While everyone agrees that information and network security must be an integral part of any IT solution, there is one key element in security that is unique -- and that is, unlike all other elements of IT, no security implementation is ever "done." Given the broad array of threats and, more importantly, that these threats are constantly evolving, any viable security solution must be designed for growth, change, resilience and adaptation.
This observation is no truer than when wireless is added to the network security mix. The lack of a requirement for a physical connection between the client and the rest of the network opens numerous opportunities for both eavesdropping and unauthorized access. It gets worse, though. Unauthorized (or "rogue" access points) can be connected to a network, creating a security hole, and connections to insecure external networks are an obvious challenge. While security has often been a showstopper and remains (as it should) a major concern, there are now effective solutions to most wireless security challenges. Channel professionals can play a key role in keeping their customers informed as to the need for security planning and also present the latest in security solutions and best practices.
The first step in meeting the enterprise wireless security challenge is to have a corporate security policy defining what information is to be protected, who should have access to it, and how security is administered. This document needn't define solutions, nor be specific to wireless, but it should provide a framework for the technical task ahead. Surprisingly, many organizations do not have a security policy in place, and channel professionals can assist here by providing both guidance and templates.
Next, it's important to think about security from a network and not just a wireless perspective. This is the key to effective network security -- too often, enterprise IT managers believe that simply securing the airlink (the connection between wireless devices and the rest of the network) is enough. But wireless security alone most certainly is not, as this approach leaves the rest of the network vulnerable to compromise. The best strategy, then, is to think "end to end," making sure that no holes exist at any part of the network value chain.
There are two key mechanisms for providing assurance in this area. The first of these is encryption. Critical data (as designated in the Security Policy) needs to be encrypted when moving through any part of the network, wired or wireless, enterprise or public. It should also be encrypted when stored on both mobile devices and servers – and it should never appear in the clear except, again, to authorized users.
Authorization is obtained via authentication, which is proving one's identity to the network (and also the network proving its identity to the user to avoid users giving up their credentials and other valuable information to someone impersonating a network). Authorization can be as simple as the traditional username/password pair, or can involve more elaborate techniques like hardware tokens and even biometric identification.
There are a broad range of tools available to deal with the wireless-specific security threats. Some are built into basic networking equipment, such as carrier-operated cellular networks and enterprise wireless LANs, and some are available as additional network hardware and software. In the case of WLANs, these can include sireless LAN assurance tools, like AirMagnet and WildPackets' Omnipeek, spectrum assurance tools like Cognio's Spectrum Expert, and security-enhancement tools from AirDefense and AirTight Networks, among others. The specific choice of equipment can involve a complex process in which a VAR or integrator can play key role. All of the above in fact create numerous opportunities for VARs, integrators and others serving the needs of the enterprise network.
About the author
Craig J. Mathias is a Principal with Farpoint Group, an advisory firm specializing in wireless networking and mobile computing. Founded in 1991, Farpoint Group works with technology developers, manufacturers, carriers and operators, enterprises and the financial community. Craig is an internationally-known industry and technology analyst, and serves on the advisory boards of four industry conferences. He is the author of numerous articles on mobile and wireless topics, and a columnist for Computerworld, SearchMobileComputing.com, and Unstrung.com. As an expert on SearchNetworkingChannel.com, Craig answers your wireless LAN and mobile networking questions. He holds an Sc.B. degree in Applied Mathematics/Computer Science from Brown University.