Irish wireless networks dangerously vulnerable

The survey revealed that while wireless networks are becoming increasingly popular, many firms are failing to follow basic security guidelines or set security policies. The consequence of this, says LAN Communications, is that wireless network infrastructures are being left open to a variety of attacks, including eavesdropping, denial of service, unauthorised access and data tampering.

The survey was carried out in three locations at Dublin’s CityWest Business Campus and IFSC as well as Cork’s Airport Business Park during December 2003 and January 2004. Using a laptop computer and audit software from Red-M, security specialists from LAN Communications performed a wireless scan to passively “sniff” wireless communications. The audit was carried out without active intrusion into any company’s network infrastructure.

From the data obtained, the survey found that 52 per cent of the wireless access points were not configured to use basic encryption technologies, which are usually found as standard on modern devices. Surprisingly, given the financial services sector’s need for security, that figure rose to 70 per cent in the IFSC.

The survey detected a total of 147 wireless devices in 33 separate networks and revealed other serious network security flaws. 69 per cent of detected access points were found to be broadcasting network names, information that could prove useful in gaining unauthorised access to a corporate infrastructure.

Neil Wisdom, sales director of LAN Communications, said that the biggest surprise of the survey was the diversity of security brands detected. ‘We found a lot of lower cost, lower function devices many from companies whose names we had never heard of.’  One of the reasons for this, he suggested, was that many individuals had bought their security devices for their own machine. However, he said the problem with this was that while it offered a little bit of security in isolation, ‘that in itself has little protection in a wireless LAN’.

Wisdom said that implementing 58-bit encryption is regarded in the industry as technology that can offer very strong protection to wireless networks. In addition, he said the investment in making a wired network very secure will be undermined if a wireless network is not protected to the same degree.
Another basic failing in wireless security revealed by the survey, said Wisdom, was that 11 per cent of access points had not been configured correctly and were still using manufacturers’ default settings, suggesting that some devices were quickly installed with little thought given to correct network configuration or security imperatives.

Pat Moran, director of Technology & Security Risk Services, Ernst & Young, stressed the need to focus on user authentication and end-point security as part of a security strategy.
‘Users should look at implementing the IEEE 802.1x standard which dynamically assigns per-user, per-session encryption keys removing some of the known problems with current WEP*** encryption. The addition of personal firewall and intrusion prevention software at client level should also be considered as a prudent countermeasure, allowing true end-to-end policy implementation.’

31/05/04

Read More: security