Wireless communications offer organizations and users many benefits such as portability and flexibility, increased productivity, and lower installation costs. Wireless technologies cover a broad range of differing capabilities oriented toward different uses and needs. Wireless local area network (WLAN) devices, for instance, allow users to move their laptops from place to place within their offices without the need for wires and without losing network connectivity. Less wiring means greater flexibility, increased efficiency, and reduced wiring costs. Ad hoc networks, such as those enabled by Bluetooth, allow data synchronization with network systems and application sharing between devices. Bluetooth functionality also eliminates cables for printer and other peripheral device connections. Handheld devices such as personal digital assistants (PDA) and cell phones allow remote users to synchronize personal databases and provide access to network services such as wireless e-mail, Web browsing, and Internet access. Moreover, these technologies can offer dramatic cost savings and new capabilities to diverse applications ranging from retail settings to manufacturing shop floors to first responders.

However, risks are inherent in any wireless technology. Some of these risks are similar to those of wired networks; some are exacerbated by wireless connectivity; some are new. Perhaps the most significant source of risks in wireless networks is that the technology’s underlying communications medium, the airwave, is open to intruders, making it the logical equivalent of an Ethernet port in the parking lot. The loss of confidentiality and integrity and the threat of denial of service (DoS) attacks are risks typically associated with wireless communications. Unauthorized users may gain access to agency systems and information, corrupt the agency’s data, consume network bandwidth, degrade network performance, launch attacks that prevent authorized users from accessing the network, or use agency resources to launch attacks on other networks.

Specific threats and vulnerabilities to wireless networks and handheld devices include the following:

- All the vulnerabilities that exist in a conventional wired network apply to wireless technologies.
- Malicious entities may gain unauthorized access to an agency’s computer network through wireless connections, bypassing any firewall protections.
- Sensitive information that is not encrypted (or that is encrypted with poor cryptographic techniques) and that is transmitted between two wireless devices may be intercepted and disclosed.
- DoS attacks may be directed at wireless connections or devices.
- Malicious entities may steal the identity of legitimate users and masquerade as them on internal or external corporate networks.
- Sensitive data may be corrupted during improper synchronization.
- Malicious entities may be able to violate the privacy of legitimate users and be able to track their movements.
- Malicious entities may deploy unauthorized equipment (e.g., client devices and access points) to surreptitiously gain access to sensitive information.
- Handheld devices are easily stolen and can reveal sensitive information.
- Data may be extracted without detection from improperly configured devices.
- Viruses or other malicious code may corrupt data on a wireless device and subsequently be introduced to a wired network connection.
- Malicious entities may, through wireless connections, connect to other agencies or organizations for the purposes of launching attacks and concealing their activities.
- Interlopers, from inside or out, may be able to gain connectivity to network management controls and thereby disable or disrupt operations.
- Malicious entities may use third-party, untrusted wireless network services to gain access to an agency’s or other organization’s network resources.
- Internal attacks may be possible via ad hoc transmissions.

The National Institute of Standards and Technology (NIST) recommends the following actions:

Agencies should be aware that maintaining a secure wireless network is an ongoing process that requires greater effort than that required for other networks and systems. Moreover, it is important that agencies assess risks more frequently and test and evaluate system security controls when wireless technologies are deployed.

Maintaining a secure wireless network and associated devices requires significant effort, resources, and vigilance and involves the following steps:

- Maintaining a full understanding of the topology of the wireless network.
- Labeling and keeping inventories of the fielded wireless and handheld devices.
- Creating backups of data frequently.
- Performing periodic security testing and assessment of the wireless network.
- Performing ongoing, randomly timed security audits to monitor and track wireless and handheld devices.
- Applying patches and security enhancements.
- Monitoring the wireless industry for changes to standards that enhance security features and for the release of new products.
- Vigilantly monitoring wireless technology for new threats and vulnerabilities.
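
The inventory and audit steps above can be tied together by reconciling what an audit survey observes against the labeled inventory. The following is an added example, not part of the NIST text: the inventory, the survey records, the field names and the finding names are all constructed assumptions. It flags unauthorized equipment, ad hoc networks, devices running with weaker protection than recorded, and inventoried devices that were not seen.

```python
# Added example: reconcile one audit survey against the labeled device inventory.
# All MAC addresses, labels and SSIDs below are constructed sample data.
INVENTORY = {
    "00:11:22:33:44:01": {"label": "AP-LOBBY", "ssid": "agency-net", "security": "WPA2"},
    "00:11:22:33:44:02": {"label": "AP-FLOOR2", "ssid": "agency-net", "security": "WPA2"},
    "00:11:22:33:44:03": {"label": "AP-ANNEX", "ssid": "agency-net", "security": "WPA2"},
}
SURVEY = [  # what a site survey tool reported during one randomly timed audit
    {"bssid": "00:11:22:33:44:01", "ssid": "agency-net", "security": "WPA2", "mode": "infrastructure"},
    {"bssid": "00-11-22-33-44-02", "ssid": "agency-net", "security": "OPEN", "mode": "infrastructure"},
    {"bssid": "66:77:88:99:AA:01", "ssid": "agency-net", "security": "WPA2", "mode": "infrastructure"},
    {"bssid": "66:77:88:99:AA:02", "ssid": "printer-share", "security": "OPEN", "mode": "ad-hoc"},
]
STRENGTH = {"OPEN": 0, "WEP": 1, "WPA": 2, "WPA2": 3, "WPA3": 4}  # weakest to strongest


def normalize(bssid):
    """Canonical form so 00-11-.. and 00:11:.. compare equal."""
    return bssid.strip().lower().replace("-", ":")


def audit(inventory, survey):
    """Return sorted (finding, bssid, detail) tuples for one survey."""
    known = {normalize(b): rec for b, rec in inventory.items()}
    agency_ssids = {rec["ssid"] for rec in known.values()}
    seen, findings = set(), []
    for obs in survey:
        bssid = normalize(obs["bssid"])
        seen.add(bssid)
        rec = known.get(bssid)
        if rec is None and obs["mode"] == "ad-hoc":
            findings.append(("ad-hoc-network", bssid, obs["ssid"]))
        elif rec is None and obs["ssid"] in agency_ssids:
            findings.append(("unauthorized-ap-using-agency-ssid", bssid, obs["ssid"]))
        elif rec is None:
            findings.append(("unknown-device", bssid, obs["ssid"]))
        elif STRENGTH.get(obs["security"], 0) < STRENGTH[rec["security"]]:
            detail = f'{rec["label"]}: {obs["security"]} instead of {rec["security"]}'
            findings.append(("weaker-than-inventory", bssid, detail))
    for bssid, rec in known.items():
        if bssid not in seen:  # labeled device missing from the air: moved, off, or stolen
            findings.append(("inventory-device-not-seen", bssid, rec["label"]))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(INVENTORY, SURVEY):
        print(*finding, sep="  ")
```
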

Agencies should not undertake wireless deployment for essential operations until they have examined and can acceptably manage and mitigate the risks to their information, system operations, and continuity of essential operations. Agencies should perform a risk assessment and develop a security policy before purchasing wireless technologies, because their unique security requirements will determine which products should be considered for purchase.

For more info on the topic, read the source here: Wireless Network Security: Bluetooth, 802.11, handhelds (pdf)

Wireless Security Resources:

- Wireless LAN Security Site
- Wireless LAN FAQ
- Wireless Security
- Wireless Networking Security Reference
- Wireless Home Networking Security Tips
- Wireless Security Article
- Wireless Security Tutorial
- Wireless Networking Tutorials