This post at Dark Reading reports on a worthwhile presentation by AirPatrol CEO Nicholas Miller at CSI SX: Security Exchange, which was held concurrently with InterOp in Las Vegas this week. Interestingly, the same speech and report could have been delivered two years ago. The point is that companies are at risk and aren't doing enough to protect themselves.
Miller makes two suggestions, the most important being a change in basic approach. Today, he says, companies deploy a wireless system and then spend a lot of time and money adding security to the gadgets they use on it. This is wrong. The more effective approach, he says, is to deploy wireless security first. Once a safe environment is created, Miller is quoted as saying, "you could literally go out and buy the access points at Best Buy."
The other point Miller made is that is that the systems should be made location-aware. This is good news for firewall vendors. It may be a stretch to say that firewalls are fighting to remain relevant, but they clearly are scrambling to adjust to a reality in which the perimeter is far less definitive than it was when they first were developed. One new role firewalls can take on is to provide this awareness. The firewall would be able to determine, for instance, whether an access point (AP) is in the accounting department or out in the parking lot.
It appears that spotty progress is being made. This release describes surveys done by AirDefense in San Francisco and, timed for the Interop show where the results were released, in Las Vegas. In the latter survey, the company found that 65 percent of 640 APs run by retailers were encrypting with either the first or second version of Wi-Fi Protected Access (WPA and WPA2). However, 82 percent of 1,557 APs in hotels and casinos in the vacation and convention city used either the easily defeated WEP or no encryption at all. In San Francisco, more than 60 percent of retailers used WPA or WPA2, but many still utilized the store name in their Secure Service Set Identification (SSID). This is considered a dangerous practice by most -- but not by all.
This refresher on wireless security should be sent to decision-makers in the organization. The Tech Herald writer provides good information and, along the way, takes apart two common myths. The first myth is that WEP is better than no security at all. On an absolute basis, this may have a small bit of truth. The real-world implementation of the statement -- that WPA or WPA 2 is great, but WEP will do -- is negative. Simply, WEP is so easily hacked that it is all but worthless. The writer then describes WPA and WPA-Enterprise, as well as of media access control (MAC) address filter. The second myth he explodes is that AP placement -- putting it in the middle of the building or home -- improves security. The truth, he says, is that hackers will find the signal regardless of AP placement.
There is great opportunity for vendors in security wireless networks, and they are taking advantage. One such company is AirTight, which early this month introduced SpectraGuard. It surprises the NetworkWorld writer reporting on the introduction that no company offered such a service -- in which wireless security is packaged as an online, software-as-a-service (SaaS) offering -- until now. Sensors are installed at the site, but other elements, including auditing and reporting, are done by the service provider. The service fulfills seven compliance mandates and, at $2 per floor per day, is comparatively inexpensive, the story says.
The bottom line is that wireless security continues to be a work in progress. While significant progress is being made, the sense is that much remains to be done -- and that a significant portion of corporate users are not paying enough attention.