Wireless Communications - Benefits and Risks - Essay Example

Running Head: Wireless Communications Wireless Communications - Benefits and Risks ID 19714 Order No. 274866 [Name] [University Name] [Course Name] [Supervisor] [Any other details] 21 February 2009 Table of Contents: Table of Figures Figure No. Description and Word Hyperlink Figure 1 A small office Wireless LAN (Source: Symantec Wireless LAN Security, 2002) Figure 2 Risk Analysis pertaining to Wireless Security (Source: TISN, Australia, 2008) Introduction: Wireless technologies allow end users to remain connected to their business services much more than wired technologies especially when the users are mobile. Modern businesses demand more mobility of people in the form of either travelling or else moving extensively in Office or Campus environments. While moving, people are expected to have continuous access to their voice as well as data resources like Voice over IP, ERP, SCADA, CRM, etc irrespective of time or location. Technologies like IEEE 802.11 Wireless LAN and GPRS for Wireless WAN have been able to fulfil such business needs by extending business benefits like Mobility/Freedom of people (virtualization of workplace), No wires (thus saving the company from the huge administration overheads of wired technologies), much more cost effective if calculated in terms of total cost of ownership, portability, flexibility, ease of installation, commissioning & maintenance, enhanced productivity, better workgroup collaboration, better customer/patient care, faster decision making etc. thus leading to improved competitive advantages of businesses. However, there have been some major concerns among users about wireless technologies in terms of speed/throughput, connectivity issues, range of coverage, interferences and above all security issues. The wireless security experts have been struggling to overcome the security risks involved in these technologies specifically the IEEE 802.11 Wireless LAN framework. A large number of business & educational journals & white papers have emphasized the security issues of wireless communications and need for stringent controls given that enhanced accessibility features of such technologies have also given birth to substantial access control vulnerabilities thus giving chance to unauthorized intruders to access the business resources of organizations. This paper critically evaluates the details of prevailing wireless technologies, their business benefits, associated security risks and the current mitigation strategies recommended by wireless security experts. The objective of the paper is to present first hand understanding of the proposed subject after carrying out in depth literature review. [Cisco Systems Inc. 2003; Wong and Dunn, 2003; Netgear Inc. 2007; WiFi, 2003; Rasori, Paul. 2004; Kim, S.H., Mims, C., & Holmes, K.P. (2006] Wireless Technologies: The Wireless LAN technologies are based on the IEEE 802.11 standard. The IEEE 802.11 is a family of specifications that are developed by the Institute of Electrical & Electronics Engineers for wireless LAN technology. IEEE 802.11 has specified an aerial interface between a wireless client and a base station or between two wireless clients. Following are the specifications in the IEEE 802.11 family: IEEE 802.11 - This was introduced in 1997 that provides 1 or 2 Mbps transmission in the 2.4 GHz band using either frequency hopping spread spectrum (FHSS) or direct sequence spread spectrum (DSSS). IEEE 802.11a - This is an extension to 802.11 that applies to wireless LANs and provides up to 54 Mbps in the 5GHz band. 802.11a uses an orthogonal frequency division multiplexing encoding scheme rather than FHSS or DSSS. IEEE 802.11b (also referred to as 802.11 High Rate or WiFi) - This is another extension to 802.11 that applies to wireless LANs and provides 11 Mbps transmission (with a fallback to 5.5, 2 and 1 Mbps) in the 2.4 GHz band. 802.11b uses only DSSS allowing wireless functionality comparable to Ethernet. IEEE 802.11g (also referred to as 802.11 High Rate or WiFi) - This standard has enabled 54 Mbps of bandwidth on 2.4 GHz band and is normally positioned as an enhancement over IEEE 802.11a standard. The IEEE 802.11b & 802.11g standards are extensively used in the wireless LAN deployment even spanning large areas like an entire town. The network primarily is constructed using the following building blocks: (a) Wireless Client Devices: These are wireless client connectivity devices deployed on desktops & laptops that can enable connectivity to a Wireless Access Point within the range. (b) Wireless Access Points: These are wireless servers that can allow connectivity to multiple client devices within its range (area of coverage). Multiple Wireless Access Points are required if the physical area to be networked is larger than the coverage area of a single Access Point such that they can connect to each other via Wireless Bridges or Switches to finally lead the network connectivity to the Servers in Data Centers. (c) Wireless Bridges/Switches: These devices are used to aggregate the connectivity from multiple Wireless Access Points. When a user is roaming, the Wireless Access Point transfers the user connection to the subsequent Wireless Access Point which maintains the connection (before handing over to the subsequent Access Point) till the user has reached the edge of the range. The Wireless Access Points and the Wireless client devices interconnect through a medium of communication called "Basic Service Set (BSS)" that constructs a wireless network. Each BSS comprises of a unique identification called "Service Set Identifier (SSID)" that is formed using 32 bytes. A single Wireless Access Point can serve multiple SSIDs and hence multiple client connections from users roaming within the range. A typical small office Wireless LAN is presented in figure 1. The wireless client devices are connected to the Wireless Access Points which are connected to an Ethernet Hub through either wired links or wireless links whereby the hub may have hybrid functionality of built in bridge as well as Ethernet/Fast Ethernet connectivity over wired cables. Figure 1: A small office Wireless LAN (Source: Symantec Wireless LAN Security, 2002) The IEEE 802.11 family of wireless technologies has a number of vulnerabilities reported and demonstrated by security experts. The current standard security implementations are "Wired Equivalent Privacy (WEP)" and "WiFi Protected Access (WPA)" which do not restrict the vulnerabilities effectively. New standards like IEEE 802.11i (WPA2) & IEEE 802.1x that can ensure better security in Wireless networks are gaining popularity. The risks pertaining to Wireless Networks are covered later in this paper. [Brenner, Pablo. 1997; Terluin, Traci. 2000; Zyren, Jim. 2001; Kalbasi, Amir and Alomar, Omar et al. 2007] Benefits of Wireless Communications: In the modern business world, mobile technologies have multiple benefits. Practically, all laptop computers come with WiFi Client packaged and also popularity of PDAs have increased drastically. WiFi clients in laptops are either integrated on the board or else can be added by deploying Wireless PCMCIA cards. Now-a-days, wireless clients are available in the form of USB Modems that can dial to the nearest ISP location over a WLAN network. PDAs normally use GPRS networking but are also equipped with 802.11 client access technology. WLAN technologies are widely used in office & metropolitan applications like retail outlets, mobile Internet, mobile workforce of corporates (working outdoor when travelling - like in car, in train, at stations, at airports, in flights, in resorts, etc.) education networks, homeland security systems, temporary network extensions, guest connectivity to corporate networks, inventory & supply chain management, conference & meeting rooms, training rooms, work from home, shipping & docking areas, hotel industry, building lobbies, etc. The WLAN connectivity is provided by private WLAN Wireless Access Points within buildings or campuses and the same is provided through public wireless services providers like AT&T Wireless. Wireless networking has invoked the concept of virtual office such that employees are allowed to work from anywhere they want without visiting office premises regularly. This concept has helped in substantial reduction in operations & logistics costs but still achieves higher workforce productivity. A number of corporates have deployed wireless access hotpots (using self owned Wireless Access Points or through service provider network) such that employees can connect to the corporate business resources and collaborate with each other from anywhere they are - home, car, warehouse, airport, hotel, coffee shop, etc. Cisco Systems carried out an intensive research in 2003 in 400+ midsize & large organizations on the benefits of Wireless Networks and reported the following advantages perceived by the respondents: (a) Convenience: Employees need not carry hard copy print outs in the areas where wired computers are not available. They can carry a laptop with WiFi or a PDA to unwired areas (like a Warehouse) and still access the corporate data resources (like the Corporate Inventory System). Moreover, employees can conveniently access network resources when in meeting or conference rooms, in training rooms, when taking a break in the recreation areas, etc. Overall, employees can avail a lot of convenience in accessing personalized data sources from the corporate network (example, Intranet, ERP, Databases or E-Mail systems) from any place within the range of the wireless network. (b) Mobility: Employees, Partners, Stake Holders, Customers, etc. can access corporate data sources while travelling outside the office, from restaurants, coffee shops, home, car, airport, railway station, etc. Irrespective of the location and time, the connectivity to corporate resources is always available. (c) Productivity Enhancement: Employees, Contractors, Job Workers, Senior Management, Customers, etc. can mutually collaborate effectively without meeting in person and get the job done quickly. Flexible working hours of employees can enable them to work at timings favourable to business from places of their choice thus making them closely linked to business, enjoy work-life balance, improve quality of life and still generate better results for the organization. (d) Ease of Setup: The biggest advantage of Wireless networking is that there aren't any cables. Cable management itself is a huge administrative overhead on corporates - managing horizontal & vertical cabling, wiring closets, user end outlets, patch cords, mounting cords, etc. Moreover, wireless devices are very easy to configure and deploy - one may just have to follow a configuration wizard and then hang the device somewhere on the wall where a power point can be provided. In order to cover a large geographical area (like a large warehouse, shipping dockyard, shop floor, etc), one may need to just deploy wireless access points strategically placed with overlapping ranges such that roaming users can remain connected to the network. The wireless bridges or switches at the core of the network may be closer to the data center such that they can be connected to the servers or other telecommunications equipment through wired connectivity. (e) Scalability: Wireless networks can be grown quickly by just deploying new wireless access points or wireless bridges. For larger geographical coverage (similar to a metropolitan area network), services of a WLAN service provider can be hired. On the contrary, expansion of wired networks may require additional cabling which is expected to take much longer times and some times may even be carried out t the cost of spoiling the aesthetics. (f) Total Cost of Ownership: In a first glance, wireless access points and wireless bridges may appear to be costlier compared to the active components used in wired networking. However, when compared in totality including wiring costs, termination costs & administration costs, wireless networks prove to be much more cost effective compared to wired networks having similar capacities. [Cisco Systems Inc. 2003; Wong and Dunn, 2003; Netgear Inc. 2007; WiFi, 2003; Rasori, Paul. 2004; Kim, S.H., Mims, C., & Holmes, K.P. (2006] Having stated the above advantages, it is essential to enumerate the disadvantages of wireless networks. Wireless networks offer much inferior bandwidth & throughput compared to wired networks. Speed & throughput of the order of switched 100 Mbps or 1 Gbps are not possible on the current wireless networks. Moreover, wireless client connectivity suffers disconnections especially when the user is roaming. Hence, wireless networks are not suitable for high bandwidth applications like high end graphics and Virtual Reality. Other major disadvantage of wireless networks is interference from high frequency disturbances like lightening or cross talk connections with other wireless networks. This can however be solved to some extent using frequency hopping techniques. The biggest limitation of wireless networking is security. The modern WEP and WPA technologies do not guarantee fully hacking proof networking given that they remain vulnerable to known and emerging threats and the resulting risks to business. The next section describes about a number of security risks associated with wireless networks. Risks involved with Wireless Communications and their resolutions: Wireless networks can be easily discovered using modern utilities available on laptops. One can easily connect to the wireless network if not secured. A number of attack tools can even break the WEP security of wireless networks. The primary vulnerability of Wireless networks is due to the "leakage" of range beyond building premises such that they can be detected by people on roads, parking lots or nearby coffee shops. If the network is not secured, unauthorised access to business resources can occur very easily. Hence, the primary advantage of "not needing a wire to connect" becomes a blessing in disguise on the unprotected wireless networks. If the organization has a structured Security Risk Management framework analyzing security from Confidentiality, Integrity and Availability perspective, then the security experts should work on risk analysis from wireless networking assets separately as presented in the figure 2: Figure 2: Risk Analysis pertaining to Wireless Security (Source: TISN, Australia, 2008) The parameter Confidentiality is related to protection from unauthorised access to information, Integrity is related to protection from unauthorised modification of information and the parameter Availability is related to protection from unauthorized denial of service if an external attacker has chocked the wireless network bandwidth either by using Internet for heavy downloads or else by injecting Malware to cause availability issues on the network. These parameters are analyzed for every threat from Wireless networking to arrive at the potential impacts to the business as shown in Figure 2. The author hereby argues that structured analysis using a sound Security Risk Management framework shall result in end to end security deployment, evolution of stringent network security policies, ensure wider accountabilities across the organization, invoke disciplinary or legal actions against defaulters, and application of most appropriate controls without missing of any of them. A number of security papers on Wireless networking have focussed on ad-hoc implementation of security controls and hence the author argues that they cannot be used effectively to arrive at an integrated Wireless Security system. To ensure effective implementation of Wireless Security, it is required that every wireless device is registered in the asset list of the organization and the security team is continuously on the look out for unauthorized wireless devices on the network. Once the threats to Confidentiality, Integrity, Availability and the corresponding impacts from Wireless networks are known (Figure 2), the organization should analyze internal procedural weaknesses and probability of deployment of insecure Wireless Access Points such that a Wireless Security Policy for the entire organization is framed and communicated to all employees of the organization for essential compliance. The policy should also cover incident identification & reporting, change control on Wireless networks and punishments in case of a breach is identified. The threat analysis, risk analysis, implementation of organization wide Wireless Security policy and implementation & monitoring of controls should all form integral components of the Risk Management Framework. The known reasons for hacking on wireless networks are: (a) For fun - the attacker may be in need for an Internet connection but doesn't have one on his/her Laptop. Such attacks are not harmful in nature but do consume bandwidth. (b) Organized hacking - the attacker may be in need for information about an organization for specific money making purposes like head hunting, selling data, stealing software codes, stealing identification, etc. (c) Social Engineering - the attacker may be in need for information about people who can be social engineered to penetrate deep into the organization to steal business information or data. (d) Pushing Malware - the attacker may be hired by a competitor to cause damage to organization network by pushing Malware that can spread on the network and cause Denial of Service to spoil the productivity of the employees. (e) Terrorism - The attacker may be a terrorist who wanted to communicate to his/her counterparts or send terror warning messages through a network that cannot be traced back to them. (f) Internal Disgruntled Employee - The attacker may be an internal employee who is disgruntled due to some reasons and wants to carry out an internal fraud or cause harm by corrupting business critical data in sensitive areas where normally he/she doesn't have access. (g) Enemy attacks on Defence networks - The attacker may be a spy from enemy territories and trying to steal military secrets of a country. (h) Launching Exploits - The attacker may be a specialist exploiter of vulnerable software programs and has not been able to penetrate the corporate network through the web enabled servers given that they are protected behind advanced Intrusion Detection & Prevention Systems. Hence, the attacker is in search of other loopholes of the organization in the form of unprotected wireless networks. There may be a number of known & emerging reasons for attacks on Wireless networks. In nutshell, the primary reason for wireless networks becoming the favourite choice of attackers is the ignorance by the security experts of the organizations. Organizations having strong security teams who have deployed excellent security controls on the formal Internet gateways of the organization may ignore the informal communication channels of the organization simply because they have been deployed for lesser business critical purposes. The organizations that lack a single, large, end-to-end framework of Information Security end up committing such mistakes and hence develop vulnerabilities. The primary known reasons for such vulnerabilities are: (a) End users are allowed to install software on their laptops such that they can buy personal Wireless Internet connections, configure them on official laptop and use the connections when working in the office thus opening a vulnerable unprotected Internet connection on the enterprise network. (b) Wireless Access Points deployed outside the influence of IT Security department for temporary urgent business requirements. (c) Nil or weak security controls deployed on Wireless Access Points (like WEP). WEP can be easily broken by known & emerging attack tools like Kismet, Netstumbler, Wellenreiter, WEPcrack, Airjack, etc. (d) Service Set Identifier (SSID) broadcasts allowed thus allowing the Wireless Network to be discovered from outside the building. (e) Not implementing MAC binding of official laptops/PDAs for dynamic allocation of IP addresses (f) Investing in low cost Wireless Access Points not supporting advanced security features like MAC binding, WPA or WPA2 (802.11i) implementation. Overall, implementing wireless security not only requires intensive security control implementation but also requires proactive control mechanisms like vulnerability analysis & penetration testing. Businesses can mitigate the risks from Wireless networks by implementing controls in an end-to-end wireless security framework such that they do not miss on some vulnerabilities that are not considered. First & foremost, the organization needs to have a wireless security policy that states very clearly the procedure for deployment of new Wireless Access Points within the organization. The policy should clearly describe the process for requesting new Wireless Access Point, approving authorities, procurement accountability, deployment accountability, technical security settings, vulnerability analysis & penetration testing after the Wireless Access Point is deployed and then adding the device in the overall network diagram of the corporate. Basic security controls like WPA encryption, disabling SSID broadcasting and MAC address binding should be made mandatory on all the new Wireless Access Points deployed on the network. [Banks, Taylor L. 2002; Hamid, Rafidah Abdul. 2003; Moore, Matt. 2003; Petjsoja, Sami and Mkil, Tommi et al. 2008; TISN, 2008; Yates, Danielle. 2008; Zyren, Jim. 2001] Conclusion: Wireless networking offers some excellent benefits to the businesses in the modern era of global competitiveness and race for improving competitive advantages. The current technologies can not only ensure enhanced productivity & customer satisfaction but also leads to employee delight as they are able to work in flexible modes by choosing their workplace & time of work but still able to manage all deliverables on time and with desired quality. However, Wireless networks have some serious security issues which need to be taken care of through an end to end Risk Management Framework such that the entire organization complies with an end to end wireless security policy applicable to all employees. The organization should not only deploy appropriate technical security controls on the wireless devices but also ensure that unprotected Wireless Access Points are not deployed on the network, deliberately or ignorantly. Reference List: Banks, Taylor L. Defining Best Practices for Designing and Implementing 802.11 Wireless Security. Rev. 1.5. Vigilar, Inc. 2002. pp3-15. Brenner, Pablo. A Technical Tutorial on the IEEE 802.11 protocol. BreezeCOM. 1997. pp3-6. Hamid, Rafidah Abdul. Wireless LAN: Security Issues and Solutions. SANS Institute. 2003. pp5-17. Kalbasi, Amir and Alomar, Omar et al. Wireless Security in UAE: A Survey Paper. Department of Computer Engineering, American University of Sharjah (AUS), UAE. 2007. pp1-2. Kim, S.H., Mims, C., & Holmes, K.P. An introduction to current trends and benefits of mobile wireless technology use in higher education. AACE Journal, Vol. 14.No. 1. 2006. pp77-100. Moore, Matt. Wireless Threats to Corporate Security. Presentation for ISACA UK Northern Chapter. PenTest Ltd. 2003. pp7-25. Petjsoja, Sami and Mkil, Tommi et al. Wireless Security - Past, Present and Future. CODENOMICON White paper. CODENOMICON Ltd. 2008. pp2-12 Rasori, Paul. Understanding the Real Benefits of Wireless. The Financial Services Industry Source for Education, Inspiration and Actionable Advice. 2004. pp1-2. Terluin, Traci. IEEE 802.11b - Wireless LANs. Technical Paper. 3COM Corporation. 2000. pp3-13. The Benefits of Wireless LAN Switches in Small and Mid-sized Business Networks. NETGEAR, Inc. CA. 2007. pp2-5. Wireless Connectivity - The facts. WiFi - The Standard for Wireless Fidelity. 2003. pp1-4. Wireless LAN Benefits Study. Conducted by NOP World Technology on Behalf of Cisco Systems. Cisco Systems Inc. 2003. pp1-25. Wireless LAN Security - Enabling and Protecting the Enterprise. Symantec Wireless LAN Security. Symantec Enterprise Security. Symantec Inc. 2002. pp3-9. Wireless LAN Security - 802.11b and Corporate Networks. An ISS Technical White Paper. Internet Security Systems. Atlanta. 2001. pp2-6. WIRELESS SECURITY - INFORMATION FOR CIOS. IT Security Expert Advisory Group. Trusted Information Sharing Network (TISN) for critical infrastructure protection. Government of Australia. 2008. pp1-6. Yates, Danielle. Symantec Consumer Guide to Wireless Device Security. Symantec Enterprise Security. Symantec Inc. 2006. pp1-8. Zyren, Jim. IEEE 802.11g Explained. Wireless Networking. Intersil Corporation, 2001. pp1-8. End of Document Read More