I was reading the Australian Reseller News article today on wireless security. It had me intrigued that people seem to equate wireless security with a costly deployment.
“…Three quarters of respondents said that security spending was going to rise because of wireless and mobile technology, with half figuring this as a rise of 10 percent, and a further 10 percent predicting a dizzying 20 percent rise in costs…”
I think there are two sides to this discussion.
Firstly there’s the company that deploys a wireless network. If they want to leave it open to anyone, that’s their choice, but it’s no longer rocket science to secure it properly, and it shouldn’t cost any more than the wireless devices you buy anyway, such as the quality ones from Cisco or HP. That said, make sure the device supports at least WPA, preferably WPA2, and 802.1X authentication; and with an eye to the future, look for VLAN support, because technologies like NAP use 802.1X to place clients into VLANs. I’ve done blogcasts before on how to implement a secure wireless network, so it’s easy to do, and if you already have Windows Server you’re set and don’t need to buy any other software: the RADIUS server that 802.1X needs ships in the box as IAS (NPS in Windows Server 2008). Seriously. If you’re in a highly security-conscious environment, the only extra it will cost is a penetration test.
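As an added example (not code from the original post), here is a PowerShell audit that checks the wireless profiles saved on a Windows client against the bar set above: WPA2 with 802.1X (what Windows labels WPA2-Enterprise) and AES/CCMP encryption. It assumes netsh.exe with the wlan context (Vista and later) and the English output layout of netsh wlan show profile, which the regular expressions parse; the profile names and the netsh output embedded at the bottom are constructed, not captured from a real machine.

```powershell
# Added example (not from the original post): audit the saved wireless profiles on a
# Windows client and flag any that are not WPA2 + 802.1X (WPA2-Enterprise with AES/CCMP).
# Assumptions: netsh.exe with the "wlan" context (Vista and later) and the English
# output layout of "netsh wlan show profile", which is what the regexes below parse.

function Get-FirstMatch {
    # Return the first capture group of $Pattern from the first matching line, or $null.
    param([string[]]$Lines, [string]$Pattern)
    foreach ($line in $Lines) {
        if ($line -match $Pattern) { return $Matches[1] }
    }
    return $null
}

function Test-WlanProfileSecurity {
    # Parse the text of "netsh wlan show profile name=<x>" and judge it against the
    # bar set in the post: WPA2 authentication with 802.1X, and AES (CCMP) encryption.
    param(
        [Parameter(Mandatory)][string]$ProfileName,
        [Parameter(Mandatory)][string[]]$Text
    )
    $auth   = Get-FirstMatch -Lines $Text -Pattern '^\s*Authentication\s*:\s*(.+?)\s*$'
    $cipher = Get-FirstMatch -Lines $Text -Pattern '^\s*Cipher\s*:\s*(.+?)\s*$'

    $goodAuth   = @('WPA2-Enterprise', 'WPA3-Enterprise')  # 802.1X-backed; WPA3 accepted as a superset
    $goodCipher = @('CCMP', 'GCMP', 'AES')                 # AES-based; the label differs by Windows version

    $reasons = @()
    if (-not $auth)                     { $reasons += 'authentication not found in netsh output' }
    elseif ($auth -notin $goodAuth)     { $reasons += "authentication is '$auth' (expected 802.1X / WPA2-Enterprise)" }
    if (-not $cipher)                   { $reasons += 'cipher not found in netsh output' }
    elseif ($cipher -notin $goodCipher) { $reasons += "cipher is '$cipher' (expected AES / CCMP)" }

    [pscustomobject]@{
        Profile        = $ProfileName
        Authentication = $auth
        Cipher         = $cipher
        Compliant      = ($reasons.Count -eq 0)
        Reasons        = ($reasons -join '; ')
    }
}

function Get-WlanProfileReport {
    # Enumerate the profiles saved on this machine and test each one (live netsh calls).
    $names = netsh wlan show profiles |
        ForEach-Object { if ($_ -match '^\s*All User Profile\s*:\s*(.+?)\s*$') { $Matches[1] } }
    foreach ($n in $names) {
        $detail = netsh wlan show profile name="$n"
        Test-WlanProfileSecurity -ProfileName $n -Text $detail
    }
}

# Constructed sample output (not captured from a real machine) so the parser can be
# exercised offline; the layout mirrors the "Security settings" block netsh prints.
$sample = @{
    'CafeHotspot' = @('    Security settings', '    -----------------',
                      '        Authentication         : Open',
                      '        Cipher                 : None')
    'HomeRouter'  = @('    Security settings', '    -----------------',
                      '        Authentication         : WPA2-Personal',
                      '        Cipher                 : CCMP')
    'CorpWiFi'    = @('    Security settings', '    -----------------',
                      '        Authentication         : WPA2-Enterprise',
                      '        Cipher                 : CCMP')
}

$sample.GetEnumerator() |
    ForEach-Object { Test-WlanProfileSecurity -ProfileName $_.Key -Text $_.Value } |
    Format-Table Profile, Authentication, Cipher, Compliant, Reasons -AutoSize

# On a real client, replace the sample run with:  Get-WlanProfileReport | Format-Table -AutoSize
```

Only CorpWiFi passes; the open hotspot fails on both counts and the WPA2-Personal profile fails because a pre-shared key is not 802.1X, which is exactly the distinction the post is drawing. Remember that a compliant profile still needs the client to validate the RADIUS server certificate, which this check does not inspect.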
Secondly there are the client workstations. Nearly all of them have wireless LAN cards built in, so they can easily connect to any hotspot they like. The risks are real here, folks, and this is something to be worried about. In these instances you want to be providing two core things:
1. Proactive guidance to employees around safe practices
This is rarely ever done. Is it good practice to send private conversations or confidential information over instant messaging on a public network? No. Could it be prevented? Yes. You know the risks but your users don’t, so a simple education session on the risks helps. Tell them to imagine that everyone in the room is watching their naughty conversation, and while you’re at it tell them not to send anything that isn’t over SSL. People are watching, you can be assured of it. Provide a general internet safety session to them. Here’s some information that may help you in that quest: http://www.microsoft.com/technet/security/understanding/awareness.mspx
2. A machine with an inbuilt firewall that blocks anything incoming
Windows 2000 doesn’t cut it anymore. If you are giving your employees laptops with Windows 2000 and no third-party firewall, then you are potentially going to have problems. You need to be providing at least Windows XP (SP2) with the Windows Firewall’s non-domain (Standard) profile turned on and blocking anything incoming. While you’re at it, take the time to set a screensaver timeout of 5 minutes (through policy) that automatically locks the screen when the machine isn’t being used. You’d be surprised at the number of machines I see abandoned in the Qantas Club lounges with their screens unlocked and in plain view while their owners take off to the bar for drinks…
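As an added example (not code from the original post), the following PowerShell enforces and then checks the two client-side settings just described: the Windows Firewall on for the non-domain profiles with all unsolicited inbound traffic blocked, and a 5-minute, password-protected screen saver set by policy. It assumes an elevated session, the NetSecurity cmdlets of Windows 8 / Server 2012 and later (with a netsh firewall fallback for XP SP2-era clients), and that the registry values it writes are the ones the screen-saver user policies write; in a domain you would set the same values through Group Policy rather than per machine.

```powershell
# Added example (not from the original post): enforce the two client-side settings the
# post asks for, the Windows Firewall blocking all unsolicited inbound traffic on the
# non-domain profiles, and a 5-minute, password-protected screen saver set by policy.
# Assumptions: run elevated; Windows 8 / Server 2012 or later for the NetSecurity
# cmdlets, with a netsh fallback for XP SP2-era clients; the registry values written
# below are the ones the "Screen saver" user policies write (set them via GPO in a domain).

function Set-NonDomainFirewallLockdown {
    # Turn the firewall on for the non-domain profiles and default inbound to Block.
    if (Get-Command Set-NetFirewallProfile -ErrorAction SilentlyContinue) {
        Set-NetFirewallProfile -Profile Private,Public -Enabled True `
            -DefaultInboundAction Block -DefaultOutboundAction Allow
    } else {
        # XP SP2 / Server 2003 era: "Standard" is the profile used when off the domain;
        # exceptions=DISABLE is the "Don't allow exceptions" mode, i.e. block everything inbound.
        netsh firewall set opmode mode=ENABLE exceptions=DISABLE profile=STANDARD | Out-Null
    }
}

function Test-NonDomainFirewallLockdown {
    # Report whether each non-domain profile is on and blocks inbound by default.
    if (Get-Command Get-NetFirewallProfile -ErrorAction SilentlyContinue) {
        Get-NetFirewallProfile -Profile Private,Public |
            Select-Object Name, Enabled, DefaultInboundAction,
                @{ n = 'Compliant'; e = { $_.Enabled -eq 'True' -and $_.DefaultInboundAction -eq 'Block' } }
    } else {
        netsh firewall show opmode   # older clients: read the "Standard profile" block by eye
    }
}

function Set-ScreenLockPolicy {
    # Same values as User Configuration > Administrative Templates > Control Panel >
    # Personalization (Display on XP): Enable screen saver, Screen saver timeout,
    # Password protect the screen saver, Force specific screen saver.
    param([int]$TimeoutSeconds = 300)   # 5 minutes, as in the post
    $key = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name ScreenSaveActive    -Value '1'               -Type String
    Set-ItemProperty -Path $key -Name ScreenSaveTimeOut   -Value "$TimeoutSeconds" -Type String
    Set-ItemProperty -Path $key -Name ScreenSaverIsSecure -Value '1'               -Type String
    Set-ItemProperty -Path $key -Name SCRNSAVE.EXE        -Value 'scrnsave.scr'    -Type String  # blank screen saver
}

function Test-ScreenLockPolicy {
    # Compliant means: screen saver forced on, password-protected, timeout within the limit.
    param([int]$MaxTimeoutSeconds = 300)
    $key = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $timeout = [int]$p.ScreenSaveTimeOut
    [pscustomobject]@{
        Active    = ($p.ScreenSaveActive -eq '1')
        Timeout   = $timeout
        Secure    = ($p.ScreenSaverIsSecure -eq '1')
        Compliant = ($p.ScreenSaveActive -eq '1' -and $p.ScreenSaverIsSecure -eq '1' -and
                     $timeout -gt 0 -and $timeout -le $MaxTimeoutSeconds)
    }
}

# Apply, then verify. Both Set-* functions change live settings on this machine.
Set-NonDomainFirewallLockdown
Set-ScreenLockPolicy -TimeoutSeconds 300
Test-NonDomainFirewallLockdown | Format-Table -AutoSize
Test-ScreenLockPolicy | Format-Table -AutoSize
```

The Domain profile is deliberately left alone here: the point in the post is that a laptop sitting in an airport lounge is on the non-domain profile, and that is where inbound must be blocked wholesale. The two Test-* functions are the check to run before believing a fleet is compliant.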
Within Microsoft we don’t have extensive costs for wireless deployments. We simply use what’s inbuilt and educate our people in safe practices. If that works, then you don’t need to buy anything else.