Wireless Access Control

Follow these guidelines to protect the confidentiality and integrity of e-mail and other data broadcast over a wireless network.

IT DOESN’T TAKE MUCH TO SNEAK onto someone else’s wireless network. Thousands of business- and home-access points are compromised every day by cyber ne’er-do-wells and data thieves who sniff out vulnerable access points. All of which begs the question: Is your wireless network secure?

Nothing wireless is airtight, but chances are your network is fairly safe. That’s because state and local governments have taken a far more measured approach than have the purveyors of public hot spots, such as those found in Internet cafes.

Just what does it take to build a secure government wireless network? Municipalities with such projects under way, including Grand Rapids, Mich.; Corpus Christi, Texas; and St. John’s County, Fla., offer helpful advice.

Grand Rapids, Mich., began testing a citywide wireless network, as well as wireless broadband access for police and fire, in June 2005. Scheduled for completion in January 2006, the test is being conducted with 10 providers. Each is testing its own equipment in different parts of the city.

After a formal request for proposal is issued in January, the contract will be awarded in February, reports Tom McQuillan, director of information technology for Grand Rapids. If all goes as planned, fee-based wireless access will soon be available to all residents of the 45-square-mile city.

With the project, Grand Rapids is hoping to bridge the digital divide between cyber haves and have-nots. “Our goal is to empower the public,” McQuillan says. To that end, he has been collaborating with IT colleagues at the county and state levels, SBC Communications’ SBC Michigan unit, Grand Rapids’ media cooperative Community Media Center and wireless consultant Excelsio Communications, based in Alpharetta, Ga.

During the test phase, the network is free — and unsecured, says McQuillan. That means users who fail to use password protection and some form of data encryption run the risk of their transmissions being read by prying eyes. After a vendor is selected, the network will use a security method known as Advanced Encryption Standard-Counter Mode/CBC-MAC Protocol (AES-CCMP).

This encryption method is considered vastly superior to the Wired Equivalent Privacy security standard still used by many public hot spots. WEP employs static 56-bit encryption keys that must be changed manually, and that means even casual hackers can monitor a wireless network and determine the WEP key after intercepting a few minutes’ worth of data traffic.

On the other hand, AES-CCMP, which is used by the federal government for transmitting nonclassified electronic documents, automatically and randomly changes encryption keys that are 128, 192 or 256 bits. At the moment, AES-CCMP is considered unbreakable.

Additionally, the Grand Rapids wireless network will accommodate virtual private networks. VPNs, which use “tunneling software” to create a private network over the public Internet, have become commonplace among commercial businesses and government agencies. Grand Rapids municipal employees are expected to use a VPN, allowing them to securely access their office records from home or while on the road.

The city has not yet decided how it will handle one group of municipal employees: public safety workers. Police, fire and rescue workers may get their own wireless fidelity (Wi-Fi) network that operates on the 4.9 gigahertz band, which is separate from the rest of the network that will operate on the 2.4GHz band. Either way, Grand Rapids vows to make the public safety network secure.

Meshing in Texas

A much different wireless project is under way in Corpus Christi, Texas. Officials there are deploying a Wi-Fi mesh network. Typically, mesh networks are more costly to deploy and operate, but they are also more reliable.

Think of a mesh network as a geodesic dome. Each joint (or, in the wireless network, each access point) is connected to several other joints. If one breaks, sufficient connections can be maintained. If an access point fails in a nonmesh network, all user connections in that area are lost, because the access points are hard-wired to communication lines, but not to each other.

To build a mesh network, Corpus Christi and other municipalities are fastening Wi-Fi access points to traffic lights, lamp posts and the like, allowing a signal to hop from device to device until it reaches its destination. Some municipalities are even testing mobile mesh networks that essentially turn each squad car or fire truck into a receiver and a wireless access point that can transmit live video, high-resolution mug shots or building blueprints.

Corpus Christi is deploying its Wi-Fi mesh network citywide across 147 square miles. The project began as a way to support data transfer needs of an automated meter reading system being used for water and gas services. But the city is considering using it for other government agencies and for public use.

Security won’t be a concern, project planners insist. That’s because Corpus Christi’s mesh network has several layers of security, including a VPN, firewall, encryption and secure sign-on.

As a result, Corpus Christi is considering allowing citizen and consumer applications to run simultaneously with secure government applications. That means the city’s public safety departments could be on one network, its municipal systems on another, and residents and visitors on yet another, with all of them sharing the same infrastructure.

The city could set network privileges and control access. That would enable municipal employees to be authenticated by their notebook computer’s unique Media Access Control (MAC) address, while residents and visitors would need to supply a user name and password.

Sending Data, Saving Time

In St. John’s County, Fla., which covers 600 square miles on the Atlantic Coast, the county building department’s 32 certified inspectors use wireless devices to upload reports from the field. The field workers perform up to 900 inspections each week and, until recently, had to return to their office periodically to input data into the county computer.

Sending the data remotely saves each inspector about an hour a day. At the moment, the data is sent using short message service (SMS) text messaging over cellular phones. While that is not the most secure scenario, the county so far has not reported any data theft. In the near future, St. John’s County plans to transmit information over General Packet Radio Services/Enhanced Data GSM Environment cellular technology or over Wi-Fi networks, removing the reliance on SMS and enabling county employees to send data through a VPN.

Security Measures

If none of the above scenarios precisely matches your needs, there are still basic steps you can take to protect your wireless network. First, use several security methods, including data encryption, such as Wi-Fi Protected Access and Internet Protocol Security. Also, change the default settings on your network devices, including access points.

Anyone trying to hack into your communications will try these factory settings first. “The biggest challenge for Wi-Fi is that it’s unlicensed,” says Bill Stark, president of Excelsio Communications. “We were doing work in a community, scanning different channels, and we found 1,100 unprotected devices in a quarter-mile area.

“The exciting news is that some of the newer Wi-Fi infrastructures and most of the forthcoming WiMax infrastructures [broadband wireless standard for metropolitan area networks] include significant security improvements. In some cases, they are as good as, if not better than, wired security.”

Also in need of security are handheld devices that have the ability to download and store spreadsheets, databases and other sensitive information. The fact that the data is in a smartphone, rather than in a notebook PC, doesn’t make it any less important.

Don’t expect things to go smoothly or quickly. While municipalities have been understandably anxious to install public wireless networks, progress on security has been necessarily slow and methodical.

Part of the slowdown has been regulatory. Part of it has been budgetary. Part of it simply has been the diverse nature of the user base. Meter readers, for example, don’t need the same bandwidth as police.

Trying to satisfy all departments takes time. But remember, you’re creating a secure wireless network to beat the hackers, not the clock.

IT Takeaway: Beware of War Drivers

Do you work in a war zone? You do if your department or agency uses a wireless network. That’s because there’s a new hacking sport called “war driving,” in which miscreants, armed with a wireless network card in a notebook computer and global positioning system capabilities, drive around pinpointing vulnerable wireless local area networks whose signal has spilled beyond the confines of an office into the street. Once the signal is located, the war drivers can hop onto the exploited Internet connection and steal data.

There are steps you can take to avoid becoming a casualty of war driving or other wireless hacking. The United States Computer Emergency Readiness Team (US-CERT), a partnership between the Department of Homeland Security and the public and private sectors, and other experts, including the FBI, suggest these measures:

1. Change the default passwords that came with your wireless network devices. These are set at the factory, and every hacker knows what these passwords are.

2. Every wireless access point has a Service Set Identifier that lets wireless notebooks and handheld devices locate a hot spot. Like passwords, SSIDs are set at the factory, so you should change them.

3. Encrypt your data. Different encryption methods use different algorithms, though they vary in strength. One of the most widely used is Wired Equivalent Privacy. However, WEP has some security weaknesses, and Wi-Fi Protected Access is generally considered the better approach.

4. Install a firewall on your network and your wireless devices.

5. Install and maintain your antivirus software. Probably the best way to do this is with subscription-based antivirus software.

6. Restrict access to your network by filtering Media Access Control addresses. Each piece of hardware connected to a network has a MAC address, notes US-CERT. Your user documentation will have specific information about enabling these features.

7. If a device is capable, throttle back the broadcast power to adequately serve only the desired coverage area. This helps prevent excess bleed of the signal.

8. On a regular basis, perform your own war driving to see if your wireless network signal may be leaking out of your facility.

Creating a Mesh Network

When failure is not an option, government and public safety officials often turn to mesh networks. When arranged in a mesh, each node — including workstations, switches, routers and other devices — has redundant connections. That is, each workstation or other device is connected directly to several others.

Nodes in a mesh network are something like that Tinkertoy set you had as a child. Each node is connected to several additional nodes, so that if one fails, the rest of the network still functions.

The chief drawback of the mesh topology — particularly for the wired version — is the big expense of the large number of cables and connections required. To save money, some users opt for a partial mesh. With a partial mesh, some nodes are connected to all the others, while other nodes are connected only to those with which they exchange the most data. Other cities do as Corpus Christi, Texas, is doing and create a wireless mesh network. While it still requires the costly deployment of hundreds or even thousands of wireless access points, money is saved because far less cable is required.

Kevin Ferguson is a freelance technology writer located in Arlington, Mass.

Oct 31 2006