Securing teleworker wireless LANs


by Lisa Phifer, VP, Core Competence
04.08.2003

For years, companies have wrestled with security risks introduced by teleworkers. According to ITAC, one in five U.S. employees spent some time working from home in 2001. Growth is being accelerated by residential broadband services -- In-Stat/MDR estimates that 14% of U.S. homes now have cable modem or DSL. High-speed, always-on connections make working from home more palatable, but they also increase risk by adding new territory that must be defended from abuse and attack.

Today, residential wireless LANs are tossing fresh fuel on this smoldering fire. According to In-Stat/MDR, six million Wi-Fi home nodes were sold in 2002, projected to reach 33 million by 2006. Wireless LANs make Internet connection, printer and file sharing among PCs in the home much easier. But when one of those nodes is a teleworker desktop or laptop, securing the WLAN becomes a corporate concern.

Expanding the security gap

Teleworker PCs connected to the Internet were always at risk, but broadband exacerbated this by expanding the window of opportunity. Teleworkers connected to home WLANs open that window even wider. Some new risks resulting from lax home WLAN security include the following.
  1. War drivers can use unprotected home WLANs to freeload on company-paid broadband connections. Freeloaders can tap spare capacity -- or use your link to send spam or porn, or even to attack someone else, leaving you holding the liability bag.

  2. By eavesdropping on wireless traffic, attackers can gather server identities, user credentials and confidential payload -- for example, recording email messages, hashed logins for offline dictionary analysis or valid frames to be used in replay attacks.

  3. Personal traffic on home WLANs can inadvertently expose company resources. For example, a teleworker who shares a printer on the WLAN becomes vulnerable to NetBIOS probes and attacks by anyone within a few hundred feet of the household access point.

  4. Teleworkers equipped with perimeter defense measures like SOHO firewalls or desktop firewall software can open wireless back-doors without realizing it. For example, an AP dropped inside a home WLAN, behind a firewall/VPN appliance, could ride a tunnel from the appliance into the company network.

Filling that gap

What can companies do to avoid these pitfalls and encourage safer use of teleworker wireless LANs?
  1. Educate teleworkers about the inherent risks associated with wireless. Awareness is growing, but many otherwise-savvy users are still in the dark.

  2. Define an acceptable use policy that explains permissible use of company resources on residential WLANs, acceptable configurations and recommended or required security measures.

  3. Actively promote safer home WLANs. For example:
    1. Recommend a list of approved wireless routers and supply secure network topology diagrams and set-up instructions for them, or
    2. Let teleworkers requisition a pre-configured wireless router from your IT department (i.e., extend your process for supplying secure PCs to teleworkers), or
    3. Outfit teleworkers with appliances that you can manage remotely – for example, the Colubris CN100 is a firewall/VPN client/AP for teleworkers.

  4. Choose the right hardware for the job. Terminology can be confusing, and many teleworkers don't understand the difference between a wireless AP and a wireless router, or between a router with an integrated VPN gateway and one with VPN pass-through.

  5. Enable basic 802.11 security. MAC access control lists, shared key authentication, and WEP aren't perfect, but they are still useful as a first line of defense. In a small, self-contained WLAN, shared keys and ACLs are manageable. Supply guidance on how to pick good SSID and key values, when to update keys, etc.

  6. Harden wireless devices. Teach teleworkers to change or disable unused listening ports and configure hard-to-guess passwords. Connect only with known APs, disabling Windows XP's ability to connect to any non-preferred network.

  7. Extend existing desktop security measures. For example, reconfigure VPN client policies to also apply to wireless adapters, and identify wireless router VPN pass-throughs that are compatible with your VPN client.

  8. If you don't use VPN on the WLAN, consider other options to increase protection for sensitive traffic. For example, use SSL webmail instead of POP or encrypted screen sharing instead of cleartext remote desktop access.

  9. Rethink home network trust. Sharing printers and files may be acceptable on a residential Ethernet that's protected from the Internet by a firewall/router. Doing so over wireless probably is not. Help teleworkers to identify new sources of risk.

  10. If you haven't already, get started now. Home WLAN adoption is now growing faster than enterprise WLAN use. If your workers carry laptops or have PCs at home, odds are excellent that you already have at least a few teleworkers using wireless.
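
The checks in items 5 through 9 can be run mechanically over settings collected from each teleworker. The following is an added example, not part of the original tip: the record layout, field names and the short list of vendor-default SSIDs are assumptions made for illustration, and the checks follow the article's 2003-era recommendations.

```python
import string

DEFAULT_SSIDS = {"linksys", "netgear", "default", "tsunami", "wireless"}  # sample list
CLEARTEXT = {21: "FTP", 23: "Telnet", 110: "POP3"}
ALNUM = set((string.ascii_letters + string.digits).encode())

def wep_key_problem(hex_key):
    """Return why a hex WEP key is unusable or guessable, or None if it passes."""
    if len(hex_key) not in (10, 26) or set(hex_key) - set(string.hexdigits):
        return "not a 40- or 104-bit hex key"
    raw = bytes.fromhex(hex_key)
    if len(set(raw)) <= 2:
        return "repeated bytes"
    if set(raw) <= ALNUM:
        return "spells typed text instead of random bytes"
    return None

def audit(cfg):
    """Return (item, finding) tuples; item is the number of the tip it maps to."""
    out = []
    ssid = cfg["ssid"].lower()
    if ssid in DEFAULT_SSIDS or (cfg["company"] and cfg["company"].lower() in ssid):
        out.append((5, "SSID is a vendor default or names the company"))
    problem = wep_key_problem(cfg["wep_key"]) if cfg["wep_enabled"] else "disabled"
    if problem:
        out.append((5, "WEP: " + problem))
    if not cfg["mac_acl"]:
        out.append((5, "no MAC access control list"))
    if not cfg["admin_password_changed"]:
        out.append((6, "router admin password unchanged"))
    if cfg["connect_non_preferred"]:
        out.append((6, "client may join non-preferred networks"))
    if not cfg["vpn_on_wireless"]:
        out.append((7, "VPN client policy does not cover the wireless adapter"))
        for port in sorted(set(cfg["ports_in_use"]) & set(CLEARTEXT)):
            out.append((8, CLEARTEXT[port] + " in cleartext over the WLAN"))
    if cfg["sharing_on_wireless"]:
        out.append((9, "file/printer sharing bound to the wireless adapter"))
    return out

# Constructed sample record; field names are hypothetical, not a product's schema.
SAMPLE = {"ssid": "AcmeHome", "company": "Acme", "wep_enabled": True,
          "wep_key": "41636d6531", "mac_acl": [], "admin_password_changed": True,
          "connect_non_preferred": True, "vpn_on_wireless": False,
          "ports_in_use": [110, 443], "sharing_on_wireless": True,
}

if __name__ == "__main__":
    for item, finding in audit(SAMPLE):
        print(f"item {item}: {finding}")
```

The sample key decodes to the ASCII text "Acme1", which is why it is flagged even though it is a well-formed 40-bit key.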

All Rights Reserved, Copyright 2008, TechTarget