By Richard Boothroyd, Former Chairman of the BCS Security Committee, published in Computing 24 June 2004.

A major issue for operators of a wireless network is who is using their system, and for what.

Recent investigations indicate that large numbers of wireless networks in major cities both broadcast who they are and operate without any encryption, which leaves them open to being used by unauthorised personnel as host sites for paedophile material.

Although no such site has yet been found, the fact is that wireless networking opens up a new range of security threats for network managers.

Until recently, network designers could control the network via hardwired systems, but wireless systems enable the world to listen to corporate data.

Most wireless systems have no default security and are thus inherently insecure, and installing corporate systems straight out of the box opens up networks to a potentially hostile world.

For a few hundred pounds or less, anyone can equip a laptop to receive the wireless data that is emitted from hundreds of corporate networks in major cities.

Many will be surprised that the range of a WAP can be considerably more than expected, with a new world record of 130 miles.

What is also emerging is the data traffic that can be obtained from homes using wireless technology to connect to their employers' networks.

In many cases there is inadequate security to protect the corporate data, and the employee and their employer could be at risk of opening their systems to external attack.

Whilst the 802.11x and Bluetooth standards have enabled great changes to be made in the workplace, it is the ease with which a wireless access point (WAP) can be added to a network that creates the problem.

The solution is to create a security culture in order to support the network and provide suitable education for staff. Such initiatives should be supported by senior management, otherwise the exercise will fail.

A busy senior executive working at home may connect to a corporate intranet through a wireless card installed in their portable and not bother with a firewall, or with ensuring that encryption is being used, and thus risk jeopardising a corporate network.
He or she may think that they are helping their employer, when they are actually placing them at risk.

So how can a wireless network be secured to prevent the 'cuckoo' syndrome? The first step is to accept that a wireless network can never be completely secure, but the residual risk can be reduced to a manageable level.

The corporate security policy must consider the risks created by wireless networks and determine what will and will not be permitted.

For instance, an agreed encryption standard must be used on all corporate systems and virtual private network technology must be used when connecting externally to corporate networks. This would make it much harder, although not impossible, to capture and decrypt data traffic.

Unfortunately, the WEP encryption bundled with most wireless systems contains inherent flaws and is now being replaced by TKIP systems that promise stronger security.

Corporate security policies will need to consider the security impact of home workers as increasing numbers of us decide to forego the daily grind into work and operate from home instead.

Unfortunately, many of us do not apply the same standards of security at home that we might at work, because we instinctively believe that our homes are secure, thus opening the corporate network to a number of security risks.

Network managers can control the wired environment but wireless networks are open to all and, unless data is protected, it is easily collected and viewed by unauthorised personnel. A wireless network is operating in an open environment.

So an effective education and training policy is important to demonstrate to employees the risks and show them how to maintain a minimum residual risk.

Richard Boothroyd was Chairman of the BCS Security Committee from 1998 until 2000. He is a Principal Security Consultant for Fujitsu.