By Aaron Tan
Wednesday, November 02 2005 06:39 PM
URL: http://www.zdnetasia.com/news/communications/0,39044192,39287407,00.htm
Wi-Fi networks are not secure enough for enterprises to run their businesses, according to a senior AT&T executive.
Steve Hurst, product director for managed security services at AT&T, told ZDNet Asia that although some attempts to improve the security of Wi-Fi networks have met with success, engineers involved in the technology have yet to develop a secure architecture.
"It is better today than it was two years ago, but it's still not difficult to crack into a Wi-Fi network. There are free tools available over the Internet that allow you to break into most Wi-Fi deployments," he said.
Hurst likened Wi-Fi to Microsoft Windows, both of which are ubiquitous and, hence, are frequent targets for hackers. Although "there are security issues with Linux and other operating systems", he noted that "they don't have the visibility of Microsoft".
He added: "The fact that Wi-Fi is being deployed for public Internet access with large numbers of users makes it a big target for hackers. There are enough people out there looking for challenges to stress Wi-Fi infrastructures."
When Wi-Fi first surfaced, the mentality towards security was dramatically different from what it is today. The issues then had more to do with the connectivity method than anything else, he said. The wireless security standards implemented at the time, such as WEP (Wired Equivalent Privacy) and WPA (Wi-Fi Protected Access), have since been deemed insecure, he added.
"But with Sep. 11, and other terrorist activities around the globe, the visibility of security has increased significantly. At the same time, the European Union and the U.S. have regulations to make privacy, security and compliance paramount in the eyes of companies."
Despite this, employees are still not heeding corporate security policies by installing rogue wireless network devices, such as access points, in offices to make their lives easier, he said.
To ensure better security, companies have procedures and systems to identify networking gear, because "Wi-Fi devices are stupid devices that only pass data and do not authenticate users", he added.
According to Hurst, AT&T has developed systems that identify all the hardware that is running on a network and who is responsible for it. "We can analyze traffic that passes through the network to a level where we can identify rogue hardware," he said.
"It is a very costly prospect right now, because of the huge amount of data that needs to be analyzed. You have to look at detailed data flows to identify rogue devices that do not announce their presence," he added.
Some companies, Hurst said, have tried to walk around their premises looking for unauthorized hotspots. "But that way, you are protected for 10 minutes at most, because someone who sees you coming will unplug the hotspot access point and put it back on when you're gone," he pointed out.
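The inventory-versus-traffic approach Hurst describes, as an added illustration that is not AT&T's system: every MAC address seen sourcing traffic is reconciled against an asset inventory that records who is responsible for each device, and anything unclaimed is reported with enough context to go and find it. The inventory, the flow records and the switch port names are all constructed; the second function (several MACs behind one access port) is an added heuristic that goes slightly beyond the article.

```python
"""Added example: reconcile observed endpoints against an asset inventory so that
hardware nobody has claimed responsibility for surfaces from traffic alone.
All data below is constructed for the example."""
from collections import defaultdict

# Constructed asset inventory: MAC -> (description, responsible owner).
# A real deployment would draw this from a CMDB or DHCP/802.1X registration data.
INVENTORY = {
    "00:1a:2b:3c:4d:01": ("finance-laptop-07", "j.lee"),
    "00:1a:2b:3c:4d:02": ("printer-3f", "facilities"),
    "00:1a:2b:3c:4d:03": ("core-switch-01", "network-ops"),
}

# Constructed flow records as a switch or collector might export them:
# (switch_port, src_mac, src_ip, dst_ip, dst_port, bytes)
FLOWS = [
    ("Gi1/0/4", "00:1a:2b:3c:4d:01", "10.0.5.17", "10.0.1.10", 443, 18200),
    ("Gi1/0/9", "00:1a:2b:3c:4d:02", "10.0.5.40", "10.0.1.22", 9100, 900),
    ("Gi1/0/12", "08:00:27:aa:bb:cc", "10.0.5.99", "10.0.1.10", 443, 4100),
    ("Gi1/0/12", "08:00:27:aa:bb:cc", "10.0.5.99", "203.0.113.8", 80, 22000),
    ("Gi1/0/12", "d4:ca:6d:11:22:33", "10.0.5.101", "10.0.1.10", 443, 3300),
]

def unclaimed_hardware(flows, inventory):
    """Return {mac: summary} for every MAC seen in flows but absent from inventory.

    Rogue devices do not announce themselves; the only evidence is the traffic
    they generate, so the summary records where each was seen and how much it
    sent, which is what an analyst needs to locate it."""
    seen = defaultdict(lambda: {"ports": set(), "ips": set(), "bytes": 0, "flows": 0})
    for port, mac, src_ip, _dst_ip, _dst_port, nbytes in flows:
        if mac in inventory:
            continue
        entry = seen[mac]
        entry["ports"].add(port)
        entry["ips"].add(src_ip)
        entry["bytes"] += nbytes
        entry["flows"] += 1
    return dict(seen)

def shared_ports(flows):
    """Switch ports sourcing traffic from more than one MAC (added heuristic):
    an access port that suddenly carries several MACs is one way an unregistered
    access point bridging multiple clients shows up in flow data."""
    macs_by_port = defaultdict(set)
    for port, mac, *_ in flows:
        macs_by_port[port].add(mac)
    return {p: sorted(m) for p, m in macs_by_port.items() if len(m) > 1}

if __name__ == "__main__":
    for mac, info in unclaimed_hardware(FLOWS, INVENTORY).items():
        print(f"unclaimed {mac}: ports={sorted(info['ports'])} bytes={info['bytes']}")
    print("ports with multiple MACs:", shared_ports(FLOWS))
```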
An insecure channel?
Hurst said that the Internet will never be a secure communication channel because TCP/IP (Transmission Control Protocol/Internet Protocol), which controls how data flows through networks, was not designed with security in mind.
A move to the next-generation Internet Protocol version 6 (IPv6), which is more secure than the present Internet infrastructure, could bolster Internet security, he said. But this seems unlikely for now, because it would take a lot of resources to perform the migration on a global level.
Because Wi-Fi is inherently insecure, "we treat Wi-Fi as untrusted, internally," he said. AT&T employees are required to use a VPN (virtual private network) to access the company's internal network if they connect over Wi-Fi, he explained.
Furthermore, Hurst revealed, telecommuting employees on external Wi-Fi networks have to maintain the same level of security as they would at the company's premises. He added that employees will be briefed on the security procedures for using their remote access software.
However, if for some reason an employee's computer is not considered "trusted", the firewall within their remote access software will be activated. "This is to prevent someone who tries to come down your pipe and access your (corporate) information."
Aruba Networks, with its Mobile Edge architecture, holds a different view on Wi-Fi security. The wireless technology, said company founder Keerti Melkote, can in fact be more secure than traditional wired networks.
He noted that traditional LAN access points typically do not authenticate users, who can just plug in their laptops to access the network.
Melkote, who is also the vice-president of marketing, told ZDNet Asia: "We came up with a centralized architecture last year that can address both wired and wireless security."
Aruba's architecture, he explained, involves using "mobility controllers" to manage network access by employees over wired and wireless connections alike, using the 802.11i security specification that was ratified last June. This standard, he said, would allow companies to add a security layer to their wired networks.