Countering Lack of Security in Wi-Fi Hot Spots

By John Desmond

April 30, 2004

In a report on 'Securing the Mobile Device,' the Burton Group outlines options users tapping the 802.11 protocol have for securing their transmissions and guarding the integrity of their data.

Public hotspots are not secure, not even with Wired Equivalent Privacy (WEP), the 1999-era security standard for 802.11 Wi-Fi communications, turned on, which makes them a risk for any business professional to use, says Mike Disabato, senior analyst with the Burton Group.

In a report on "Securing the Mobile Device," Disabato outlines options that users tapping the 802.11 protocol have for securing their transmissions and guarding the integrity of their data.

At a minimum, the mobile user should be using an encrypted VPN over 802.11 to secure the transmission. In addition, the user should have a personal firewall, should be running a virus scan and spyware remover, and possibly should be encrypting sensitive files.

Newer vulnerabilities include connection sharing, enabled by default in the original Windows XP operating system from Microsoft, which can allow access to an enterprise network and/or the contents of the communicating device, and the wireless technology (either Bluetooth or 802.11) now built into many laptop PCs.

Bluetooth is less of a risk than 802.11 because the range is not as great, the association mechanism is more strict, and it has good encryption features. The 802.11 security options include WEP, Wi-Fi Protected Access (WPA and WPA2) and 802.11i/AES, expected to be available later this year after IEEE committees ratify the standard.

Users without strong protection who are using 802.11 communications for business need to be aware of the risks.

"Public hot spots are not secure and even if the user's machine is WEP-enabled, it takes about 30 minutes to crack WEP using tools easily available to hackers," Disabato says.
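The link-layer options named above (open, WEP, WPA and 802.11i/AES) are easy to read off a scan listing, and the report's point that WEP should be treated no better than an open network can be encoded directly. The following is an added example, not code from the article or from the Burton Group report: it parses a listing in the shape of Windows' `netsh wlan show networks mode=bssid` output and puts each visible network into a protection tier. The sample listing, its SSIDs and BSSIDs are constructed for this example, and the tier names are this example's own.

```python
"""Classify visible Wi-Fi networks into link-layer protection tiers.

Reads a listing in the shape of `netsh wlan show networks mode=bssid`
(constructed sample below) and marks WEP and open networks as giving
no usable protection, following the article's guidance that WEP is
crackable in minutes and that public hotspots need an encrypted VPN
regardless of the link layer.
"""
import re

# Constructed sample in the shape of netsh output; SSIDs/BSSIDs are invented.
SAMPLE_SCAN = """\
Interface name : Wireless Network Connection
There are 4 networks currently visible.

SSID 1 : AirportFree
    Network type            : Infrastructure
    Authentication          : Open
    Encryption              : None
    BSSID 1                 : 00:11:22:33:44:01
         Signal             : 80%

SSID 2 : HotelGuest
    Network type            : Infrastructure
    Authentication          : Open
    Encryption              : WEP
    BSSID 1                 : 00:11:22:33:44:02
         Signal             : 62%

SSID 3 : CafeWPA
    Network type            : Infrastructure
    Authentication          : WPA-Personal
    Encryption              : TKIP
    BSSID 1                 : 00:11:22:33:44:03
         Signal             : 55%

SSID 4 : CorpGuest
    Network type            : Infrastructure
    Authentication          : WPA2-Enterprise
    Encryption              : CCMP
    BSSID 1                 : 00:11:22:33:44:04
         Signal             : 90%
"""

# Tier names are this example's own, ordered weakest to strongest.
TIERS = ("open", "wep", "wpa", "wpa2-aes")

_SSID_RE = re.compile(r"\s*SSID \d+\s*:\s*(.*)$")
_FIELD_RE = re.compile(r"\s*(Authentication|Encryption)\s*:\s*(.*)$")


def parse_networks(text):
    """Return one {ssid, authentication, encryption} dict per SSID block.

    The SSID pattern is anchored at line start, so `BSSID n : ...` lines
    (which also contain 'SSID') do not start a new block.
    """
    networks, current = [], None
    for line in text.splitlines():
        m = _SSID_RE.match(line)
        if m:
            current = {"ssid": m.group(1).strip(),
                       "authentication": "", "encryption": ""}
            networks.append(current)
            continue
        if current is None:
            continue
        m = _FIELD_RE.match(line)
        if m:
            current[m.group(1).lower()] = m.group(2).strip()
    return networks


def classify(authentication, encryption):
    """Map netsh authentication/encryption strings to a protection tier."""
    auth, enc = authentication.lower(), encryption.lower()
    if enc in ("", "none"):
        return "open"
    if enc == "wep":
        return "wep"
    if enc == "ccmp":            # AES-CCMP is the 802.11i cipher
        return "wpa2-aes"
    if auth.startswith("wpa"):   # WPA or WPA2 running TKIP
        return "wpa"
    return "open"                # unknown combination: assume no protection


def assess(text):
    """Attach a tier and a treat-as-open flag to every network in the listing."""
    results = []
    for net in parse_networks(text):
        tier = classify(net["authentication"], net["encryption"])
        results.append({**net, "tier": tier,
                        # WEP is treated like an open network, per the report.
                        "treat_as_open": tier in ("open", "wep")})
    return results


if __name__ == "__main__":
    for r in assess(SAMPLE_SCAN):
        flag = "NO LINK PROTECTION" if r["treat_as_open"] else "link encrypted"
        print(f"{r['ssid']:<12} {r['tier']:<9} {flag}  (VPN still required on public hotspots)")
```

The `treat_as_open` flag is the actionable output: on those networks nothing at the link layer protects the traffic, so the article's minimum baseline (an encrypted VPN plus a personal firewall) is the only protection the user has. The flag is deliberately not used to waive the VPN on WPA/WPA2 networks, since the article's baseline applies to any public hotspot.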

The encrypted VPN options include IPSec and SSL. IPSec provides full use of network resources, including legacy applications, and provides strong authentication via a unique client on each user device. It is limited by the requirements that client software must be installed and managed on the device, and that firewalls must be configured to accommodate it. It is well-suited for applications including site-to-site VPNs, telecommuter VPNs and voice and data traffic.

SSL VPNs provide a "clientless" extranet option and the freedom to use any remote access device with a browser. The session is specific to an application or server, so access control is tight. Its drawbacks include being limited to Web applications over HTTP and slower performance due to SSL handshaking. It is well-suited for enterprise application portals and e-business applications such as business-to-business or business-to-consumer.

"For most Web-based applications, SSL will be fine," Disabato says. "For power users who need legacy application access in particular, IPSec is a better option."

For security managers to get a handle on remote users, he suggests conducting "a risk assessment of all the information that will travel over the mobile connection. Use encrypted VPNs or remote authorization. And have the security system be the same for your people no matter what device they use or where they are."
