since you probably cannot "war drive" around every employee's home looking for WAPs, you have to put policies and procedures in place to mitigate the risk when employees use company computers on home WLANs. Because in this case, what people do in the privacy of their own homes is your business. ##
What did you think of this article? Is there a security topic you want our experts to tackle? Let us know at firstname.lastname@example.org .
For other helpful articles, log into the LiveSecurity Archive .
Copyright© 2002, WatchGuard Technologies, Inc. All rights reserved. WatchGuard, LiveSecurity, Firebox and ServerLock are trademarks or registered trademarks of WatchGuard Technologies, Inc. in the United States and other countries.