By Lisa Phifer
February 01, 2008
The only reliable way for employers to manage the associated risk for mobile workers is to define, monitor, and enforce hotspot acceptable use policies. Here, we show you how.
Last month, we illustrated five common-sense steps that anyone can take to defeat most Wi-Fi hotspot threats. Unfortunately, many users still insist on skinny-dipping in shark-infested hotspot waters. The only reliable way for employers to manage associated business risk is to define, monitor, and enforce hotspot acceptable use policies.
Something old, something new
Many companies have policies governing secure remote access to corporate networks. Those policies and related countermeasures are an excellent starting point for securing business hotspot use. However, they must be extended to deal with risks unique to Wi-Fi.
Before Wi-Fi, remote workers used dial-up or broadband to reach corporate networks. Because those links connected business assets to the public Internet, measures were needed to deflect unsolicited inbound traffic and ensure data confidentiality. As a result, many workers are now required to use anti-virus, personal firewall, and a VPN tunnel when connecting from afar.
These measures certainly apply when Wi-Fi hotspots are used to support remote access. But in the all-wired world, workers knew exactly where and when they were connected. With Wi-Fi, nearly everyone forms accidental associations. Most have automatically (re)associated to a stranger’s AP with the same familiar home, hotspot, or muni SSID used in the past. Some have tried to connect to a legitimate AP, but were transparently redirected to a malicious evil twin. Both mistakes can place the Wi-Fi client at risk for hours or days without user awareness.
Further, users are sorely tempted by the ease and ubiquity of Wi-Fi. When employees jack into a hotel or business center LAN, they can identify the network owner. But when workers browse the airwaves, many connect to any SSID that might offer Internet access, without any real hope of knowing who they actually reached. For example, Windows XP users who associate to an Ad Hoc network called “Free Public Wi-Fi” will, by default, automatically probe for that SSID forever more, passing this apparently-irresistible network name along to strangers.
Finally, open Wi-Fi APs create a cozy environment for anonymous cybercrime. Sure, the Internet makes it easy to launch application attacks from dynamically-addressed botnets. But personal firewalls can block those TCP/IP packets—they cannot stop PHY and MAC attacks like Wi-Fi driver exploits that can remotely take control of or crash a laptop that isn’t even associated. Public Internet hotspots exacerbate this by drawing potentially high-value business targets to venues where Wi-Fi attackers can hang out without raising suspicion.
Playing by the rules
Despite these risks, employers needn’t discourage Wi-Fi hotspot use. Convenient wireless Internet access can significantly improve worker productivity and availability. Taking steps to identify and mitigate these new risks can be a far better use of time and money.
If you are responsible for securing offsite workers, review your existing remote access policy to identify situations where Wi-Fi might be used. Decide who should be allowed to use Wi-Fi, where, and why. For example, should employees be allowed to use corporate laptops to send personal traffic over Wi-Fi at home or at public hotspots? Should they be allowed to use personal PDAs to send business traffic at ANY hotspot or only at authorized hotspots?
Next, analyze the business risks that hotspots add to each usage scenario, the security measures that might be deployed to mitigate them, and whether the resulting cost/risk/reward is acceptable. For example, perhaps you have the infrastructure to manage Wi-Fi settings and patches on corporate laptops, but not on personal PDAs. How does that impact the risk and cost of permitting business communication from personal devices at hotspots?
Use your analysis to decide whether or not to permit Wi-Fi in each scenario, and under precisely what conditions. If there are employees, devices, or applications for which hotspot risks are considered too great, specify how you will enforce those restrictions. Where public hotspot use is acceptable, identify recommended and/or required security measures and how they will be implemented and verified.
Protect and defend
After consideration, some businesses will ban hotspot use—but must then take steps to prevent it. Most will end up allowing hotspot use for business communication. Some may even encourage it by providing financial support. In all cases, the next step is to implement and enforce hotspot security in accordance with your defined policy.
Shore up client defenses. If you have a process for managing laptops, PDAs, or smartphones, refine it to close Wi-Fi loopholes. Use your patch manager to automatically deploy Wi-Fi driver updates and related OS patches. Use device management tools (e.g., Group Policy Objects) to centrally configure Wi-Fi parameters. Refine endpoint security policies where needed to facilitate hotspot use—for example, letting portal login traffic bypass your VPN client. Small businesses without fancy IT infrastructure may need to complete these tasks manually, but the goal is the same—assert control over client hardware, software, and settings to deflect not only Internet threats, but also Wi-Fi hotspot threats.
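As an added example (not from the article, and not a product feature of any vendor named in it), the following PowerShell script audits the Wi-Fi profiles saved on a Windows client for the two accidental-association conditions described earlier: leftover ad hoc profiles such as “Free Public Wi-Fi”, and open SSIDs set to auto-connect, which re-associate to any AP beaconing that name. It assumes Windows Vista or later (the netsh wlan context is not available on XP), runs elevated for the optional remediation step, and the -Remediate switch is a hypothetical name chosen for this example.

```powershell
# Added example, not from the article: audit saved Wi-Fi profiles for the
# accidental-association conditions described above, then optionally tighten them.
# Assumes Windows Vista or later ("netsh wlan") and an elevated PowerShell session
# for the remediation commands at the end. -Remediate is a hypothetical switch name.
param(
    [switch]$Remediate   # report only by default; apply fixes when set
)

$ExportDir = Join-Path $env:TEMP "wlan-audit"
New-Item -ItemType Directory -Force -Path $ExportDir | Out-Null

# Export every saved profile as XML (no keys) so the check does not depend on the
# localized text printed by "netsh wlan show profile".
netsh wlan export profile folder="$ExportDir" | Out-Null

$findings = foreach ($file in Get-ChildItem -Path $ExportDir -Filter '*.xml') {
    [xml]$doc = Get-Content -Path $file.FullName -Raw
    $p    = $doc.WLANProfile
    $ssid = $p.SSIDConfig.SSID.name
    $mode = $p.connectionMode                              # "auto" or "manual"
    $type = $p.connectionType                              # "ESS" = infrastructure, "IBSS" = ad hoc
    $auth = $p.MSM.security.authEncryption.authentication  # "open", "WPA2PSK", ...

    $issues = @()
    if ($type -eq 'IBSS') {
        # Ad hoc profile: the client keeps probing for peers advertising this name
        # ("Free Public Wi-Fi" is the classic case from the text).
        $issues += 'ad hoc profile'
    }
    if ($mode -eq 'auto' -and $auth -eq 'open') {
        # Auto-connect to an open SSID re-associates to ANY AP beaconing that name,
        # including a stranger's AP or an evil twin.
        $issues += 'auto-connect to open network'
    }
    if ($issues.Count -gt 0) {
        [pscustomobject]@{
            SSID   = $ssid
            Type   = $type
            Mode   = $mode
            Auth   = $auth
            Issues = ($issues -join '; ')
        }
    }
}

$findings | Format-Table -AutoSize

if ($Remediate) {
    foreach ($f in $findings) {
        if ($f.Type -eq 'IBSS') {
            # Remove the ad hoc profile outright.
            netsh wlan delete profile name="$($f.SSID)"
        } elseif ($f.Mode -eq 'auto') {
            # Keep the profile but require the user to connect deliberately.
            netsh wlan set profileparameter name="$($f.SSID)" connectionmode=manual
        }
    }
    # Block ad hoc networks entirely so they are neither shown nor joined.
    netsh wlan add filter permission=denyall networktype=adhoc
}

Remove-Item -Path $ExportDir -Recurse -Force
```

Run it without the switch first to see what the client has accumulated; the same checks can be pushed through a logon script or a wireless Group Policy that sets connectionMode to manual for open networks, which is the centrally managed form of the change the script applies locally.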
Help users get connected. Companies that want to pay for employee hotspot use should contract with a wireless carrier (e.g., T-Mobile, AT&T), hotspot provider (e.g., Boingo), or Internet access aggregator (e.g., iPass, Fiberlink). Subscriptions can help companies control hotspot costs by applying flat-rate fees or enforcing bandwidth limits. They can encourage use of reputable hotspots by requiring employee payment at any other hotspot. Many providers offer connection managers that automate secure login to deter password snarfing and evil twin attacks. In fact, connection managers can play a vital role in hotspot security policy enforcement. Most can auto-launch specified executables (e.g., VPN clients, host security checkers) upon hotspot connect. Some can even monitor on-going activity and disconnect if any mandatory process goes down.
Help users stay connected. Wi-Fi laptops tend to remain stationary during hotspot use, but handheld devices (like dual-mode smartphones) often do not. If you have workers who need to stay connected when moving between Wi-Fi hotspot and 3G wireless, consider equipping those devices with a Mobile VPN (e.g., NetMotion, Columbitech, AppGate). Unlike conventional IPsec or SSL VPNs, Mobile VPNs expect the client’s physical connectivity and IP address to change, taking steps to provide application persistence—even when the client roams into a dead spot and loses connectivity. To be clear—there are many hotspot users that don’t roam and don’t require a Mobile VPN. However, those who do often kill legacy VPNs that get in their way. A user-friendly alternative can promote safe communication at hotspots and everywhere else.
Watch over your workforce. Many security incidents are caused by Wi-Fi transparency. It is unrealistic to expect users to avoid threats they just can’t see. For comprehensive hotspot protection, complement your host firewall with a Wireless IPS agent that can stop threats at the MAC layer. Unlike a “personal” host WIPS that warns the user, an enterprise host WIPS (e.g., AirTight SpectraGuard SAFE) is controlled by a central server. That server enforces wireless connectivity rules and monitors incidents. For example, a host WIPS can stop simultaneous connection to Wi-Fi and Ethernet, preventing bridging onto your corporate network. It can stop users from seeing black-listed SSIDs, Ad Hoc nodes, or software APs. A host WIPS can require permission before connecting to a hotspot SSID or unfamiliar MAC, making users think twice before engaging in risky behavior—and letting you know when they do.
Educate your employees. Measures like these can protect workers that connect to public hotspots. Taking responsibility for security installation, configuration, monitoring, and response can reduce your risk, let you see how hotspots are being used, and enforce policy compliance. However, security awareness training is still important. Educate workers about hotspot threats and the steps you’ve taken to mitigate them. Explain what they must do to satisfy your acceptable use policy and consequences of non-compliance. Where vulnerabilities remain, teach workers how to protect themselves—for example, recommend how to secure personal communication and avoid accidental associations at home. Finally, listen to employee feedback and adjust your policies and implementation to deliver hotspot security AND usability.
Lisa Phifer owns Core Competence, a consulting firm focused on business use of emerging network and security technologies. She has been involved in the design, implementation, assessment, and testing of NetSec products and services for over 25 years.