For years, companies have wrestled with security risks introduced by teleworkers. According to ITAC, one in five U.S. employees spent some time working from home in 2001. Growth is being accelerated by residential broadband services -- In-Stat/MDR estimates that 14% of U.S. homes now have cable modem or DSL. High-speed, always-on connections make working from home more palatable, but they also increase risk by adding new territory that must be defended from abuse and attack.
Today, residential wireless LANs are tossing fresh fuel on this smoldering fire. According to In-Stat/MDR, six million Wi-Fi home nodes were sold in 2002, projected to reach 33 million by 2006. Wireless LANs make Internet connection, printer and file sharing among PCs in the home much easier. But when one of those nodes is a teleworker desktop or laptop, securing the WLAN becomes a corporate concern.
Expanding the security gap
Teleworker PCs connected to the Internet were always at risk, but broadband exacerbated this by expanding the window of opportunity. Teleworkers connected to home WLANs open that window even wider. Some new risks resulting from lax home WLAN security include the following.
- War drivers can use unprotected home WLANs to freeload on company-paid broadband connections. Freeloaders can tap spare capacity -- or use your link to send spam, porn or even to attack someone else, leaving you holding the liability bag.
- By eavesdropping on wireless traffic, attackers can gather server identities, user credentials and confidential payload -- for example, recording email messages, hashed logins for offline dictionary analysis or valid frames to be used in replay attacks.
- Personal traffic on home WLANs can inadvertently expose company resources. For example, a teleworker who shares a printer on the WLAN becomes vulnerable to NetBIOS probes and attacks by anyone within a few hundred feet of the household access point.
- Teleworkers equipped with perimeter defense measures like SOHO firewalls or desktop firewall software can open wireless back-doors without realizing it. For example, an AP dropped inside a home WLAN, behind a firewall/VPN appliance, could ride a tunnel from the appliance into the company network.
Filling that gap
What can companies do to avoid these pitfalls and encourage safer use of teleworker wireless LANs?
- Educate teleworkers about the inherent risks associated with wireless. Awareness is growing, but many otherwise-savvy users are still in the dark.
- Define an acceptable use policy that explains permissible use of company resources on residential WLANs, acceptable configurations and recommended or required security measures.
- Actively promote safer home WLANs. For example:
  - Recommend a list of approved wireless routers and supply secure network topology diagrams and set-up instructions for them, or
  - Let teleworkers requisition a pre-configured wireless router from your IT department (i.e., extend your process for supplying secure PCs to teleworkers), or
  - Outfit teleworkers with appliances that you can manage remotely -- for example, the Colubris CN100 is a firewall/VPN client/AP for teleworkers.
- Choose the right hardware for the job. Terminology can be confusing, and many teleworkers don't understand the difference between a wireless AP and a wireless router, or between a router with an integrated VPN gateway and one that only offers VPN pass-through.
- Enable basic 802.11 security. MAC access control lists, shared key authentication, and WEP aren't perfect, but they are still useful as a first line of defense. In a small, self-contained WLAN, shared keys and ACLs are manageable. Supply guidance on how to pick good SSID and key values, when to update keys, etc.
- Harden wireless devices. Teach teleworkers to change or disable unused listening ports and configure hard-to-guess passwords. Connect only with known APs, disabling Windows XP's ability to connect to any non-preferred network.
- Extend existing desktop security measures. For example, reconfigure VPN client policies to also apply to wireless adapters, and identify wireless router VPN pass-throughs that are compatible with your VPN client.
- If you don't use VPN on the WLAN, consider other options to increase protection for sensitive traffic. For example, use SSL webmail instead of POP or encrypted screen sharing instead of cleartext remote desktop access.
- Rethink home network trust. Sharing printers and files may be acceptable on a residential Ethernet that's protected from the Internet by a firewall/router. Doing so over wireless probably is not. Help teleworkers to identify new sources of risk.
- If you haven't already, get started now. Home WLAN adoption is now growing faster than enterprise WLAN use. If your workers carry laptops or have PCs at home, odds are excellent that you already have at least a few teleworkers using wireless.
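The "enable basic 802.11 security" and "harden wireless devices" items above amount to a baseline that an IT department could check before handing a router to a teleworker. The script below is an added example written for this page, not code from the article or from any vendor: it audits a constructed router configuration against that baseline (non-default SSID and admin password, WEP with a full-length key, MAC ACL enabled, no management services reachable from the WAN, no cleartext telnet on the LAN). The configuration field names are assumptions made for the example.

```python
import re

# Constructed sample of a teleworker's home wireless router settings, as IT
# might read them off the device's admin page. Field names are assumptions
# made for this example, not any vendor's real export format.
WEAK_CONFIG = {
    "ssid": "linksys",
    "encryption": "WEP",
    "wep_key_hex": "0A1B2C3D4E",  # 40-bit key: 10 hex digits
    "mac_acl_enabled": False,
    "admin_password": "admin",
    "wan_listening_services": ["http", "telnet"],
    "lan_listening_services": ["http", "telnet"],
}
# The same router after applying the article's baseline.
HARDENED_CONFIG = {
    "ssid": "tw-7f3k",
    "encryption": "WEP",
    "wep_key_hex": "3F9A0C6B1D7E2A8C4F5B9D0E11",  # 104-bit key: 26 hex digits
    "mac_acl_enabled": True,
    "admin_password": "Q7!mxv-29Lp",
    "wan_listening_services": [],
    "lan_listening_services": ["http"],
}
DEFAULT_SSIDS = {"linksys", "default", "netgear", "wireless", "dlink"}
DEFAULT_PASSWORDS = {"", "admin", "password", "1234"}
HEX_104BIT = re.compile(r"[0-9A-Fa-f]{26}")

def audit_router(cfg):
    """Return (severity, finding) tuples for each deviation from the baseline."""
    findings = []
    if cfg["ssid"].lower() in DEFAULT_SSIDS:
        findings.append(("medium", "SSID is a factory default; choose a non-identifying value"))
    if cfg["encryption"].upper() == "NONE":
        findings.append(("high", "no link-layer encryption; enable WEP at minimum"))
    elif cfg["encryption"].upper() == "WEP" and not HEX_104BIT.fullmatch(cfg.get("wep_key_hex", "")):
        findings.append(("medium", "WEP key is not a 104-bit hex key (26 hex digits)"))
    if not cfg["mac_acl_enabled"]:
        findings.append(("low", "MAC access control list is disabled"))
    if cfg["admin_password"] in DEFAULT_PASSWORDS:
        findings.append(("high", "admin password is a default or trivial value"))
    for svc in cfg["wan_listening_services"]:
        findings.append(("high", f"management service '{svc}' is reachable from the Internet"))
    if "telnet" in cfg["lan_listening_services"]:
        findings.append(("medium", "cleartext telnet management is enabled on the LAN"))
    return findings

def meets_baseline(cfg):
    """True when the audit finds nothing; use this as the requisition gate."""
    return not audit_router(cfg)
```

Run `audit_router(WEAK_CONFIG)` to see the seven findings for the factory-fresh router, three of them high severity; the hardened configuration passes cleanly.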
This was first published in April 2003