One of the most frequently asked questions put to wireless local-area network (WLAN) vendors is, "What about security?" It is indeed wise for network administrators to be concerned about security, on any type of network.
Disgruntled employees, hackers, viruses, Internet-based attacks and industrial espionage are an unfortunate fact of life in any form of networking today. The issues of importance are the threats to the security of any network, how they specifically relate to WLANs, and those elements unique to WLAN technology available to combat these potential threats.
Jacques van der Merwe, Nanoteq Marketing Manager
LAN security issues - wired vs wireless
It is odd to those who specialise in WLANs that a significant degree of concern regarding security is often evident among users and managers of wired LANs. This concern, however, does not usually extend to the wire; the security of information on the wire is, perhaps incorrectly, assumed as a given. But as soon as data packets begin travelling through the air, a high degree of anxiety sets in. After all, it is reasoned, the wired LAN is inside the company's building, and the data stays on the wire, only available to authorised users with physical connections to that wire.
In fact, any network, including a wired LAN, is subject to substantial security risks and issues. These include:
a. Threats to the physical security of a network.
b. Unauthorised access and eavesdropping.
c. Attacks from within the network's authorised user community.
A WLAN has all of the properties of a wired LAN, except, of course, the wire itself, and thus security measures taken to ensure the integrity and security of data in the wired-LAN environment are also applicable to WLANs as well. The only real difference between a wired LAN and a WLAN is at the physical layer. All other network services and vulnerabilities remain.
WLANs in fact include an additional set of unique security elements which are not available in the wired world, leading to the proposition that WLANs are actually more secure than their wired counterparts, an opinion shared by many industry analysts and experts.
Given the obvious reliance of wired LANs on a wired physical plant, anyone gaining access to that wire can damage the network or compromise the integrity and security of information on it. Without the proper security measures in place, even registered users of the network may be able to access information that would otherwise be restricted. Disgruntled current and ex-employees have been known to read, distribute, and even alter valuable company data files. LAN traffic can be intercepted and decoded with commonly available software tools once one has physical access to the LAN cabling.
Network administrators, regardless of whether or not they have wireless segments on their LANs, need to have the appropriate security products for their environments, the proper security levels set for their users, and an on-going process to audit the effectiveness of security policies and procedures. Physical access to network wires needs to be protected. Unfortunately, the vast amount of wire inherent in most LANs provides many points for unauthorised access.
Products are available to help network administrators secure their networks from these threats. User authentication and authorisation is provided by most network operating systems, and can be enhanced by adding third-party products.
Perhaps the most difficult threat to detect is someone just looking at, and copying raw data on the LAN. Wired networks are particularly vulnerable to eavesdropping. Most Ethernet adapters on the market today offer a 'promiscuous mode' that, with off-the-shelf software, enables them to capture every packet on the network.
What network administer does not have some kind of 'packet sniffer' or LAN-traffic analyser for troubleshooting the network? Inexpensive and readily available programs let anyone with physical access to the network to read, capture and display any type of packet data on the net.
And even wired LANs have an unintended wireless component. Many types of LAN cabling, particularly unshielded twisted pair, radiate significant energy. This leads to the possibility that anyone with a strong motivation, the right radio equipment, and a good antenna can sit in the parking lot outside a building and actually intercept wired Ethernet data packets, without detection.
Data encryption is the only line of defence against this kind of threat. Unfortunately, a sense of complacency among network managers has resulted in the limited use of in-building encryption, often with unforeseen and unknown results.
Part 2 which will deal with wireless security considerations will follow in the next issue.
For details contact Nanoteq on tel: (012) 672 7000, fax: (012) 665 0343 or e-mail: email@example.com