Wireless Security

Having an open wireless network is like dangling an entire switching network out the window

A number of sessions on IT security were on the agenda at GTC East last week in Albany, N.Y. In addition to a two-day Security Boot Camp and a special invitation-only security roundtable, there was a Wednesday session on wireless security moderated by Norm Jacknis, CIO of Westchester County, N.Y.

Westchester County is one of the first jurisdictions in the country to require security on wireless systems. Jacknis said that driving around neighborhoods with a wireless laptop showed that about one-third of wireless networks are open, and that many of their owners haven't even changed the default name of their devices. Last April the county executive signed a law mandating "minimum security measures" for all commercial businesses that offer public Internet access and/or maintain personal information on a wireless network.

Joining Jacknis were Bob Gaughan of Nortel, Brad Dupuy of HP, Tom Carpenter of LearnKey, Bruce Cole, a New York State executive, and Steven Warshaw of the Warshaw Group.

Security and management are intertwined, said Dupuy. He suggested a holistic approach to security focused on how secure the data needs to be. If security is compromised, he asked, "will people die?" Are your users trained to understand the wireless system?

As presenters were quick to point out, wireless security is just part of a bigger picture: someone can steal a laptop from an office, and that laptop may hold thousands of names, Social Security numbers, credit card information, etc.

Carpenter said over the last year, sixty percent of his focus has been on wireless, helping lock down already existing wireless systems. He was in a town in Ohio, he said, and found an open government wireless network with no protection whatsoever. The Department of Defense, he said, in 2007 will require 802.11i with RSN implemented.

Warshaw focuses on mobile applications in the field, mostly on cell phone networks. A health department that needs wireless connectivity, for example, requires in-transit encryption, as well as encryption on the devices in the event they are lost or stolen. It would also need to encrypt the data on the database server in case of a breach. The devices are also on the Internet, so they would need a firewall. A VPN could then be used to secure the servers and the devices themselves.

One presenter said that having an open wireless network is like dangling an Ethernet cable out the window, and another said it was like dangling an entire switching network out the window. Someone sitting in the parking lot could -- at the very least -- use network bandwidth, and could even emulate an access point, so that turning on the system in the office would connect through "some guy out in a car who is sniffing passwords."

"Always before, your network was contained in those cables," said Gaughan. "It's not contained any more." The winner of a recent competition for Wi-Fi connection distance made a link over 110 miles with a special antenna, and no other amplification.

Security can be especially important if both public and municipal communications run on the same wireless network.

One presenter said that on the GTC show floor, he discovered lots of wireless access. One had WEP, which would be the one a hacker would attack, he said, as it is not secure.

Some of the discussion covered security protocols and encryption, and the advantages and disadvantages of each (VPN can slow down wireless transmissions, for example, unless it is optimized for wireless).

Dupuy said he would recommend five steps for security that include:
  • Become invisible to the outside
  • Monitor your waves
  • Create policy and educate users
  • Look for offenders
  • Establish management buy-in.

Other suggestions were to take full advantage of the standards that have been developed: implement 802.11i, use SSID identification, and don't use the default. In addition, look closely at other technologies, such as VPN over those networks and EAP standards. When setting up the infrastructure, consider introducing mobility; don't get scared away by the security concerns.

Wayne E. Hanson served as a writer and editor with e.Republic from 1989 to 2013, having worked for several business units including Government Technology magazine, the Center for Digital Government, Governing, and Digital Communities. Hanson was a juror from 1999 to 2004 with the Stockholm Challenge and Global Junior Challenge competitions in information technology and education.